Microsoft Graph Mail Delegated

This document explains how to integrate Microsoft Graph Mail Delegated with Google Security Operations (Google SecOps).

Before you begin

Before you configure the Microsoft Graph Mail Delegated integration in Google SecOps, complete the following steps:

  1. Create the Microsoft Entra application.

  2. Configure the API permissions for your application.

  3. Create a client secret.

  4. Generate a refresh token.

Create the Microsoft Entra application

To create the Microsoft Entra app, complete the following steps:

  1. Sign in to the Azure portal as a user administrator or a password administrator.

  2. Select Microsoft Entra ID.

  3. Go to App registrations > New registration.

  4. Enter the name of the application.

  5. Select suitable supported account types.

  6. Configure the redirect URI with the following values:

    1. Platform: Web

    2. Redirect URL: http://localhost

  7. Click Register.

  8. Save the Application (client) ID and Directory (tenant) ID values to configure the integration parameters.

Configure API permissions

To configure the API permissions for the integration, complete the following steps:

  1. In Azure portal, go to API Permissions > Add a permission.

  2. Select Microsoft Graph > Application permissions.

  3. In the Select Permissions section, select the following required permissions:

    • Mail.Read
    • Mail.ReadWrite
    • Mail.Send
    • User.Read
    • Directory.Read.All

  4. Click Add permissions.

  5. Click Grant admin consent for ORGANIZATION_NAME.

    When the Grant admin consent confirmation dialog appears, click Yes.

Create a client secret

To create a client secret, complete the following steps:

  1. Go to Certificates and secrets > New client secret.

  2. Provide a description for a client secret and set its expiration deadline.

  3. Click Add.

  4. Save the value of the client secret (not the secret ID) to use it as the Client Secret Value parameter value when you configure the integration. The client secret value is only displayed once.

Generate a refresh token

To generate a refresh token, complete the following steps:

  1. Configure the integration parameters (except the Refresh Token parameter) and save them.

  2. Optional: Simulate a case in Google SecOps.

  3. Run the Get Authorization action.

  4. Run the Generate Token action.

  5. Configure the Refresh Token parameter.

Optional: Simulate a case

To generate a refresh token, run manual actions on any case. If your Google SecOps instance is new and has no existing cases, simulate a case.

To simulate a case in Google SecOps, follow these steps:

  1. In the left navigation, select Cases.

  2. On the Cases page, click add Add a Case > Simulate Cases.

  3. Select any of the default cases and click Create. It doesn't matter what case you choose to simulate.

  4. Click Simulate.

    If you have an environment other than default and would like to use it, select the correct environment and click Simulate.

  5. In the Cases tab, click Refresh. The case you simulated appears in the case list.

Run the Get Authorization action

To manually run the Get Authorization action, complete the following steps:

  1. In the Cases tab, select any case or use the simulated case to open a Case View.

  2. In the Case View, click Manual Action.

  3. In the manual action Search field, enter Microsoft Graph Mail Delegated.

  4. In the results under the Microsoft Graph Mail Delegated integration, select Get Authorization. This action returns an authorization link that is used to interactively sign in to the Microsoft Entra application.

  5. Click Execute.

  6. After the action is executed, go to Case Wall of the case. In the Microsoft Graph Mail Delegated_Get Authorization action record, click View More. Copy the authorization link.

  7. Open a new browser window in incognito mode and paste the generated authorization URL. The Azure sign-in page opens.

  8. Sign in with the user credentials that you used for the integration. After you sign in, your browser redirects you to an address with a code in the address bar.

    The browser is expected to display an error because the application redirects you to http://localhost.

  9. Copy the entire URL with the access code from the address bar.

Run the Generate Token action

To manually run the Generate Token action, complete the following steps:

  1. In the Cases tab, select any case or use the simulated case to open a Case View.

  2. In the Case View tab, click Manual Action.

  3. In the manual action Search field, enter Microsoft Graph Mail Delegated.

  4. In the results under the Microsoft Graph Mail Delegated integration, select Generate Token.

  5. In the Authorization URL field, paste the whole URL with the access code that you copied after running the Get Authentication action.

  6. Click Execute.

  7. After the action is executed, go to Case Wall of the case. In the Microsoft Graph Mail Delegated_Generate Token action record, click View More.

  8. Copy the entire value of the generated refresh token.

Configure the Refresh Token parameter

  1. Go to the configuration dialog for the Microsoft Graph Mail Delegated integration.

  2. Enter the refresh token value that you obtained in the Generate Token action into the Refresh Token field.

  3. Click Save.

  4. Click Test to test if the configuration is correct and the integration works as expected.

Integration parameters

The Microsoft Graph Mail Delegated integration requires the following parameters:
Parameter Description
Microsoft Entra ID Endpoint

Required.

The Microsoft Entra ID endpoint to use in the integration.

The value can be different for different tenant types.

The default value is https://login.microsoftonline.com.
Microsoft Graph Endpoint

Required.

The Microsoft Graph endpoint to use in the integration.

The value can be different for different tenant types.

The default value is https://graph.microsoft.com.
Client ID

Required.

The client (application) ID of the Microsoft Entra application to use in the integration.
Client Secret Value

Required.

The client secret value of the Microsoft Entra application to use in the integration.
Microsoft Entra ID Directory ID

Required.

The Microsoft Entra ID (tenant ID) value.
User Mailbox

Required.

The mailbox to use in the integration.
Refresh Token

Required.

The refresh token used to authenticate.
Redirect URL

Required.

The redirect URL that you configured when you created your Microsoft Entra ID application.

The default value is http://localhost.
Mail Field Source

Required.

If selected, the integration retrieves the mailbox address from the user details mail attribute. If not selected, the integration retrieves the mailbox address from the userPrincipalName field.

Selected by default.
Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to Microsoft Graph.

Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

Before you configure actions, provide the required permissions for the integration. For more detail, see the Configure API permissions section of this document.

Delete Email

You can use the Delete Email action to delete one or more emails from a mailbox. This action deletes emails based on your search criteria. With the appropriate permissions, the Delete Email action can move emails into different mailboxes.

This action is asynchronous. Adjust the action timeout in the Google SecOps integrated development environment (IDE) as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Delete Email action requires the following parameters:

Parameter Description
Delete In Mailbox

Required.

The default mailbox where to run the delete operation. If permissions allow, the action can also search in other mailboxes. This parameter accepts multiple values as a comma-separated string.
Folder Name

Required.

A mailbox folder to search for email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Mail IDs

Optional.

A filter condition to search for emails with specific email IDs.

This parameter accepts a comma-separated list of email IDs to search for.

If this parameter is provided, the search ignores the Subject Filter and Sender Filter parameters.
Subject Filter

Optional.

A filter condition that specifies the email subject to search.
Sender Filter

Optional.

A filter condition that specifies the sender of requested emails.
Timeframe (Minutes)

Optional.

A filter condition that specifies the timeframe in minutes to search for emails.
Only Unread

Optional.

If selected, the action searches only for unread emails.

Not selected by default.
How many mailboxes to process in a single batch

Optional.

The number of mailboxes to process in a single batch (single connection to the mail server).

The default value is 25.

Action outputs

The following table describes the output types associated with the Delete Email action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Delete Email action provides the following output messages:

Output message Message description

Successfully deleted emails in the following mailboxes: MAILBOX_NAME: DELETED_EMAILS_NUMBER

Mailbox MAILBOX was not found.

 Action succeeded.

Action was not able to find any emails based on the specified search criteria.

Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Delete Email action:

Script result name Value
is_success True or False

Download Attachments From Email

Use the Download Attachments From Email action to download attachments from emails based on the criteria provided.

This action doesn't run on Google SecOps entities.

This action is asynchronous. If necessary, adjust the script timeout value in the Google SecOps IDE.

The action replaces the \` forward slash or/backslash characters in the names of the downloaded attachments with the_` underscore character.

Action inputs

The Download Attachments From Email action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

The default mailbox where the search operation runs. If permissions allow, the action can also search in other mailboxes. This parameter accepts multiple values as a comma-separated string.
Folder Name

Required.

A mailbox folder where to run the search. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Download Destination

Required.

A storage type to save the downloaded attachments.

By default, the action attempts to save the attachment to the Cloud Storage bucket. Saving an attachment to the local file system is a fallback option.

The possible values are GCP Bucket and Local File System. The default value is GCP Bucket.
Download Path

Required.

A path to download attachments.

When saving attachments to the Cloud Storage bucket or a local file system, the action expects you to specify the download path in the Unix-like format, such as /tmp/test.
Mail IDs

Optional.

A filter condition to search for emails with specific email IDs.

This parameter accepts a comma-separated list of email IDs to search for.

If this parameter is provided, the search ignores the Subject Filter and Sender Filter parameters.
Subject Filter

Optional.

A filter condition that specifies the email subject to search for.

This filter uses the contains logic.
Sender Filter

Optional.

A filter condition that specifies the sender of requested emails.

This filter uses the equals logic.
Download Attachments From EML

Optional.

If selected, the action downloads attachments from EML files.

Not selected by default.
Download attachments to unique path?

Optional.

If selected, the action downloads attachments to the unique path provided in the Download Path parameter field to avoid overwriting any previously downloaded attachments.

Not selected by default.
How many mailboxes to process in a single batch

Optional.

The number of mailboxes to process in a single batch (single connection to the mail server).

The default value is 25.

Action outputs

The Download Attachments From Email action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when you use the Download Attachments From Email action:

[
    {
        "attachment_name": "name1.png",
        "downloaded_path": "file_path/name1.png"
    },
    {
        "attachment_name": "name2.png",
        "downloaded_path": "file_path/name2.png"
    }
]
Output messages

The Download Attachments From Email action provides the following output messages:

Output message Message description

Downloaded NUMBER_OF_ATTACHMENTS attachments. Files: PATHS.

Failed to find emails in MAILBOX with the following mail ids: EMAIL_IDS.

In the mailboxes listed below, emails were found, but there were no attachments to download. Affected mailboxes: MAILBOXES. Mail IDs without attachments to download: LIST_OF_EMAIL_IDS attachments.

 Action succeeded.

Failed to find any emails using the provided criteria!

Failed to find any of the provided mailboxes: MAILBOXES

Action failed to run because the provided mailbox folder name FOLDER_NAME was not found in the mailbox MAILBOX.

Error executing action. Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when using the Download Attachments From Email action:

Script result name Value
is_success True or False

Extract Data From Attached EML

Use the Extract Data From Attached EML action to retrieve data from the email EML attachments and return it in the action results. This action supports the .eml, .msg, and .ics file formats.

This action doesn't run on Google SecOps entities.

Action inputs

The Extract Data From Attached EML action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

The default mailbox where the search operation runs. If permissions allow, the action can also search in other mailboxes. This parameter accepts multiple values as a comma-separated string.
Folder Name

Optional.

A mailbox folder where to run the search. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Mail IDs

Required.

A filter condition to search for emails with specific email IDs.

This parameter accepts a comma-separated list of email IDs to search for.
Regex Map JSON

Optional.

A JSON definition that contains regular expressions to apply to the attached email file and generate additional key values in the action JSON result. The example of this parameter value is as follows:

{ips: \\b\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\b}

Action outputs

The Extract Data From Attached EML action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when using the Extract Data From Attached EML action:

[
    {
        "type": "EML",
        "subject": "examplesubject",
        "from": "sender@example.com",
        "to": "user1@example.com,user2@example.com",
        "date": "Thu,4Jul202412:11:29+0530",
        "text": "text",
        "html": "<p>example-html</p>",
        "regex": {},
        "regex_from_text_part": {},
        "id": "ID",
        "name": "example.eml"
    },
    {
        "type": "MSG",
        "subject": "examplesubject",
        "from": "user@example.com",
        "to": "user1@example.com,user2@example.com",
        "date": "Thu,4Jul202412:11:29+0530",
        "text": "text",
        "html": "<p>examplehtml</p>",
        "regex": {},
        "regex_from_text_part": {},
        "id": "ID",
        "name": "example.msg"
    },
    {
        "type": "ICS",
        "subject": "examplesubject",
        "from": "sender@example.com",
        "to": "user1@example.com,user2@example.com",
        "date": "Thu,4Jul202412:11:29+0530",
        "text": "text",
        "html": "<p>example-html</p>",
        "regex": {},
        "regex_from_text_part": {},
        "id": "ID",
        "name": "example.ics"
    }
]
Output messages

The Extract Data From Attached EML action provides the following output messages:

Output message Message description

Extracted data from ATTACHMENT_NAMES attached email files. Files: PATHS

Failed to find emails in MAILBOX with the following mail ids: MAIL_ID_LIST

 Action succeeded.

Failed to find any emails using the provided criteria!

Failed to find any of the provided mailboxes: MAILBOX_LIST

Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when using the Extract Data From Attached EML action:

Script result name Value
is_success True or False

Forward Email

Use the Forward Email action to forward emails that include previous threads. With the appropriate permissions, this action can send emails from a mailbox different than the one specified in the integration configuration.

This action doesn't run on Google SecOps entities.

Action inputs

The Forward Email action requires the following parameters:

Parameter Description
Send From

Required.

An optional email address from which to send an email, if permissions allow.

By default, the email is sent from the default mailbox specified in the integration configuration.
Folder Name

Optional.

A mailbox folder to search for emails. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Mail ID

Required.

The ID of the email to forward.
Subject

Required.

The email subject.
Send to

Required.

A comma-separated list of email addresses for the email recipients, such as user1@example.com, user2@example.com.
CC

Optional.

A comma-separated list of email addresses for the email CC field.

The format is the same as for the Send to parameter.
BCC

Optional.

A comma-separated list of email addresses for the email BCC field.

The format is the same as for the Send to parameter.
Attachments Paths

Optional.

A comma-separated list of paths for file attachments stored on the server, such as /FILE_DIRECTORY/file.pdf, /FILE_DIRECTORY/image.jpg.
Mail content

Required.

The email body.

Action outputs

The following table describes the output types associated with the Forward Email action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Forward Email action provides the following output messages:

Output message Message description
Email with message ID MAIL_ID was forwarded successfully. Action succeeded.

Error executing action "Forward Email" because the provided mail id EMAIL_ID was not found.

Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX: MAILBOX_FOLDER

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Forward Email action:

Script result name Value
is_success True or False

Generate Token

Use the Generate Token action to obtain a refresh token for the integration configuration with delegated authentication. Use the authorization URL that you received in the Get Authorization action.

This action doesn't run on Google SecOps entities.

After you generate the refresh token for the first time, we recommend you to configure and activate the Refresh Token Renewal Job so the job automatically renews and keeps the refresh token valid.

Action inputs

The Generate Token action requires the following parameters:

Parameter Description
Authorization URL

Required. An authorization URL that you received in the Get Authorization action. The URL is required to request a refresh token.

Action outputs

The Generate Token action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Generate Token action can return the following output messages:

Output message Message description

Successfully fetched the refresh token: TOKEN_VALUE. Enter this token in the integration configuration to authenticate with delegated permissions on behalf of the user that performed the configuration steps. We recommend you to configure a Refresh Token Renewal Job after you generate the initial refresh token so the job automatically renews and keeps the token valid.

 The action succeeded.

Failed to generate a token because the authorization URL that you provided is incorrect. The "code" parameter is missing. Make sure to copy the whole URL properly.

Failed to get the refresh token! Error is ERROR_REASON

Failed to connect to the Microsoft Graph Mail service! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when using the Generate Token action:

Script result name Value
is_success True or False

Get Authorization

Use the Get Authorization action to obtain a link with the access code for the delegated authentication. Copy the whole link and use it in the Generate Token action to get the refresh token.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Get Authorization action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Get Authorization action can return the following output messages:

Output message Message description
Authorization URL generated successfully. To obtain a URL with access code, go to the link below as the user that you configured for the integration. Provide the URL with the access code in the Generate Token action. The action succeeded.

Failed to generate the authorization URL! Error is ERROR_REASON

Failed to connect to the Microsoft Graph Mail service! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when using the Get Authorization action:

Script result name Value
is_success True or False

Get Mailbox Account Out Of Facility Settings

Use the Get Mailbox Account Out Of Facility Settings action to retrieve the mailbox account out of facility (OOF) settings for the Google SecOps User entity provided.

The Get Mailbox Account Out Of Facility Settings action uses the beta version of Microsoft Graph API.

This action runs on the Google SecOps User entity.

Action inputs

None.

Action outputs

The Get Mailbox Account Out Of Facility Settings action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when you use the Get Mailbox Account Out Of Facility Settings action:

{
   "@odata.context": "https://graph.microsoft.com/beta/$metadata#communications/presences/$entity",
   "id": "ID",
   "availability": "Offline",
   "activity": "Offline",
   "statusMessage": null,
   "outOfOfficeSettings": {
       "message": "\n\nOut Of Facility111\n",
       "isOutOfOffice": true
   }
}
Output messages

The Get Mailbox Account Out Of Facility Settings action can return the following output messages:

Output message Message description

Successfully returned OOF settings for ENTITY_ID.

Failed to find the following usernames in Office 365 service: USERNAME_LIST.

 The action succeeded.

Error executing action "Add Identity Protection Detection Comment". Reason: ERROR_REASON

Action wasn't able to find OOF settings for ENTITY_ID.

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when you use the Get Mailbox Account Out Of Facility Settings action:

Script result name Value
is_success True or False

Mark Email as Junk

Use the Mark Email as Junk action to mark emails as junk in a specified mailbox. This action adds the email sender to the list of blocked senders and moves the message to the Junk Email folder.

The Mark Email as Junk action uses the beta version of Microsoft Graph API.

This action doesn't run on Google SecOps entities.

Action inputs

The Mark Email as Junk action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

A mailbox where to search for email.

By default, the action attempts to search for the email in the default mailbox that you specified in the integration configuration. To execute a search in other mailboxes, configure appropriate permissions for the action.

This parameter accepts multiple values as a comma separated string.
Folder Name

Required.

A mailbox folder where to search for email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.

The default value is Inbox.
Mail IDs

Required.

The IDs or internetMessageId values of the mails to mark as junk.

This parameter accepts multiple values as a comma-separated string.

Action outputs

The Mark Email as Junk action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Mark Email as Junk action can return the following output messages:

Output message Message description

Successfully marked the email as junk.

Failed to find email with ID ID in MAILBOX.

Mailbox MAILBOX was not found.

 The action succeeded.

Error executing action "Mark Email as Junk". Reason: ERROR_REASON

Failed to find any emails based on provided parameters!

Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX.

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when you use the Mark Email as Junk action:

Script result name Value
is_success True or False

Mark Email as Not Junk

Use the Mark Email as Not Junk action to mark emails as not junk in a specific mailbox. This action removes the sender from the list of blocked senders and moves the message to the Inbox folder.

The Mark Email as Not Junk action uses the beta version of Microsoft Graph API.

This action doesn't run on Google SecOps entities.

Action inputs

The Mark Email as Not Junk action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

A mailbox where to search for an email.

By default, the action attempts to search for the email in the default mailbox that you specified in the integration configuration. To execute a search in other mailboxes, configure appropriate permissions for the action.

This parameter accepts multiple values as a comma separated string.
Folder Name

Required.

A mailbox folder where to search for email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Mail IDs

Required.

The IDs or internetMessageId values of the mails to mark as junk.

This parameter accepts multiple values as a comma separated string.

Action outputs

The Mark Email as Not Junk action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Mark Email as Not Junk action can return the following output messages:

Output message Message description

Successfully marked the email as not junk.

Failed to find email with ID ID in MAILBOX.

Mailbox MAILBOX was not found.

 The action succeeded.

Error executing action "Mark Email as Not Junk". Reason: ERROR_REASON

Failed to find any emails based on provided parameters!

Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX.

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when you use the Mark Email as Not Junk action:

Script result name Value
is_success True or False

Move Email To Folder

Use the Move Email To Folder action to move one or multiple emails from the source email folder to the other folder in the mailbox. With the appropriate permissions, this action can move emails to other mailboxes different from the one that is provided in the integration configuration.

This action is asynchronous. Adjust the action timeout in the Google SecOps integrated development environment (IDE) as needed.

This action doesn't run on Google SecOps entities.

Action inputs

To configure the Move Email To Folder action, use the following parameters:

Parameter Description
Move In Mailbox

Required.

The default mailbox where the move operation runs. If permissions allow, the action can also search in other mailboxes. This parameter accepts multiple values as a comma-separated string.

Source Folder Name

Required.

A source folder from where to move the email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Destination Folder Name

Required.

A destination folder to move the email.

Provide the parameter value in the following format: Inbox/folder_name/subfolder_name. This parameter is case-insensitive.
Mail IDs

Optional.

A filter condition to search for emails with specific email IDs.

This parameter accepts a comma-separated list of email IDs to search for.

If this parameter is provided, the search ignores the Subject Filter and Sender Filter parameters.
Subject Filter

Optional.

A filter condition that specifies the email subject to search for.

This filter uses the contains logic.
Sender Filter

Optional.

A filter condition that specifies the sender of requested emails.

This filter uses the equals logic.
Timeframe (Minutes)

Optional.

A filter condition that specifies the timeframe, in minutes, to search for emails.
Only Unread

Optional.

If selected, the action searches only for unread emails.

Not selected by default.
How many mailboxes to process in a single batch

Optional.

The number of mailboxes to process in a single batch (single connection to the mail server).

The default value is 25.

Action outputs

The following table describes the output types associated with the Move Email To Folder action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Move Email To Folder action provides the following output messages:

Output message Message description

Successfully moved emails in the following mailboxes: MAILBOX: MOVED_EMAILS_NUMBER

Mailbox MAILBOX was not found.

 Action succeeded.

Action was not able to find any emails based on the specified search criteria.

Action failed to move any emails because the provided source folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Action failed to move any emails because the provided destination folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Move Email To Folder action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test connectivity to the Microsoft Graph mail service.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The following table describes the output types associated with the Ping action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Ping action provides the following output messages:

Output message Message description
Successfully connected to the Microsoft Graph mail service with the provided connection parameters! Action succeeded.
Failed to connect to the Microsoft Graph mail service! Error is ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Ping action:

Script result name Value
is_success True or False

Run Microsoft Search Query

Use the Run Microsoft Search Query action to perform a search using Microsoft Search engine. The search uses the constructed basic or advanced query that you specify. For more information about Microsoft Search, see Overview of the Microsoft Search API in Microsoft Graph.

Depending on the entity scope, the Run Microsoft Search Query action can require you to configure additional permissions. For more information about permissions required for specific entity types, see Use the Microsoft Search API to query data. For more information about how to configure permissions for the integration, see Configure API permissions.

This action doesn't run on Google SecOps entities.

Action inputs

The Run Microsoft Search Query action requires the following parameters:

Parameter Description
Entity Types To Search

Optional.

A comma-separated list of expected resource types for the search response.

The possible values are as follows:

  • acronym
  • bookmark
  • chatMessage
  • drive
  • driveItem
  • event
  • externalItem
  • list
  • listItem
  • message
  • person
  • site
Fields To Return

Optional.

The fields to return in the search response. If you don't configure this parameter, the action returns all available fields.
Search Query

Optional.

The query to run the search. For more information about the search query examples, see Use the Microsoft Search API to search Outlook messages.
Max Rows To Return

Optional.

The maximum number of rows for the action to return. If you don't configure this parameter, the action uses the default value.

The default value is 25.
Advanced Query

Optional.

The full search payload to use instead of constructing the search query with other action parameters. Format the search payload as a JSON string. If you configure this parameter, the action ignores all other parameters.

Action outputs

The Run Microsoft Search Query action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Run Microsoft Search Query action can return the following output messages:

Output message Message description

Successfully retrieved results for the provided search query.

No results found for the provided query.

 The action succeeded.

Failed to construct a search query based on the provided parameters. Please check, if you specified all parameters properly.

Failed to run the search because the API doesn't support the provided combination of entities. See Microsoft documentation for supported entity combinations - URL. The error is ERROR_REASON

Failed to run the search as the provided advanced search query is invalid! Error is ERROR_REASON

Failed to connect to the Microsoft Graph Mail service! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when using the Run Microsoft Search Query action:

Script result name Value
is_success True or False

Save Email To The Case

Use the Save Email To The Case action to save emails or email attachments to the Google SecOps Case Wall. With the appropriate permissions, this action can save emails from mailboxes other than the one provided in the integration configuration.

This action doesn't run on Google SecOps entities.

Action inputs

The Save Email To The Case action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

The default mailbox where the search operation runs. If permissions allow, the action can also search in other mailboxes.
Folder Name

Optional.

A mailbox folder where to search for email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Mail ID

Required.

A comma-separated list of email IDs to search.

If you used the Send Email action to send emails, set the parameter value to either the {SendEmail.JSONResult|id} or {SendEmail.JSONResult|internetMessageId} placeholder.
Save Only Email Attachments

Optional.

If selected, the action saves only attachments from the specified email.

Not selected by default.
Attachment To Save

Optional.

If the Save Only Email Attachments parameter is selected, the action only saves attachments specified by this parameter.

This parameter accepts multiple values as a comma-separated string.
Base64 Encode

Optional.

If selected, the action encodes the email file into the base64 format.

Not selected by default.

Action outputs

The following table describes the output types associated with the Save Email To The Case action:

Action output type Availability
Case wall attachment Available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall attachment

The following attachments are associated with the Save Email To The Case action:

  • EMAIL_SUBJECT.eml, if the action saves the email.

  • If the action saves the attachment, the attachment name contains a file extension, if any.

JSON result

The following example describes the JSON result output received when you use the Save Email To The Case action:

{
    "id": "ID",
    "createdDateTime": "2024-02-16T14:10:34Z",
    "eml_info": "example_info",
    "lastModifiedDateTime": "2024-02-16T14:10:41Z",
    "changeKey": "cxsdjjh",
    "categories": [],
    "receivedDateTime": "2024-02-16T14:10:35Z",
    "sentDateTime": "2024-02-16T14:09:36Z",
    "hasAttachments": true,
    "internetMessageId": "INTERNET_MESSAGE_ID",
    "subject": "all attachments",
    "bodyPreview": "all the attachments",
    "importance": "normal",
    "parentFolderId": "PARENT_FOLDER_ID",
    "conversationId": "CONVERSATION_ID",
    "conversationIndex": "example-index",
    "isDeliveryReceiptRequested": false,
    "isReadReceiptRequested": false,
    "isRead": true,
    "isDraft": false,
    "webLink": "https://example.com/",
    "inferenceClassification": "focused",
    "body": {
        "contentType": "html",
        "content": "<html><head>example-html</head></html>"
    },
    "sender": {
        "emailAddress": {
            "name": "NAME",
            "address": "sender@example.com"
        }
    },
    "from": {
        "emailAddress": {
            "name": "NAME",
            "address": "user@example.com"
        }
    },
    "toRecipients": [
        {
            "emailAddress": {
                "name": "NAME",
                "address": "recipient@example.com"
            }
        }
    ],
    "ccRecipients": [],
    "bccRecipients": [],
    "replyTo": [],
    "flag": {
        "flagStatus": "notFlagged"
    }
}
Output messages

On a Case Wall, the Save Email To The Case action provides the following output messages:

Output message Message description

Email successfully saved!

Successfully saved the following attachments: ATTACHMENTS_LIST

The following attachments were not found in email with mail id: EMAIL_ID: ATTACHMENTS_LIST

 Action succeeded.

Mailbox MAILBOX_NAME was not found.

Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX_NAME

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Save Email To The Case action:

Script result name Value
is_success True or False

Search Emails

Use the Search Emails action to execute email search in the default mailbox based on the provided search criteria. With appropriate permissions, this action can run a search in other mailboxes.

This action is asynchronous. Adjust the action timeout in the Google SecOps IDE as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Search Emails action requires the following parameters:

Parameter Description
Search In Mailbox

Required.

The default mailbox where the search operation runs. If permissions allow, the action can also search in other mailboxes. This parameter accepts multiple values as a comma-separated string.

For complex searches against a significant number of mailboxes, use the Exchange Extension Pack integration.
Folder Name

Required.

A mailbox folder where to search for emails. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.
Subject Filter

Optional.

A filter condition that specifies the email subject to search for.

This filter uses the contains logic.
Sender Filter

Optional.

A filter condition that specifies the sender of requested emails.

This filter uses the equals logic.
Timeframe (Minutes)

Optional.

A filter condition that specifies the timeframe in minutes to search for emails.
Max Emails To Return

Optional.

The number of emails for the action to return.

If you don't set a value, the API default value is used.

The default value is 10.
Only Unread

Optional.

If selected, the action searches only for unread emails.

Not selected by default.
All Fields To Return

Optional.

If selected, the action returns all available fields for the obtained email.

Not selected by default.
How many mailboxes to process in a single batch

Optional.

The number of mailboxes to process in a single batch (single connection to the mail server).

The default value is 25.

Action outputs

The following table describes the output types associated with the Search Emails action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case wall table

On a Case Wall, the Search Emails action provides the following table:

Table title: Matching Mails

Columns:

  • Mail ID
  • Subject
  • Sender
  • Receivers
  • Received Date
Output messages

The Search Emails action provides the following output messages:

Action was not able to find any emails based on the specified search criteria.

Output message Message description

Successfully found emails in the following mailboxes: MAILBOX: FOUND_EMAILS_NUMBER

Mailbox MAILBOX was not found.

 Action succeeded.

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Search Emails action:

Script result name Value
is_success True or False

Send Email

Use the Send Email action to send emails from a specific mailbox to an arbitrary list of recipients.

This action can send either plain text or HTML-formatted emails. With appropriate permissions, the action can send emails from a mailbox different than the one specified in the integration configuration.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Email action requires the following parameters:

Parameter Description
Send From

Required.

An optional email address from which to send emails, if permissions allow.

By default, the action sends emails from the default mailbox specified in the integration configuration.
Subject

Required.

The email subject.
Send to

Required.

A comma-separated list of email addresses for the email recipients, such as user1@example.com, user2@example.com.
CC

Optional.

A comma-separated list of email addresses for the email CC field.

The format is the same as for the Send to parameter.
BCC

Optional.

A comma-separated list of email addresses for the email BCC field.

The format is the same as for the Send to parameter.
Attachments Paths

Optional.

A comma-separated list of paths for file attachments stored on the server, such as /FILE_DIRECTORY/file.pdf, /FILE_DIRECTORY/image.jpg.
Attachments Location

Required.

A location where the attachments are stored.

By default, the action attempts to upload attachments from the Cloud Storage bucket.

The possible values are GCP Bucket or Local File System. The default value is GCP Bucket.
Mail Content Type

Optional.

The type of the email content.

The possible values are as follows:

  • Text
  • HTML

The default value is Text.
Mail Content

Required.

The email body.
Reply-To Recipients

Optional.

A comma-separated list of recipients to use in the Reply-To header.

Use the Reply-To header to redirect reply emails to the specified email address instead of the sender's address in the From field.

Action outputs

The following table describes the output types associated with the Send Email action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Send Email action provides the following output messages:

Output message Message description

Email was sent successfully.

 Action succeeded.

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Send Email action:

Script result name Value
is_success True or False

Send Email HTML

Use the Send Email HTML action to send emails you use the Google SecOps HTML template from a specific mailbox to an arbitrary list of recipients. With appropriate permissions, the action can send emails from a mailbox other than the default one.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Email HTML action requires the following parameters:

Parameter Description
Send From

Required.

An optional email address from which to send emails, if permissions allow.

By default, the action sends emails from the default mailbox specified in the integration configuration.
Subject

Required.

The email subject.
Send to

Required.

A comma-separated list of email addresses for the email recipients, such as user1@example.com, user2@example.com.
CC

Optional.

A comma-separated list of email addresses for the email CC field.

The format is the same as for the Send to parameter.
BCC

Optional.

A comma-separated list of email addresses for the email BCC field.

The format is the same as for the Send to parameter.
Attachments Paths

Optional.

A full path for the attachment to provide, such as /FILE_DIRECTORY/file.pdf, /FILE_DIRECTORY/image.jpg.

You can provide multiple values in a comma-separated string.
Email HTML Template

Required.

The type of the HTML template to use.

The possible values are Email HTML Template and Dynamically generated list of available templates.

The default value is Email HTML Template.
Mail Content

Required.

The email body.
Reply-To Recipients

Optional.

A comma-separated list of recipients to use in the Reply-To header.

Use the Reply-To header to redirect reply emails to the specific email address instead of the sender's address stated in the From field.
Attachment Location

Required.

A location where the attachments are stored.

By default, the action attempts to upload attachments from the Cloud Storage bucket.

The possible values are GCP Bucket or Local File System. The default value is GCP Bucket.

Action outputs

The Send Email HTML action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when you use the Send Email HTML action:

{
    "createdDateTime": "2024-01-30T16:50:27Z",
    "lastModifiedDateTime": "2024-01-30T16:50:27Z",
    "changeKey": "example-key",
    "categories": [],
    "receivedDateTime": "2024-01-30T16:50:27Z",
    "sentDateTime": "2024-01-30T16:50:27Z",
    "hasAttachments": false,
    "internetMessageId": "outlook.com",
    "subject": "Testing",
    "bodyPreview": "example",
    "importance": "normal",
    "parentFolderId": "ID",
    "conversationId": "ID",
    "conversationIndex": "INDEX",
    "isDeliveryReceiptRequested": false,
    "isReadReceiptRequested": false,
    "isRead": true,
    "isDraft": false,
    "webLink": "https://example.com",
    "inferenceClassification": "focused",
    "body": {
        "contentType": "html",
        "content": "content"
    },
    "sender": {
        "emailAddress": {
            "name": "NAME",
            "address": "sender@example.com"
        }
    },
    "from": {
        "emailAddress": {
            "name": "NAME",
            "address": "user@example.com"
        }
    },
    "toRecipients": [
        {
            "emailAddress": {
                "name": "NAME",
                "address": "recipient@example.com"
            }
        }
    ],
    "ccRecipients": [],
    "bccRecipients": [],
    "replyTo": [],
    "uniqueBody": {
        "contentType": "html",
        "content": "content"
    },
    "flag": {
        "flagStatus": "notFlagged"
    },
    "id": "ID"
}
Output messages

On a Case Wall, the Send Email HTML action provides the following output messages:

Output message Message description
Email was sent successfully. Action succeeded.

Action failed to run because the HTML template was not specified.

Action failed to run because the following specified attachments were not found: ATTACHMENT_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Send Email HTML action:

Script result name Value
is_success True or False

Send Thread Reply

Use the Send Thread Reply action to send a message as a reply to the email thread. With appropriate permissions, the action can send emails from a mailbox other than the one specified in the integration configuration.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Thread Reply action requires the following parameters:

Parameter Description
Send From

Required.

An optional email address from which to send emails, if permissions allow.

By default, the action sends emails from the default mailbox specified in the integration configuration.
Mail ID

Required.

The email ID to search for.
Folder Name

Optional.

A mailbox folder where to search for email. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.

The default value is Inbox.
Attachments Paths

Optional.

A comma-separated list of paths for file attachments stored on the server, such as /FILE_DIRECTORY/file.pdf, /FILE_DIRECTORY/image.jpg.
Mail Content

Required.

The email body.
Reply All

Optional.

If selected, the action sends a reply to all recipients related to the original email.

Not selected by default.

This parameter has priority over the Reply To parameter.
Reply To

Optional.

A comma-separated list of emails to send the reply to.

If you provide no value and the Reply All checkbox is clear, the action only sends a reply to the original email sender.

If the Reply All checkbox is selected, the action ignores this parameter.
Attachments Location

Required.

A location where the attachments are stored.

By default, the action attempts to upload attachments from the Cloud Storage bucket.

The possible values are GCP Bucket or Local File System. The default value is GCP Bucket.

Action outputs

The following table describes the output types associated with the Send Thread Reply action:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Send Thread Reply action provides the following output messages:

Output message Message description
Successfully sent reply to the mail with ID: EMAIL_ID Action succeeded.
Error executing action "Send Thread Reply". Reason: if you want to send a reply only to your own email address, you need to work with "Reply To" parameter.

Action failed.

Check the Reply To parameter value.

Error executing action "Send Thread Reply" because the provided mail id EMAIL_ID was not found.

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Send Thread Reply action:

Script result name Value
is_success True or False

Send Vote Email

Use the Send Vote Email action to send emails with the predefined answering options. This action uses Google SecOps HTML templates to format the email. With appropriate permissions, the Send Vote Email action can send emails from a mailbox other than the default one.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Vote Email action requires the following parameters:

Parameter Description
Send From

Required.

An optional email address from which to send emails, if permissions allow.

By default, the action sends emails from the default mailbox specified in the integration configuration.
Subject

Required.

The email subject.
Send to

Required.

A comma-separated list of email addresses for the email recipients, such as user1@example.com, user2@example.com.
CC

Optional.

A comma-separated list of email addresses for the email CC field.

The format is the same as for the Send to parameter.
BCC

Optional.

A comma-separated list of email addresses for the email BCC field.

The format is the same as for the Send to parameter.
Attachments Paths

Optional.

A full path for the attachment to provide, such as /FILE_DIRECTORY/file.pdf, /FILE_DIRECTORY/image.jpg.

You can provide multiple values in a comma-separated string.
Email HTML Template

Required.

The type of the HTML template to use.

The possible values are Email HTML Template and Dynamically generated list of available templates.

The default value is Email HTML Template.
Reply-To Recipients

Optional.

A comma-separated list of recipients to use in the Reply-To header.

Use the Reply-To header to redirect reply emails to the specified email address instead of the sender's address stated in the From field.
Structure of voting options

Required.

The structure of the vote to send to recipients.

The possible values are Yes/No or Approve/Reject. The default value is Yes/No.

Attachment Location

Required.

A location where the attachments are stored.

By default, the action attempts to upload the attachment from the Cloud Storage bucket.

The possible values are GCP Bucket or Local File System. The default value is GCP Bucket.

Action outputs

The Send Vote Email action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example describes the JSON result output received when you use the Send Vote Email action:

{
    "createdDateTime": "2024-01-30T16:50:27Z",
    "lastModifiedDateTime": "2024-01-30T16:50:27Z",
    "changeKey": "KEY",
    "categories": [],
    "receivedDateTime": "2024-01-30T16:50:27Z",
    "sentDateTime": "2024-01-30T16:50:27Z",
    "hasAttachments": false,
    "internetMessageId": "<example-message-ID>",
    "subject": "Testing",
    "bodyPreview": "example",
    "importance": "normal",
    "parentFolderId": "FOLDER_ID",
    "conversationId": "CONVERSATION_ID",
    "conversationIndex": "CONVERSATION_INDEX",
    "isDeliveryReceiptRequested": false,
    "isReadReceiptRequested": false,
    "isRead": true,
    "isDraft": false,
    "webLink": "https://www.example.com/about",
    "inferenceClassification": "focused",
    "body": {
        "contentType": "html",
        "content": "content"
    },
    "sender": {
        "emailAddress": {
            "name": "NAME",
            "address": "sender@example.com"
        }
    },
    "from": {
        "emailAddress": {
            "name": "NAME",
            "address": "user@example.com"
        }
    },
    "toRecipients": [
        {
            "emailAddress": {
                "name": "NAME",
                "address": "recipient@example.com"
            }
        }
    ],
    "ccRecipients": [],
    "bccRecipients": [],
    "replyTo": [],
    "uniqueBody": {
        "contentType": "html",
        "content": "content"
    },
    "flag": {
        "flagStatus": "notFlagged"
    },
    "id": "ID"
}
Output messages

On a Case Wall, the Send Vote Email action provides the following output messages:

Output message Message description
Email was sent successfully. Action succeeded.

Action failed to run because the HTML template was not specified.

Action failed to run because the following specified attachments were not found: ATTACHMENT_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Send Vote Email action:

Script result name Value
is_success True or False

Wait For Email From User

Use the Wait For Email From User action to wait for the user's response based on an email sent using the Send Email action.

This action is asynchronous. Adjust the action timeout in the Google SecOps IDE as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait For Email From User action requires the following parameters:

Parameter Description
Mail ID

Required.

The ID of the email.

If you used the Send Email action to send emails, set the parameter value to either the {SendEmail.JSONResult|id} or {SendEmail.JSONResult|internetMessageId} placeholder.
Wait for All Recipients To Reply?

Optional.

If selected, the action waits for responses from all recipients until reaching timeout or proceeding with the first reply.

Selected by default.
Wait Stage Exclude Pattern

Optional.

A regular expression to exclude specific replies from the wait stage. This parameter works with the email body.

For example, if you configure the Out of Office.* regular expression, the action doesn't consider automatic out-of-office messages as recipient replies and waits for an actual user's reply.
Folder To Check For Reply

Optional.

A mailbox email folder to search for the user reply. The search is run in the mailbox from which the email with a question was sent.

This parameter is case-sensitive.

The default value is Inbox.
Fetch Response Attachments

Optional.

If selected and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment to the action result.

Not selected by default.

Action outputs

The following table describes the output types associated with the Wait For Email From User action:

Action output type Availability
Case wall attachment Available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Case wall attachment

The following Case Wall attachment is associated with the Wait For Mail From User action:

Type: Entity

Attachment content: Title, Filename (extensions included, if any), fileContent.

  • Title: RECIPIENT_EMAIL reply attachment.
  • Filename: ATTACHMENT_FILENAME + FILE_EXTENSION
  • fileContent: CONTENT_OF_THE_ATTACHED_FILE
Case wall table

The Wait For Mail From User action can generate the following table:

Table title: Matching Mails

Columns:

  • Mail ID
  • Received Date
  • Sender
  • Recipients
  • Subject
Output messages

The Wait For Mail From User action provides the following output messages:

Output message Message description

Found the user EMAIL_RECIPIENT reply: USER_REPLY

Timeout getting reply from user: EMAIL_RECIPIENT.

 Action succeeded.

Action failed to receive any replies until timeout.

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Wait For Email From User action:

Script result name Value
is_success True or False

Wait For Vote Email Results

Use the Wait For Vote Email Results action to wait for the user response based on the vote email sent using the Send Vote Email action.

This action is asynchronous. Adjust the action timeout in the Google SecOps IDE as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait For Vote Email Results action requires the following parameters:

Parameter Description
Vote Mail Sent From

Required.

The mailbox from which the Send Vote Email action sent an email.

The default value is the mailbox that you specified in the integration configuration.

Optionally, you can set a different value for this parameter if the vote mail is sent from a different mailbox.
Mail ID

Required.

The ID of the email.

If the email is sent using the Send Vote Email action, set the parameter value to either the SendVoteEmail.JSONResult|id or SendEmail.JSONResult|internetMessageId placeholder.

To return email IDs, you can use the Search Emails action.
Wait for All Recipients To Reply?

Optional.

If selected, the action waits for responses from all recipients until reaching timeout or proceeding with the first reply.

Selected by default.
Wait Stage Exclude Pattern

Optional.

A regular expression to exclude specific replies from the wait stage.

This parameter works with the email body.

Example: the action doesn't consider automatic out-of-office messages as recipient replies, instead waiting for an actual user reply.
Folder To Check For Reply

Optional.

A mailbox email folder to search for the user's reply. The search is run in the mailbox from which the email containing a question was sent.

This parameter accepts a comma-separated list of folders to check the user response in multiple folders.

This parameter is case-sensitive.

The default value is Inbox.
Folder To Check For Sent Mail

Optional.

A mailbox folder to search for the sent mail in. It is a mailbox that you sent the email with a question from.

This parameter accepts a comma-separated list of folders to check the user response in multiple folders.

This parameter is case sensitive. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.

The default value is Sent Items.
Fetch Response Attachments

Optional.

If selected and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment to the Case Wall.

Not selected by default.

Action outputs

The Wait For Vote Email Results action provides the following outputs:

Action output type Availability
Case wall attachment Available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall attachment

The following Case Wall attachment is associated with the Wait For Vote Email Results action:

Type: Entity

Attachment content: Title, Filename (extensions included, if any), fileContent.

  • Title: RECIPIENT_EMAIL reply attachment.
  • Filename: ATTACHMENT_FILENAME + FILE_EXTENSION
  • fileContent: CONTENT_OF_THE_ATTACHED_FILE
Case wall table

On a Case Wall, the Wait For Email Results action generates the following table:

Table title: Matching Mails

Columns:

  • Mail ID
  • Received Date
  • Sender
  • Recipients
  • Subject
JSON result

The following example describes the JSON result output received when you use the Wait For Vote Email Results action:

{
    "Responses": [
        {
            "recipient": "user@example.com",
            "vote": "Approve"
        }
    ]
}
Output messages

The Wait For Vote Email Results action provides the following output messages:

Output message Message description

Found the user EMAIL_RECIPIENT reply: USER_REPLY.

Exceeded timeout to get a reply from user: EMAIL_RECIPIENT.

 Action succeeded.

Action failed to receive any replies until timeout.

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table describes the values for the script result output when you use the Wait For Vote Email Results action:

Script result name Value
is_success True or False

Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).

Microsoft Graph Mail Delegated Connector

Use the Microsoft Graph Mail Delegated Connector to retrieve emails from the Microsoft Graph mail service.

The Microsoft Graph Mail Delegated Connector uses delegated authentication in Microsoft 365 and requires the user's interactive login to connect with Microsoft 365.

Use the dynamic list to filter the specified values from the email body and subject parts using regular expressions. By default, the connector uses a regular expression to filter out the URLs from the email.

Connector prerequisites

The Microsoft Graph Mail Delegated Connector requires you to configure the integration parameters and generate the refresh token.

Connector inputs

The Microsoft Graph Mail Delegated Connector requires the following parameters:
Parameter Description
Product Field Name

Required.

The name of the field where the product name is stored.

The default value is device_product.

The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value device_product resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.
Event Field Name

Required.

The field name used to determine the event name (subtype).

The default value is event_name.
Environment Field Name

Optional.

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is set to "".

Environment Regex Pattern

Optional.

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is "".
Email Exclude Pattern

Optional.

A regular expression to exclude specific emails from ingestion, such as spam or news.

This parameter works with both the subject and body of the email.
Script Timeout (Seconds)

Required.

The timeout limit, in seconds, for the Python process that runs the current script.

The default value is 300.
Microsoft Entra ID Endpoint

Required.

The Microsoft Entra endpoint to use in the integration.

The default value is https://login.microsoftonline.com.
Microsoft Graph Endpoint

Required.

The Microsoft Graph endpoint to use in the integration.

The default value is https://graph.microsoft.com.
Mail Address

Required.

An email address for the connector to use.
Refresh Token

Required.

The refresh token used to authenticate.
Client ID

Required.

An application (client) ID of the Microsoft Entra application.
Client Secret Value

Required.

The client secret value of the Microsoft Entra application.
Microsoft Entra ID Directory ID

Required.

The Microsoft Entra ID (tenant ID) value.
Folder to check for emails

Required.

An email folder to search for the emails. This parameter accepts a comma-separated list of folders to search for the user response in multiple folders. To specify a subfolder, use the / forward slash, such as Inbox/Subfolder.

This parameter is case-sensitive.

The default value is Inbox.
Offset Time In Hours

Required.

The number of hours before the first connector iteration to retrieve emails. This parameter applies to the initial connector iteration after you enable the connector for the first time. The connector can use this parameter as a fallback value when the timestamp from the latest connector iteration expires.

The default value is 24.
Max Emails Per Cycle

Required.

The number of emails to fetch for every connector iteration.

The default value is 10.
Unread Emails Only

Optional.

If selected, the connector creates cases only from unread emails.

Not selected by default.
Mark Emails as Read

Optional.

If selected, the connector marks emails as read after ingesting.

Not selected by default.
Disable Overflow

Optional.

If selected, the connector ignores the Google SecOps overflow mechanism.

Not selected by default.
Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to Microsoft Graph.

Selected by default.
Original Received Mail Prefix

Optional.

A prefix to add to the extracted event keys (for example, to, from, or subject) from the original email received in the monitored mailbox.

The default value is orig.
Attached Mail File Prefix

Optional.

A prefix to add to the extracted event keys (for example, to, from, or subject) from the attached email file received in the monitored mailbox.

The default value is attach.
Create a Separate Google Secops Alert per Attached Mail File

Optional.

If selected, the connector creates multiple alerts, with one alert for every attached email file.

This behavior is useful when you process emails with multiple email files attached and set the Google SecOps event mapping to create entities from attached email files.

Not selected by default.
Attach Original EML

Optional.

If selected, the connector attaches the original email to the case info as an EML file.

Not selected by default.
Headers to add to events

Optional.

A comma-separated string of email headers to add to Google SecOps events, such as DKIM-Siganture, Received, or From.

You can configure an exact match for headers or set this parameter value as a regular expression.

The connector filters the configured values from the internetMessageHeaders list and adds them to the Google SecOps event.

To prevent the connector from adding headers to the event, set the parameter value as follows: None.

By default, the connector adds all available headers.
Case Name Template

Optional.

A custom case name.

When you configure this parameter, the connector adds a new key called custom_case_name to the Google SecOps SOAR event.

You can provide placeholders in the following format: [name of the field].

Example: Phishing - [event_mailbox].

For placeholders, the connector uses the first Google SecOps SOAR event. The connector only handles keys containing the string value.
Alert Name Template

Optional.

A custom alert name.

You can provide placeholders in the following format: [name of the field].

Example: Phishing - [event_mailbox].

For placeholders, the connector uses the first Google SecOps SOAR event. The connector only handles keys containing the string value. If you provide no value or an invalid template, the connector uses the default alert name.
Proxy Server Address

Optional.

The address of the proxy server to use.
Proxy Username

Optional.

The proxy username to authenticate with.
Proxy Password

Optional.

The proxy password to authenticate with.
Mail Field Source

Optional.

If selected, the integration retrieves the mailbox address from the user details mail attribute. If not selected, the integration retrieves the mailbox address from the userPrincipalName field.

Selected by default.

Connector rules

The connector supports proxies.

Jobs

To configure jobs in Google SecOps, complete the following steps:

  1. In the left navigation, select Response > Job Scheduler.
  2. In the Jobs tab, click add Create New Job.
  3. Select the required job from the list and click Save.
  4. Proceed to the job configuration.

Refresh Token Renewal Job

Use the Refresh Token Renewal Job periodically update the refresh token for the integration.

By default, the refresh token expires every 90 days. We recommended you to configure this job to automatically run every 7 or 14 days to keep the refresh token up to date.

Job inputs

The Refresh Token Renewal Job requires the following parameters:

Parameter Description
Integration Environments

Optional.

The integration environments for which to update refresh tokens. This parameter accepts multiple values as a comma-separated string.

To configure this parameter, enclose every environment name in "" double quotes, such as "Default environment", "Environment 1", or "Environment 5".
Connector Names

Optional.

The connector names for which to update refresh tokens. This parameter accepts multiple values as a comma-separated string.

To configure this parameter, enclose every connector name in "" double quotes, such as "Microsoft Graph Mail Delegated Connector", "Connector 2", or "Connector 5".

Need more help? Get answers from Community members and Google SecOps professionals.