Microsoft Graph Mail

Integration version: 6.0

Prerequisites

Before configuring the integration in the Google Security Operations SOAR platform, make sure to complete the following prerequisite steps:

Create the Microsoft Entra app.
Configure the API permissions for your app.
Create a client secret.

Create Microsoft Entra app

Sign in to the Azure portal as a user administrator or a password administrator.
Select Microsoft Entra ID.
Go to App registrations > New registration.
Enter the name of the app.
Click Register.

Note: This document uses a single tenant setup as an example. Redirect URL is not needed for the OAuth flow (client credentials) supported by the integration.
Save the Application (client) ID and Directory (tenant) ID values to use them later when configuring the integration parameters.

Configure API permissions

Go to API Permissions > Add a permission.
Select Microsoft Graph > Application permissions.
In the Select Permissions section, select the following required permissions:
- Mail.Read
- Mail.ReadWrite
- Mail.Send
- User.Read
- Directory.Read.All
Click Add permissions.
Click Grant admin consent for YOUR_ORGANIZATION_NAME.

When the Grant admin consent confirmation dialog appears, click Yes.

Create client secret

Navigate to Certificates and secrets > New client secret.
Provide a description for a client secret and set its expiration deadline.
Click Add.
Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when configuring the integration. The client secret value is only displayed once.

Integrate Microsoft Graph Mail with Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

To configure the integration, use the following parameters:

Parameters
`Azure AD endpoint`	Required Microsoft Entra endpoint to connect to. Default value is https://login.microsoftonline.com`
`Microsoft Graph Endpoint`	Required Microsoft Graph endpoint to connect to. Default value is `https://graph.microsoft.com`.
`Client ID`	Required Client (Application) ID of the Microsoft Entra app to use for the integration.
`Secret ID`	Required Client secret value of the Microsoft Entra app to use for the integration.
`Tenant`	Required Microsoft Entra ID (Tenant ID) value.
`Default Mailbox`	Required Default mailbox to use for the integration.
`Verify SSL`	Required If selected, verifies that the SSL certificate to connect to the Microsoft Graph server is valid. Selected by default.

Actions

Before you configure actions, make sure that you've provided the required permissions for the integration.

Delete Email

Delete one or multiple emails from the mailbox based on the provided search criteria. If permissions allow it, the action can move emails into mailboxes other than the one provided in the integration configuration.

This action is asynchronous. Adjust the action timeout in the IDE accordingly.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Delete In Mailbox`	Required The default mailbox to execute the delete operation in. If permissions allow it, the action can search in other mailboxes as well. This parameter accepts multiple values as a comma-separated string.
`Folder Name`	Required Mailbox folder to search an email in.
`Mail IDs`	Optional Filter condition to search for emails with specific email IDs. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters.
`Subject Filter`	Optional Filter condition that specifies the email subject to search for.
`Sender Filter`	Optional Filter condition that specifies the sender of requested emails.
`Time Frame (minutes)`	Optional Filter condition that specifies the timeframe in minutes to search for emails.
`Only Unread`	Optional If checked, the action searches only for unread emails. Unchecked by default.
`How many mailboxes to process in a single batch`	Optional The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Output message	Message description
`Successfully deleted emails in the following mailboxes: MAILBOX_NAME: DELETED_EMAILS_NUMBER` `Mailbox MAILBOX was not found.`	Action succeeded.
`Action was not able to find any emails based on the specified search criteria.` `Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER` `Failed to find any of the provided mailboxes: MAILBOX_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Successfully deleted emails in the following mailboxes: MAILBOX_NAME: DELETED_EMAILS_NUMBER

Mailbox MAILBOX was not found.

Action succeeded.

Action was not able to find any emails based on the specified search criteria.

Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Forward Email

Forward email including previous threads. If permissions allow it, the action sends an email from a mailbox different than the one specified in the integration configuration.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Send From`	Required Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration.
`Folder Name`	Optional Mailbox folder to search an email in.
`Mail ID`	Required ID of the mail to forward.
`Subject`	Required Email subject.
`Send to`	Required Comma-separated list of email addresses for the email recipients, such as `user1@example.com, user2@example.com`.
`CC`	Optional Comma-separated list of email addresses for the email CC field. Format is the same as for the `Send to` parameter.
`BCC`	Optional Comma-separated list of email addresses for the email BCC field. Format is the same as for the `Send to` parameter.
`Attachments Paths`	Optional Comma-separated list of paths for file attachments stored on the server, for example, `/FILE_DIRECTORY/file.pdf`, `/FILE_DIRECTORY/image.jpg`.
`Mail content`	Required Email body.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Email with message ID MAIL_ID was forwarded successfully. Action succeeded.

Output message	Message description
`Email with message ID MAIL_ID was forwarded successfully.`	Action succeeded.
`Error executing action "Forward Email" because the provided mail id EMAIL_ID was not found.` `Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX: MAILBOX_FOLDER` `Action failed to run because specified attachments were not found: ATTACHMENTS_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Error executing action "Forward Email" because the provided mail id EMAIL_ID was not found.

Action failed to delete any emails because the provided mailbox folder name was not found in the mailbox(es): MAILBOX: MAILBOX_FOLDER

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is: ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Move Email To Folder

Move one or multiple emails from the source email folder to another folder in the mailbox. If permissions allow it, the action can move emails in mailboxes other than the one provided in the integration configuration.

This action is asynchronous. Adjust the action timeout in the IDE accordingly.

Entities

This action doesn't run entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Move In Mailbox`	Required The default mailbox to execute the move operation in. If permissions allow it, the action can search in other mailboxes as well. This parameter accepts multiple values as a comma-separated string.
`Source Folder Name`	Required Source folder to move the email from.
`Destination Folder Name`	Required Destination folder to move the email to.
`Mail IDs`	Optional Filter condition to search for emails with specific email IDs. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters.
`Subject Filter`	Optional Filter condition that specifies the email subject to search for. This filter uses the `contains` logic.
`Sender Filter`	Optional Filter condition that specifies the sender of requested emails. This filter uses the `equals` logic.
`Time Frame (minutes)`	Optional Filter condition that specifies the timeframe in minutes to search for emails.
`Only Unread`	Optional If checked, the action searches only for unread emails. Unchecked by default.
`How many mailboxes to process in a single batch`	Optional The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Output message	Message description
`Successfully moved emails in the following mailboxes: MAILBOX: MOVED_EMAILS_NUMBER` `Mailbox MAILBOX was not found.`	Action succeeded.
`Action was not able to find any emails based on the specified search criteria.` `Action failed to move any emails because the provided source folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER` `Action failed to move any emails because the provided destination folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER` `Failed to find any of the provided mailboxes: MAILBOX_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Successfully moved emails in the following mailboxes: MAILBOX: MOVED_EMAILS_NUMBER

Mailbox MAILBOX was not found.

Action succeeded.

Action was not able to find any emails based on the specified search criteria.

Action failed to move any emails because the provided source folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Action failed to move any emails because the provided destination folder was not found in the mailbox(es): MAILBOX_NAME, MAILBOX_FOLDER

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Ping

Test connectivity to the Microsoft Graph mail service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Entities

This action doesn't run on entities.

Action inputs

N/A

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Successfully connected to the Microsoft Graph mail service with the provided connection parameters! Action succeeded.

Output message	Message description
`Successfully connected to the Microsoft Graph mail service with the provided connection parameters!`	Action succeeded.
`Failed to connect to the Microsoft Graph mail service! Error is ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Failed to connect to the Microsoft Graph mail service! Error is
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Save Email To The Case

Save email or email attachments to the Google Security Operations SOAR Case wall. If permissions allow it, the action can save emails from mailboxes other than the one provided in the integration configuration.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Search In Mailbox`	Required The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes as well.
`Folder Name`	Optional Mailbox folder to execute search in.
`Mail ID`	Required Email ID to search for. The parameter also accepts a comma-separated list of email IDs to search for. If this parameter is provided, the search ignores the subject and sender filters.
`Save Only Email Attachments`	Optional If checked, the action saves only attachments from the specified email. Unchecked by default.
`Attachment To Save`	Optional If the `Save Only Email Attachments` checkbox is selected, the action only saves attachments specified by this parameter. The parameter accepts multiple values as a comma-separated string.

Action outputs

Action output type
Case wall attachment	Available
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Output message	Message description
`Email successfully saved!` `Successfully saved the following attachments: ATTACHMENTS_LIST` `The following attachments were not found in email with mail id: EMAIL_ID: ATTACHMENTS_LIST`	Action succeeded.
`Mailbox MAILBOX_NAME was not found.` `Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX_NAME` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Email successfully saved!

Successfully saved the following attachments: ATTACHMENTS_LIST

The following attachments were not found in email with mail id: EMAIL_ID: ATTACHMENTS_LIST

Action succeeded.

Mailbox MAILBOX_NAME was not found.

Action failed to run because the provided mailbox folder name MAILBOX_FOLDER was not found in the mailbox MAILBOX_NAME

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Attachment

If the email is saved, the filename should be EMAIL_SUBJECT.eml
If attachments are saved, the attachment name contains a file extension, if any.

Search Emails

Execute email search in the configured mailbox based on the provided search criteria. If permissions allow it, the action searches in mailboxes other than the one provided in the integration configuration.

This action is asynchronous. Adjust the action timeout in the IDE accordingly.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Search In Mailbox`	Required The default mailbox to execute the search operation in. If permissions allow it, the action can search in other mailboxes as well. The parameter accepts multiple values as a comma-separated string. Note: For complex searches against a significant number of mailboxes, use the Exchange Extension Pack integration.
`Folder Name`	Required Mailbox folder to execute search in.
`Subject Filter`	Optional Filter condition that specifies the email subject to search for. This filter uses the `contains` logic.
`Sender Filter`	Optional Filter condition that specifies the sender of requested emails. This filter uses the `equals` logic.
`Time Frame (minutes)`	Optional Filter condition that specifies the timeframe in minutes to search for emails.
`Max Emails To Return`	Optional Number of emails for the action to return. If no value is provided, the API default value is used.
`Only Unread`	Optional If checked, the action searches only for unread emails. Unchecked by default.
`Select All Fields For Return`	Optional If checked, the action returns all available fields for the obtained email. Unchecked by default.
`How many mailboxes to process in a single batch`	Optional The number of mailboxes to process in a single batch (single connection to the mail server). Default value is 25.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	Available
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Action was not able to find any emails based on the specified search criteria.

Output message Message description

Output message	Message description
`Successfully found emails in the following mailboxes: MAILBOX: FOUND_EMAILS_NUMBER` `Mailbox MAILBOX was not found.`	Action succeeded.
`Failed to find any of the provided mailboxes: MAILBOX_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Successfully found emails in the following mailboxes: MAILBOX: FOUND_EMAILS_NUMBER

Mailbox MAILBOX was not found.

Action succeeded.

Failed to find any of the provided mailboxes: MAILBOX_LIST

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Case wall table

Table title: Matching Mails

Columns:

Mail ID
Subject
Sender
Receivers
Received Date

Send Email

Send email from a specific mailbox to an arbitrary list of recipients.

This action can send either plain text or HTML-formatted emails. If permissions allow it, the action can send an email from a mailbox different than the one specified in the integration configuration.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Send From`	Required Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration.
`Subject`	Required Email subject.
`Send to`	Required Comma-separated list of email addresses for the email recipients, such as `user1@example.com, user2@example.com`.
`CC`	Optional Comma-separated list of email addresses for the email CC field. Format is the same as for the `Send to` parameter.
`BCC`	Optional Comma-separated list of email addresses for the email BCC field. Format is the same as for the `Send to` parameter.
`Attachments Paths`	Optional Comma-separated list of paths for file attachments stored on the server, for example, `/FILE_DIRECTORY/file.pdf`, `/FILE_DIRECTORY/image.jpg`.
`Mail Content Type`	Optional Type of the email content. Default value is `Text`. Possible values: `Text` `HTML`
`Mail Content`	Required Email body.
`Reply-To Recipients`	Optional Comma-separated list of recipients to use in the Reply-To header. Note: Use the Reply-To header to redirect reply emails to the specific email address instead of the sender address stated in the From field.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Output message	Message description
`Email was sent successfully.`	Action succeeded.
`Action failed to run because specified attachments were not found: ATTACHMENTS_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Email was sent successfully.

Action succeeded.

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Send Thread Reply

Send a message as a reply to the email thread.

If permissions allow it, the action can send an email from a mailbox other than the one specified in the integration configuration.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Send From`	Required Optional email address from which to send an email if permissions allow it. By default, the email is sent from the default mailbox specified in the integration configuration.
`Mail ID`	Required Email ID to search for.
`Folder Name`	Optional Mailbox folder to execute search in. Default value is `Inbox`.
`Attachments Paths`	Optional Comma-separated list of paths for file attachments stored on the server, for example, `/FILE_DIRECTORY/file.pdf`, `/FILE_DIRECTORY/image.jpg`.
`Mail Content`	Required Email body.
`Reply All`	Optional If checked, the action sends a reply to all recipients related to the original email. Unchecked by default. Note: This parameter has priority over the `Reply To` parameter.
`Reply To`	Optional Comma-separated list of emails to send the reply to. If no value is provided and the `Reply All` checkbox is unchecked, the action only sends a reply to the original email sender. If the `Reply All` checkbox is selected, the action ignores this parameter.

Action outputs

Action output type
Case wall attachment	N/A
Case wall link	N/A
Case wall table	N/A
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Successfully sent reply to the mail with ID: EMAIL_ID Action succeeded.

Output message	Message description
`Successfully sent reply to the mail with ID: EMAIL_ID`	Action succeeded.
`Error executing action "Send Thread Reply". Reason: if you want to send a reply only to your own email address, you need to work with "Reply To" parameter.`	Action failed. Check the `Reply To` parameter value.
`Error executing action "Send Thread Reply" because the provided mail id EMAIL_ID was not found.` `Action failed to run because specified attachments were not found: ATTACHMENTS_LIST` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Error executing action "Send Thread Reply". Reason: if you want
      to send a reply only to your own email address, you need to work with
      "Reply To" parameter.

Action failed.

Check the Reply To parameter value.

Error executing action "Send Thread Reply" because the provided mail id EMAIL_ID was not found.

Action failed to run because specified attachments were not found: ATTACHMENTS_LIST

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Wait For Email From user

Wait for the user's response based on an email sent using the Send Email action.

This action is asynchronous. Adjust the action timeout in the IDE accordingly.

Entities

This action doesn't run on entities.

Action inputs

To configure the action, use the following parameters:

Parameters
`Mail ID`	Required ID of the email. If the email is sent using the `Send Mail` action, select the `SendEmail.JSONResult.id` field as a placeholder.
`Wait for All Recipients to Reply?`	Optional If checked, the action waits for responses from all recipients until either reaching timeout or proceeding with the first reply. Checked by default.
`Wait Stage Exclude pattern`	Optional Regular expression to exclude specific replies from the wait stage. This parameter works with the email body. Example: The action doesn't consider automatic out-of-office messages as recipient replies, instead waiting for an actual user reply.
`Folder to Check for Reply`	Optional Mailbox email folder to search for the user reply in. The search is run in the mailbox which the email containing a question was sent from. This parameter also accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. Default value is `Inbox`.
`Fetch Response Attachments`	Optional If checked and the recipient reply contains attachments, the action fetches the reply and adds it as an attachment for the action result. Unchecked by default.

Action outputs

Action output type
Case wall attachment	Available
Case wall link	N/A
Case wall table	Available
Enrichment table	N/A
JSON result	N/A
Script result	Available

Script result

Script result name	Value
is_success	True/False

Case wall

The action provides the following output messages:

Output message Message description

Output message	Message description
`Found the user EMAIL_RECIPIENT reply: USER_REPLY` `Timeout getting reply from user: EMAIL_RECIPIENT.`	Action succeeded.
`Action failed to receive any replies until timeout.` `Failed to execute action, the error is: ERROR_REASON`	Action failed. Check connection to the server, input parameters, or credentials.

Found the user EMAIL_RECIPIENT reply: USER_REPLY

Timeout getting reply from user: EMAIL_RECIPIENT.

Action succeeded.

Action failed to receive any replies until timeout.

Failed to execute action, the error is:
      ERROR_REASON

Action failed.

Check connection to the server, input parameters, or credentials.

Case wall table

Table title: Matching Mails

Columns:

Mail ID
Received Date
Sender
Recipients
Subject

Case wall attachment

Type: Entity

Attachment content: Title, Filename (extensions included, if any), fileContent.

Title: RECIPIENT_EMAIL reply attachment.
Filename: ATTACHMENT_FILENAME + FILE_EXTENSION
fileContent: CONTENT_OF_THE_ATTACHED_FILE

Connectors

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Microsoft Graph Mail Connector

Fetch emails from the Microsoft Graph mail service.

Use the dynamic list to filter specific values from the email body and subject parts using regular expressions. By default, regular expression is used to filter out the URLs from the email.

Connector parameters

To configure the connector, use the following parameters:

Parameters
`Product Field Name`	Required Name of the field where the product name is stored. Default value is `device_product`.
`Event Field Name`	Required Field name used to determine the event name (subtype). Default value is `event_name`.
`Environment Field Name`	Optional Name of the field where the environment name is stored. If the environment field isn't found, the environment is set to `""`.
`Environment Regex Pattern`	Optional A regular expression pattern to run on the value found in the `Environment Field Name` field. The default value `.*` catches all and returns the value unchanged. This parameter lets you manipulate the environment field using the regular expression logic. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is `""`.
`Script Timeout`	Required The timeout limit (in seconds) for the python process running current script. Default value is 60 seconds.
`Azure AD endpoint`	Required Microsoft Entra endpoint to connect to. Default value is https://login.microsoftonline.com`
`Microsoft Graph Endpoint`	Required Microsoft Graph endpoint to connect to. Default value is `https://graph.microsoft.com`.
`Client ID`	Required For Microsoft 365 OAuth authentication, an Application (Client) ID of the Microsoft Entra app used for the integration.
`Client Secret`	Required For Microsoft 365 OAuth authentication, the client secret provided for the auth flow.
`Tenant (Directory) ID`	Required For Microsoft 365 OAuth authentication, Tenant (Directory) ID of the Microsoft Entra app used for the integration.
`Mail Address`	Required Mail address for the connector to use.
`Folder to check for emails`	Required Email folder to search for the emails. Parameter also accepts a comma-separated list of folders to check the user response in multiple folders. This parameter is case-sensitive. Default value is `Inbox`.
`Offset Time In Hours`	Required Number of hours before now to fetch emails from. Default value is 24 hours.
`Max Emails Per Cycle`	Required Number of emails to fetch per connector iteration. Default value is 10 emails.
`Unread Emails Only`	Optional If checked, cases are created only from unread emails. Unchecked by default.
`Mark Emails as Read`	Optional If checked, emails are marked as read after ingesting. Unchecked by default.
`Disable Overflow`	Optional If checked, the connector ignores the overflow mechanism. Unchecked by default.
`Original Received Mail Prefix`	Optional Prefix to add to the extracted event keys (for example, to, from, or subject) from the original email received in the monitored mailbox. Default value is `orig`.
`Attached Mail File Prefix`	Optional Prefix to add to the extracted event keys (for example, to, from, or subject) from the attached email file received in the monitored mailbox. Default value is `attach`.
`Headers to add to events`	Optional Comma-separated string specifying which email headers to add to events. Provided values can be exact match or set as a regular expression.
`Proxy Server Address`	Optional Address of the proxy server to use.
`Proxy Username`	Optional Proxy username to authenticate with.
`Proxy Password`	Optional Proxy password to authenticate with.
`Create a Separate Siemplify Alert per Attached Mail File`	Optional If checked, the connector creates multiple alerts, with one alert every attached email file. This behavior is useful when processing emails with multiple email files attached and the Google Security Operations SOAR event mapping set to create entities from attached email files. Unchecked by default.
`Case Name Template`	Optional Parameter to set a custom case name. When this parameter is provided, the connector adds a new key called custom_case_name to the Google Security Operations SOAR event. You can provide placeholders in the following format: `[name of the field]`. Example: `Phishing - [event_mailbox]`. Note: For placeholders, the connector uses the first Google Security Operations SOAR event. Only keys containing the string value are handled.
`Alert Name Template`	Optional Parameter to set a custom alert name. You can provide placeholders in the following format: `[name of the field]`. Example: `Phishing - [event_mailbox]`. Note: For placeholders, the connector uses the first Google Security Operations SOAR event. Only keys containing the string value are handled. If you provide no value or an invalid template, the connector uses the default alert name.

Connector rules

The connector supports proxy.