Microsoft Graph Mail v1.1.0

About the connector

Microsoft Graph integrates with Outlook by creating an app to get authorized access to a user's Outlook mail in a personal or organization account.

This document provides information about the Microsoft Graph Mail connector, which facilitates automated interactions with Microsoft Graph APIs using FortiSOAR™ playbooks. Add the Microsoft Graph Mail Connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving all your unread emails from your Microsoft Outlook account, moving an email to a specific folder, and forwarding emails to specified recipients.

You can use FortiSOAR™'s Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling email context from your Outlook mailbox. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.1.0

FortiSOAR™ Version Tested on: 7.2.1-1021

Microsoft Graph API Version Tested on: 1.0

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.1.0

Following enhancements have been made to the Microsoft Graph Mail connector in version 1.1.0:

• Added the ability to ingest data, i.e., create records using emails retrieved from the 'Communication' Module. For more information, see the Data Ingestion Support section.
• Added multiple configurations support for Data Ingestion to ensure that the respective global variables based on the selected configuration are used. Earlier, even when there were multiple configurations, only one global variable was used.
• Migrated the python authentication dependency package from 'adal' to 'msal'.
• Updated the field mapping in Data Ingestion Playbooks for alert records.

Getting Access Tokens

You can get authentication tokens to access the security graph APIs using two methods:

• On behalf of the User – Delegated Permission. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-user
• Without a User - Application Permission. For more information see, https://docs.microsoft.com/en-us/graph/auth-v2-service

Getting Access Tokens using the On behalf of the user – Delegated Permission method

1. Ensure that the required permissions are granted for the registration of the application.
   For example, for a Microsoft Graph User: API/Permission name that should be granted is:
   • User.Read,
   • Mail.ReadWrite
   • Mail.Send
   • Mail.Read of type 'Delegated'.
2. The Redirect URL can be directed to any web application in which you want to receive responses from Azure AD. If you are unsure about what to set as a redirect URL, you can use https://localhost/myapp.
3. Copy the following URL and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with your own tenant ID, client ID, and redirect URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=offline_access User.Read Mail.ReadWrite Mail.Send Mail.Read&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
4. Enter the above link with the replaced values and you will be prompted to grant permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
5. Copy the AUTH_CODE (without the "code=" prefix) and paste it into your instance configuration in the 'Authorization Code' parameter.
6. Enter your client ID in the 'Client ID' parameter field.
7. Enter your client secret in the 'Client Secret' parameter field.
8. Enter your tenant ID in the 'Tenant ID' parameter field.
9. Enter your redirect URL in the 'Redirect URL' parameter field. By default, it is set to https://localhost/myapp.

Getting Access Tokens using the Without a User - Application Permission method

1. Ensure that the required permissions are granted for the registration of the application.
   For example, for a Microsoft Graph User: API/Permission name that should be granted is:
   • User.Read
   • Mail.ReadWrite
   • Mail.Send
   • Mail.Read of type 'Application'
2. Enter your client ID in the 'Client ID' parameter field.
3. Enter your client secret in the 'Client Secret' parameter field.
4. Enter your tenant ID in the 'Tenant ID' parameter field.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-microsoft-graph-mail

Prerequisites to configuring the connector

• You must have acquired authentication tokens to access the security graph APIs using 'Delegated' or 'Application' Permissions. For more information see the Getting Access Tokens section.
• Ensure that host login.microsoftonline.com on port 443 is in the allowlist of your Firewall or Proxy servers.

Minimum Permissions Required

• Not Applicable

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Microsoft Graph Mail connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter	Description
Get Access Token	Select the method using which you will get authentication tokens used to access the security graph APIs. You can choose between On behalf of User – Delegated Permission or Without a User - Application Permission. For more information, see the Getting Access Tokens section.
Server URL	The service-based URL to which you will connect and perform the automated operations.
Application (client) ID	The Unique ID of the Azure Active Directory application that is used to create an authentication token required to access the API.
Application (Client) Secret	The Unique Client Secret of the Azure Active Directory application that is used to create an authentication token required to access the API. For information on how to get the secret key, see https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.
Directory (tenant) ID	The ID of the tenant that you have been provided for your Azure Active Directory instance.
Authorization Code	(Only Applicable to On behalf of User – Delegated Permission) The authorization code that you acquired during the authorization step. For more information, see the Getting Access Tokens using the Delegated Permissions method section.
Redirect URL	(Only Applicable to On behalf of User – Delegated Permission) The redirect_url of your app, where authentication responses can be sent and received by your app. The redirect URL that you specify here must exactly match one of the redirect_urls you have registered in your app registration portal.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Important: If any permission in your Azure App is updated then you must delete the previous configuration or you need to add a new configuration.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function	Description	Annotation and Category
Get Unread Emails	Retrieves all unread emails from your Microsoft Outlook account. You can also mark the retrieved Unread emails as 'Read'.	get_unread_emails Investigation
Search Emails	Runs a query in your Outlook account and searches for emails, based on input parameters, such as folder name or path, the user's ID or email address, Odata query, etc you have specified	search_emails Investigation
Get Folders	Retrieves a collection of folders under the root (Top of information store) folder from your Outlook account based on the user's ID or email address you have specified.	get_folders Investigation
Get Child Folders	Retrieves the list of child folders under the specified folder from your Outlook account based on the user's ID or email address and the parent folder ID or path you have specified.	get_child_folders Investigation
Move Email	Moves an email to a specified folder in your Outlook account based on the message ID, the user's ID or email address, and the destination folder you have specified.	move_email Miscellaneous
Copy Email	Copies an email to a specified folder in your Outlook account based on the message ID, the user's ID or email address, and the destination folder you have specified.	copy_email Miscellaneous
Delete Email	Deletes a specific email message in the specified user's mailbox based on the message ID, the user's ID or email address, and the source folder you have specified.	delete_email Investigation
Send Email	Sends an email mail to specified recipients from your Outlook account based on the recipient's email addresses, subject of the email, email content, etc you have specified.	send_email Investigation
Forward Email	Forwards a specific email message to specified recipients from your Outlook account based on the recipient's email addresses, message ID, and email content you have specified.	forward_email Investigation
Send Mail as Reply	Sends a mail as a reply to a specific email message to specified recipients in your Outlook account based on the message ID, recipient's email addresses, subject of the email, email content, etc you have specified.	send_email_as_reply Investigation

operation: Get Unread Emails

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or User Principal Name (usually an email address) using which you want to retrieve unread emails from your Microsoft Outlook account.
Source Folder	Select the source of the folder from which you want to retrieve unread emails from your Microsoft Outlook account. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the folder from which you want to retrieve emails. If you want to retrieve emails from a nested folder, then you need to specify folder IDs in the Parent_folder_id/child_folder_id format. If you choose 'Folder Path', then in the Folder Path field, specify the mailbox from which you want to retrieve emails. If you want to retrieve emails from the parent level folder, then you only need to specify the name of the parent folder, for example, Inbox. If you want to retrieve emails from a child folder, then you need to specify the folder path. For example, to retrieve emails from the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Mark as Read	Select this option, i.e., set it to True (default), to mark all the retrieved unread emails from your Microsoft Outlook account as Read. By default, this is set to True.
Parse Inline Images	Select this option, i.e., set it to True, to retrieve the body of the emails including inline images from your Microsoft Outlook account. By default, this is set to False (option is unchecked).
Save Email	Select this option, i.e., set it to True, to save the retrieved email as a file in the 'Attachments' module. By default, this is set to False (option is unchecked).
Limit	(Optional) The maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all unread emails based on your filter criterion will be included in the output of this operation. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
"id": "",
"body": {
"content": "",
"contentType": ""
},
"flag": {
"flagStatus": ""
},
"from": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isRead": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isDraft": "",
"replyTo": [],
"subject": "",
"webLink": "",
"changeKey": "",
"categories": [],
"importance": "",
"@odata.etag": "",
"attachments": [
{
"id": "",
"name": "",
"size": "",
"filename": "",
"isInline": "",
"contentId": "",
"@odata.type": "",
"contentType": "",
"contentLocation": "",
"lastModifiedDateTime": "",
"@odata.mediaContentType": ""
}
],
"bodyPreview": "",
"ccRecipients": [],
"sentDateTime": "",
"toRecipients": [
{
"emailAddress": {
"name": "",
"address": ""
}
}
],
"bccRecipients": [],
"conversationId": "",
"hasAttachments": "",
"parentFolderId": "",
"createdDateTime": "",
"receivedDateTime": "",
"conversationIndex": "",
"internetMessageId": "",
"email_as_attachment": {},
"lastModifiedDateTime": "",
"isReadReceiptRequested": "",
"inferenceClassification": "",
"isDeliveryReceiptRequested": ""
}

operation: Search Emails

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or Principal Name (usually an email address) whose mailbox you want to search for emails.
Source Folder	Select the source of the folder that you want to search for emails in your Microsoft Outlook account. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the folder where you want to search for emails. If you want to search for emails from a nested folder, then you need to specify folder IDs in the Parent_folder_id/child_folder_id format. If you choose 'Folder Path', then in the Folder Path field, specify the mailbox where you want to search for emails. If you want to search for emails from the parent level folder, then you only need to specify the name of the parent folder, for example, Inbox. If you want to search for emails from a child folder, then you need to specify the folder path. For example, to search for emails from the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Odata Query	Specify the OData query using which you want to filter the emails from your Outlook account. Note: The query parameter '$filter' is not supported when using the 'Search' parameter. For more information, see Odata Query Parameters.
Search	Specify the search string using which you want to search for emails in your Outlook account. For more information, see Search Parameters.
Mark as Read	Select this option, i.e., set it to True, to mark the unread emails that are searched and retrieved from your Microsoft Outlook account as Read. By default, this is set to False (option is unchecked).
Parse Inline Images	Select this option, i.e., set it to True, to search and retrieve the body of the emails including inline images from your Microsoft Outlook account. By default, this is set to False (option is unchecked).
Limit	(Optional) The maximum number of emails, based on your filter criterion, you want to include in the result of this operation. By default, this is set to 20.

Output

The output contains the following populated JSON schema:
{
"id": "",
"body": {
"content": "",
"contentType": ""
},
"flag": {
"flagStatus": ""
},
"from": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isRead": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isDraft": "",
"replyTo": [],
"subject": "",
"webLink": "",
"changeKey": "",
"categories": [],
"importance": "",
"@odata.etag": "",
"attachments": [
{
"id": "",
"name": "",
"size": "",
"filename": "",
"isInline": "",
"contentId": "",
"@odata.type": "",
"contentType": "",
"contentLocation": "",
"lastModifiedDateTime": "",
"@odata.mediaContentType": ""
}
],
"bodyPreview": "",
"ccRecipients": [],
"sentDateTime": "",
"toRecipients": [
{
"emailAddress": {
"name": "",
"address": ""
}
}
],
"bccRecipients": [],
"conversationId": "",
"hasAttachments": "",
"parentFolderId": "",
"createdDateTime": "",
"receivedDateTime": "",
"conversationIndex": "",
"internetMessageId": "",
"lastModifiedDateTime": "",
"isReadReceiptRequested": "",
"inferenceClassification": "",
"isDeliveryReceiptRequested": ""
}

operation: Get Folders

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or Principal Name (usually an email address) from whose mailbox you want to retrieve folders from Outlook.
Limit	(Optional) The maximum number of folders you want to include in the result of this operation. By default, this is set to 100.

Output

The output contains the following populated JSON schema:
{
"id": "",
"displayName": "",
"sizeInBytes": "",
"parentFolderId": "",
"totalItemCount": "",
"unreadItemCount": "",
"childFolderCount": ""
}

operation: Get Child Folders

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or Principal Name (usually an email address) from whose mailbox you want to retrieve child folders.
Source Folder	Select the source of the parent folder from which you want to retrieve child folders from your Microsoft Outlook account. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the parent folder from which you want to retrieve child folders. If you want to retrieve child folders from a nested folder, then you need to specify folder IDs in the Parent_folder_id/child_folder_id format. If you choose 'Folder Path', then in the Folder Path field, specify the parent folder from which you want to retrieve child folders. If you want to return child folders from nested folders, then you need to specify the folder path. For example, to return child folders of the 'Phishing' folder that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Limit	(Optional) The maximum number of child folders you want to include in the result of this operation. By default, this is set to 100.

Output

The output contains the following populated JSON schema:
{
"id": "",
"displayName": "",
"sizeInBytes": "",
"parentFolderId": "",
"totalItemCount": "",
"unreadItemCount": "",
"childFolderCount": ""
}

operation: Move Email

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or User Principal Name (usually an email address) whose email you want to move to the specified folder in Outlook.
Destination Folder	Select the destination folder in which you want to move the specified email. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the folder to which you want to move the specified email. If you choose 'Folder Path', then in the Folder Path field, specify the mailbox to which you want to move the specified email. If you want to move the email to a parent-level folder, then you only need to specify the name of the parent folder, for example, Inbox. If you want to move the email to a child folder, then you need to specify the folder path. For example, to move the email to the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Message ID	The ID of the message that you want to move into the specified folder in Outlook.

Output

The output contains the following populated JSON schema:
{
"id": "",
"body": {
"content": "",
"contentType": ""
},
"flag": {
"flagStatus": ""
},
"from": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isRead": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isDraft": "",
"replyTo": [],
"subject": "",
"changeKey": "",
"categories": [],
"importance": "",
"@odata.etag": "",
"bodyPreview": "",
"ccRecipients": [],
"sentDateTime": "",
"toRecipients": [
{
"emailAddress": {
"name": "",
"address": ""
}
}
],
"bccRecipients": [],
"@odata.context": "",
"conversationId": "",
"hasAttachments": "",
"parentFolderId": "",
"createdDateTime": "",
"receivedDateTime": "",
"conversationIndex": "",
"internetMessageId": "",
"lastModifiedDateTime": "",
"isReadReceiptRequested": "",
"inferenceClassification": "",
"isDeliveryReceiptRequested": ""
}

operation: Copy Email

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or Principal Name (usually an email address) whose email you want to copy to the specified folder in Outlook.
Destination Folder	Select the destination folder in which you want to copy the specified email. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the folder to which you want to copy the specified email. If you choose 'Folder Path', then in the Folder Path field, specify the mailbox to which you want to copy the specified email. If you want to copy the email to a parent-level folder, then you only need to specify the name of the parent folder, for example, Inbox. If you want to copy the email to a child folder, then you need to specify the folder path. For example, to copy the email to the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Message ID	The ID of the message that you want to copy into the specified folder in Outlook.

Output

The output contains the following populated JSON schema:
{
"id": "",
"body": {
"content": "",
"contentType": ""
},
"flag": {
"flagStatus": ""
},
"from": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isRead": "",
"sender": {
"emailAddress": {
"name": "",
"address": ""
}
},
"isDraft": "",
"replyTo": [],
"subject": "",
"changeKey": "",
"categories": [],
"importance": "",
"@odata.etag": "",
"bodyPreview": "",
"ccRecipients": [],
"sentDateTime": "",
"toRecipients": [
{
"emailAddress": {
"name": "",
"address": ""
}
}
],
"bccRecipients": [],
"@odata.context": "",
"conversationId": "",
"hasAttachments": "",
"parentFolderId": "",
"createdDateTime": "",
"receivedDateTime": "",
"conversationIndex": "",
"internetMessageId": "",
"lastModifiedDateTime": "",
"isReadReceiptRequested": "",
"inferenceClassification": "",
"isDeliveryReceiptRequested": ""
}

operation: Delete Email

Input parameters

Parameter	Description
User ID/User Principal Name	The User ID or Principal Name (usually an email address) whose email you want to delete from Outlook.
Source Folder	Select the source folder from which you want to delete the specified email. To specify a source, you can choose between 'Folder ID' or 'Folder Path'. If you choose 'Folder ID', then in the Folder ID field, specify the ID of the folder from which you want to delete the specified email. If you want to delete the email from a nested folder, then you need to specify folder IDs in the Parent_folder_id/child_folder_id format. If you choose 'Folder Path', then in the Folder Path field, specify the mailbox from which you want to delete the specified email. If you want to delete the email from a parent-level folder, then you only need to specify the name of the parent folder, for example, Inbox. If you want to delete the email from a child folder, then you need to specify the folder path. For example, to delete an email from the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field.
Message ID	The ID of the message that you want to delete from the specified folder in Outlook.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Send Email

Input parameters

Parameter	Description
From	The email address from which you want to send the email.
Subject	(Optional) The subject of the email message that you want to send from your Outlook account.
To Recipients	Email IDs of the members to whom you want to send the email message from your Outlook account. You must add the email IDs in the CSV or list format. For example, abc@xyz.com, def@lmn.com Important: You must specify email ID(s) in at least one of the following fields: To Recipients, Cc Recipients, or Bcc Recipients.
Cc Recipients	Email IDs of the members to be added to the Cc list of the email message that you want to send from your Outlook account. You must add the email IDs in the CSV or list format.
Bcc Recipients	Email IDs of the members to be added to the Bcc list of the email message that you want to send from your Outlook account. You must add the email IDs in the CSV or list format.
Body	(Optional) Message or content of the email that you want to send from your Outlook account. Note: Drag and drop images to add inline images to your email.
Attachment IRIs	(Optional) List of IRI ID(s) of the file(s) that you want to attach to the email that you want to send from your Outlook account. IRI IDs are used to access files from the FortiSOAR 'Attachments' module. You must add the Attachment IRIs in the CSV or list format.
Flag	(Optional) Select the flag value to set the 'Status' of the specified email that you want to send from your Outlook account. You can choose between the following options: Complete, Flagged, or Not Flagged.
Importance	(Optional) Select the importance value to set the 'Importance' of the specified email that you want to send from your Outlook account. You can choose between the following options: Low, Normal, or High.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Forward Email

Input parameters

Parameter	Description
To Recipients	Email IDs of the members to whom you want to forward the email message from your Outlook account. You must add the email IDs in the CSV or list format. For example, abc@xyz.com, def@lmn.com
From Recipients	The email address from which you want to forward the email.
Message ID	The ID of the email message that you want to forward to the specified recipient's addresses.
Body	(Optional) Message or content of the email that you want to add while forwarding the same from your Outlook account.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

operation: Send Mail as Reply

Input parameters

Parameter	Description
Message ID	The ID of the email message to which you want to send a reply.
From Recipients	The email address from which you want to reply to the specified email.
To Recipients	(Optional) Email IDs of the members to whom you want to send the reply email from your Outlook account. You must add the email IDs in the CSV or list format. For example, abc@xyz.com, def@lmn.com Important: You must specify email ID(s) in at least one of the following fields: To Recipients, Cc Recipients, or Bcc Recipients.
Cc Recipients	Email IDs of the members to be added to the Cc list of the email message that you want to send a reply email from your Outlook account. You must add the email IDs in the CSV or list format.
Bcc Recipients	Email IDs of the members to be added to the Bcc list of the email message that you want to send a reply email from your Outlook account. You must add the email IDs in the CSV or list format.
Body	(Optional) Message or content of the email that you want to send as a reply from your Outlook account.
Attachment IRIs	(Optional) List of IRI ID(s) of the file(s) that you want to attach to the reply email that you want to send from your Outlook account. IRI IDs are used to access files from the FortiSOAR 'Attachments' module. You must add the Attachment IRIs in the CSV or list format.

Output

The output contains the following populated JSON schema:
{
"status": "",
"message": ""
}

Included playbooks

The Sample - Microsoft Graph Mail - 1.1.0 playbook collection comes bundled with the Microsoft Graph Mail connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Microsoft Graph Mail connector.

• Copy Email
• Delete Email
• Forward Email
• Get Child Folders
• Get Folders
• Get Unread Emails
• Move Email
• > MS Graph Mail > Extract and Link File Indicator
• > MS Graph Mail > Fetch
• MS Graph Mail > Ingest
• > MS Graph Mail > Process Email
• Search Emails
• Send Email
• Send Mail as Reply

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to quickly ingest data into FortiSOAR™ by pulling email content from your Outlook account. Currently, email content ingested from Outlook is mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Outlook email content to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Outlook into FortiSOAR™. It also lets you pull some sample data from Outlook using which you can define the mapping of data between Outlook and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to email content from Outlook.

1. To begin configuring data ingestion, click Configure Data Ingestion on the Microsoft Graph Mail connector’s "Configurations" page.
   Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
   
   Sample data is required to create a field mapping between the Outlook email data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
2. On the Fetch Data screen, provide the configurations required to fetch email data from Outlook.
   In the User ID/User Principal Name field, specify the user ID or email address of the user from whose mailbox you want to retrieve the emails. In the Folder ID/Path field, specify the folder from which you want to retrieve emails. By default, this is set as Inbox. In case you want to retrieve emails from nested folders, then you need to specify the folder path. For example, to retrieve emails from the 'Phishing' mailbox that is present within the 'Inbox folder', enter Inbox/Phishing in this field. In the Fetch Mail in Last X Minutes field enter the number of minutes from when you want to fetch emails from Outlook.
   You can also specify the OData Query that is used to filter emails retrieved from Outlook based on the specified query and the Limit that specifies the maximum number of emails (default is set as 20) to retrieve from Outlook.
   Select the Use Unified Communications checkbox to create records in the 'Communication' module using the retrieved emails. Unified communication also allows communication with external entities, for example, other SOC teams using emails, instant messaging, etc. from within an alert record generated in FortiSOAR™. For "Unified Communications" to work, you must install and configure the SOAR Framework Solution Pack on your FortiSOAR™ instance. For more information on the SOAR Framework Solution Pack see the SOAR Framework Solution Pack documentation.
   
   Once you have completed specifying the configurations, click Fetch Data.
3. On the Field Mapping screen, map the fields of an email ingested from Outlook to the fields of an alert present in FortiSOAR™.
   To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the from parameter of an email ingested from Outlook to the Email From parameter of a FortiSOAR™ alert, click the Email From field and then click the from field to populate its keys.
   
   For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping the fields, click Save Mapping & Continue.
4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Outlook, so that the content gets pulled from the Outlook integration into FortiSOAR™.
   On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
   In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull data from Microsoft Graph Mail every morning at 5 am, click Daily, and in the hour box enter 5 and in the minute box enter 0
   
   Once you have completed scheduling, click Save Settings & Continue.
5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.