Hi all,
We use email ingestion as an input for several processes, mainly for phishing analysis.
So far we are ingesting from O365 through the EWS app but we are experiencing some issues so we want to migrate to ingestion through Graph API via the Graph app.
The thing is that comparing the artifacts generated at ingestion time for the same emails between the EWS app and the Graph app there are differences in the number of artifacts (sometimes more, sometimes less) and the CEF detail in those of "Email Artifact" type.
Even in the containers generated by the Graph app the different email artifacts created during ingestion (ex: from an email with other emails attached) have different structures, some of them similar or maybe equal to the CEF structure generated by the EWS and the Parser apps and some with a new structure exclusive of Graph generated artifacts.
Since the source of the emails is exactly the same and the output type is the same (Email Artifact) we expected the output content to be also the same.
There are differences not only in the output structure, but in the content also, mainly in the body content and its parsing.
Has anyone found any documentation explaining the parsing process and the output structure?
Any hints about the logic behind the different output data structures?
I'll mention some members who posted about related topics: @phanTom @drew19 @EdgeSync @lluebeck_splunk