Merged
Expand Up @@ -7,15 +7,61 @@ import useBaseUrl from '@docusaurus/useBaseUrl';

<img src={useBaseUrl('/img/platform-services/automation-service/app-central/logos/microsoft-ews-daemon.png')} alt="microsoft-defender-atp" width="100"/>

***Version: 2.5
Updated: May 9, 2024***
***Version: 2.6
Updated: May 16, 2025***

:::sumo Cloud SOAR
This integration is only for Cloud SOAR.
:::

Process emails with EWS Daemon.

## Overview

### Purpose

The Microsoft EWS Incoming Mail Daemon automatically retrieves emails. It enables seamless integration with security automation platforms by pulling in messages for further analysis and action.
### Use cases

* Automatically ingest emails from monitored mailboxes for phishing analysis or ticketing systems.
* Feed email content into security orchestration workflows.
* Process and analyze attachments (for example, .eml, .msg, documents) in near real-time.
* Extract and enrich sender/recipient metadata for further investigation.

### Supported versions

* Microsoft Exchange Online (Office 365)

### Prerequisites
* Active Azure subscription
* Application registration with:
* Client ID
* Client Secret
* Tenant ID
* EWS API permissions
* Basic authentication (legacy) or OAuth 2.0 with modern authentication
* Correctly configured EWS endpoint
* Valid credentials or token

### Limitations
* Certain attachments may be represented differently, which can result in missing or inconsistent file metadata (for example, name or type).
* Mailbox rate limits may apply depending on Microsoft tenant configuration

## Usage

### Basic usage
* Configure credentials (Tenant ID, Client ID, Client Secret).
* Set retrieval parameters like polling frequency, folders to include/exclude.
* Enable the Daemon action in a rule or playbook.
* Emails are pulled automatically.

### Advanced usage
* Use filtering parameters to narrow email scope:
* Subject keywords
* Sender domain
* Date ranges
* Enable the Daemon action in a rule or playbook.

## Actions

* **Microsoft EWS Incoming Mail Daemon** *(Daemon)* - Automatically retrieve emails from EWS.
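Review bot: The Prerequisites list (lines "Basic authentication (legacy) or OAuth 2.0 with modern authentication" and "EWS API permissions") should state which method the integration actually expects for the only supported version, Exchange Online, rather than presenting a method the page itself labels legacy as an equal alternative; suggest "OAuth 2.0 with an application registration (Client ID, Client Secret, Tenant ID); Basic authentication only where the tenant still permits it" and naming the minimum EWS permission the app needs so operators can scope it to the monitored mailbox. Two smaller points in the same hunk: "Enable the Daemon action in a rule or playbook." appears under both Basic usage and Advanced usage, so the Advanced list should only carry the filtering bullets; and the context line `alt="microsoft-defender-atp"` on the EWS daemon logo is a copy-paste leftover that should read something like `alt="microsoft-ews-daemon"`. Headings "### Use cases" and "### Prerequisites" are also missing the blank line that the other headings in this file have around them.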
Expand Down Expand Up @@ -134,10 +180,66 @@ import IntegrationsAuth from '../../../../reuse/integrations-authentication.md';

<IntegrationsAuth/>

Use the information you set up in [Microsoft EWS configuration](#microsoft-ews-configuration) above:
* **Host**. Enter the host name of the EWS instance, for example, `outlook.office365.com`.
* **Authentication Method**. Select the [EWS authentication](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange) method:
* **Basic**
* **NTLM**
* **OAuth 2.0**
* **Username**. Enter the Microsoft EWS username.
* **Password**. Enter the Microsoft EWS password.
* **Primary SMTP Address**. Enter the [primary SMTP address](https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/primarysmtpaddress) for the user.
* **Tenant ID**. Enter the [tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) for authentication.
* **Client ID**. Enter the client ID for authentication.
* **Client Secret**. Enter the client secret for authentication.
* **Cloud SOAR API URL**. Enter the URL for your Cloud SOAR API, for example, `https://api.sumologic.com`. Enter the [API endpoint URL](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for your region.
* **Access ID**. Enter the access ID from a Sumo Logic [access key](/docs/manage/security/access-keys/). Select **Default** as the scope when generating access keys.
* **Access Key**. Enter the access key associated with the Sumo Logic access ID entered above.
* **Automation Engine**. Select whether to use [Cloud or Bridge execution](/docs/platform-services/automation-service/automation-service-integrations/#cloud-or-bridge-execution).

<img src={useBaseUrl('/img/platform-services/automation-service/app-central/integrations/misc/microsoft-ews-daemon-configuration.png')} style={{border:'1px solid gray'}} alt="Microsoft EWS Daemon configuration" width="400"/>

For information about Microsoft EWS, see [Microsoft Exchange Web Services documentation](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth).

## API reference

### Configuration
Environment variables or parameters:
* Tenant
* Client ID
* Client secret
* Email: The service account email address
* Password or OAuth token: Authentication credentials
* Automation bridge
* And other fields info based on the requirement

### Containment APIs

### Rate Limits and Quotas
* Microsoft may enforce throttling based on:
* Number of concurrent EWS requests
* Number of items retrieved per call
* Number of mailbox accesses per day/hour

#### Troubleshooting
| Issue | Resolution | Resolution |
| :-- |:-- |:-- |
| No emails retrieved | Incorrect folder, filters too strict | Check filters, verify folder ID |
| Authentication failed | Invalid credentials or token | Update credentials and reauthorize |

### FAQ

#### Can I filter which emails are fetched?
Yes. Filtering can be applied based on folders, received time. Custom filters may be implemented depending on integration configuration.

#### How frequently does the Daemon poll for new messages?
The polling interval is determined by the configuration within the integration setup or automation rule.

### Support
* For issues, questions, or improvements:
* Microsoft [Q&A](https://learn.microsoft.com/answers)
* Review logs on the portal using log search.

## Category

Email Gateway
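Review bot: The Troubleshooting table header `| Issue | Resolution | Resolution |` is wrong for its content; the middle column holds causes ("Incorrect folder, filters too strict", "Invalid credentials or token"), so it should be `| Issue | Cause | Resolution |`. The configuration bullets list **Username**/**Password** alongside **Tenant ID**/**Client ID**/**Client Secret** without saying which fields belong to which **Authentication Method** (Basic, NTLM, OAuth 2.0); a one-line note per field, e.g. "Used with Basic and NTLM only" and "Used with OAuth 2.0 only", would stop operators from filling in a password for an OAuth 2.0 setup. "### Containment APIs" is an empty heading and should either get content or be dropped, "#### Troubleshooting" sits one level below its sibling sections and should be "###", and the Configuration bullet "And other fields info based on the requirement" is too vague for an API reference and should name the remaining parameters or be removed.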
Expand All @@ -150,3 +252,4 @@ Email Gateway
* March 4, 2024 (v2.3) - Updated code for compatibility with Python 3.12
* March 21, 2024 (v2.4) - Resolved an issue related to the Email Body
* May 9, 2024 (v2.5) - A new field has been added to the integration resource for specifying the folder or path to search within
* May 16, 2025 (v2.6) - Enhanced attachment handling to ensure accurate detection and processing.
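Review bot: The new changelog entry "Enhanced attachment handling to ensure accurate detection and processing." does not say what changed, while the same PR adds a Limitations bullet about attachments with missing or inconsistent file metadata; stating which attachment cases v2.6 now handles (or which metadata is now reported) would let users judge whether that limitation still applies to them. Style point: the earlier entries in this list have no trailing period, so the new line should match.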