Microsoft Graph Mail
This document provides guidance on how to integrate Microsoft Graph Mail with Google Security Operations SOAR.
Integration version: 17.0
Use cases
Integrating Microsoft Graph Mail with Google SecOps can help you solve the following use cases:
Phishing email investigation and remediation: use the Google SecOps capabilities to identify malicious emails, automatically investigate the email headers, sender reputation, and attachments in phishing emails, and automate the threat remediation actions.
Compromised account response: use the Google SecOps capabilities to analyze recent emails sent from the suspicious account, looking for potentially malicious activities like bulk forwarding or unusual login locations. The compromised account response can help you identify compromised accounts and facilitate response actions, such as password resets and email scanning for data exfiltration attempts.
Before you begin
Before configuring the integration in the Google SecOps platform, complete the following steps:
Create the Microsoft Entra app.
Configure the API permissions for your app.
Create a client secret.
Create Microsoft Entra app
To create the Microsoft Entra app, complete the following steps:
Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the app.
Click Register.
This document provides an example using a single-tenant setup. The OAuth flow (client credentials) supported by the integration does not require the redirect URL.
Save the Application (client) ID and Directory (tenant) ID values to use them later when configuring the integration parameters.
Configure API permissions
To configure the API permissions for the integration, complete the following steps:
In Azure portal, go to API Permissions > Add a permission.
Select Microsoft Graph > Application permissions.
In the Select Permissions section, select the following required permissions:
Mail.Read
Mail.ReadWrite
Mail.Send
MailboxSettings.Read
MailboxSettings.ReadWrite
User.Read
Directory.Read.All
Click Add permissions.
Click Grant admin consent for YOUR_ORGANIZATION_NAME. When the Grant admin consent confirmation dialog appears, click Yes.
Create client secret
To create a client secret, complete the following steps:
Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the Secret ID parameter value when configuring the integration. The client secret value is only displayed once.
Integrate Microsoft Graph Mail with Google SecOps
The integration requires the following parameters:
Parameter | Description |
---|---|
Azure AD endpoint | Required. The Microsoft Entra endpoint to connect to. The default value is |
Microsoft Graph Endpoint | Required. The Microsoft Graph endpoint to connect to. The default value is |
Client ID | Required. The client (application) ID of the Microsoft Entra app to use in the integration. |
Secret ID | Required. The client secret value of the Microsoft Entra app to use in the integration. |
Tenant | Required. The Microsoft Entra ID (tenant ID) value. |
Default Mailbox | Required. The default mailbox to use in the integration. |
Verify SSL | Required. If selected, the integration verifies that the SSL certificate for the connection to the Microsoft Graph server is valid. Selected by default. |
For detailed instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
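The parameters above map onto a standard OAuth 2.0 client credentials token request. The following Python is an added example, not the integration's own code: it builds that request from the Azure AD endpoint, Tenant, Client ID, Secret ID and Microsoft Graph Endpoint values, turns Verify SSL into a TLS setting, and checks an app token's roles claim against the application permissions listed under Configure API permissions. The token URL layout and the roles claim are assumed to follow the Microsoft identity platform's documented behaviour; the sample token is constructed.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Application permissions the page lists for the app registration. User.Read is
# left out of the check: it is a delegated permission and never shows up in the
# "roles" claim of an app-only token, so it cannot be confirmed from the token.
REQUIRED_APP_PERMISSIONS = (
    "Mail.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "MailboxSettings.Read",
    "MailboxSettings.ReadWrite",
    "Directory.Read.All",
)


def build_token_request(azure_ad_endpoint, tenant, client_id, client_secret,
                        graph_endpoint):
    """Return (url, form_body) for the OAuth 2.0 client credentials grant.

    Token URL: <Azure AD endpoint>/<tenant>/oauth2/v2.0/token. The scope
    <Graph endpoint>/.default asks for every application permission the tenant
    admin consented to, which is why no redirect URL is involved.
    """
    url = f"{azure_ad_endpoint.rstrip('/')}/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint.rstrip('/')}/.default",
    }).encode()
    return url, body


def ssl_context_for(verify_ssl):
    """Map the Verify SSL parameter onto an ssl.SSLContext.

    With verification off, any certificate is accepted, so the client secret
    and the bearer token are exposed to an on-path attacker; keep it selected.
    """
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the application permissions ("roles" claim) carried by an app token.

    The signature is not verified here; Graph checks it on every request. This
    only reads the claims to see what admin consent actually granted.
    """
    try:
        claims = json.loads(b64url_decode(access_token.split(".")[1]))
        return set(claims.get("roles", []))
    except (IndexError, ValueError, AttributeError):
        return set()


def missing_permissions(access_token, required=REQUIRED_APP_PERMISSIONS):
    """List the required permissions that the token does not carry, in page order."""
    granted = token_roles(access_token)
    return [perm for perm in required if perm not in granted]


def request_token(azure_ad_endpoint, tenant, client_id, client_secret,
                  graph_endpoint, verify_ssl=True):
    """Perform the token request; the only function here that uses the network."""
    url, body = build_token_request(azure_ad_endpoint, tenant, client_id,
                                    client_secret, graph_endpoint)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, context=ssl_context_for(verify_ssl)) as resp:
        return json.load(resp)["access_token"]


def sample_token(roles):
    """Constructed, unsigned JWT-shaped string for offline use; it grants nothing."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'aud': 'https://graph.microsoft.com', 'roles': roles})}."


if __name__ == "__main__":
    url, body = build_token_request("https://login.microsoftonline.com", "TENANT_ID",
                                    "CLIENT_ID", "CLIENT_SECRET", "https://graph.microsoft.com")
    print(url, body.decode())
    print("missing:", missing_permissions(sample_token(["Mail.Read", "Mail.Send"])))
```

Running missing_permissions on a freshly issued token right after granting admin consent is a quick way to confirm the consent actually took effect before the Ping action is wired into a playbook.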
Actions
Before you configure actions, provide the required permissions for the integration. For more detail, see the Configure API permissions section of this document.
Get Mailbox Account Out Of Facility Settings
Use the Get Mailbox Account Out Of Facility Settings action to retrieve the mailbox account out of facility (OOF) settings for the Google SecOps User entity provided.
The Get Mailbox Account Out Of Facility Settings action uses the beta version of Microsoft Graph API.
This action runs on the Google SecOps User entity.
Action inputs
None.
Action outputs
The Get Mailbox Account Out Of Facility Settings action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Mailbox Account Out Of Facility Settings action:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#communications/presences/$entity",
  "id": "ID",
  "availability": "Offline",
  "activity": "Offline",
  "statusMessage": null,
  "outOfOfficeSettings": {
    "message": "\n\nOut Of Facility111\n",
    "isOutOfOffice": true
  }
}
Output messages
The Get Mailbox Account Out Of Facility Settings action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
 | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Mailbox Account Out Of Facility Settings action:
Script result name | Value |
---|---|
is_success | True or False |
Delete Email
You can use the Delete Email action to delete one or more emails from a mailbox. This action deletes emails based on your search criteria. With the appropriate permissions, the Delete Email action can move emails into different mailboxes.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
This action doesn't run on entities.
Action inputs
The Delete Email action requires the following parameters:
Parameter | Description |
---|---|
Delete In Mailbox | Required. The default mailbox to execute the delete operation in. If permissions allow it, the action executes the search in other mailboxes. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. A mailbox folder to search an email in. |
Mail IDs | Optional. A filter condition to search for emails with specific email IDs. This parameter accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the |
Subject Filter | Optional. A filter condition that specifies the email subject to search for. |
Sender Filter | Optional. A filter condition that specifies the sender of requested emails. |
Time Frame (minutes) | Optional. A filter condition that specifies the timeframe in minutes to search for emails. |
Only Unread | Optional. If selected, the action searches only for unread emails. Not selected by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). The default value is 25. |
Action outputs
The following table describes the output types associated with the Delete Email action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Delete Email action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Delete Email action:
Script result name | Value |
---|---|
is_success | True or False |
Download Attachments From Email
Use the Download Attachments From Email action to download attachments from emails based on the criteria provided.
This action doesn't run on entities.
This action is asynchronous. If necessary, adjust the script timeout value in the Google SecOps IDE.
The action replaces the forward slash (/) and backslash (\) characters in the names of the downloaded attachments with the underscore (_) character.
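The following Python is an added example, not the integration's code, of the name rewrite just described together with the containment check a download routine should make so that a sender-chosen attachment name cannot place a file outside the Download Path. The per-message subdirectory used for the "unique path" case is an assumption about that option's layout.

```python
import posixpath
import re

SLASHES = re.compile(r"[\\/]")


def sanitize_attachment_name(name):
    """Apply the action's rewrite: forward slashes and backslashes become underscores.

    After the rewrite the name is a single path component, so it cannot climb
    directories; the only leftovers are ".", ".." and the empty string, which
    get a fixed fallback name instead.
    """
    cleaned = SLASHES.sub("_", name).strip()
    if cleaned in ("", ".", ".."):
        return "attachment"
    return cleaned


def attachment_destination(download_path, attachment_name, mail_id=None,
                           unique_path=False):
    """Return the Unix-style path an attachment is written to under download_path.

    With unique_path=True the file goes into a per-message subdirectory named
    after the (sanitized) mail ID; that layout is an assumption. Raises
    ValueError if the result does not stay inside download_path.
    """
    root = posixpath.normpath(download_path)
    parts = [root]
    if unique_path:
        if not mail_id:
            raise ValueError("unique_path requires a mail_id")
        parts.append(sanitize_attachment_name(mail_id))
    parts.append(sanitize_attachment_name(attachment_name))
    dest = posixpath.normpath(posixpath.join(*parts))
    # Containment check that does not depend on the sanitizer being right.
    if dest == root or not dest.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"refusing to write outside {root}: {dest}")
    return dest


if __name__ == "__main__":
    # Constructed attachment names, including the traversal-shaped ones.
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\x.exe", "..", " "):
        print(repr(name), "->", attachment_destination("/tmp/attachments", name))
```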
Action inputs
The Download Attachments From Email action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. A mailbox folder to execute the search in. |
Download Destination | Required. A destination to save the downloaded attachments to. By default, the action attempts to save the attachment to the Cloud Storage bucket. Saving an attachment to the local file system is a fallback option. Possible values are |
Download Path | Required. A path to download attachments to. When saving attachments to the Cloud Storage bucket or a local file system, the action expects you to specify the download path in the Unix-like format, such as |
Mail IDs | Optional. A filter condition to search for emails with specific email IDs. This parameter accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the |
Subject Filter | Optional. A filter condition that specifies the email subject to search for. This filter uses the |
Sender Filter | Optional. A filter condition that specifies the sender of requested emails. This filter uses the |
Download Attachments from EML | Optional. If selected, the action downloads attachments from EML files. Not selected by default. |
Download Attachments to unique path? | Optional. If selected, the action downloads attachments to the unique path provided in the Not selected by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). The default value is 25. |
Action outputs
The Download Attachments From Email action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Download Attachments From Email action:
[
  {
    "attachment_name": "name1.png",
    "downloaded_path": "file_path/name1.png"
  },
  {
    "attachment_name": "name2.png",
    "downloaded_path": "file_path/name2.png"
  }
]
Output messages
The Download Attachments From Email action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
 | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Download Attachments From Email action:
Script result name | Value |
---|---|
is_success | True or False |
Extract Data From Attached EML
Use the Extract Data From Attached EML action to retrieve data from the email EML attachments and return it in the action results. This action supports the .eml, .msg, and .ics file formats.
This action doesn't run on entities.
Action inputs
The Extract Data From Attached EML action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Optional. A mailbox folder to execute the search in. |
Mail IDs | Required. A filter condition to search for emails with specific email IDs. This parameter accepts a comma-separated list of email IDs to search for. |
Regex Map JSON | Optional. A JSON definition that contains regular expressions to apply to the attached email file and generate additional key values in the action JSON result. The example of this parameter value is as follows: |
Action outputs
The Extract Data From Attached EML action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Extract Data From Attached EML action:
[
  {
    "type": "EML",
    "subject": "examplesubject",
    "from": "sender@example.com",
    "to": "user1@example.com,user2@example.com",
    "date": "Thu, 4 Jul 2024 12:11:29 +0530",
    "text": "text",
    "html": "<p>example-html</p>",
    "regex": {},
    "regex_from_text_part": {},
    "id": "ID",
    "name": "example.eml"
  },
  {
    "type": "MSG",
    "subject": "examplesubject",
    "from": "user@example.com",
    "to": "user1@example.com,user2@example.com",
    "date": "Thu, 4 Jul 2024 12:11:29 +0530",
    "text": "text",
    "html": "<p>examplehtml</p>",
    "regex": {},
    "regex_from_text_part": {},
    "id": "ID",
    "name": "example.msg"
  },
  {
    "type": "ICS",
    "subject": "examplesubject",
    "from": "sender@example.com",
    "to": "user1@example.com,user2@example.com",
    "date": "Thu, 4 Jul 2024 12:11:29 +0530",
    "text": "text",
    "html": "<p>example-html</p>",
    "regex": {},
    "regex_from_text_part": {},
    "id": "ID",
    "name": "example.ics"
  }
]
Output messages
The Extract Data From Attached EML action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Extract Data From Attached EML action:
Script result name | Value |
---|---|
is_success | True or False |
Forward Email
Use the Forward Email action to forward emails that include previous threads. With the appropriate permissions, this action can send emails from a mailbox different than the one specified in the integration configuration.
This action doesn't run on entities.
Action inputs
The Forward Email action requires the following parameters:
Parameter | Description |
---|---|
Send From | Required. An optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox that is specified in the integration configuration. |
Folder Name | Optional. A mailbox folder to search an email in. |
Mail ID | Required. The ID of the email to forward. |
Subject | Required. The email subject. |
Send to | Required. A comma-separated list of email addresses for the email recipients, such as |
CC | Optional. A comma-separated list of email addresses for the email CC field. The format is the same as for the |
BCC | Optional. A comma-separated list of email addresses for the email BCC field. The format is the same as for the |
Attachments Paths | Optional. A comma-separated list of paths for file attachments stored on the server, for example, |
Mail content | Required. The email body. |
Action outputs
The following table describes the output types associated with the Forward Email action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Forward Email action provides the following output messages:
Output message | Message description |
---|---|
Email with message ID MAIL_ID was forwarded successfully. | Action succeeded. |
 | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Forward Email action:
Script result name | Value |
---|---|
is_success | True or False |
Mark Email as Junk
Use the Mark Email as Junk action to mark emails as junk in a specified mailbox. This action adds the email sender to the list of blocked senders and moves the message to the Junk Email folder.
The Mark Email as Junk action uses the beta version of Microsoft Graph API.
This action doesn't run on Google SecOps entities.
Action inputs
The Mark Email as Junk action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. A mailbox to search for an email in. By default, the action attempts to search for the email in the default mailbox that you specified in the integration configuration. To execute a search in other mailboxes, configure appropriate permissions for the action. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. A mailbox folder to execute the search in. The default value is |
Mail IDs | Required. The IDs or This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Mark Email as Junk action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Mark Email as Junk action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
 | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Mark Email as Junk action:
Script result name | Value |
---|---|
is_success | True or False |
Mark Email as Not Junk
Use the Mark Email as Not Junk action to mark emails as not junk in a specific mailbox. This action removes the sender from the list of blocked senders and moves the message to the Inbox folder.
The Mark Email as Not Junk action uses the beta version of Microsoft Graph API.
This action doesn't run on Google SecOps entities.
Action inputs
The Mark Email as Not Junk action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. A mailbox to search for an email in. By default, the action attempts to search for the email in the default mailbox that you specified in the integration configuration. To execute a search in other mailboxes, configure appropriate permissions for the action. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. A mailbox folder to execute the search in. |
Mail IDs | Required. The IDs or This parameter accepts multiple values as a comma-separated string. |
Action outputs
The Mark Email as Not Junk action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Mark Email as Not Junk action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
 | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Mark Email as Not Junk action:
Script result name | Value |
---|---|
is_success | True or False |
Move Email To Folder
Use the Move Email To Folder action to move one or multiple emails from the source email folder to the other folder in the mailbox. With the appropriate permissions, this action can move emails to other mailboxes different from the one that is provided in the integration configuration.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
This action doesn't run on entities.
Action inputs
To configure the Move Email To Folder action, use the following parameters:
Parameter | Description |
---|---|
Move In Mailbox | Required. The default mailbox to execute the move operation in. If permissions allow it, the action can search in other mailboxes as well. This parameter accepts multiple values as a comma-separated string. |
Source Folder Name | Required. A source folder to move the email from. |
Destination Folder Name | Required. A destination folder to move the email to. Provide the parameter value in the following format: |
Mail IDs | Optional. A filter condition to search for emails with specific email IDs. This parameter accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the |
Subject Filter | Optional. A filter condition that specifies the email subject to search for. This filter uses the |
Sender Filter | Optional. A filter condition that specifies the sender of requested emails. This filter uses the |
Time Frame (minutes) | Optional. A filter condition that specifies the timeframe in minutes to search for emails. |
Only Unread | Optional. If selected, the action searches only for unread emails. Not selected by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). The default value is 25. |
Action outputs
The following table describes the output types associated with the Move Email To Folder action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Move Email To Folder action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Move Email To Folder action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test connectivity to the Microsoft Graph mail service.
This action doesn't run on entities.
Action inputs
None.
Action outputs
The following table describes the output types associated with the Ping action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Microsoft Graph mail service with the provided connection parameters! | Action succeeded. |
Failed to connect to the Microsoft Graph mail service! Error is ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Save Email To The Case
Use the Save Email To The Case action to save emails or email attachments to the Google SecOps Case Wall. With the appropriate permissions, this action can save emails from mailboxes other than the one provided in the integration configuration.
This action doesn't run on entities.
Action inputs
The Save Email To The Case action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes. |
Folder Name | Optional. A mailbox folder to execute the search in. |
Mail ID | Required. The email ID to search for. This parameter accepts a comma-separated list of email IDs to search for. |
Save Only Email Attachments | Optional. If selected, the action saves only attachments from the specified email. Not selected by default. |
Attachment To Save | Optional. If the This parameter accepts multiple values as a comma-separated string. |
Action outputs
The following table describes the output types associated with the Save Email To The Case action:
Action output type | Availability |
---|---|
Case wall attachment | Available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall attachment
The following attachments are associated with the Save Email To The Case action:
- EMAIL_SUBJECT.eml, if the action saves the email.
- If the action saves the attachment, the attachment name contains a file extension, if any.
JSON result
The following example describes the JSON result output received when using the Save Email To The Case action:
{
  "id": "ID",
  "createdDateTime": "2024-02-16T14:10:34Z",
  "eml_info": "example_info",
  "lastModifiedDateTime": "2024-02-16T14:10:41Z",
  "changeKey": "cxsdjjh",
  "categories": [],
  "receivedDateTime": "2024-02-16T14:10:35Z",
  "sentDateTime": "2024-02-16T14:09:36Z",
  "hasAttachments": true,
  "internetMessageId": "INTERNET_MESSAGE_ID",
  "subject": "all attachments",
  "bodyPreview": "all the attachments",
  "importance": "normal",
  "parentFolderId": "PARENT_FOLDER_ID",
  "conversationId": "CONVERSATION_ID",
  "conversationIndex": "example-index",
  "isDeliveryReceiptRequested": false,
  "isReadReceiptRequested": false,
  "isRead": true,
  "isDraft": false,
  "webLink": "https://example.com/",
  "inferenceClassification": "focused",
  "body": {
    "contentType": "html",
    "content": "<html><head>example-html</head></html>"
  },
  "sender": {
    "emailAddress": {
      "name": "NAME",
      "address": "sender@example.com"
    }
  },
  "from": {
    "emailAddress": {
      "name": "NAME",
      "address": "user@example.com"
    }
  },
  "toRecipients": [
    {
      "emailAddress": {
        "name": "NAME",
        "address": "recipient@example.com"
      }
    }
  ],
  "ccRecipients": [],
  "bccRecipients": [],
  "replyTo": [],
  "flag": {
    "flagStatus": "notFlagged"
  }
}
Output messages
On a Case Wall, the Save Email To The Case action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Save Email To The Case action:
Script result name | Value |
---|---|
is_success | True or False |
Search Emails
Use the Search Emails action to execute email search in the default mailbox based on the provided search criteria. With appropriate permissions, this action can run a search in other mailboxes.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
This action doesn't run on entities.
Action inputs
The Search Emails action requires the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes. This parameter accepts multiple values as a comma-separated string. For complex searches against a significant number of mailboxes, use the Exchange Extension Pack integration. |
Folder Name | Required. A mailbox folder to execute the search in. |
Subject Filter | Optional. A filter condition that specifies the email subject to search for. This filter uses the |
Sender Filter | Optional. A filter condition that specifies the sender of requested emails. This filter uses the |
Time Frame (minutes) | Optional. A filter condition that specifies the timeframe in minutes to search for emails. |
Max Emails To Return | Optional. The number of emails for the action to return. If you provide no value, the API default value is used. |
Only Unread | Optional. If selected, the action searches only for unread emails. Not selected by default. |
Select All Fields For Return | Optional. If selected, the action returns all available fields for the obtained email. Not selected by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). The default value is 25. |
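The mailbox, folder, Subject Filter, Sender Filter, Time Frame, Only Unread, Max Emails and batch-size parameters above are shared with the Delete Email, Move Email To Folder and Download Attachments From Email actions (which add Mail IDs). The following Python is an added example, not the integration's code: it turns those parameters into Microsoft Graph message requests. The endpoint paths and OData syntax are Graph's; that the integration itself builds a $filter this way, and the default field list, are assumptions.

```python
import urllib.parse
from datetime import datetime, timedelta, timezone

# Assumed field list behind the Matching Mails case wall table (Mail ID, Subject,
# Sender, Receivers, Received Date), used when Select All Fields For Return is off.
DEFAULT_SELECT = "id,subject,from,toRecipients,receivedDateTime"


def odata_quote(value):
    """Quote a string for an OData literal; a quote inside it is doubled so a
    value such as O'Brien cannot terminate the literal and alter the filter."""
    return "'" + value.replace("'", "''") + "'"


def build_filter(subject_filter=None, sender_filter=None, time_frame_minutes=None,
                 only_unread=False, now=None):
    """Combine the filter parameters into one $filter expression, or None.

    now may be a timezone-aware datetime or an ISO 8601 string; it defaults to
    the current UTC time and is a parameter only to keep results reproducible.
    """
    clauses = []
    if subject_filter:
        clauses.append(f"contains(subject,{odata_quote(subject_filter)})")
    if sender_filter:
        clauses.append(f"from/emailAddress/address eq {odata_quote(sender_filter)}")
    if time_frame_minutes:
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        now = now or datetime.now(timezone.utc)
        since = now - timedelta(minutes=int(time_frame_minutes))
        clauses.append("receivedDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ"))
    if only_unread:
        clauses.append("isRead eq false")
    return " and ".join(clauses) or None


def message_urls(graph_endpoint, mailbox, folder_name, mail_ids=None,
                 max_emails=None, select_all_fields=False, **filters):
    """Return the Graph URLs to request for one mailbox.

    A Mail IDs list takes precedence over the other filters, as the page states:
    each ID becomes its own /messages/{id} request. Otherwise one search URL is
    built from the filter parameters. Path segments are percent-encoded with
    quote(safe='') so a mailbox or folder value cannot add path components.
    """
    base = "{}/v1.0/users/{}/mailFolders/{}/messages".format(
        graph_endpoint.rstrip("/"),
        urllib.parse.quote(mailbox.strip(), safe=""),
        urllib.parse.quote(folder_name.strip(), safe=""))
    if mail_ids:
        ids = [i.strip() for i in mail_ids.split(",") if i.strip()]
        return [f"{base}/{urllib.parse.quote(i, safe='')}" for i in ids]
    query = {}
    flt = build_filter(**filters)
    if flt:
        query["$filter"] = flt
    if not select_all_fields:
        query["$select"] = DEFAULT_SELECT
    if max_emails:
        query["$top"] = str(int(max_emails))
    return [base + ("?" + urllib.parse.urlencode(query) if query else "")]


def query_params(url):
    """Decode the query string of a URL built above (useful for checking it)."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return {k: v[0] for k, v in parsed.items()}


def mailbox_batches(search_in_mailbox, batch_size=25):
    """Split the comma-separated mailbox list into batches of batch_size,
    mirroring the "How many mailboxes to process in a single batch" parameter."""
    boxes = [m.strip() for m in search_in_mailbox.split(",") if m.strip()]
    return [boxes[i:i + batch_size] for i in range(0, len(boxes), batch_size)]


if __name__ == "__main__":
    # Constructed parameter values.
    for box in mailbox_batches("soc@example.com, ir@example.com", 25)[0]:
        for url in message_urls("https://graph.microsoft.com", box, "Inbox",
                                subject_filter="O'Brien invoice", time_frame_minutes=60,
                                only_unread=True, max_emails=50):
            print(url)
```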
Action outputs
The following table describes the output types associated with the Search Emails action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Case wall table
On a Case Wall, the Search Emails action provides the following table:
Table title: Matching Mails
Columns:
- Mail ID
- Subject
- Sender
- Receivers
- Received Date
Output messages
The Search Emails action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Search Emails action:
Script result name | Value |
---|---|
is_success | True or False |
Send Email
Use the Send Email action to send emails from a specific mailbox to an arbitrary list of recipients.
This action can send either plain text or HTML-formatted emails. With appropriate permissions, the action can send emails from a mailbox different than the one specified in the integration configuration.
This action doesn't run on entities.
Action inputs
The Send Email action requires the following parameters:
Parameter | Description |
---|---|
Send From | Required. An optional email address from which to send emails if permissions allow it. By default, the action sends emails from the default mailbox specified in the integration configuration. |
Subject | Required. The email subject. |
Send to | Required. A comma-separated list of email addresses for the email recipients, such as |
CC | Optional. A comma-separated list of email addresses for the email CC field. The format is the same as for the |
BCC | Optional. A comma-separated list of email addresses for the email BCC field. The format is the same as for the |
Attachments Paths | Optional. A comma-separated list of paths for file attachments stored on the server, for example, |
Mail Content Type | Optional. The type of the email content. The default value is Possible values: |
Mail Content | Required. The email body. |
Reply-To Recipients | Optional. A comma-separated list of recipients to use in the Reply-To header. Use the Reply-To header to redirect reply emails to the specific email address instead of the sender address that is stated in the From field. |
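The following Python is an added example, not the integration's code, that assembles the Microsoft Graph sendMail request from the parameters above: Send From falling back to the Default Mailbox, the comma-separated recipient lists, Reply-To Recipients, Mail Content Type and attachments. The sendMail endpoint and body shape are Graph's; attachment bytes are passed in directly (constructed here) rather than read from Attachments Paths on a server, so the block runs anywhere.

```python
import base64
import json
import posixpath
import urllib.parse


def recipients(csv):
    """Turn a comma-separated address list into Graph recipient objects ([] for none)."""
    return [{"emailAddress": {"address": a.strip()}}
            for a in (csv or "").split(",") if a.strip()]


def file_attachment(path, content):
    """Graph fileAttachment: base64 bytes plus the base name of the server path."""
    return {
        "@odata.type": "#microsoft.graph.fileAttachment",
        "name": posixpath.basename(path),
        "contentBytes": base64.b64encode(content).decode("ascii"),
    }


def build_send_mail(graph_endpoint, default_mailbox, subject, send_to, mail_content,
                    send_from=None, cc=None, bcc=None, reply_to=None,
                    content_type="Text", attachments=None, save_to_sent_items=True):
    """Return (url, body) for POST /users/{mailbox}/sendMail; json.dumps(body) is the payload.

    attachments maps a server path to its bytes. content_type is "Text" or
    "HTML"; replyTo is what makes replies go to the Reply-To Recipients rather
    than to the Send From mailbox.
    """
    if content_type not in ("Text", "HTML"):
        raise ValueError("Mail Content Type must be Text or HTML")
    to = recipients(send_to)
    if not to:
        raise ValueError("Send to must contain at least one address")
    mailbox = (send_from or default_mailbox).strip()
    url = "{}/v1.0/users/{}/sendMail".format(
        graph_endpoint.rstrip("/"), urllib.parse.quote(mailbox, safe=""))
    message = {
        "subject": subject,
        "body": {"contentType": content_type, "content": mail_content},
        "toRecipients": to,
        "ccRecipients": recipients(cc),
        "bccRecipients": recipients(bcc),
        "replyTo": recipients(reply_to),
        "attachments": [file_attachment(p, c) for p, c in (attachments or {}).items()],
    }
    return url, {"message": message, "saveToSentItems": save_to_sent_items}


if __name__ == "__main__":
    # Constructed values; the attachment content stands in for a file on the server.
    url, body = build_send_mail(
        "https://graph.microsoft.com", "soc@example.com", "Phishing report",
        "user1@example.com, user2@example.com", "<p>See attached indicators.</p>",
        reply_to="ir@example.com", content_type="HTML",
        attachments={"/opt/siemplify/files/indicators.txt": b"1.2.3.4"})
    print(url)
    print(json.dumps(body, indent=2))
```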
Action outputs
The following table describes the output types associated with the Send Email action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Send Email action provides the following output messages:
Output message | Message description |
---|---|
| Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Send Email action:
Script result name | Value |
---|---|
is_success | True or False |
Send Email HTML
Use the Send Email HTML action to send emails using the Google SecOps HTML template from a specific mailbox to an arbitrary list of recipients. With appropriate permissions, the action can send emails from a mailbox other than the default one.
This action doesn't run on entities.
Action inputs
The Send Email HTML action requires the following parameters:
Parameter | Description |
---|---|
Send From | Required. An optional email address from which to send emails if permissions allow it. By default, the action sends emails from the default mailbox specified in the integration configuration. |
Subject | Required. The email subject. |
Send to | Required. A comma-separated list of email addresses for the email recipients, such as |
CC | Optional. A comma-separated list of email addresses for the email CC field. The format is the same as for the |
BCC | Optional. A comma-separated list of email addresses for the email BCC field. The format is the same as for the |
Attachments Paths | Optional. A full path for the attachment to provide, for example, You can provide multiple values in a comma-separated string. |
Email HTML Template | Required. The type of the HTML template to use. The default value is Possible values: |
Mail Content | Required. The email body. |
Reply-To Recipients | Optional. A comma-separated list of recipients to use in the Reply-To header. Use the Reply-To header to redirect reply emails to the specific email address instead of the sender address that is stated in the From field. |
Attachment Location | Required. A location where the attachments are stored. By default, the action attempts to upload the attachment from the Cloud Storage bucket. Possible values are |
Action outputs
The Send Email HTML action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Send Email HTML action:
{
  "createdDateTime": "2024-01-30T16:50:27Z",
  "lastModifiedDateTime": "2024-01-30T16:50:27Z",
  "changeKey": "example-key",
  "categories": [],
  "receivedDateTime": "2024-01-30T16:50:27Z",
  "sentDateTime": "2024-01-30T16:50:27Z",
  "hasAttachments": false,
  "internetMessageId": "outlook.com",
  "subject": "Testing",
  "bodyPreview": "example",
  "importance": "normal",
  "parentFolderId": "ID",
  "conversationId": "ID",
  "conversationIndex": "INDEX",
  "isDeliveryReceiptRequested": false,
  "isReadReceiptRequested": false,
  "isRead": true,
  "isDraft": false,
  "webLink": "https://example.com",
  "inferenceClassification": "focused",
  "body": {
    "contentType": "html",
    "content": "content"
  },
  "sender": {
    "emailAddress": {
      "name": "NAME",
      "address": "sender@example.com"
    }
  },
  "from": {
    "emailAddress": {
      "name": "NAME",
      "address": "user@example.com"
    }
  },
  "toRecipients": [
    {
      "emailAddress": {
        "name": "NAME",
        "address": "recipient@example.com"
      }
    }
  ],
  "ccRecipients": [],
  "bccRecipients": [],
  "replyTo": [],
  "uniqueBody": {
    "contentType": "html",
    "content": "content"
  },
  "flag": {
    "flagStatus": "notFlagged"
  },
  "id": "ID"
}
Output messages
On a Case Wall, the Send Email HTML action provides the following output messages:
Output message | Message description |
---|---|
Email was sent successfully. | Action succeeded. |
| Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Send Email HTML action:
Script result name | Value |
---|---|
is_success | True or False |
Send Thread Reply
Use the Send Thread Reply action to send a message as a reply to the email thread. With appropriate permissions, the action can send emails from a mailbox other than the one specified in the integration configuration.
This action doesn't run on entities.
Action inputs
The Send Thread Reply action requires the following parameters:
Parameter | Description |
---|---|
Send From | Required. An optional email address from which to send emails if permissions allow it. By default, the action sends emails from the default mailbox that is specified in the integration configuration. |
Mail ID | Required. The email ID to search for. |
Folder Name | Optional. A mailbox folder to execute the search in. The default value is |
Attachments Paths | Optional. A comma-separated list of paths for file attachments stored on the server, for example, |
Mail Content | Required. The email body. |
Reply All | Optional. If selected, the action sends a reply to all recipients related to the original email. Not selected by default. This parameter has priority over the |
Reply To | Optional. A comma-separated list of emails to send the reply to. If you provide no value and the If the |
Action outputs
The following table describes the output types associated with the Send Thread Reply action:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Send Thread Reply action provides the following output messages:
Output message | Message description |
---|---|
Successfully sent reply to the mail with ID: EMAIL_ID | Action succeeded. |
Error executing action "Send Thread Reply". Reason: if you want to send a reply only to your own email address, you need to work with "Reply To" parameter. | Action failed. Check the |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Send Thread Reply action:
Script result name | Value |
---|---|
is_success | True or False |
Send Vote Email
Use the Send Vote Email action to send emails with the predefined answering options. This action uses Google SecOps HTML templates to format the email. With appropriate permissions, the Send Vote Email action can send emails from a mailbox other than the default one.
This action doesn't run on entities.
Action inputs
The Send Vote Email action requires the following parameters:
Parameter | Description |
---|---|
Send From | Required. An optional email address from which to send emails if permissions allow it. By default, the action sends emails from the default mailbox specified in the integration configuration. |
Subject | Required. The email subject. |
Send to | Required. A comma-separated list of email addresses for the email recipients, such as |
CC | Optional. A comma-separated list of email addresses for the email CC field. The format is the same as for the |
BCC | Optional. A comma-separated list of email addresses for the email BCC field. The format is the same as for the |
Attachments Paths | Optional. A full path for the attachment to provide, for example, You can provide multiple values in a comma-separated string. |
Email HTML Template | Required. The type of the HTML template to use. The default value is Possible values: |
Mail Content | Required. The email body. |
Reply-To Recipients | Optional. A comma-separated list of recipients to use in the Reply-To header. Use the Reply-To header to redirect reply emails to the specific email address instead of the sender address that is stated in the From field. |
Structure of voting options | Required. The structure of the vote to send to recipients. Possible values are |
Attachment Location | Required. A location where the attachments are stored. By default, the action attempts to upload the attachment from the Cloud Storage bucket. Possible values are |
Action outputs
The Send Vote Email action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example describes the JSON result output received when using the Send Vote Email action:
{
  "createdDateTime": "2024-01-30T16:50:27Z",
  "lastModifiedDateTime": "2024-01-30T16:50:27Z",
  "changeKey": "KEY",
  "categories": [],
  "receivedDateTime": "2024-01-30T16:50:27Z",
  "sentDateTime": "2024-01-30T16:50:27Z",
  "hasAttachments": false,
  "internetMessageId": "<example-message-ID>",
  "subject": "Testing",
  "bodyPreview": "example",
  "importance": "normal",
  "parentFolderId": "FOLDER_ID",
  "conversationId": "CONVERSATION_ID",
  "conversationIndex": "CONVERSATION_INDEX",
  "isDeliveryReceiptRequested": false,
  "isReadReceiptRequested": false,
  "isRead": true,
  "isDraft": false,
  "webLink": "https://www.example.com/about",
  "inferenceClassification": "focused",
  "body": {
    "contentType": "html",
    "content": "content"
  },
  "sender": {
    "emailAddress": {
      "name": "NAME",
      "address": "sender@example.com"
    }
  },
  "from": {
    "emailAddress": {
      "name": "NAME",
      "address": "user@example.com"
    }
  },
  "toRecipients": [
    {
      "emailAddress": {
        "name": "NAME",
        "address": "recipient@example.com"
      }
    }
  ],
  "ccRecipients": [],
  "bccRecipients": [],
  "replyTo": [],
  "uniqueBody": {
    "contentType": "html",
    "content": "content"
  },
  "flag": {
    "flagStatus": "notFlagged"
  },
  "id": "ID"
}
Output messages
On a Case Wall, the Send Vote Email action provides the following output messages:
Output message | Message description |
---|---|
Email was sent successfully. | Action succeeded. |
| Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Send Vote Email action:
Script result name | Value |
---|---|
is_success | True or False |
Wait For Email From User
Use the Wait For Email From User action to wait for the user's response based on an email sent using the Send Email action.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
This action doesn't run on entities.
Action inputs
The Wait For Email From User action requires the following parameters:
Parameter | Description |
---|---|
Mail ID | Required. The ID of the email. If the email is sent using the |
Wait for All Recipients to Reply? | Optional. If selected, the action waits for responses from all recipients until reaching timeout or proceeding with the first reply. Selected by default. |
Wait Stage Exclude pattern | Optional. A regular expression to exclude specific replies from the wait stage. This parameter works with the email body. Example: the action doesn't consider automatic out-of-office messages as recipient replies, instead waiting for an actual user reply. |
Folder to Check for Reply | Optional. A mailbox email folder to search for the user reply in. The search is run in the mailbox which the email containing a question was sent from. This parameter accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. The default value is |
Fetch Response Attachments | Optional. If selected and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment to the Case Wall. Not selected by default. |
Action outputs
The following table describes the output types associated with the Wait For Email From User action:
Action output type | Availability |
---|---|
Case wall attachment | Available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Case wall attachment
The following Case Wall attachment is associated with the Wait For Email From User action:
Type: Entity
Attachment content: Title, Filename (extensions included, if any), fileContent.
- Title: RECIPIENT_EMAIL reply attachment.
- Filename: ATTACHMENT_FILENAME+FILE_EXTENSION
- fileContent: CONTENT_OF_THE_ATTACHED_FILE
Case wall table
On a Case Wall, the Wait For Email From User action generates the following table:
Table title: Matching Mails
Columns:
- Mail ID
- Received Date
- Sender
- Recipients
- Subject
Output messages
The Wait For Email From User action provides the following output messages:
Output message | Message description |
---|---|
| Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Wait For Email From User action:
Script result name | Value |
---|---|
is_success | True or False |
Wait For Vote Email Results
Use the Wait For Vote Email Results action to wait for the user response based on the vote email sent using the Send Vote Email action.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
This action doesn't run on entities.
Action inputs
The Wait For Vote Email Results action requires the following parameters:
Parameter | Description |
---|---|
Vote Mail Sent From | Required. By default, the action sends an email from the default mailbox that you specified in the integration configuration. Optionally, you can set a different value for this parameter if the vote mail is sent from a different mailbox. |
Mail ID | Required. The ID of the email. If the email is sent using the To return email IDs, you can use the |
Wait for All Recipients to Reply? | Optional. If selected, the action waits for responses from all recipients until reaching timeout or proceeding with the first reply. Selected by default. |
Wait Stage Exclude pattern | Optional. A regular expression to exclude specific replies from the wait stage. This parameter works with the email body. Example: the action doesn't consider automatic out-of-office messages as recipient replies, instead waiting for an actual user reply. |
Folder to Check for Reply | Optional. A mailbox email folder to search for the user reply in. The search is run in the mailbox which the email containing a question was sent from. This parameter accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. The default value is |
Folder to Check for Sent Mail | Optional. A mailbox folder to search for the sent mail in. It is a mailbox that you sent the email with a question from. This parameter accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. The default value is |
Fetch Response Attachments | Optional. If selected and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment to the Case Wall. Not selected by default. |
Action outputs
The Wait For Vote Email Results action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall attachment
The following Case Wall attachment is associated with the Wait For Vote Email Results action:
Type: Entity
Attachment content: Title, Filename (extensions included, if any), fileContent.
- Title: RECIPIENT_EMAIL reply attachment.
- Filename: ATTACHMENT_FILENAME+FILE_EXTENSION
- fileContent: CONTENT_OF_THE_ATTACHED_FILE
Case wall table
On a Case Wall, the Wait For Vote Email Results action generates the following table:
Table title: Matching Mails
Columns:
- Mail ID
- Received Date
- Sender
- Recipients
- Subject
JSON result
The following example describes the JSON result output received when using the Wait For Vote Email Results action:
{
  "Responses": [
    {
      "recipient": "user@example.com",
      "vote": "Approve"
    }
  ]
}
Output messages
The Wait For Vote Email Results action provides the following output messages:
Output message | Message description |
---|---|
| Action succeeded. |
| Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Wait For Vote Email Results action:
Script result name | Value |
---|---|
is_success | True or False |
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).
Microsoft Graph Mail Connector
Use the Microsoft Graph Mail Connector to fetch emails from the Microsoft Graph mail service.
Use the dynamic list to filter specific values from the email body and subject parts using regular expressions. By default, the connector uses a regular expression to filter out the URLs from the email.
Connector parameters
The connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. The name of the field where the product name is stored. The default value is |
Event Field Name | Required. The field name used to determine the event name (subtype). The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field isn't found, the environment is set to |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is |
Email exclude pattern | Optional. A regular expression to exclude specific emails from ingestion, such as spam or news. This parameter works with both the subject and body of the email. |
Script Timeout (Seconds) | Required. The timeout limit (in seconds) for the Python process running the current script. The default value is 300 seconds. |
Azure AD endpoint | Required. The Microsoft Entra endpoint to connect to. The default value is |
Microsoft Graph Endpoint | Required. The Microsoft Graph endpoint to connect to. The default value is |
Client ID | Required. For Microsoft 365 OAuth authentication, the application (client) ID of the Microsoft Entra app used in the integration. |
Client Secret | Required. For Microsoft 365 OAuth authentication, the client secret provided for the auth flow. |
Tenant (Directory) ID | Required. For Microsoft 365 OAuth authentication, the tenant (directory) ID of the Microsoft Entra app used in the integration. |
Mail Address | Required. An email address for the connector to use. |
Folder to check for emails | Required. An email folder to search for the emails. This parameter accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. The default value is |
Offset Time In Hours | Required. The number of hours before now to fetch emails from. The default value is 24 hours. |
Max Emails Per Cycle | Required. The number of emails to fetch for every connector iteration. The default value is 10 emails. |
Unread Emails Only | Optional. If selected, the connector creates cases only from unread emails. Not selected by default. |
Mark Emails as Read | Optional. If selected, the connector marks emails as read after ingesting. Not selected by default. |
Disable Overflow | Optional. If selected, the connector ignores the overflow mechanism. Not selected by default. |
Original Received Mail Prefix | Optional. A prefix to add to the extracted event keys (for example, The default value is |
Attached Mail File Prefix | Optional. A prefix to add to the extracted event keys (for example, The default value is |
Attach Original EML | Optional. If selected, the connector attaches the original email to the case info as an EML file. Not selected by default. |
Headers to add to events | Optional. A comma-separated string specifying which email headers to add to events. You can provide an exact match for headers or set this parameter value as a regular expression. |
Proxy Server Address | Optional. The address of the proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
Create a Separate Siemplify Alert per Attached Mail File | Optional. If selected, the connector creates multiple alerts, with one alert for every attached email file. This behavior is useful when you process emails with multiple email files attached and set the Google SecOps SOAR event mapping to create entities from attached email files. Not selected by default. |
Case Name Template | Optional. A custom case name. When you configure this parameter, the connector adds a new key called You can provide placeholders in the following format: Example: For placeholders, the connector uses the first Google SecOps SOAR event. The connector only handles keys containing the string value. |
Alert Name Template | Optional. A custom alert name. You can provide placeholders in the following format: Example: For placeholders, the connector uses the first Google SecOps SOAR event. The connector only handles keys containing the string value. If you provide no value or an invalid template, the connector uses the default alert name. |
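An added example, not the product's code, of how the two regex exclude parameters on this page behave: the connector's Email exclude pattern is tested against subject and body, while the Wait Stage Exclude pattern of the Wait For Email From User and Wait For Vote Email Results actions is tested against the body only, and the wait logic honours Wait for All Recipients to Reply?. Function names, the case-insensitive matching and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    """Minimal stand-in for a fetched mail item (constructed, not a Graph resource)."""
    sender: str
    subject: str
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample mailbox contents for the examples below.
SAMPLE_MAILS = [
    Message("alice@example.com", "Re: Approve change #42", "Approved, go ahead."),
    Message("bob@example.com", "Automatic reply: Approve change #42",
            "I am out of office until Monday and will reply on my return."),
    Message("newsletter@example.com", "Weekly security digest", "Top stories this week..."),
    Message("carol@example.com", "Re: Approve change #42", "Rejected, see comments."),
]


def compile_exclude(pattern):
    """Compile an exclude pattern. A malformed regex raises re.error so a typo
    fails the run visibly instead of silently ingesting or dropping everything."""
    if not pattern:
        return None
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def excluded_from_ingestion(msg, pattern):
    """Connector 'Email exclude pattern': the page says it covers subject and body."""
    rx = compile_exclude(pattern)
    if rx is None:
        return False
    return bool(rx.search(msg.subject) or rx.search(msg.body))


def excluded_from_wait_stage(msg, pattern):
    """'Wait Stage Exclude pattern': the page says it works on the email body only,
    so a signal that appears solely in the subject line is not caught here."""
    rx = compile_exclude(pattern)
    if rx is None:
        return False
    return bool(rx.search(msg.body))


def collect_replies(mails, expected_recipients, exclude_pattern, wait_for_all=True):
    """Emulate the wait stage: return (done, first_real_reply_per_recipient).

    With wait_for_all=True the stage completes only when every expected recipient
    has a non-excluded reply; otherwise the first real reply completes it.
    """
    replies = {}
    for m in mails:
        if m.sender not in expected_recipients:
            continue                      # not a recipient of the question
        if excluded_from_wait_stage(m, exclude_pattern):
            continue                      # e.g. an out-of-office auto-reply
        replies.setdefault(m.sender, m)   # keep the earliest real reply
    done = set(replies) == set(expected_recipients) if wait_for_all else bool(replies)
    return done, replies


if __name__ == "__main__":
    done, got = collect_replies(SAMPLE_MAILS, {"alice@example.com", "bob@example.com"},
                                r"out of office|automatic reply")
    print(done, sorted(got))
```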
Connector rules
The connector supports proxies.