Exchange Extension Pack

Integration version: 4.0

Configure the integration to work with Exchange

Depending on the mail server that the integration is configured for, the configuration steps are different.

Below are the configuration instructions for Microsoft 365 and for on-premises Exchange starting from version 2016; earlier versions are not supported.

Configure the integration to work with Microsoft 365

This integration uses PowerShell scripts to execute operations. The PowerShell package needs to be installed on the Google Security Operations SOAR server or the Google Security Operations SOAR remote agent that uses Exchange Extension Pack integration.

Here is an example of how to configure PowerShell for CentOS 7:

  1. Install the PowerShell package.

    > curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
    > sudo yum install -y powershell
    
  2. Open the PowerShell interpreter and install the Exchange Online PowerShell V3 and WSMan modules:

    > pwsh
    > Install-Module -Name ExchangeOnlineManagement -AllowPrerelease -Force -Scope AllUsers
    > Install-Module -Name PSWSMan
    > Install-WSMan
    > exit
    
  3. Go to https://github.com/jborean93/omi/releases to get the libmi.so and libpsrpclient.so files built for OpenSSL 1.1. Download the latest glibc-1.1.tar.gz release to the CentOS host.

  4. Extract the downloaded tar archive:

    > tar -xzvf glibc-1.1.tar.gz
    
  5. Overwrite the existing libmi.so and libpsrpclient.so files in the /opt/microsoft/powershell/7 directory with the extracted ones.

Configure account

Add the account that will be used with the integration to the Discovery Management admin role in the Exchange Admin Center.

Assign permissions to the user

Assign the Compliance data administrator role to the user.

Configure the integration to work with on-premises Exchange

The following instructions apply to Exchange 2016; earlier versions are not supported.

This integration uses PowerShell scripts to execute operations. The PowerShell package needs to be installed on the Google Security Operations SOAR server or the Google Security Operations SOAR remote agent that uses Exchange Extension Pack integration.

Here is an example of how to configure PowerShell for CentOS 7:

  1. Install the PowerShell package.

    > curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo
    > sudo yum install -y powershell
    
  2. Install the gssntlmssp (GSSAPI NTLM) package.

    The gssntlmssp package provides the GSSAPI mechanism required for authentication from the Google Security Operations SOAR Linux server or remote agent to the Windows server where Exchange is running, over the PowerShell session.

    Example of the gssapi installation for CentOS 7:

    > sudo yum install -y gssntlmssp
    
  3. Enable PowerShell remoting on the Windows server where Exchange is running, following the Enable-PSRemoting document in the Microsoft documentation.

  4. Enable Basic Authentication in Exchange.

    This integration uses Basic Authentication, which must be explicitly enabled on the Exchange server. Because Basic Authentication transmits the account's credentials with every request, expose the remoting endpoint only over HTTPS.

  5. Configure the account.

    The account used with the integration should be added to the "Discovery Management" admin role in the Exchange Admin Center (EAC) console. To run the Mail Flow Rules actions, you also need to add the Transport Rules role to that user:

    • Go to the EAC and click permissions.
    • Select Discovery Management and open it.
    • In the Roles section, click the Add icon and select Transport Rules.
    • Click add ->, then OK and Save.
    • The role is now added to the Assigned Roles section. It may take some time for the permissions to replicate.

Configure Exchange Extension Pack integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Exchange On-Prem Server Address | String | x.x.x.x | No | Mail server address (hostname or IP) to connect to.
Exchange Office365 Compliance Uri | String | https://ps.compliance.protection.outlook.com/powershell-liveid/ | No | Microsoft 365 Security & Compliance Center PowerShell URI used to execute compliance operations. For more information, see the Connect to Security & Compliance PowerShell document.
Exchange Office365 Online Powershell Uri | String | https://outlook.office365.com/powershell-liveid | No | Microsoft 365 Online PowerShell URI used to execute Microsoft 365 management operations. For more information, see the Connect to Security & Compliance PowerShell document.
Domain | String | example.com | No | Domain to authenticate with on the mail server.
User name | String | user | No | Username to authenticate with on the mail server. For Microsoft 365, provide the user's email address as the username.
Password | Password | N/A | No | Password to authenticate with on the mail server.
Is Exchange On-Prem? | Checkbox | Unchecked | No | Specify whether the target mail server is Exchange On-Prem.
Is Office365 (Exchange Online)? | Checkbox | Unchecked | No | Specify whether the target mail server is Microsoft 365 (Exchange Online).

Actions

Description

Delete the Compliance Search and any fetch results or purge emails tasks associated with it.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Compliance Search Name | String | N/A | Yes | Name of the Compliance Search to delete. The name shouldn't contain special characters.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful, compliance search and actions are deleted (is_success=true): "Action successfully executed and compliance search and any associated with it fetch results or purge emails tasks were deleted."

The action should fail and stop a playbook execution:

If the target is Exchange on-premises or Microsoft 365 but PowerShell is not installed on the Google Security Operations SOAR server: "Failed to execute action because powershell is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If the target is Exchange on-premises but the gssntlmssp OS package is not installed on the Google Security Operations SOAR server: "Failed to execute action because gssntlmssp package is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If a fatal error is reported, such as wrong credentials or no connection to the server: "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Fetch Compliance Search Results

Description

Fetch results for the completed Compliance Search.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Compliance Search Name | String | N/A | Yes | Name of the Compliance Search. The name shouldn't contain special characters.
Max Emails To Return | Integer | N/A | No | Specify the number of emails that the action can return.
Remove Compliance Search Once Action Completes? | Checkbox | Checked | No | Specify whether the action should remove the search action and any related fetch or purge tasks from the Exchange server once the action completes.
Create Case Wall Output Table? | Checkbox | Checked | No | Specify whether the action should create a case wall output table. If the "Max Emails To Return" parameter is set to a large number, it's recommended to uncheck this to improve action performance.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
[
  {
    "Location": "test@example.com",
    "Sender": "James Bond",
    "Subject": "search test",
    "Type": "Email",
    "Size": "61772",
    "Received Time": "3/12/2021 9:43:59 AM",
    "Data Link": "data/All/FLDR5402c62d-7730-4c93-8f34-6bxxxxxxxxxx/BATCH0000/MSG192bc965-18c9-4c06-8834-2cxxxxxxxxxx.eml",
    "Name": "test"
  },
  {
    "Location": "test@example.com",
    "Sender": "James Bond",
    "Subject": "search test 2",
    "Type": "Email",
    "Size": "60881",
    "Received Time": "3/12/2021 9:43:59 AM",
    "Data Link": "data/All/FLDR5402c62d-7730-4c93-8f34-6bxxxxxxxxxx/BATCH0000/MSG9eefda9c-b1b5-46f0-8a54-bdxxxxxxxxxx.eml",
    "Name": "test"
  }
]
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful and the compliance action is created (is_success=true): "Action was executed successfully and task to fetch compliance search results is created"

Once the action is completed: "Results for the Compliance Search {0} were successfully fetched".format(compliance search name)

If the action cannot find a compliance search with the provided name (is_success=false): "Action was not able to find compliance search {0}".format(compliance_search_name)

If the action fails because of some other non-critical error (is_success=false): "Action did not complete successfully due to errors. Errors information: {0}".format(error.stacktrace)

The action should fail and stop a playbook execution:

If the target is Exchange on-premises or Microsoft 365 but PowerShell is not installed on the Google Security Operations SOAR server: "Failed to execute action because powershell is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If the target is Exchange on-premises but the gssntlmssp OS package is not installed on the Google Security Operations SOAR server: "Failed to execute action because gssntlmssp package is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If a fatal error is reported, such as wrong credentials or no connection to the server: "Failed to execute action! Error is {0}".format(exception.stacktrace)

General
Table

Table Title: Compliance Search Action Results

Table Columns:

  • Received Time
  • Sender
  • Recipient
  • Subject
General

Ping

Description

Test connectivity to the Exchange or Microsoft 365 server with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Exchange or Microsoft 365 server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If neither checkbox is checked (Microsoft 365 / Exchange on-premises): "Please specify type of mail server to connect to - Exchange on-prem or Microsoft 365"

If both checkboxes are checked (Microsoft 365 / Exchange on-premises): "Only one mail server type is supported at a time. Please specify type of mail server to connect to - Exchange on-prem or Microsoft 365"

If the target is Exchange on-premises or Microsoft 365 but PowerShell is not installed on the Google Security Operations SOAR server: "Failed to execute action because powershell is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If the target is Exchange on-premises but the gssntlmssp OS package is not installed on the Google Security Operations SOAR server: "Failed to execute action because gssntlmssp package is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If a fatal error is reported, such as wrong credentials or no connection to the server: "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Purge Compliance Search Results

Description

Purge emails found by the completed Compliance Search.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Compliance Search Name | String | N/A | Yes | Name of the Compliance Search. The name shouldn't contain special characters.
Perform a HardDelete for deleted emails? | Checkbox | Unchecked | No | Specify whether a HardDelete should be performed. This option applies only to Microsoft 365 and marks emails for permanent removal from the mailbox.
Remove Compliance Search Once Action Completes? | Checkbox | Checked | No | Specify whether the action should remove the search action and any related fetch or purge tasks from the Exchange server once the action completes.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "Item count": "5",
  "Purge Type": "SoftDelete"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful and compliance action is created (is_success=true): "Action was executed successfully and task to purge emails found with the compliance search is created"

Once the action is completed: "Results for the Compliance Search {0} were successfully purged".format(compliance search name)

If the action cannot find a compliance search with the provided name (is_success=false): "Action was not able to find compliance search {0}".format(compliance_search_name)

If the action does not return any results: "The Compliance Search {0} didn't return any results . Please update the search results or edit the Compliance search query and run the search again".format(compliance search name)

The action should fail and stop a playbook execution:

If the target is Exchange on-premises or Microsoft 365 but PowerShell is not installed on the Google Security Operations SOAR server: "Failed to execute action because powershell is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If the target is Exchange on-premises but the gssntlmssp OS package is not installed on the Google Security Operations SOAR server: "Failed to execute action because gssntlmssp package is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If a fatal error is reported, such as wrong credentials or no connection to the server: "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Description

Run an Exchange Compliance Search based on the provided search conditions. If the "Fetch Compliance Search Results?" checkbox is set, the action returns the search results in the same way as the Fetch Compliance Search Results action.

Exchange Compliance Search provides a fast mechanism for searching across multiple mailboxes, which is most useful for large organizations with 1000+ mailboxes.

If the "Fetch Compliance Search Results?" checkbox is checked, a maximum of 200 elements is displayed, but the actual search can have more findings than are shown.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Compliance Search Name | String | N/A | Yes | Name of the Compliance Search. The name shouldn't contain special characters.
Subject Filter | String | N/A | No | Filter condition: the subject to search for in emails.
Sender Filter | String | N/A | No | Filter condition: the sender of the emails to find.
Recipient Filter | String | N/A | No | Filter condition: the recipient of the emails to find.
Operator | DDL | AND | Yes | Operator used to construct the query from the conditions above.
Time Frame (hours) | String | N/A | No | Time frame interval in hours to search for emails.
Location to Search Emails In | String | N/A | Yes | Location to search emails in; one of: a comma-separated list of mailboxes; a distribution group or mail-enabled security group; All, for all mailboxes in the organization.
Fetch Compliance Search Results? | Checkbox | Unchecked | No | Specify whether the action should immediately fetch the compliance search results. A maximum of 200 elements is displayed, but the actual search can have more findings than are shown.
Max Emails To Return | Integer | N/A | No | Specify the number of emails that the action can return.
Create Case Wall Output Table? | Checkbox | Checked | No | Specify whether the action should create a case wall output table. If the "Max Emails To Return" parameter is set to a large number, it's recommended to uncheck this to improve action performance.
Advanced Query | String | N/A | No | Instead of the subject, sender or recipient filters, provide a query to run the compliance search with. For more information, see the Keyword Query Language (KQL) syntax reference and Message properties indexed by Exchange Search documents.
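An added example, not part of the integration's own scripts, of the core steps behind this action in PowerShell: building the KQL query from the Subject/Sender/Recipient filters, Operator and Time Frame, validating the search name, then creating, starting and polling the search, plus the cleanup that the "Remove Compliance Search Once Action Completes?" option describes. It assumes a Security & Compliance PowerShell session is already open (Connect-IPPSSession from the ExchangeOnlineManagement module installed above) so the *-ComplianceSearch cmdlets resolve; the function names, the AND/OR operator values and the treatment of the time frame as an extra AND clause are this example's assumptions.

```powershell
# Added example (not the integration's own scripts): the Run Compliance Search
# action's core steps. Assumes an open Security & Compliance PowerShell session
# (Connect-IPPSSession); function names and the AND/OR operator values are this
# example's assumptions.

function New-ComplianceSearchQuery {
    param(
        [string] $SubjectFilter,
        [string] $SenderFilter,
        [string] $RecipientFilter,
        [ValidateSet('AND', 'OR')] [string] $Operator = 'AND',
        [int] $TimeFrameHours = 0
    )
    $conditions = @()
    # Quote each value so it is matched as a phrase, and strip embedded quotes
    # so a filter value cannot break out of its own KQL term.
    if ($SubjectFilter)   { $conditions += 'subject:"{0}"' -f ($SubjectFilter -replace '"', '') }
    if ($SenderFilter)    { $conditions += 'from:"{0}"' -f ($SenderFilter -replace '"', '') }
    if ($RecipientFilter) { $conditions += 'to:"{0}"' -f ($RecipientFilter -replace '"', '') }
    $query = $conditions -join " $Operator "

    if ($TimeFrameHours -gt 0) {
        # KQL date filters take a date (YYYY-MM-DD), so the window is rounded
        # down to the start of the earliest day; the result is a superset.
        $since  = (Get-Date).ToUniversalTime().AddHours(-$TimeFrameHours).ToString('yyyy-MM-dd')
        $window = "received>=$since"
        # Assumption: the time frame always narrows the result, whatever the
        # operator joining the filters, so it is ANDed onto the whole query.
        $query = if ($query) { "($query) AND $window" } else { $window }
    }
    return $query
}

function Invoke-SoarComplianceSearch {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Query,
        [string[]] $Locations = @('All'),   # mailboxes, a group, or All
        [int] $TimeoutSeconds = 900
    )
    # The action requires a name without special characters; fail early with
    # a clear message instead of an opaque cmdlet error later.
    if ($Name -notmatch '^[A-Za-z0-9 _-]+$') {
        throw "Compliance search name '$Name' contains special characters."
    }
    if (-not $Query) { throw 'At least one filter or a time frame is required.' }
    if (Get-ComplianceSearch -Identity $Name -ErrorAction SilentlyContinue) {
        throw "A compliance search named '$Name' already exists; delete it first."
    }

    New-ComplianceSearch -Name $Name -ExchangeLocation $Locations -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -ne 'Completed' -and (Get-Date) -lt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Compliance search '$Name' is still '$($search.Status)' after $TimeoutSeconds seconds."
    }
    # Same fields as the action's JSON result, plus the number of hits.
    return [pscustomobject]@{
        Name       = $search.Name
        RunBy      = $search.RunBy
        JobEndTime = $search.JobEndTime
        Status     = $search.Status
        Items      = $search.Items
    }
}

function Remove-SoarComplianceSearch {
    # What "Remove Compliance Search Once Action Completes?" does: delete the
    # search's fetch/purge actions first, then the search itself.
    param([Parameter(Mandatory)] [string] $Name)
    Get-ComplianceSearchAction | Where-Object { $_.SearchName -eq $Name } |
        ForEach-Object { Remove-ComplianceSearchAction -Identity $_.Identity -Confirm:$false }
    Remove-ComplianceSearch -Identity $Name -Confirm:$false
}

# Usage with constructed values: one subject from one sender, received in the
# last 24 hours, across two mailboxes; then clean up as the action would.
$query = New-ComplianceSearchQuery -SubjectFilter 'Invoice overdue' `
    -SenderFilter 'billing@example.com' -Operator 'AND' -TimeFrameHours 24
$run = Invoke-SoarComplianceSearch -Name 'SOAR phishing sweep 42' -Query $query `
    -Locations 'user1@example.com', 'user2@example.com'
$run | Format-List
Remove-SoarComplianceSearch -Name $run.Name
```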

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "Name": "test",
  "RunBy": "James Bond",
  "JobEndTime": "2021-03-18T12:42:49.92",
  "Status": "Completed"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the action is successful and the compliance search is created (is_success=true): "Action was executed successfully and compliance search is created"

Once the action has completed the search: "Compliance Search {0} successfully completed".format(compliance search name)

If the checkbox to fetch compliance search results is set: "Results for the Compliance Search {0} were successfully fetched".format(compliance search name)

If the checkbox to fetch compliance search results is set, but the search does not return any results: "The Compliance Search {0} didn't return any results . Please update the search results or edit the Compliance search query and run the search again".format(compliance search name)

The action should fail and stop a playbook execution:

If the target is Exchange on-premises or Microsoft 365 but PowerShell is not installed on the Google Security Operations SOAR server: "Failed to execute action because powershell is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If the target is Exchange on-premises but the gssntlmssp OS package is not installed on the Google Security Operations SOAR server: "Failed to execute action because gssntlmssp package is not installed on Google Security Operations SOAR server! Please see the configuration instructions on how to install powershell. Error is {0}".format(exception.stacktrace)

If a fatal error is reported, such as wrong credentials or no connection to the server: "Failed to execute action! Error is {0}".format(exception.stacktrace)

General

Add Domains to Exchange-Siemplify Mail Flow Rules

Description

The action takes a list of domains as a parameter and adds them to a mail flow rule that filters mail from those domains on your Exchange server, creating the rule if it doesn't exist. The action the rule applies is chosen through the rule parameter.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Domains | String | N/A | No | Specify the domains you would like to add to the rule, as a comma-separated list.
Rule to add Domains to | DDL | Siemplify - Domains List - Permanently Delete | Yes | Specify the rule to add the domains to. If the rule doesn't exist, the action creates it.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "success": [
    "test1.com",
    "test2.com"
  ],
  "already_available": [
    "test3.com"
  ],
  "invalid": [
    "invalid"
  ]
}
Case Wall
Result type Value / Description Type
Output message*

Action should not fail and not stop playbook execution:

If successful (Rules are updated accordingly, inputs are right): "Added the following inputs to the corresponding rules:
Domains:
successfull_domains

Rules updated:
Rules_updated_names_list

If at least one of the inputs is not correct (invalid email address in the parameter, invalid mail in the entity name): "Could not add the following inputs to the rule:"+
Unsuccessful_email_addresses

Action should fail and stop playbook execution:

If an error is reported: "Error performing "Add Domains to Exchange-Siemplify Mail Flow Rules" action : {0}".format(exception.stacktrace)

General

Add Senders to Exchange-Siemplify Mail Flow Rules

Description

The action takes a list of email addresses as a parameter or, when the parameter is not provided, works on User entities whose identifier matches the email regex, and adds them to a mail flow rule that filters mail from those senders on your Exchange server, creating the rule if it doesn't exist. The action the rule applies is chosen through the rule parameter.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Email Addresses | String | N/A | No | Specify the email addresses you would like to add to the rule, as a comma-separated list. If no parameter is provided, the action works with the User entities.
Rule to add senders to | DDL | Siemplify - Senders List - Permanently Delete | Yes | Specify the rule to add the senders to. If the rule doesn't exist, the action creates it.
Should add senders' domain to the corresponding Domains List rule as well? | Checkbox | Unchecked | No | Specify whether the action should also take the domains of the provided email addresses and add them to the corresponding domain rules (same rule action for domains).
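An added example, not the integration's own code, of what the Add Domains and Add Senders actions do on the Exchange side: senders go into the rule's From list and domains into its FromAddressContainsWords list (the two predicates visible in the List action's JSON result), a missing rule is created with the delete-message action, and inputs are sorted into the success / already_available / invalid buckets of the actions' JSON result. It assumes an Exchange management session is already open so Get-TransportRule, New-TransportRule and Set-TransportRule resolve; the function names and the email-address regex are this example's own.

```powershell
# Added example (not the integration's own code): the Exchange side of the
# Add Domains / Add Senders mail flow rule actions. Assumes an open Exchange
# management session; function names and the address regex are this
# example's own.

function Add-ValuesToSiemplifyRule {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        # From holds sender addresses (FromPredicate in the List action's JSON),
        # FromAddressContainsWords holds domains (FromAddressContainsPredicate).
        [Parameter(Mandatory)] [ValidateSet('From', 'FromAddressContainsWords')] [string] $Property,
        [Parameter(Mandatory)] [string[]] $Values
    )
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        # Missing rule: create it with the documented action (delete the message
        # without notifying anyone) and the new values as its only condition.
        $create = @{ Name = $RuleName; $Property = $Values; DeleteMessage = $true; Mode = 'Enforce' }
        New-TransportRule @create | Out-Null
        return @{ success = $Values; already_available = @(); updated = $true }
    }
    $existing = @($rule.$Property | ForEach-Object { "$_".ToLower() })
    $new      = @($Values | Where-Object { $existing -notcontains $_ })
    $already  = @($Values | Where-Object { $existing -contains $_ })
    if ($new.Count -gt 0) {
        # Set-TransportRule replaces the list, so re-send the existing values too.
        $update = @{ Identity = $RuleName; $Property = @($existing + $new) }
        Set-TransportRule @update
    }
    return @{ success = $new; already_available = $already; updated = ($new.Count -gt 0) }
}

function Add-SiemplifySenders {
    param(
        [Parameter(Mandatory)] [string[]] $EmailAddresses,
        [string] $SenderRule = 'Siemplify - Senders List - Permanently Delete',
        [switch] $AlsoAddDomains,
        [string] $DomainRule = 'Siemplify - Domains List - Permanently Delete'
    )
    $result = [ordered]@{ success = @(); already_available = @(); invalid = @(); rules_updated = @() }
    $valid = @()
    foreach ($raw in $EmailAddresses) {
        $address = $raw.Trim().ToLower()
        # Reject anything that is not shaped like an address instead of writing
        # it into a rule that permanently deletes mail.
        if ($address -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $valid += $address }
        else { $result.invalid += $address }
    }
    $valid = @($valid | Select-Object -Unique)
    if ($valid.Count -gt 0) {
        $senders = Add-ValuesToSiemplifyRule -RuleName $SenderRule -Property From -Values $valid
        $result.success           += $senders.success
        $result.already_available += $senders.already_available
        if ($senders.updated) { $result.rules_updated += $SenderRule }
        if ($AlsoAddDomains) {
            $domains = @($valid | ForEach-Object { $_.Split('@')[1] } | Select-Object -Unique)
            $d = Add-ValuesToSiemplifyRule -RuleName $DomainRule -Property FromAddressContainsWords -Values $domains
            if ($d.updated) { $result.rules_updated += $DomainRule }
        }
    }
    return $result
}

# Usage with constructed addresses: the malformed entry is reported as invalid
# rather than silently dropped.
Add-SiemplifySenders -EmailAddresses 'test1@example.com', 'not-an-address' -AlsoAddDomains |
    ConvertTo-Json
```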

Run On

This action runs on User entities whose identifier matches the email regex, when the Email Addresses parameter is not provided.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "success": [
    "test1@example.com",
    "test2@example.com"
  ],
  "already_available": [
    "test3@example.com"
  ],
  "invalid": [
    "invalid"
  ]
}
Case Wall
Result type Value / Description Type
Output message*

Action should not fail and not stop playbook execution:

If successful (Rules are updated accordingly, inputs are right): "Added the following inputs to the corresponding rules:
Email Addresses:"+
Successful_email_addresses+
"Domains:"+
successfull_domains+

"Rules updated:"+
rules_updated_names_list

If at least one of the inputs is not correct (invalid email address in the parameter, invalid email in the entity name): "could not add the following inputs to the rule:"+
Unsuccessful_email_addresses

Action should fail and stop playbook execution:

If an error is reported: "Error performing "Add Senders to Exchange-Siemplify Mail Flow Rule" action : {0}".format(exception.stacktrace)

General

Delete Exchange-Siemplify Mail Flow Rules

Description

The action takes a rule name as a parameter and deletes that rule.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Rule Name To Delete | DDL | Siemplify - Senders List - Permanently Delete | Yes | Specify the rule name you would like to delete completely. Possible values: Siemplify - Senders List - Permanently Delete; Siemplify - Domains List - Permanently Delete; All available Exchange-Siemplify Mail Flow Rules.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
N/A
Case Wall
Result type Value / Description Type
Output message*

Action should not fail and not stop playbook execution:

For successfully deleted rules: "Successfully deleted the following rules :" succesful_rule_names

In case rules are not found in Exchange: "Could not delete the following rules: "+unseccessful_rule_names+", since they were not found in Exchange. Please make sure you have chosen the appropriate rule names and try again."

In case of no rules found in Exchange: "Could not delete any of the provided rule names, since they were not found in Exchange. Please make sure you have chosen the appropriate rule names and try again."

Action should fail and stop playbook execution:

If an error is reported: "Error performing "Delete Exchange-Siemplify Mail Flow Rules" action : {0}".format(exception.stacktrace)

General

List Exchange-Siemplify Mail Flow Rules

Description

The action takes a rule name as a parameter and lists that rule.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Rule Name To List | DDL | Siemplify - Senders List - Permanently Delete | Yes | Specify the rule name you would like to list. Possible values: Siemplify - Senders List - Permanently Delete; Siemplify - Domains List - Permanently Delete; All available Exchange-Siemplify Mail Flow Rules.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
[
  {
    "Priority": 0,
    "ManuallyModified": false,
    "Description": "If the message:\r\n\tIs received from 'test@example1.com' or 'test@example2.com'\r\nTake the following actions:\r\n\tDelete the message without notifying the recipient or sender\r\n",
    "Conditions": [
      "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromPredicate"
    ],
    "Actions": [
      "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.DeleteMessageAction"
    ],
    "State": "Enabled",
    "Mode": "Enforce",
    "FromAddressContainsWords": null,
    "Identity": "Siemplify - Senders List - Permanently Delete",
    "Name": "Siemplify - Senders List - Permanently Delete",
    "DistinguishedName": "CN=Siemplify - Senders List - Permanently Delete,CN=TransportVersioned,CN=Rules,CN=Transport Settings,CN=mwc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exlab,DC=local",
    "IsValid": true,
    "From": [
      "test@example1.com",
      "test@example2.com"
    ],
    "Guid": "xxxxx426-b665-41f9-82e0-0f1fd63xxxxx",
    "ImmutableId": "xxxxx426-b665-41f9-82e0-0f1fd63xxxxx",
    "WhenChanged": "/Date(1621952909000)/",
    "ExchangeVersion": "0.1 (8.0.535.0)",
    "OrganizationId": "",
    "ObjectState": "Unchanged"
  },
  {
    "Priority": 1,
    "ManuallyModified": false,
    "Description": "If the message:\r\n\tIncludes these words in the sender's address: 'example1.com' or 'example2.com'\r\nTake the following actions:\r\n\tDelete the message without notifying the recipient or sender\r\n",
    "Conditions": [
      "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromAddressContainsPredicate"
    ],
    "Actions": [
      "Microsoft.Exchange.MessagingPolicies.Rules.Tasks.DeleteMessageAction"
    ],
    "State": "Enabled",
    "Mode": "Enforce",
    "FromAddressContainsWords": [
      "example1.com",
      "example2.com"
    ],
    "Identity": "Siemplify - Domains List - Permanently Delete",
    "Name": "Siemplify - Domains List - Permanently Delete",
    "DistinguishedName": "CN=Siemplify - Domains List - Permanently Delete,CN=TransportVersioned,CN=Rules,CN=Transport Settings,CN=mwc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exlab,DC=local",
    "IsValid": true,
    "From": null,
    "Guid": "xxxxx697-e143-41aa-8dee-b783a78xxxxx",
    "ImmutableId": "xxxxx697-e143-41aa-8dee-b783a78xxxxx",
    "WhenChanged": "/Date(1621952960000)/",
    "ExchangeVersion": "0.1 (8.0.535.0)",
    "OrganizationId": "",
    "ObjectState": "Unchanged"
  }
]
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

For successfully found rules: "Successfully listed the following rules :" succesful_rule_names

In case rules are not found in Exchange: "Could not list the following rules: "+unseccessful_rule_names+", since they were not found in Exchange. Please make sure you have chosen the appropriate rule names and try again."

In case no rules are found in Exchange: "Could not list any of the provided rule names, since they were not found in Exchange. Please make sure you have chosen the appropriate rule names and try again."

The action should fail and stop a playbook execution:

If an error is reported: "Error performing "List Exchange-Siemplify Mail Flow Rules" action : {0}".format(exception.stacktrace)

General

Remove Domains from Exchange-Siemplify Mail Flow Rules

Description

The action takes a list of domains as a parameter and removes the provided domains from the existing rules.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Domains | String | N/A | No | Specify the domains you would like to remove from the rule, as a comma-separated list. If no parameter is provided, the action works with entities.
Rule to remove Domains from | DDL | Siemplify - Domains List - Permanently Delete | Yes | Specify the rule to remove the domains from. If the rule doesn't exist, the action does nothing.
Remove Domains from all available Rules | Checkbox | Unchecked | No | Specify whether the action should look for the provided domains in all of the Google Security Operations SOAR Mail Flow rules.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "success": [
    "test1.com",
    "test2.com"
  ],
  "didn't_exist": [
    "test3.com"
  ],
  "invalid": [
    "invalid"
  ]
}
Case Wall
Result type Value / Description Type
Output message*

Action should not fail and not stop playbook execution:

If successful (Rules are updated accordingly, inputs are right): "Removed the following inputs from the corresponding rules:"
Domains:
successfull_domains

Rules updated:
Rules_updated_names_list

Action should fail and stop playbook execution:

If an error is reported: "Error performing "Remove Domains from Exchange-Siemplify Mail Flow Rules" action : {0}".format(exception.stacktrace)

General

Remove Senders from Exchange-Siemplify Mail Flow Rules

Description

The action takes a list of senders as a parameter or, when the parameter is not provided, works on the User entities, and removes the provided senders from the existing rules.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Senders | String | N/A | No | Specify the senders you would like to remove from the rule, as a comma-separated list. If no parameter is provided, the action works with entities.
Rule to remove Senders from | DDL | Siemplify - Senders List - Permanently Delete | Yes | Specify the rule to remove the senders from. If the rule doesn't exist, the action does nothing.
Should remove senders' domains from the corresponding Domains List rule as well? | Checkbox | Unchecked | No | Specify whether the action should also take the domains of the provided email addresses and remove them from the corresponding domain rules (same rule action for domains).

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
  "success": [
    "test1@example.com",
    "test2@example.com"
  ],
  "didn't_exist": [
    "test3@example.com"
  ],
  "invalid": [
    "invalid"
  ]
}
Case Wall
Result type Value / Description Type
Output message*

Action should not fail and not stop playbook execution:

If successful (rules are updated accordingly, inputs are right): "Removed the following inputs from the corresponding rules:"
Senders :
successfull_senders

Rules updated:
rules_updated_names_list

If at least one of the inputs is not correct (invalid email address in the parameter, invalid email in the entity name): "could not add the following inputs to the rule:"+
Unsuccessful_email_addresses

Action should fail and stop playbook execution:

If an error is reported: "Error performing "Remove Senders from Exchange-Siemplify Mail Flow Rules" action : {0}".format(exception.stacktrace)

General