Microsoft Graph Mail
Integration version: 6.0
Prerequisites
Before configuring the integration in the Google Security Operations SOAR platform, make sure to complete the following prerequisite steps:
1. Create the Microsoft Entra app.
2. Configure the API permissions for your app.
3. Create a client secret.
Create Microsoft Entra app
1. Sign in to the Azure portal as a user administrator or a password administrator.
2. Select Microsoft Entra ID.
3. Go to App registrations > New registration.
4. Enter the name of the app.
5. Click Register.
6. Save the Application (client) ID and Directory (tenant) ID values to use them later when configuring the integration parameters.
Configure API permissions
1. Go to API Permissions > Add a permission.
2. Select Microsoft Graph > Application permissions.
3. In the Select Permissions section, select the following required permissions:
   - Mail.Read
   - Mail.ReadWrite
   - Mail.Send
   - User.Read
   - Directory.Read.All
4. Click Add permissions.
5. Click Grant admin consent for YOUR_ORGANIZATION_NAME. When the Grant admin consent confirmation dialog appears, click Yes.
Create client secret
1. Navigate to Certificates and secrets > New client secret.
2. Provide a description for the client secret and set its expiration deadline.
3. Click Add.
4. Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when configuring the integration. The client secret value is only displayed once.
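The three prerequisite steps above produce a client ID, a tenant ID and a client secret that the integration exchanges for a Microsoft Graph access token. The following Python is an added example, not part of the Google Security Operations documentation or of the integration's own code: it performs that client-credentials exchange and then checks that the `roles` claim of the issued token contains exactly the application permissions listed under "Configure API permissions", so an over-privileged or under-consented app registration is caught before the connector goes live. The v2.0 token endpoint layout `{entra_endpoint}/{tenant_id}/oauth2/v2.0/token` and the Graph `/.default` scope are assumptions of the example; the endpoint URLs themselves are passed in by the caller, and `make_sample_token` builds constructed, unsigned tokens for offline use only.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions listed in "Configure API permissions" above.
REQUIRED_APP_ROLES = frozenset(
    {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "User.Read", "Directory.Read.All"}
)


def build_token_request(entra_endpoint, graph_endpoint, tenant_id, client_id, client_secret):
    """Return (url, form_body) for a client-credentials token request.

    Assumed endpoint layout: {entra_endpoint}/{tenant_id}/oauth2/v2.0/token.
    The client secret travels only in the POST body, never in the URL, so it
    does not end up in proxy or web-server access logs."""
    url = f"{entra_endpoint.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph_endpoint.rstrip('/')}/.default",
    }).encode()
    return url, form


def fetch_token(entra_endpoint, graph_endpoint, tenant_id, client_id, client_secret):
    """Perform the token request (network call; not exercised offline)."""
    url, form = build_token_request(entra_endpoint, graph_endpoint, tenant_id,
                                    client_id, client_secret)
    req = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT without checking its signature.

    Adequate for inspecting a token this app has just been issued for itself;
    it must never be used to trust a token presented by someone else."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_roles(token, required=REQUIRED_APP_ROLES):
    """Return (missing, excess): required roles the token lacks, and roles it
    carries beyond what the integration needs. Excess roles mean the app is
    over-privileged and the granted consent should be trimmed."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return sorted(required - granted), sorted(granted - required)


def make_sample_token(claims):
    """Build an unsigned JWT with the given claims (constructed test data only)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Offline demonstration with a constructed token carrying one extra role.
    sample = make_sample_token({"roles": sorted(REQUIRED_APP_ROLES) + ["Example.Extra.Role"]})
    print(check_app_roles(sample))   # ([], ['Example.Extra.Role'])
```

In production, `fetch_token` is called with the Azure AD endpoint, Microsoft Graph endpoint, tenant, client ID and client secret from the integration parameters, and `check_app_roles` is run once on the returned token; a non-empty `missing` list means admin consent was not completed, a non-empty `excess` list means the registration holds permissions the integration does not need.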
Integrate Microsoft Graph Mail with Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
To configure the integration, use the following parameters:
Parameter | Description |
---|---|
Azure AD endpoint | Required. Microsoft Entra endpoint to connect to. Default value is |
Microsoft Graph Endpoint | Required. Microsoft Graph endpoint to connect to. Default value is |
Client ID | Required. Client (Application) ID of the Microsoft Entra app to use for the integration. |
Secret ID | Required. Client secret value of the Microsoft Entra app to use for the integration. |
Tenant | Required. Microsoft Entra ID (Tenant ID) value. |
Default Mailbox | Required. Default mailbox to use for the integration. |
Verify SSL | Required. If selected, verifies that the SSL certificate to connect to the Microsoft Graph server is valid. Selected by default. |
Actions
Before you configure actions, make sure that you've provided the required permissions for the integration.
Delete Email
Delete one or multiple emails from the mailbox based on the provided search criteria. If permissions allow it, the action can move emails into mailboxes other than the one provided in the integration configuration.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Delete In Mailbox | Required. The default mailbox to execute the delete operation in. If permissions allow it, the action can search in other mailboxes as well. This parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. Mailbox folder to search an email in. |
Mail IDs | Optional. Filter condition to search for emails with specific email IDs. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters. |
Subject Filter | Optional. Filter condition that specifies the email subject to search for. |
Sender Filter | Optional. Filter condition that specifies the sender of requested emails. |
Time Frame (minutes) | Optional. Filter condition that specifies the timeframe in minutes to search for emails. |
Only Unread | Optional. If checked, the action searches only for unread emails. Unchecked by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Forward Email
Forward email including previous threads. If permissions allow it, the action sends an email from a mailbox different than the one specified in the integration configuration.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Send From | Required. Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration. |
Folder Name | Optional. Mailbox folder to search an email in. |
Mail ID | Required. ID of the mail to forward. |
Subject | Required. Email subject. |
Send to | Required. Comma-separated list of email addresses for the email recipients, such as |
CC | Optional. Comma-separated list of email addresses for the email CC field. Format is the same as for the |
BCC | Optional. Comma-separated list of email addresses for the email BCC field. Format is the same as for the |
Attachments Paths | Optional. Comma-separated list of paths for file attachments stored on the server, for example, |
Mail content | Required. Email body. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Email with message ID MAIL_ID was forwarded successfully. | Action succeeded. |
 | Action failed. Check connection to the server, input parameters, or credentials. |
Move Email To Folder
Move one or multiple emails from the source email folder to another folder in the mailbox. If permissions allow it, the action can move emails in mailboxes other than the one provided in the integration configuration.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Move In Mailbox | Required. The default mailbox to execute the move operation in. If permissions allow it, the action can search in other mailboxes as well. This parameter accepts multiple values as a comma-separated string. |
Source Folder Name | Required. Source folder to move the email from. |
Destination Folder Name | Required. Destination folder to move the email to. |
Mail IDs | Optional. Filter condition to search for emails with specific email IDs. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters. |
Subject Filter | Optional. Filter condition that specifies the email subject to search for. This filter uses the |
Sender Filter | Optional. Filter condition that specifies the sender of requested emails. This filter uses the |
Time Frame (minutes) | Optional. Filter condition that specifies the timeframe in minutes to search for emails. |
Only Unread | Optional. If checked, the action searches only for unread emails. Unchecked by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Ping
Test connectivity to the Microsoft Graph mail service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Entities
This action doesn't run on entities.
Action inputs
N/A
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Microsoft Graph mail service with the provided connection parameters! | Action succeeded. |
Failed to connect to the Microsoft Graph mail service! Error is ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Save Email To The Case
Save email or email attachments to the Google Security Operations SOAR Case wall. If permissions allow it, the action can save emails from mailboxes other than the one provided in the integration configuration.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes as well. |
Folder Name | Optional. Mailbox folder to execute search in. |
Mail ID | Required. Email ID to search for. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters. |
Save Only Email Attachments | Optional. If checked, the action saves only attachments from the specified email. Unchecked by default. |
Attachment To Save | Optional. If the `Save Only Email Attachments` checkbox is selected, the action only saves attachments specified by this parameter. The parameter accepts multiple values as a comma-separated string. |
Action outputs
Action output type | |
---|---|
Case wall attachment | Available |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Attachment
If the email is saved, the filename should be EMAIL_SUBJECT.eml.
If attachments are saved, the attachment name contains a file extension, if any.
Search Emails
Execute email search in the configured mailbox based on the provided search criteria. If permissions allow it, the action searches in mailboxes other than the one provided in the integration configuration.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Search In Mailbox | Required. The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes as well. The parameter accepts multiple values as a comma-separated string. |
Folder Name | Required. Mailbox folder to execute search in. |
Subject Filter | Optional. Filter condition that specifies the email subject to search for. This filter uses the |
Sender Filter | Optional. Filter condition that specifies the sender of requested emails. This filter uses the |
Time Frame (minutes) | Optional. Filter condition that specifies the timeframe in minutes to search for emails. |
Max Emails To Return | Optional. Number of emails for the action to return. If no value is provided, the API default value is used. |
Only Unread | Optional. If checked, the action searches only for unread emails. Unchecked by default. |
Select All Fields For Return | Optional. If checked, the action returns all available fields for the obtained email. Unchecked by default. |
How many mailboxes to process in a single batch | Optional. The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | Available |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Case wall table
Table title: Matching Mails
Columns:
- Mail ID
- Subject
- Sender
- Receivers
- Received Date
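Search Emails, Delete Email and Move Email To Folder all take the same search criteria (Subject Filter, Sender Filter, Time Frame (minutes), Only Unread, plus a mailbox list processed in batches). The following Python is an added example, not part of the Google Security Operations documentation or of the integration's own code, showing how those criteria translate into a Microsoft Graph messages request and why each analyst-supplied value has to be escaped. Assumptions not taken from the page: the `/users/{mailbox}/mailFolders/{folder}/messages` URL layout, `contains()` for the subject match and `from/emailAddress/address eq` for the sender (the page does not state which comparison the integration itself applies), and the constructed reference time `SAMPLE_NOW`.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

# Constructed reference time so the demonstration is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def odata_quote(value):
    """Escape a value for an OData single-quoted literal. Without this, a quote
    in analyst-supplied filter text would break out of the literal and change
    the meaning of the query sent to Graph."""
    return str(value).replace("'", "''")


def build_message_filter(subject_filter=None, sender_filter=None,
                         time_frame_minutes=None, only_unread=False, now=None):
    """Return the $filter expression for the given criteria, or None when no
    criterion is set. `now` is injectable so results are reproducible."""
    clauses = []
    if subject_filter:
        clauses.append(f"contains(subject,'{odata_quote(subject_filter)}')")
    if sender_filter:
        clauses.append(f"from/emailAddress/address eq '{odata_quote(sender_filter)}'")
    if time_frame_minutes:
        now = now or datetime.now(timezone.utc)
        since = now - timedelta(minutes=int(time_frame_minutes))
        clauses.append("receivedDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ"))
    if only_unread:
        clauses.append("isRead eq false")
    return " and ".join(clauses) or None


def build_search_url(graph_endpoint, mailbox, folder, max_emails=None, **criteria):
    """Compose the request URL for one mailbox and folder (assumed layout).
    Mailbox and folder are percent-encoded so they cannot add path segments."""
    base = (f"{graph_endpoint.rstrip('/')}/v1.0/users/{quote(mailbox, safe='')}"
            f"/mailFolders/{quote(folder, safe='')}/messages")
    params = {}
    message_filter = build_message_filter(**criteria)
    if message_filter:
        params["$filter"] = message_filter          # Max Emails To Return -> $top
    if max_emails:
        params["$top"] = str(int(max_emails))
    return base + ("?" + urlencode(params) if params else "")


def mailbox_batches(mailboxes, batch_size=25):
    """Split the comma-separated mailbox list into batches of `batch_size`,
    mirroring "How many mailboxes to process in a single batch" (default 25).
    Duplicates are dropped and order is preserved."""
    names = list(dict.fromkeys(m.strip() for m in mailboxes.split(",") if m.strip()))
    return [names[i:i + batch_size] for i in range(0, len(names), batch_size)]


if __name__ == "__main__":
    print(build_search_url("https://graph.example.test", "soc@example.test", "inbox",
                           max_emails=5, subject_filter="Invoice", only_unread=True,
                           time_frame_minutes=60, now=SAMPLE_NOW))
    print(mailbox_batches("a@example.test, b@example.test, a@example.test", batch_size=1))
```

The escaping in `odata_quote` is the part worth keeping in mind: the Subject Filter and Sender Filter values come from a playbook or an analyst, and a stray apostrophe would otherwise either break the request or widen it beyond what was intended.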
Send Email
Send email from a specific mailbox to an arbitrary list of recipients.
This action can send either plain text or HTML-formatted emails. If permissions allow it, the action can send an email from a mailbox different than the one specified in the integration configuration.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Send From | Required. Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration. |
Subject | Required. Email subject. |
Send to | Required. Comma-separated list of email addresses for the email recipients, such as |
CC | Optional. Comma-separated list of email addresses for the email CC field. Format is the same as for the |
BCC | Optional. Comma-separated list of email addresses for the email BCC field. Format is the same as for the |
Attachments Paths | Optional. Comma-separated list of paths for file attachments stored on the server, for example, |
Mail Content Type | Optional. Type of the email content. Default value is Possible values: |
Mail Content | Required. Email body. |
Reply-To Recipients | Optional. Comma-separated list of recipients to use in the Reply-To header. |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
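The Send Email parameters above map almost one-to-one onto a Microsoft Graph sendMail request body. The following Python is an added example, not part of the Google Security Operations documentation or of the integration's own code, that builds that request from the documented parameters and shows the one place a defender should add a check of their own: the Attachments Paths parameter names files on the SOAR server, so the paths are confined to a designated attachment directory before anything is read. Assumptions not taken from the page: the `/users/{send_from}/sendMail` endpoint, `text` and `html` as the two content types (the page's own list of possible values is not reproduced here), base64-encoded `fileAttachment` items, and the allowed attachment directory itself.

```python
import base64
import os
from urllib.parse import quote

CONTENT_TYPES = ("text", "html")      # assumed values of Mail Content Type


def split_addresses(value):
    """Split the comma-separated address lists the action accepts."""
    return [a.strip() for a in (value or "").split(",") if a.strip()]


def recipients(addresses):
    """Wrap plain addresses in the Graph recipient structure."""
    return [{"emailAddress": {"address": a}} for a in addresses]


def is_within(path, allowed_dir):
    """True if `path` resolves inside `allowed_dir`. Pure path arithmetic:
    '..' segments are normalised first so they cannot escape the directory."""
    root = os.path.abspath(allowed_dir)
    target = os.path.abspath(path)
    return os.path.commonpath([root, target]) == root


def read_attachment(path, allowed_dir):
    """Load one server-side file as a Graph fileAttachment item, refusing any
    path outside the allowed directory."""
    if not is_within(path, allowed_dir):
        raise ValueError(f"attachment path outside {allowed_dir}: {path}")
    with open(path, "rb") as fh:
        content = fh.read()
    return {
        "@odata.type": "#microsoft.graph.fileAttachment",
        "name": os.path.basename(path),
        "contentBytes": base64.b64encode(content).decode(),
    }


def build_send_mail_request(graph_endpoint, send_from, subject, send_to, mail_content,
                            cc=None, bcc=None, content_type="text", reply_to=None,
                            attachments=()):
    """Return (url, json_body). `attachments` holds items from read_attachment();
    CC, BCC and Reply-To are only emitted when they contain an address."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"Mail Content Type must be one of {CONTENT_TYPES}")
    to_list = split_addresses(send_to)
    if not to_list:
        raise ValueError("Send to is required")
    message = {
        "subject": subject,
        "body": {"contentType": content_type, "content": mail_content},
        "toRecipients": recipients(to_list),
    }
    for key, value in (("ccRecipients", cc), ("bccRecipients", bcc), ("replyTo", reply_to)):
        addresses = split_addresses(value)
        if addresses:
            message[key] = recipients(addresses)
    if attachments:
        message["attachments"] = list(attachments)
    url = f"{graph_endpoint.rstrip('/')}/v1.0/users/{quote(send_from, safe='')}/sendMail"
    return url, {"message": message, "saveToSentItems": True}


if __name__ == "__main__":
    url, body = build_send_mail_request(
        "https://graph.example.test", "soc@example.test", "Ticket update",
        "alice@example.test, bob@example.test", "<p>Please confirm.</p>",
        cc="lead@example.test", content_type="html", reply_to="soc@example.test")
    print(url)
    print(sorted(body["message"]))
```

The body is posted as JSON with the bearer token obtained at integration setup; `saveToSentItems` keeps a copy in the sending mailbox, which is what later lets Wait For Email From user correlate replies with the question that was sent.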
Send Thread Reply
Send a message as a reply to the email thread.
If permissions allow it, the action can send an email from a mailbox other than the one specified in the integration configuration.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Send From | Required. Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration. |
Mail ID | Required. Email ID to search for. |
Folder Name | Optional. Mailbox folder to execute search in. Default value is |
Attachments Paths | Optional. Comma-separated list of paths for file attachments stored on the server, for example, |
Mail Content | Required. Email body. |
Reply All | Optional. If checked, the action sends a reply to all recipients related to the original email. Unchecked by default. |
Reply To | Optional. Comma-separated list of emails to send the reply to. If no value is provided and the If the |
Action outputs
Action output type | |
---|---|
Case wall attachment | N/A |
Case wall link | N/A |
Case wall table | N/A |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
Successfully sent reply to the mail with ID: EMAIL_ID | Action succeeded. |
Error executing action "Send Thread Reply". Reason: if you want to send a reply only to your own email address, you need to work with "Reply To" parameter. | Action failed. Check the |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Wait For Email From user
Wait for the user's response based on an email sent using the Send Email action.
This action is asynchronous. Adjust the action timeout in the IDE accordingly.
Entities
This action doesn't run on entities.
Action inputs
To configure the action, use the following parameters:
Parameter | Description |
---|---|
Mail ID | Required. ID of the email. If the email is sent using the |
Wait for All Recipients to Reply? | Optional. If checked, the action waits for responses from all recipients until either reaching timeout or proceeding with the first reply. Checked by default. |
Wait Stage Exclude pattern | Optional. Regular expression to exclude specific replies from the wait stage. This parameter works with the email body. Example: The action doesn't consider automatic out-of-office messages as recipient replies, instead waiting for an actual user reply. |
Folder to Check for Reply | Optional. Mailbox email folder to search for the user reply in. The search is run in the mailbox from which the email containing the question was sent. This parameter also accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. Default value is |
Fetch Response Attachments | Optional. If checked and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment for the action result. Unchecked by default. |
Action outputs
Action output type | |
---|---|
Case wall attachment | Available |
Case wall link | N/A |
Case wall table | Available |
Enrichment table | N/A |
JSON result | N/A |
Script result | Available |
Script result
Script result name | Value |
---|---|
is_success | True/False |
Case wall
The action provides the following output messages:
Output message | Message description |
---|---|
 | Action succeeded. |
Failed to execute action, the error is: ERROR_REASON | Action failed. Check connection to the server, input parameters, or credentials. |
Case wall table
Table title: Matching Mails
Columns:
- Mail ID
- Received Date
- Sender
- Recipients
- Subject
Case wall attachment
Type: Entity
Attachment content: Title, Filename (extensions included, if any), fileContent.
- Title: RECIPIENT_EMAIL reply attachment.
- Filename: ATTACHMENT_FILENAME+FILE_EXTENSION
- fileContent: CONTENT_OF_THE_ATTACHED_FILE
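The interaction between "Wait for All Recipients to Reply?" and "Wait Stage Exclude pattern" is easiest to see in code. The following Python is an added example, not part of the Google Security Operations documentation or of the integration's own code: it models the decision the Wait For Email From user action makes on each poll of the reply folder, dropping auto-replies that match the exclude pattern, ignoring mail from anyone who was not a recipient of the question, and stopping either on the first counted reply or only once every recipient has answered. Assumptions not taken from the page: replies are correlated with the sent message through Graph's `conversationId`, and the sample messages, recipients and out-of-office pattern are constructed.

```python
import re


def is_counted_reply(body, exclude_pattern):
    """False when the reply body matches the exclude pattern (an auto-reply)."""
    if not exclude_pattern:
        return True
    return re.search(exclude_pattern, body or "", re.IGNORECASE) is None


def evaluate_wait(sent_message, recipients, fetched, exclude_pattern=None, wait_for_all=True):
    """Return (done, counted_replies).

    sent_message: {"id", "conversationId"} of the question sent with Send Email.
    recipients:   addresses the question went to.
    fetched:      messages found in the folder being checked, each with
                  id, conversationId, sender and body.
    A message counts only if it is in the same conversation (assumed
    correlation key), comes from one of the recipients, is not the question
    itself, and is not excluded by the pattern. Everything else in the folder,
    such as unrelated mail, third parties and auto-replies, is ignored."""
    expected = {r.strip().lower() for r in recipients if r.strip()}
    counted = []
    for msg in fetched:
        if msg.get("conversationId") != sent_message["conversationId"]:
            continue
        if msg.get("id") == sent_message["id"]:
            continue                              # the question itself
        sender = msg.get("sender", "").lower()
        if sender not in expected:
            continue
        if not is_counted_reply(msg.get("body"), exclude_pattern):
            continue
        counted.append(msg)
    replied = {m["sender"].lower() for m in counted}
    done = (replied == expected) if wait_for_all else bool(counted)
    return done, counted


# Constructed sample data: the question, its recipients, and one poll result.
SENT = {"id": "msg-q-1", "conversationId": "conv-1"}
RECIPIENTS = ["alice@example.test", "bob@example.test"]
OOO_PATTERN = r"out of (the )?office|automatic reply"      # example exclude pattern
FETCHED = [
    {"id": "msg-q-1", "conversationId": "conv-1", "sender": "soc@example.test",
     "body": "Did you open the attachment?"},
    {"id": "msg-r-1", "conversationId": "conv-1", "sender": "alice@example.test",
     "body": "Automatic reply: I am out of office until Monday."},
    {"id": "msg-r-2", "conversationId": "conv-1", "sender": "bob@example.test",
     "body": "No, I deleted it."},
    {"id": "msg-r-3", "conversationId": "conv-9", "sender": "alice@example.test",
     "body": "Unrelated thread."},
    {"id": "msg-r-4", "conversationId": "conv-1", "sender": "carol@example.test",
     "body": "Forwarded to me, replying on Bob's behalf."},
]

if __name__ == "__main__":
    print(evaluate_wait(SENT, RECIPIENTS, FETCHED, OOO_PATTERN, wait_for_all=True)[0])    # False
    print(evaluate_wait(SENT, RECIPIENTS, FETCHED, OOO_PATTERN, wait_for_all=False)[0])   # True
```

With the pattern set, Alice's auto-reply is discarded and only Bob has answered: the action keeps waiting when all recipients are required and completes on the first reply otherwise. Without the pattern the auto-reply would be accepted as Alice's answer, which is exactly the false positive the parameter exists to prevent.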
Connectors
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Microsoft Graph Mail Connector
Fetch emails from the Microsoft Graph mail service.
Use the dynamic list to filter specific values from the email body and subject parts using regular expressions. By default, regular expression is used to filter out the URLs from the email.
Connector parameters
To configure the connector, use the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. Name of the field where the product name is stored. Default value is |
Event Field Name | Required. Field name used to determine the event name (subtype). Default value is |
Environment Field Name | Optional. Name of the field where the environment name is stored. If the environment field isn't found, the environment is set to |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the The default value This parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is |
Script Timeout | Required. The timeout limit (in seconds) for the Python process running the current script. Default value is 60 seconds. |
Azure AD endpoint | Required. Microsoft Entra endpoint to connect to. Default value is |
Microsoft Graph Endpoint | Required. Microsoft Graph endpoint to connect to. Default value is |
Client ID | Required. For Microsoft 365 OAuth authentication, an Application (Client) ID of the Microsoft Entra app used for the integration. |
Client Secret | Required. For Microsoft 365 OAuth authentication, the client secret provided for the auth flow. |
Tenant (Directory) ID | Required. For Microsoft 365 OAuth authentication, Tenant (Directory) ID of the Microsoft Entra app used for the integration. |
Mail Address | Required. Mail address for the connector to use. |
Folder to check for emails | Required. Email folder to search for the emails. The parameter also accepts a comma-separated list of folders to check multiple folders. This parameter is case-sensitive. Default value is |
Offset Time In Hours | Required. Number of hours before now to fetch emails from. Default value is 24 hours. |
Max Emails Per Cycle | Required. Number of emails to fetch per connector iteration. Default value is 10 emails. |
Unread Emails Only | Optional. If checked, cases are created only from unread emails. Unchecked by default. |
Mark Emails as Read | Optional. If checked, emails are marked as read after ingesting. Unchecked by default. |
Disable Overflow | Optional. If checked, the connector ignores the overflow mechanism. Unchecked by default. |
Original Received Mail Prefix | Optional. Prefix to add to the extracted event keys (for example, to, from, or subject) from the original email received in the monitored mailbox. Default value is |
Attached Mail File Prefix | Optional. Prefix to add to the extracted event keys (for example, to, from, or subject) from the attached email file received in the monitored mailbox. Default value is |
Headers to add to events | Optional. Comma-separated string specifying which email headers to add to events. Provided values can be exact match or set as a regular expression. |
Proxy Server Address | Optional. Address of the proxy server to use. |
Proxy Username | Optional. Proxy username to authenticate with. |
Proxy Password | Optional. Proxy password to authenticate with. |
Create a Separate Siemplify Alert per Attached Mail File | Optional. If checked, the connector creates multiple alerts, with one alert per attached email file. This behavior is useful when processing emails with multiple email files attached and the Google Security Operations SOAR event mapping set to create entities from attached email files. Unchecked by default. |
Case Name Template | Optional. Parameter to set a custom case name. When this parameter is provided, the connector adds a new key called custom_case_name to the Google Security Operations SOAR event. You can provide placeholders in the following format: Example: |
Alert Name Template | Optional. Parameter to set a custom alert name. You can provide placeholders in the following format: Example: |
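Several connector parameters shape the event that each fetched message becomes: Environment Field Name and Environment Regex Pattern decide the environment, "Headers to add to events" selects headers by exact name or regular expression, the two prefix parameters keep the keys of the received mail and of an attached mail file apart, and the dynamic list's regular expressions pull values such as URLs out of the subject and body. The following Python is an added example, not part of the Google Security Operations documentation or of the connector's own code, that applies all of these to one constructed message. The fallback environment label, the URL regular expression, the prefixes used in the demonstration and the sample headers are all constructed for the example; the page's own default values are not reproduced.

```python
import re

DEFAULT_ENVIRONMENT = "Default Environment"         # assumed fallback label
URL_REGEX = r"""https?://[^\s<>"']+"""               # constructed dynamic-list entry


def resolve_environment(event, env_field, env_regex=None, fallback=DEFAULT_ENVIRONMENT):
    """Pick the environment: the field value, optionally reduced by a regex
    (first capture group if the pattern has one, otherwise the whole match).
    Missing field, empty pattern handling and a non-matching pattern follow
    the parameter description; the fallback label itself is assumed."""
    value = event.get(env_field)
    if value is None:
        return fallback
    if not env_regex:
        return str(value)
    match = re.search(env_regex, str(value))
    if not match:
        return fallback
    return match.group(1) if match.groups() else match.group(0)


def select_headers(headers, specs):
    """Keep headers whose name equals a spec or fully matches it as a regex.
    A spec that is not a valid regex degrades to exact matching."""
    wanted = {}
    for spec in (s.strip() for s in (specs or "").split(",") if s.strip()):
        for name, value in headers.items():
            if name == spec:
                wanted[name] = value
                continue
            try:
                if re.fullmatch(spec, name, re.IGNORECASE):
                    wanted[name] = value
            except re.error:
                pass
    return wanted


def extract_dynamic_values(text, patterns):
    """Run each dynamic-list regex over the text and return unique matches
    in order of first appearance."""
    found = []
    for pattern in patterns:
        for value in re.findall(pattern, text or ""):
            if value not in found:
                found.append(value)
    return found


def build_event(message, prefix, header_specs="", patterns=(URL_REGEX,)):
    """Flatten one message (the received mail or an attached .eml) into an
    event whose keys carry the configured prefix, so fields of the original
    and of an attached mail never overwrite each other."""
    event = {f"{prefix}{k}": v for k, v in message.items() if k != "headers"}
    for name, value in select_headers(message.get("headers", {}), header_specs).items():
        event[f"{prefix}header_{name}"] = value
    event[f"{prefix}extracted"] = extract_dynamic_values(
        f"{message.get('subject', '')}\n{message.get('body', '')}", patterns)
    return event


# Constructed sample message as the connector might fetch it.
SAMPLE_MESSAGE = {
    "from": "sender@example.test",
    "to": "soc@example.test",
    "subject": "Invoice ready",
    "body": "Download at https://files.example.test/inv/42 or http://mirror.example.test/42",
    "headers": {
        "Message-ID": "<abc@example.test>",
        "Authentication-Results": "spf=fail (constructed)",
        "X-Custom-Env": "env=prod-eu",
        "Received": "from mx.example.test",
    },
}

if __name__ == "__main__":
    event = build_event(SAMPLE_MESSAGE, "orig_", header_specs="Message-ID, Authentication-.*")
    event["environment"] = resolve_environment(
        SAMPLE_MESSAGE["headers"], "X-Custom-Env", r"env=([a-z-]+)")
    for key in sorted(event):
        print(key, "=", event[key])
```

Pulling `Authentication-Results` into the event is the detection-relevant choice here: once the header is a field on the event, SPF and DKIM outcomes can drive playbook branching instead of being lost in the raw message.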
Connector rules
The connector supports proxy.