Fortinet black logo

Exchange v4.0.0

Copy Link
Copy Doc ID 8ecbfbd6-f232-11ec-bb32-fa163e15d75b:295

About the connector

The Exchange connector provides a robust, platform-independent, and simple interface for communicating with Microsoft Exchange 2007-2016 Server or Office 365 using Exchange Web Services (EWS).

This document provides information about the Exchange connector, which facilitates automated interactions, with an Exchange server using FortiSOAR™ playbooks. Add the Exchange connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving unread emails, moving or deleting emails from the Exchange server, sending an email from the Exchange server, or running a query on the Exchange server based on the parameter (s) that you have specified.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling email content from Exchange. Currently, the email content ingested from Exchange is mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 7.2.0-914

Exchange Version Tested on: Microsoft Exchange 2007-2016 Server or Office 365

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

The following enhancements and bugs have been made to the Exchange Connector in version 4.0.0:

  • Added support for a modern authentication method, i.e., the OAuth method.
    IMPORTANT: The Exchange connector no longer supports Basic Authentication as Office 365 no longer supports Basic auth. Microsoft announced that starting October 1, 2022, basic authentication is disabled for Outlook, EWS, RPS, POP, IMAP, and EAS protocols in Exchange Online. For more information, see the Deprecation of Basic authentication in Exchange Online article.
  • Added the following new configuration parameters on the Connector Configuration page:
    • Authentication Method
    • Access Type
    • Tenant ID
    • Client ID
    • Client Secret
    • Authorization Code

Important: Exchange 4.x.x will NOT work with version FortiSOAR 4.12.x and earlier. This is because exchangelib==3.1.0 requires Python '>=3.5' but version 4.12.x has an earlier Python version.

Registering a new application using the Microsoft Azure Portal

  1. Sign in to the Azure Portal.
  2. From the left-hand navigation menu, select the Azure Active Directory service.
  3. Select App registrations > +New registration.
  4. On the Register an application page, enter the following details and then click the Register button:
    • Name: Specify the name for the application.
    • From the Supported account types options, select the Account in any organizational directory (any Azure Active Directory – multitenant option.
    • Redirect URI: Specify the redirect URL for the application. The authentication response to this URI will be returned after the user is successfully authenticated. For example localhost.
  5. After you have successfully created the application, you need to assign permissions to the application. There are two ways to assign permissions:
    1. Using Manual Steps:
      1. From the left-hand navigation menu, select API permission, and then click + Add Permission.
      2. On the Request API permissions page, select API my organization uses. Type "Office" in the search bar, and select Office 365 Exchange Online.

        Once you select Office 365 Exchange Online, two types of permissions are displayed, Delegated permissions and Application permissions.
        Delegated permissions: are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app can act as the signed-in user when making API calls.
        Application permissions: are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons, and can access multiple mailboxes. Select Delegated permissions or Application permissions based on your requirement.
        1. To set Application Permissions for the app, do the following:
          1. Select full_access_as_app permission from the Other permissions option, as shown in the following image:
          2. Permissions must be granted by the administrator or user after permissions are successfully assigned as shown in the following image:

            After permissions are successfully granted, you can view the permission status, as shown in the following image:
        2. To set Delegated Permissions for the app, do the following:
          1. Select EWS.AccessAsUser.All permission from the EWS permissions option, as shown in the following image:
          2. Permissions must be granted by the administrator or user after permissions are successfully assigned as shown in the following image:

            After permissions are successfully granted, you can view the permission status, as shown in the following image:
    2. Using or Managing Manifest File: See https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

Getting the Authorization Code

  1. Gather information for the following parameters:
  2. Get the authorization code by using your web browser to browse to the following URL. Replace the fields in the following URL example with your values.
    https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?response_type=code&scope=offline_access
    https://outlook.office365.com/EWS.AccessAsUser.All&client_id=<client-id>&response_mode=query&grant_type=authorization_code

    Replace:
    <tenant-id> with the registered application’s tenant ID.
    <client-id> with the registered application’s client ID
    Note: The above URL must be sent as a single line; line breaks have been added to the following URL for readability. For more information, see Request an authorization code.
  3. Paste the URL as a single line into your web browser and, if prompted, sign in to Azure.
  4. The URL returns the authorization code in the code field. Save the authorization code in a secure location.
    The full returned URL looks as shown in the following image, with the full code field value, 0.ASkAIj...RxgFhSAA, shortened for brevity:
  5. Copy the authorization code from to the equal to (=) sign and without the "code=" prefix, till the “&session_state” and paste it into your instance configuration in the 'Authorization Code' parameter.
    For example, http://localhost/?code=0.ASkAIj...RxgFhSAA&session_state=c44574d5-38ba-4f93-b2a3-a830db8e8cdf
    In the 'Authorization Code' parameter, enter only the bold text, i.e., 0.ASkAIj...RxgFhSAA

Getting the Client's Secret

After you have successfully assigned permissions to the application, create the client's secret:

  1. Sign in to the Azure Portal.
  2. From the left-navigation menu, select Certificates & secrets > + New client secret.
  3. On the Add a client secret page, add the description of the app and the duration of the expiration of the secret and then click Add.
    The Certificates & secrets will display the value of the secret for the application:

    Important: The value of the client's secret is visible only initially, so do not forget to store the value of the secret.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-exchange

Upgrade Notes

  • Before you begin upgrading your Exchange connector, you should stop the 'Listener'. You can restart the Listener once your Exchange connector is upgraded. To stop the listener, clear the Enable Email Notification Service checkbox on the configuration page of the Exchange connector. For more information on the Exchange connector's configuration parameters, see the Configuration Parameters section.
  • If the "Communication Module", which is part of the SOAR Framework Solution Pack, is not installed, then upgrading the connector from a version prior to 3.4.3 and that that is enabled with the 'Listener' to version 3.4.3 and later, requires you to modify the Set Variable step in the ">Exchange > Fetch" playbook to set the use_communications variable to false as shown in the following image:

    For more information on the "Communications Module" and Use Unified Communications parameter, see the Data Ingestion Support section.

Prerequisites to configuring the connector

  • You must have the hostname of the Exchange server to which you will connect and perform the automated operations required credentials based on the selected authentication method.
  • You must open port 993 (IMAP) on the firewall to allow communication between FortiSOAR™ and the Exchange server.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Exchange Server.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Exchange connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Exchange

There are two types of MS Exchange solutions: hosted and cloud. Choose Office365 if you have the cloud services of Exchange or choose On-Premises if you have the hosted services of Exchange.
Note: Notification services will work on both cloud and on-premise solutions.
If you choose On-Premises, then you must specify the following parameters:

  • Protocol: The protocol that will be used to communicate with the Exchange server/Office 365 server. Choose either http or https.
    By default, this is set to https.
  • Host: Hostname of the Exchange server to which you will connect and perform the automated operations.
  • Username: Username to access the Exchange server/Office 365 server.
    For Exchange, add the username in the format: Domain\Username.
  • Password: Password to access the Exchange server.
  • Email Address: Email address of your Exchange server.
  • Access Type: (Optional) Access type for the user. You can choose between Delegate or Impersonation.
    By default, this is set as Delegate.
    If you select Impersonation, then ensure that in the Email Address field, you specify the email address that has been granted Impersonation rights. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.

If you choose Office365, then you must specify the following parameters:

  • Protocol: The protocol that will be used to communicate with the Exchange server/Office 365 server. Choose either http or https.
    By default, this is set to https.
  • Host: Hostname of the Exchange server to which you will connect and perform the automated operations.
    Note: For Office365 and outlook.live.com, add the host as outlook.office365.com.
  • Authentication Method: The method used for authentication. You can choose between OAUTH (recommended) or NTLM/Basic Authentication (Deprecated).
    • If you choose OAUTH, then you must specify the following parameters:
      • Access Type: Select the access type for the user. You can choose between "On behalf of User - Delegated Permission" or "Without a User - Application Permission". By default, this is set as "Without a User - Application Permission".
        The 'Without a User - Application Permission' flow refers to a process in which there is no user sign-in; instead, the administrator provides consent on behalf of all user's inboxes in a given tenant. Azure applications require 'full_app' permissions for granting your admin's consent.
        The 'On behalf of User - Delegated Permission' flow refers to a process in which users access the mailbox using the signed-in users' consent.
        For more information on permissions and registering an app with Azure, see the Registering a new application using the Microsoft Azure Portal section.
        • If you choose 'Without a User - Application Permission', then you must specify the following parameters:
          • Tenant ID: ID of the tenant that you have been provided for your application in the Azure instance.The tenant ID can be 'common', 'organizations', 'consumers', or tenant identifiers.
          • Client ID: Unique ID of the Azure application that is used to create an authentication token required to access the API. The client ID comes from registering the application with the Microsoft Azure portal. It is in the UUID format.
          • Client Secret: Unique Client Secret of the Azure application that is used to create an authentication token required to access the API. Sometimes called an application password, the client secret is set from the 'Certificates & Secrets' section of the Microsoft Azure portal.
          • Email Address: Email address of your Exchange server.
        • If you choose 'On behalf of User - Delegated Permission', then you must specify the following parameters:
          • Tenant ID: ID of the tenant that you have been provided for your application in the Azure instance.The tenant ID can be 'common', 'organizations', 'consumers', or tenant identifiers.
          • Client ID: Unique ID of the Azure application that is used to create an authentication token required to access the API. The client ID comes from registering the application with the Microsoft Azure portal. It is in the UUID format.
          • Client Secret: Unique Client Secret of the Azure application that is used to create an authentication token required to access the API. Sometimes called an application password, the client secret is set from the 'Certificates & Secrets' section of the Microsoft Azure portal.
          • Email Address: Email address of your Exchange server.
          • Authorization Code: The authorization code that you acquired during the authorization step. For more information on how to get the Authentication code, see the Getting the Authorization Code section.
    • If you choose NTLM/Basic Authentication (DEPRECATED), then you must specify the following parameters:
      • Username: Username to access the Exchange server/Office 365 server.
        For Exchange, add the username in the format: Domain\Username.
      • Password: Password to access the Exchange server.
      • Email Address: Email address of your Exchange server.
      • Access Type: (Optional) Access type for the user. You can choose between Delegate or Impersonation.
        By default, this is set as Delegate.
        If you select Impersonation, then ensure that in the Email Address field, you specify the email address that has been granted Impersonation rights. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Use Autodiscover An alias account will work for the given account details.
Defaults to False.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
Defaults to True.
Enable Email Notification Service Select this option, i.e., set it to True (default) to set up a listener that would instantly notify FortiSOAR™ whenever a new email arrives in the mailbox.
Once you select this option, the following parameters get populated:
  • Folder Path to Monitor: Path of the mailbox that you want the listener to monitor. By default, this is set to the user's 'Inbox'; however, it can be changed to any folder by entering the path of that folder in this field. For example, to monitor a 'Phishing' mailbox that is present within 'Inbox', you can enter Inbox/Phishing in this field.
    From version 4.0.0 onwards, you can configure multiple folders that you want the listener to monitor in the same mailbox, by providing appropriate values i.e., the path(s) of the folder within the same mailbox that you want the listener to monitor in the "Folder Path to Monitor" field. For example, to monitor the Inbox mailbox and the Phishing and Analysis mailboxes within the Inbox mailbox specify Inbox, Inbox/Phishing, Inbox/Analysis in the "Folder Path to Monitor" field.
    Important: The name that you provide for the mailbox that you want to monitor must be unique. The listener will work only when the folder name is unique.
    Note: If you have configured the listener for a custom folder and not the 'Inbox', then you must update the source and source_folder variables in the Set Variable step of the "> Exchange > Fetch" playbook from 'Inbox' to the custom folder. You require to enter the "Custom Folder" string in the source field and the name of the folder in the source_folder field. For example, if you want to monitor the "Inbox/Phishing" mailbox, then you need to enter Inbox/Phishing in the source_folder field. This is required for retrieving unread emails from the custom folder.
    An example screenshot follows:
  • Listener Port: Port on which you want to start the listener.
    Note: This port is used for communication between FortiSOAR™ and the Exchange notification service process. 10011 is the default port number. You can specify any unused port number if the default port is unavailable. You can also use a similar port number for multiple Exchange connector configurations as the Exchange notification service process is capable of communicating with multiple Exchange servers.
  • Playbook Trigger: The API endpoint used to trigger the playbook
    Note: The playbook authentication method should be set as HMAC.

Important: For more information on performing data ingestion for Exchange on an agent or using the listener-based ingestion on an agent, see the Data Ingestion Support section.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Unread Emails Gets all unread emails from your Exchange account. You can also mark the retrieved Unread emails as Read. get_email_new
Investigation
Create Calendar Event Creates an event in a calendar on the Exchange Server, based on input parameters, such as subject, from date, and to date, you have specified. create_event
Investigation
Get Calendar Events Gets events from the calendar on the Exchange server, based on the filter criteria, such as subject, from time, and to time, you have specified. get_events
Investigation
Get Contacts Retrieves the list of contacts from the mailbox associated with your Exchange account. get_contacts
Investigation
Delete Email Deletes an email from a specified folder in your Exchange account, based on the input parameters, such as message ID and delete type, you have specified. delete_email
Investigation
Mark Email as Read Marks an unread email as read in your Exchange account, based on the message ID you have specified. mark_as_read
Investigation
Move Email Moves an email from a specified folder to a specified folder, based on the message ID and the source and destination folder you have specified. move_email
Miscellaneous
Copy Email Copy an email from a specified folder to a specified folder, based on the message ID and the source and destination folder you have specified. copy_email
Miscellaneous
Search Email Runs a query in your Exchange account and searches emails, based on input parameters, such as folder name, email address, body, and subject, that you have specified. search_query
Investigation
Send Email Sends an email from your Exchange account. send_email
Investigation
Get Folder Metadata Retrieves the count of all the emails, including unread emails and subfolder details, from your Exchange account for the folder you have specified. get_folder_metadata
Investigation
Get Unread Emails (Deprecated) Gets all unread emails from your Exchange account. You can also mark the retrieved Unread emails as Read.
Important: This operation has been retained since the new Get Unread Emails has an updated output schema. If you have used this operation earlier in an existing playbook, then the playbook would fail if this operation is removed.
get_email
Investigation
Add Category Assigns categories to an email in your Exchange account based on the message ID and categories that you have specified. add_category
Containment
Get Category Retrieves categories associated with the specified email in your Exchange account based on the message ID that you have specified. get_category
Investigation
Remove Category Removes categories from an email in your Exchange account based on the message ID and categories that you have specified. remove_category
Investigation

operation: Get Unread Emails

Input parameters

Parameter Description
Source Select the source folder from which you want to retrieve unread emails from your Exchange account. You can choose from All, Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select All, then this operation will search for emails across all folders associated with your Exchange account.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.
Mark as Read Select this option, i.e., set it to True (default), to retrieve the unread emails from the Exchange account and also marks these emails as Read.
By default, this is set to True.
Pull Oldest First Select this option, i.e., set it to True to retrieve the oldest unread email first from the Exchange account, i.e., if this operation is checked, then the unread emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Limit (Optional) Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the unread emails including inline images, from the Exchange account. By default, this is set to False (option is unchecked).
Save Email Select this option, i.e., set it to True (default) to save the email as a file in the Attachments module.
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the unread emails, if the type of the attachment is eml or msg.
Exclude Absolute Path in Output Select this checkbox if you want to exclude the absolute path from this operation's output. This helps improving the performance of connector operations especially in case of large mailboxes. By default, this checkbox is unchecked.

Output

The JSON contains details of all the unread emails retrieved from the Exchange server.

The output contains the following populated JSON schema:
{
"epilogue": "",
"attachment_files": [],
"body": {
"html": "",
"text": "",
"json": ""
},
"preamble": "",
"headers": {
"x-received": "",
"mime-version": "",
"message-id": "",
"x-exchange-antispam-report-test": "",
"x-exchange-antispam-report-cfa-test": "",
"x-ms-office365-filtering-correlation-id": "",
"x-ms-exchange-crosstenant-network-message-id": "",
"x-microsoft-exchange-diagnostics": [],
"x-ms-exchange-crosstenant-id": "",
"x-ms-exchange-crosstenant-fromentityheader": "",
"spamdiagnosticmetadata": "",
"x-gm-message-state": "",
"spamdiagnosticoutput": "",
"to": "",
"x-microsoft-antispam": "",
"subject": "",
"from": "",
"received": [],
"x-ms-exchange-crosstenant-originalarrivaltime": "",
"x-microsoft-antispam-message-info": [],
"authentication-results": "",
"x-ms-publictraffictype": "",
"received-spf": "",
"x-ms-traffictypediagnostic": "",
"x-ms-exchange-transport-crosstenantheadersstamped": "",
"sender": "",
"x-ms-exchange-organization-authsource": "",
"x-ms-exchange-organization-messagedirectionality": "",
"x-ms-exchange-organization-scl": "",
"auto-submitted": "",
"x-forefront-antispam-report": "",
"x-eoptenantattributedmessage": "",
"dkim-signature": [],
"x-google-smtp-source": "",
"reply-to": "",
"x-ms-exchange-processed-by-bccfoldering": "",
"x-google-dkim-signature": "",
"x-ms-exchange-organization-authas": "",
"content-type": "",
"x-ms-exchange-organization-network-message-id": "",
"return-path": "",
"x-eopattributedmessage": "",
"x-ms-exchange-transport-endtoendlatency": ""
},
"item_id": "",
"attachments": [
{
"file": "",
"metadata": {
"sha256": "",
"content_length": "",
"content_type": "",
"sha1": "",
"filename": "",
"md5": ""
},
"json": "",
"text": ""
}
],
"email_as_attachment": "",
"folder_path": "",
"parsed_attachment_data": []
}

operation: Create Calendar Event

Input parameters

Parameter Description
Subject Subject line of the event that you want to create on the Exchange server.
Start Date Start date and time of the event that you want to create on the Exchange server.
End Date End date and time of the event that you want to create on the Exchange server.
Required Attendees Email IDs of the members who are required to attend the event. You must add the email IDs in the CSV or list format.
For example, @xyz.com, def@lmn.com
Optional Attendees (Optional) Email IDs of the optional members who can attend the event. You must add the email IDs in the CSV or list format.
Body (Optional) Details of the event that you want to create on the Exchange server.
Location (Optional) Location of the event that you want to create on the Exchange server.
Categories (Optional) Category of the event that you want to create on the Exchange server. You must add the categories in the CSV or list format.
For example, Blue category, Green Category, etc.
Show As (Optional) Status of the attendees when they are attending this event. You can choose one of the following options: Free, Working elsewhere, Tentative, Busy, or OOF.
Reminder (Optional) Time before the event starts when you want to set a reminder for the attendees. You can choose one of the following options: 0 minutes, 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, 2 hour, 3 hour, 4 hour, 8 hour, 12 hour, 1 day, 2 day, 3 day, 1 week, or 2 week.
Is All Day If you select this option, i.e., set it to True, then this sets the event as a full-day event.
By default, this is set to False.
Is Private If you select this option, i.e., set it to True, then this sets the event as a private event, and it can be viewed only by its attendees.
By default, this is set to True.

Output

The JSON output contains the status of the create calendar event operation. The JSON output returns a Success message if the calendar event is successfully added on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Get Calendar Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Subject Subject text based on which you want to filter events on the Exchange server.
From Time Start date and time from when you want to retrieve events from the Exchange server.
To Time End date and time till when you want to retrieve events from the Exchange server.

Output

The JSON output contains the retrieved events from the calendar on the Exchange server, based on the input parameters you have specified.

The output contains the following populated JSON schema:
{
"Organizer": "",
"Importance": "",
"Required attendees": [],
"End": "",
"Attachments": [
{
"size": "",
"Name": "",
"content_type": ""
}
],
"Legacy status": "",
"Location": "",
"Reminder minutes before start": "",
"Subject": "",
"Reminder is set": "",
"sensitivity": "",
"Is all day": "",
"Start": "",
"Categories": [],
"Body": "",
"Optional attendees": []
}

operation: Get Contacts

Input parameters

None.

Output

The JSON output contains the retrieved contact list from the mailbox on the Exchange server.

The output contains the following populated JSON schema:
{
"N": "",
"ADR": "",
"TEL": "",
"REV": "",
"VERSION": "",
"PRODID": "",
"ORG": "",
"CLASS": "",
"EMAIL": "",
"FN": "",
"LABEL": "",
"MAILER": ""
}

operation: Delete Email

Input parameters

Parameter Description
Message ID ID of the email that you want to delete from an Exchange account.
Delete Type Type of Delete that you want to use to delete the email. You can choose from the following options: Soft Delete, Hard Delete, or Move To Trash.
Folder Name (Optional) Folder in the Exchange account from which you want to delete the email.
By default, this is set as Inbox.
Target Email Address (Optional) Email address from which you want to delete the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.

Output

The JSON output contains the status of the delete operation. The JSON output returns a Success message if the email is successfully deleted from the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Mark Email as Read

Input parameters

Parameter Description
Message ID ID of the email that you want to mark as read.
Folder Name (Optional) Name of the folder name that contains the email message that you want to mark as read.

Output

The JSON output contains the status of the "mark email as read" operation. The JSON output returns a Success message if the specified email is successfully marked as read on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Move Email

Input parameters

Parameter Description
Source Email Address (Optional) Email address from which you want to move the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Source Source folder on the Exchange server from where you want to move the email. To specify the source, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Source Folder Name parameter, specify the name of the source folder on the Exchange server from where you want to move the email.
If you choose Folder Path, then in the Source Folder Path parameter, specify the path of the source folder on the Exchange server from where you want to move the email.
Message ID ID of the email that you want to move.
Destination Email Address (Optional) Email address to which you want to move the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Destination Folder Destination folder on the Exchange server to which you want to move the email. To specify the destination, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Destination Folder Name parameter, specify the name of the destination folder on the Exchange server to which you want to move the email.
If you choose Folder Path, then in the Destination Folder Path parameter, specify the path of the destination folder on the Exchange server to which you want to move the email.

Output

The JSON output contains the status of the move operation. The JSON output returns a Success message if the email is successfully moved as per your specifications on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Copy Email

Input parameters

Parameter Description
Source Email Address (Optional) Email address from which you want to copy the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Source Source folder on the Exchange server from where you want to copy the email. To specify the source, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Source Folder Name parameter, specify the name of the source folder on the Exchange server from where you want to copy the email.
If you choose Folder Path, then in the Source Folder Path parameter, specify the path of the source folder on the Exchange server from where you want to copy the email.
Message ID ID of the email that you want to copy.
Destination Email Address (Optional) Email address to which you want to copy the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Destination Destination folder on the Exchange server to which you want to copy the email. To specify the destination, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Destination Folder Name parameter, specify the name of the destination folder on the Exchange server to which you want to copy the email.
If you choose Folder Path, then in the Destination Folder Path parameter, specify the path of the destination folder on the Exchange server to which you want to copy the email.

Output

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Search Email

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.

Parameter Description
Target Email Address (Optional) Email address in which you want to search for emails.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Folder Name Folder in the Exchange account based on which you want to search for emails.
Note: If you enter All in this field, then this operation will search for emails across all folders associated with your Exchange account.
Subject Subject of the email message based on which you want to search emails on your Exchange account.
Body Content within the body of the email based on which you want to search emails on the Exchange account.
Sender Email address of the sender based on which you want to search emails on the Exchange account.
Limit Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Email Range Maximum number of emails that you want to display in the output based on your search criteria.
If you do not specify the range, then all the emails based on your search criteria are displayed.
Pull Oldest First Select this option, i.e., set it to True to pull the oldest email first from the Exchange account, i.e., if this operation is checked, then the emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the emails including inline images, from the Exchange server. By default, this is set to False (option is unchecked).
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the searched emails, if the type of the attachment is eml or msg.
Exclude Absolute Path in Output Select this checkbox if you want to exclude the absolute path from this operation's output. This helps improving the performance of connector operations especially in case of large mailboxes. By default, this checkbox is unchecked.
Query Search parameters based on which you want to search emails on the Exchange server in the form of a query.
Accepts input in the dictionary format.
For example, {'subject__icontains' : '365', 'datetime_received__gt' : '2018-01-20T18:30:00.000Z'}
You can also provide options such as:
subject__exact='foo' // Returns items where subject is 'foo'. Same as filter(subject='foo'),
subject__iexact='foo' // Returns items where subject is 'foo', 'FOO' or 'Foo',
subject_contains='foo' //Returns items where subject contains 'foo',
subject_icontains, subject_startswith, and subject_istartswith.

Output

The JSON output contains the details of all emails that match the search criteria that you have specified.

The output contains the following populated JSON schema:
{
"search_fields": "",
"emails": [
{
"preamble": "",
"headers": {
"X-Exchange-Antispam-Report-Test": "",
"X-EOPTenantAttributedMessage": "",
"Message-ID": "",
"Sender": "",
"Reply-To": "",
"X-MS-Exchange-Transport-CrossTenantHeadersStamped": "",
"SpamDiagnosticOutput": "",
"DKIM-Signature": [],
"X-Microsoft-Antispam-Message-Info": [],
"X-MS-Exchange-Processed-By-BccFoldering": "",
"X-MS-Exchange-CrossTenant-Network-Message-Id": "",
"X-MS-Exchange-Organization-AuthAs": "",
"X-MS-Office365-Filtering-Correlation-Id": "",
"X-Received": "",
"X-MS-Exchange-Organization-AuthSource": "",
"X-Microsoft-Exchange-Diagnostics": [],
"X-Forefront-Antispam-Report": "",
"Received-SPF": "",
"X-Microsoft-Antispam": "",
"X-Google-DKIM-Signature": "",
"Subject": "",
"X-MS-Exchange-CrossTenant-FromEntityHeader": "",
"X-MS-TrafficTypeDiagnostic": "",
"Received": [],
"X-MS-Exchange-Organization-SCL": "",
"X-MS-Exchange-Organization-Network-Message-Id": "",
"X-MS-PublicTrafficType": "",
"X-EOPAttributedMessage": "",
"X-Google-Smtp-Source": "",
"X-MS-Exchange-Transport-EndToEndLatency": "",
"X-Exchange-Antispam-Report-CFA-Test": "",
"X-MS-Exchange-CrossTenant-Id": "",
"To": "",
"From": "",
"X-MS-Exchange-Organization-MessageDirectionality": "",
"SpamDiagnosticMetadata": "",
"Content-Type": "",
"Auto-Submitted": "",
"X-Gm-Message-State": "",
"X-MS-Exchange-CrossTenant-OriginalArrivalTime": "",
"Return-Path": "",
"MIME-Version": "",
"Authentication-Results": ""
},
"epilogue": "",
"file": "",
"item_id": "",
"attachments": [
{
"text": "",
"file": "",
"json": "",
"metadata": {
"filename": "",
"md5": "",
"sha256": "",
"content_type": "",
"sha1": "",
"content_length": ""
}
}
],
"parsed_attachment_data": [],
"folder_path": "",
"body": {
"text": "",
"html": "",
"json": ""
},
"attachment_files": []
}
]
}

operation: Send Email

Important: For this operation to work, you must have the FortiSOAR™ Built-in connector: "Utilities" (minimum version required is 2.0.1) installed on your system. For more information on FortiSOAR™ Built-in connectors, see FortiSOAR™ product documentation.

Input parameters

Parameter Description
Subject (Optional) Subject of the email message that you want to send from the Exchange account.
TO Recipients Email IDs of the members to whom you want to send the email message from the Exchange account. You must add the email IDs in the CSV or list format.
For example, abc@xyz.com, def@lmn.com
Important: You must specify email ID(s) in at least one of the following fields: TO Recipients, CC Recipients, or BCC Recipients.
CC Recipients Email IDs of the members to be added to the CC list of the email message that you want to send from the Exchange account. You must add the email IDs in the CSV or list format.
BCC Recipients Email IDs of the members to be added to the BCC list of the email message that you want to send from the Exchange account. You must add the email IDs in the CSV or list format.
Body (Optional) Message or content of the email that you want to send from the Exchange account.
Attachment IRIs (Optional) List of IRI ID(s) of the file (s) that you want to attach to the email that you want to send from the Exchange server. IRI IDs are used to access files from the Attachments module. You must add the Attachment IRIs in the CSV or list format.
Inline Attachment IRIs (Optional) List of IRI ID(s) of the file (s) that you want to add inline to the email that you want to send from the Exchange server. You can add the image content inline in the email body using its UUIDs. For example, <img src="cid%3Adfe26867-01a1-4969-8168-8c8882586538">

Output

The JSON output contains the status of the send email operation. The JSON output returns a Success message if the email is successfully sent from the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Get Folder Metadata

Input parameters

Parameter Description
Source Select the source folder whose total email count, including unread emails and subfolders details you want to retrieve from your Exchange account. You can choose from Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.

Output

The output contains the following populated JSON schema:
{
"total_email_count": "",
"folder": "",
"child_folder_count": "",
"child_folder_metadata": [],
"unread_email_count": ""
}

operation: Get Unread Emails (Deprecated)

Input parameters

Note: This operation is deprecated and replaced with the "Get Unread Emails" operation. However, this operation has been retained since the new "Get Unread Emails" has an updated output schema. Therefore, if you had used this operation earlier in an existing playbook, then the playbook would fail if this operation is completely removed.

Parameter Description
Source Select the source folder from which you want to retrieve unread emails from your Exchange account. You can choose from All, Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select All, then this operation will search for emails across all folders associated with your Exchange account.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.
Mark as Read Select this option, i.e., set it to True (default) to retrieve the unread emails from the Exchange account and also marks these emails as Read.
By default, this is set to True.
Pull Oldest First Select this option, i.e., set it to True to retrieve the oldest unread email first from the Exchange account, i.e., if this operation is checked, then the unread emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Limit (Optional) Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the unread emails including inline images, from the Exchange account. By default, this is set to False (option is unchecked).
Save Email Select this option, i.e., set it to True (default) to save the email as a file in the Attachments module.
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the unread emails, if the type of the attachment is eml or msg.

Output

The JSON contains details of all the unread emails retrieved from the Exchange server.

Output

The output contains the following populated JSON schema:
{
"epilogue": "",
"attachment_files": [],
"body": {
"html": "",
"text": "",
"json": ""
},
"preamble": "",
"headers": {
"X-Received": "",
"MIME-Version": "",
"Message-ID": "",
"X-Exchange-Antispam-Report-Test": "",
"X-Exchange-Antispam-Report-CFA-Test": "",
"X-MS-Office365-Filtering-Correlation-Id": "",
"X-MS-Exchange-CrossTenant-Network-Message-Id": "",
"X-Microsoft-Exchange-Diagnostics": [],
"X-MS-Exchange-CrossTenant-Id": "",
"X-MS-Exchange-CrossTenant-FromEntityHeader": "",
"SpamDiagnosticMetadata": "",
"X-Gm-Message-State": "",
"SpamDiagnosticOutput": "",
"To": "",
"X-Microsoft-Antispam": "",
"Subject": "",
"From": "",
"Received": [],
"X-MS-Exchange-CrossTenant-OriginalArrivalTime": "",
"X-Microsoft-Antispam-Message-Info": [],
"Authentication-Results": "",
"X-MS-PublicTrafficType": "",
"Received-SPF": "",
"X-MS-TrafficTypeDiagnostic": "",
"X-MS-Exchange-Transport-CrossTenantHeadersStamped": "",
"Sender": "",
"X-MS-Exchange-Organization-AuthSource": "",
"X-MS-Exchange-Organization-MessageDirectionality": "",
"X-MS-Exchange-Organization-SCL": "",
"Auto-Submitted": "",
"X-Forefront-Antispam-Report": "",
"X-EOPTenantAttributedMessage": "",
"DKIM-Signature": [],
"X-Google-Smtp-Source": "",
"Reply-To": "",
"X-MS-Exchange-Processed-By-BccFoldering": "",
"X-Google-DKIM-Signature": "",
"X-MS-Exchange-Organization-AuthAs": "",
"Content-Type": "",
"X-MS-Exchange-Organization-Network-Message-Id": "",
"Return-Path": "",
"X-EOPAttributedMessage": "",
"X-MS-Exchange-Transport-EndToEndLatency": ""
},
"item_id": "",
"attachments": [
{
"file": "",
"metadata": {
"sha256": "",
"content_length": "",
"content_type": "",
"sha1": "",
"filename": "",
"md5": ""
},
"json": "",
"text": ""
}
],
"email_as_attachment": "",
"folder_path": "",
"parsed_attachment_data": []
}

operation: Add Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email to which you want to add categories. You can choose from the following options: All, Inbox, Sent, Drafts, Trash, or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email to which you want to assign the specified categories.
Categories CSV list of categories that you want to assign to the specified email.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"categories": []
}

operation: Get Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email whose categories you want to retrieve. You can choose from the following options: All, Inbox, Sent, Drafts, Trash or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email whose categories you want to retrieve.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"categories": []
}

operation: Remove Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email whose categories you want to remove. You can choose from the following options: All, Inbox, Sent, Drafts, Trash or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email from which you want to remove the specified categories.
Categories CSV list of categories that you want to remove from the specified email.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"removed": [],
"not_found": []
}

Included playbooks

The Sample - Exchange - 4.0.0 playbook collection comes bundled with the Exchange connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Exchange connector.

  • Calendar : Create Calendar Event
  • Calendar : Get Calendar Events
  • Categorize : Add Category
  • Categorize : Get Category
  • Categorize : Remove Category
  • Contacts : Get Contacts
  • Email : Copy Email
  • Email : Delete Email
  • Email : Mark Email as Read
  • Email : Move Email
  • Email : Search Email
  • Email : Send Email
  • > Exchange > Extract and Link File Indicator
  • > Exchange > Fetch
  • Exchange > Ingest
  • > Exchange > Process Email
  • Folder : Get Folder Metadata
  • Get Unread Emails

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling email content from Exchange. Currently, email content ingested from Exchange is mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Exchange email content to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Exchange into FortiSOAR™. It also lets you pull some sample data from Exchange using which you can define the mapping of data between Exchange and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to email content from Exchange.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Exchange connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between the Exchange email data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch email data from Exchange.
    From the Source drop-down list. choose the folder from which the unread emails need to be retrieved from the Exchange server. By default, this is set as "Inbox". You can select the Parse Inline Images checkbox if you want to include the inline images while retrieving the body of the unread emails from the Exchange server. Select the Use Unified Communications checkbox to allow communication with external entities, for example, other SOC teams using emails, instant messaging, etc. from within an alert generated in FortiSOAR™. For "Unified Communications" to work, you must install and configure the SOAR Framework Solution Pack on your FortiSOAR™ instance. For more information on the SOAR Framework Solution Pack see the SOAR Framework Solution Pack documentation.
    The fetched data is used to create a mapping between the emails retrieved from Exchange and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of an email ingested from Exchange to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the from parameter of an email ingested from Exchange to the Email From parameter of a FortiSOAR™ alert, click the Email From field and then click the from field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Exchange, so that the content gets pulled from the Exchange integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull unread emails from Exchange every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, unread emails will be pulled from Exchange every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
    Important: After you have completed configuring the data ingestion for Exchange on an agent or are using the listener-based ingestion on an agent, then users must update the "> Exchange > Extract and Link File Indicator" playbook that is part of the Exchange ingestion playbooks collection (Connectors page > Data Ingestion > Exchange > Select Agent Configuration > Playbooks). You must update the configuration of the 'Utility' connector from "Self" to "Agent" in the "Upload File IOCs" step of the "> Exchange > Extract and Link File Indicator" playbook.

Troubleshooting

Issue when trying to save the connector configuration on an agent node

When you install the connector on an agent node, you might get a "connectors.exchange connector check_health(): Unsupported tzinfo type: _PytzShimTimezone(datetime.timezone.utc, 'UTC')" error with the 'Health Check' displaying as 'Disconnected' when you try to save the connector configuration on the agent node.

Resolution:
This issue can occur if the connector framework does not refer to the latest exchangelib dependency package and instead refers to the old exchangelib==1.10.7 package. In order to update the reference, users require to restart the 'cyops-integrations-agent' service as described in the following steps:

  1. ssh to your agent machine.
  2. To restart the 'cyops-integrations-agent' service, use the systemctl restart cyops-integrations-agent command.

Error while installing dependency when you are upgrading the Exchange connector to 4.0.0

When you try to upgrade your exchange connector from an earlier version to version 4.0.0, then you might get a dependency installation failure error: "cannot import name 'Identity'".

Resolution:
This issue can occur if the connector framework does not refer to the latest exchangelib dependency package and instead refers to the old exchangelib==1.10.7 package. In order to update the reference, users require to restart the 'uwsgi' service as described in the following steps:

  1. ssh to your FortiSOAR™ machine.
  2. To restart the 'uwsgi' service, use the systemctl restart uwsgi command.
Previous
Next

About the connector

The Exchange connector provides a robust, platform-independent, and simple interface for communicating with Microsoft Exchange 2007-2016 Server or Office 365 using Exchange Web Services (EWS).

This document provides information about the Exchange connector, which facilitates automated interactions, with an Exchange server using FortiSOAR™ playbooks. Add the Exchange connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving unread emails, moving or deleting emails from the Exchange server, sending an email from the Exchange server, or running a query on the Exchange server based on the parameter (s) that you have specified.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling email content from Exchange. Currently, the email content ingested from Exchange is mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 4.0.0

FortiSOAR™ Version Tested on: 7.2.0-914

Exchange Version Tested on: Microsoft Exchange 2007-2016 Server or Office 365

Authored By: Fortinet

Certified: Yes

Release Notes for version 4.0.0

The following enhancements and bugs have been made to the Exchange Connector in version 4.0.0:

Important: Exchange 4.x.x will NOT work with version FortiSOAR 4.12.x and earlier. This is because exchangelib==3.1.0 requires Python '>=3.5' but version 4.12.x has an earlier Python version.

Registering a new application using the Microsoft Azure Portal

  1. Sign in to the Azure Portal.
  2. From the left-hand navigation menu, select the Azure Active Directory service.
  3. Select App registrations > +New registration.
  4. On the Register an application page, enter the following details and then click the Register button:
    • Name: Specify the name for the application.
    • From the Supported account types options, select the Account in any organizational directory (any Azure Active Directory – multitenant option.
    • Redirect URI: Specify the redirect URL for the application. The authentication response to this URI will be returned after the user is successfully authenticated. For example localhost.
  5. After you have successfully created the application, you need to assign permissions to the application. There are two ways to assign permissions:
    1. Using Manual Steps:
      1. From the left-hand navigation menu, select API permission, and then click + Add Permission.
      2. On the Request API permissions page, select API my organization uses. Type "Office" in the search bar, and select Office 365 Exchange Online.

        Once you select Office 365 Exchange Online, two types of permissions are displayed, Delegated permissions and Application permissions.
        Delegated permissions: are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app can act as the signed-in user when making API calls.
        Application permissions: are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons, and can access multiple mailboxes. Select Delegated permissions or Application permissions based on your requirement.
        1. To set Application Permissions for the app, do the following:
          1. Select full_access_as_app permission from the Other permissions option, as shown in the following image:
          2. Permissions must be granted by the administrator or user after permissions are successfully assigned as shown in the following image:

            After permissions are successfully granted, you can view the permission status, as shown in the following image:
        2. To set Delegated Permissions for the app, do the following:
          1. Select EWS.AccessAsUser.All permission from the EWS permissions option, as shown in the following image:
          2. Permissions must be granted by the administrator or user after permissions are successfully assigned as shown in the following image:

            After permissions are successfully granted, you can view the permission status, as shown in the following image:
    2. Using or Managing Manifest File: See https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth#register-your-application.

Getting the Authorization Code

  1. Gather information for the following parameters:
  2. Get the authorization code by using your web browser to browse to the following URL. Replace the fields in the following URL example with your values.
    https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?response_type=code&scope=offline_access
    https://outlook.office365.com/EWS.AccessAsUser.All&client_id=<client-id>&response_mode=query&grant_type=authorization_code

    Replace:
    <tenant-id> with the registered application’s tenant ID.
    <client-id> with the registered application’s client ID
    Note: The above URL must be sent as a single line; line breaks have been added to the following URL for readability. For more information, see Request an authorization code.
  3. Paste the URL as a single line into your web browser and, if prompted, sign in to Azure.
  4. The URL returns the authorization code in the code field. Save the authorization code in a secure location.
    The full returned URL looks as shown in the following image, with the full code field value, 0.ASkAIj...RxgFhSAA, shortened for brevity:
  5. Copy the authorization code from to the equal to (=) sign and without the "code=" prefix, till the “&session_state” and paste it into your instance configuration in the 'Authorization Code' parameter.
    For example, http://localhost/?code=0.ASkAIj...RxgFhSAA&session_state=c44574d5-38ba-4f93-b2a3-a830db8e8cdf
    In the 'Authorization Code' parameter, enter only the bold text, i.e., 0.ASkAIj...RxgFhSAA

Getting the Client's Secret

After you have successfully assigned permissions to the application, create the client's secret:

  1. Sign in to the Azure Portal.
  2. From the left-navigation menu, select Certificates & secrets > + New client secret.
  3. On the Add a client secret page, add the description of the app and the duration of the expiration of the secret and then click Add.
    The Certificates & secrets will display the value of the secret for the application:

    Important: The value of the client's secret is visible only initially, so do not forget to store the value of the secret.

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-exchange

Upgrade Notes

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Exchange connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter Description
Exchange

There are two types of MS Exchange solutions: hosted and cloud. Choose Office365 if you have the cloud services of Exchange or choose On-Premises if you have the hosted services of Exchange.
Note: Notification services will work on both cloud and on-premise solutions.
If you choose On-Premises, then you must specify the following parameters:

  • Protocol: The protocol that will be used to communicate with the Exchange server/Office 365 server. Choose either http or https.
    By default, this is set to https.
  • Host: Hostname of the Exchange server to which you will connect and perform the automated operations.
  • Username: Username to access the Exchange server/Office 365 server.
    For Exchange, add the username in the format: Domain\Username.
  • Password: Password to access the Exchange server.
  • Email Address: Email address of your Exchange server.
  • Access Type: (Optional) Access type for the user. You can choose between Delegate or Impersonation.
    By default, this is set as Delegate.
    If you select Impersonation, then ensure that in the Email Address field, you specify the email address that has been granted Impersonation rights. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.

If you choose Office365, then you must specify the following parameters:

  • Protocol: The protocol that will be used to communicate with the Exchange server/Office 365 server. Choose either http or https.
    By default, this is set to https.
  • Host: Hostname of the Exchange server to which you will connect and perform the automated operations.
    Note: For Office365 and outlook.live.com, add the host as outlook.office365.com.
  • Authentication Method: The method used for authentication. You can choose between OAUTH (recommended) or NTLM/Basic Authentication (Deprecated).
    • If you choose OAUTH, then you must specify the following parameters:
      • Access Type: Select the access type for the user. You can choose between "On behalf of User - Delegated Permission" or "Without a User - Application Permission". By default, this is set as "Without a User - Application Permission".
        The 'Without a User - Application Permission' flow refers to a process in which there is no user sign-in; instead, the administrator provides consent on behalf of all user's inboxes in a given tenant. Azure applications require 'full_app' permissions for granting your admin's consent.
        The 'On behalf of User - Delegated Permission' flow refers to a process in which users access the mailbox using the signed-in users' consent.
        For more information on permissions and registering an app with Azure, see the Registering a new application using the Microsoft Azure Portal section.
        • If you choose 'Without a User - Application Permission', then you must specify the following parameters:
          • Tenant ID: ID of the tenant that you have been provided for your application in the Azure instance.The tenant ID can be 'common', 'organizations', 'consumers', or tenant identifiers.
          • Client ID: Unique ID of the Azure application that is used to create an authentication token required to access the API. The client ID comes from registering the application with the Microsoft Azure portal. It is in the UUID format.
          • Client Secret: Unique Client Secret of the Azure application that is used to create an authentication token required to access the API. Sometimes called an application password, the client secret is set from the 'Certificates & Secrets' section of the Microsoft Azure portal.
          • Email Address: Email address of your Exchange server.
        • If you choose 'On behalf of User - Delegated Permission', then you must specify the following parameters:
          • Tenant ID: ID of the tenant that you have been provided for your application in the Azure instance.The tenant ID can be 'common', 'organizations', 'consumers', or tenant identifiers.
          • Client ID: Unique ID of the Azure application that is used to create an authentication token required to access the API. The client ID comes from registering the application with the Microsoft Azure portal. It is in the UUID format.
          • Client Secret: Unique Client Secret of the Azure application that is used to create an authentication token required to access the API. Sometimes called an application password, the client secret is set from the 'Certificates & Secrets' section of the Microsoft Azure portal.
          • Email Address: Email address of your Exchange server.
          • Authorization Code: The authorization code that you acquired during the authorization step. For more information on how to get the Authentication code, see the Getting the Authorization Code section.
    • If you choose NTLM/Basic Authentication (DEPRECATED), then you must specify the following parameters:
      • Username: Username to access the Exchange server/Office 365 server.
        For Exchange, add the username in the format: Domain\Username.
      • Password: Password to access the Exchange server.
      • Email Address: Email address of your Exchange server.
      • Access Type: (Optional) Access type for the user. You can choose between Delegate or Impersonation.
        By default, this is set as Delegate.
        If you select Impersonation, then ensure that in the Email Address field, you specify the email address that has been granted Impersonation rights. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Use Autodiscover An alias account will work for the given account details.
Defaults to False.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
Defaults to True.
Enable Email Notification Service Select this option, i.e., set it to True (default) to set up a listener that would instantly notify FortiSOAR™ whenever a new email arrives in the mailbox.
Once you select this option, the following parameters get populated:
  • Folder Path to Monitor: Path of the mailbox that you want the listener to monitor. By default, this is set to the user's 'Inbox'; however, it can be changed to any folder by entering the path of that folder in this field. For example, to monitor a 'Phishing' mailbox that is present within 'Inbox', you can enter Inbox/Phishing in this field.
    From version 4.0.0 onwards, you can configure multiple folders that you want the listener to monitor in the same mailbox, by providing appropriate values i.e., the path(s) of the folder within the same mailbox that you want the listener to monitor in the "Folder Path to Monitor" field. For example, to monitor the Inbox mailbox and the Phishing and Analysis mailboxes within the Inbox mailbox specify Inbox, Inbox/Phishing, Inbox/Analysis in the "Folder Path to Monitor" field.
    Important: The name that you provide for the mailbox that you want to monitor must be unique. The listener will work only when the folder name is unique.
    Note: If you have configured the listener for a custom folder and not the 'Inbox', then you must update the source and source_folder variables in the Set Variable step of the "> Exchange > Fetch" playbook from 'Inbox' to the custom folder. You require to enter the "Custom Folder" string in the source field and the name of the folder in the source_folder field. For example, if you want to monitor the "Inbox/Phishing" mailbox, then you need to enter Inbox/Phishing in the source_folder field. This is required for retrieving unread emails from the custom folder.
    An example screenshot follows:
  • Listener Port: Port on which you want to start the listener.
    Note: This port is used for communication between FortiSOAR™ and the Exchange notification service process. 10011 is the default port number. You can specify any unused port number if the default port is unavailable. You can also use a similar port number for multiple Exchange connector configurations as the Exchange notification service process is capable of communicating with multiple Exchange servers.
  • Playbook Trigger: The API endpoint used to trigger the playbook
    Note: The playbook authentication method should be set as HMAC.

Important: For more information on performing data ingestion for Exchange on an agent or using the listener-based ingestion on an agent, see the Data Ingestion Support section.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Unread Emails Gets all unread emails from your Exchange account. You can also mark the retrieved Unread emails as Read. get_email_new
Investigation
Create Calendar Event Creates an event in a calendar on the Exchange Server, based on input parameters, such as subject, from date, and to date, you have specified. create_event
Investigation
Get Calendar Events Gets events from the calendar on the Exchange server, based on the filter criteria, such as subject, from time, and to time, you have specified. get_events
Investigation
Get Contacts Retrieves the list of contacts from the mailbox associated with your Exchange account. get_contacts
Investigation
Delete Email Deletes an email from a specified folder in your Exchange account, based on the input parameters, such as message ID and delete type, you have specified. delete_email
Investigation
Mark Email as Read Marks an unread email as read in your Exchange account, based on the message ID you have specified. mark_as_read
Investigation
Move Email Moves an email from a specified folder to a specified folder, based on the message ID and the source and destination folder you have specified. move_email
Miscellaneous
Copy Email Copy an email from a specified folder to a specified folder, based on the message ID and the source and destination folder you have specified. copy_email
Miscellaneous
Search Email Runs a query in your Exchange account and searches emails, based on input parameters, such as folder name, email address, body, and subject, that you have specified. search_query
Investigation
Send Email Sends an email from your Exchange account. send_email
Investigation
Get Folder Metadata Retrieves the count of all the emails, including unread emails and subfolder details, from your Exchange account for the folder you have specified. get_folder_metadata
Investigation
Get Unread Emails (Deprecated) Gets all unread emails from your Exchange account. You can also mark the retrieved Unread emails as Read.
Important: This operation has been retained since the new Get Unread Emails has an updated output schema. If you have used this operation earlier in an existing playbook, then the playbook would fail if this operation is removed.
get_email
Investigation
Add Category Assigns categories to an email in your Exchange account based on the message ID and categories that you have specified. add_category
Containment
Get Category Retrieves categories associated with the specified email in your Exchange account based on the message ID that you have specified. get_category
Investigation
Remove Category Removes categories from an email in your Exchange account based on the message ID and categories that you have specified. remove_category
Investigation

operation: Get Unread Emails

Input parameters

Parameter Description
Source Select the source folder from which you want to retrieve unread emails from your Exchange account. You can choose from All, Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select All, then this operation will search for emails across all folders associated with your Exchange account.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.
Mark as Read Select this option, i.e., set it to True (default), to retrieve the unread emails from the Exchange account and also marks these emails as Read.
By default, this is set to True.
Pull Oldest First Select this option, i.e., set it to True to retrieve the oldest unread email first from the Exchange account, i.e., if this operation is checked, then the unread emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Limit (Optional) Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the unread emails including inline images, from the Exchange account. By default, this is set to False (option is unchecked).
Save Email Select this option, i.e., set it to True (default) to save the email as a file in the Attachments module.
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the unread emails, if the type of the attachment is eml or msg.
Exclude Absolute Path in Output Select this checkbox if you want to exclude the absolute path from this operation's output. This helps improving the performance of connector operations especially in case of large mailboxes. By default, this checkbox is unchecked.

Output

The JSON contains details of all the unread emails retrieved from the Exchange server.

The output contains the following populated JSON schema:
{
"epilogue": "",
"attachment_files": [],
"body": {
"html": "",
"text": "",
"json": ""
},
"preamble": "",
"headers": {
"x-received": "",
"mime-version": "",
"message-id": "",
"x-exchange-antispam-report-test": "",
"x-exchange-antispam-report-cfa-test": "",
"x-ms-office365-filtering-correlation-id": "",
"x-ms-exchange-crosstenant-network-message-id": "",
"x-microsoft-exchange-diagnostics": [],
"x-ms-exchange-crosstenant-id": "",
"x-ms-exchange-crosstenant-fromentityheader": "",
"spamdiagnosticmetadata": "",
"x-gm-message-state": "",
"spamdiagnosticoutput": "",
"to": "",
"x-microsoft-antispam": "",
"subject": "",
"from": "",
"received": [],
"x-ms-exchange-crosstenant-originalarrivaltime": "",
"x-microsoft-antispam-message-info": [],
"authentication-results": "",
"x-ms-publictraffictype": "",
"received-spf": "",
"x-ms-traffictypediagnostic": "",
"x-ms-exchange-transport-crosstenantheadersstamped": "",
"sender": "",
"x-ms-exchange-organization-authsource": "",
"x-ms-exchange-organization-messagedirectionality": "",
"x-ms-exchange-organization-scl": "",
"auto-submitted": "",
"x-forefront-antispam-report": "",
"x-eoptenantattributedmessage": "",
"dkim-signature": [],
"x-google-smtp-source": "",
"reply-to": "",
"x-ms-exchange-processed-by-bccfoldering": "",
"x-google-dkim-signature": "",
"x-ms-exchange-organization-authas": "",
"content-type": "",
"x-ms-exchange-organization-network-message-id": "",
"return-path": "",
"x-eopattributedmessage": "",
"x-ms-exchange-transport-endtoendlatency": ""
},
"item_id": "",
"attachments": [
{
"file": "",
"metadata": {
"sha256": "",
"content_length": "",
"content_type": "",
"sha1": "",
"filename": "",
"md5": ""
},
"json": "",
"text": ""
}
],
"email_as_attachment": "",
"folder_path": "",
"parsed_attachment_data": []
}

operation: Create Calendar Event

Input parameters

Parameter Description
Subject Subject line of the event that you want to create on the Exchange server.
Start Date Start date and time of the event that you want to create on the Exchange server.
End Date End date and time of the event that you want to create on the Exchange server.
Required Attendees Email IDs of the members who are required to attend the event. You must add the email IDs in the CSV or list format.
For example, @xyz.com, def@lmn.com
Optional Attendees (Optional) Email IDs of the optional members who can attend the event. You must add the email IDs in the CSV or list format.
Body (Optional) Details of the event that you want to create on the Exchange server.
Location (Optional) Location of the event that you want to create on the Exchange server.
Categories (Optional) Category of the event that you want to create on the Exchange server. You must add the categories in the CSV or list format.
For example, Blue category, Green Category, etc.
Show As (Optional) Status of the attendees when they are attending this event. You can choose one of the following options: Free, Working elsewhere, Tentative, Busy, or OOF.
Reminder (Optional) Time before the event starts when you want to set a reminder for the attendees. You can choose one of the following options: 0 minutes, 5 minutes, 10 minutes, 15 minutes, 30 minutes, 1 hour, 2 hour, 3 hour, 4 hour, 8 hour, 12 hour, 1 day, 2 day, 3 day, 1 week, or 2 week.
Is All Day If you select this option, i.e., set it to True, then this sets the event as a full-day event.
By default, this is set to False.
Is Private If you select this option, i.e., set it to True, then this sets the event as a private event, and it can be viewed only by its attendees.
By default, this is set to True.

Output

The JSON output contains the status of the create calendar event operation. The JSON output returns a Success message if the calendar event is successfully added on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Get Calendar Events

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Subject Subject text based on which you want to filter events on the Exchange server.
From Time Start date and time from when you want to retrieve events from the Exchange server.
To Time End date and time till when you want to retrieve events from the Exchange server.

Output

The JSON output contains the retrieved events from the calendar on the Exchange server, based on the input parameters you have specified.

The output contains the following populated JSON schema:
{
"Organizer": "",
"Importance": "",
"Required attendees": [],
"End": "",
"Attachments": [
{
"size": "",
"Name": "",
"content_type": ""
}
],
"Legacy status": "",
"Location": "",
"Reminder minutes before start": "",
"Subject": "",
"Reminder is set": "",
"sensitivity": "",
"Is all day": "",
"Start": "",
"Categories": [],
"Body": "",
"Optional attendees": []
}

operation: Get Contacts

Input parameters

None.

Output

The JSON output contains the retrieved contact list from the mailbox on the Exchange server.

The output contains the following populated JSON schema:
{
"N": "",
"ADR": "",
"TEL": "",
"REV": "",
"VERSION": "",
"PRODID": "",
"ORG": "",
"CLASS": "",
"EMAIL": "",
"FN": "",
"LABEL": "",
"MAILER": ""
}

operation: Delete Email

Input parameters

Parameter Description
Message ID ID of the email that you want to delete from an Exchange account.
Delete Type Type of Delete that you want to use to delete the email. You can choose from the following options: Soft Delete, Hard Delete, or Move To Trash.
Folder Name (Optional) Folder in the Exchange account from which you want to delete the email.
By default, this is set as Inbox.
Target Email Address (Optional) Email address from which you want to delete the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.

Output

The JSON output contains the status of the delete operation. The JSON output returns a Success message if the email is successfully deleted from the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Mark Email as Read

Input parameters

Parameter Description
Message ID ID of the email that you want to mark as read.
Folder Name (Optional) Name of the folder name that contains the email message that you want to mark as read.

Output

The JSON output contains the status of the "mark email as read" operation. The JSON output returns a Success message if the specified email is successfully marked as read on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Move Email

Input parameters

Parameter Description
Source Email Address (Optional) Email address from which you want to move the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Source Source folder on the Exchange server from where you want to move the email. To specify the source, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Source Folder Name parameter, specify the name of the source folder on the Exchange server from where you want to move the email.
If you choose Folder Path, then in the Source Folder Path parameter, specify the path of the source folder on the Exchange server from where you want to move the email.
Message ID ID of the email that you want to move.
Destination Email Address (Optional) Email address to which you want to move the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Destination Folder Destination folder on the Exchange server to which you want to move the email. To specify the destination, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Destination Folder Name parameter, specify the name of the destination folder on the Exchange server to which you want to move the email.
If you choose Folder Path, then in the Destination Folder Path parameter, specify the path of the destination folder on the Exchange server to which you want to move the email.

Output

The JSON output contains the status of the move operation. The JSON output returns a Success message if the email is successfully moved as per your specifications on the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Copy Email

Input parameters

Parameter Description
Source Email Address (Optional) Email address from which you want to copy the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Source Source folder on the Exchange server from where you want to copy the email. To specify the source, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Source Folder Name parameter, specify the name of the source folder on the Exchange server from where you want to copy the email.
If you choose Folder Path, then in the Source Folder Path parameter, specify the path of the source folder on the Exchange server from where you want to copy the email.
Message ID ID of the email that you want to copy.
Destination Email Address (Optional) Email address to which you want to copy the specified email.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Destination Destination folder on the Exchange server to which you want to copy the email. To specify the destination, you can choose to specify either the Folder Name or Folder Path.
If you choose Folder Name, then in the Destination Folder Name parameter, specify the name of the destination folder on the Exchange server to which you want to copy the email.
If you choose Folder Path, then in the Destination Folder Path parameter, specify the path of the destination folder on the Exchange server to which you want to copy the email.

Output

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Search Email

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied, and an unfiltered list is returned.

Parameter Description
Target Email Address (Optional) Email address in which you want to search for emails.
Important: The Exchange account that you have specified in the configuration parameters and using which the connector has logged into Exchange must have Impersonation rights on this email address. For information on how to grant Impersonation rights in Office 365, see the How to Grant Application Impersonation Rights in Office 365? article.
Folder Name Folder in the Exchange account based on which you want to search for emails.
Note: If you enter All in this field, then this operation will search for emails across all folders associated with your Exchange account.
Subject Subject of the email message based on which you want to search emails on your Exchange account.
Body Content within the body of the email based on which you want to search emails on the Exchange account.
Sender Email address of the sender based on which you want to search emails on the Exchange account.
Limit Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Email Range Maximum number of emails that you want to display in the output based on your search criteria.
If you do not specify the range, then all the emails based on your search criteria are displayed.
Pull Oldest First Select this option, i.e., set it to True to pull the oldest email first from the Exchange account, i.e., if this operation is checked, then the emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the emails including inline images, from the Exchange server. By default, this is set to False (option is unchecked).
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the searched emails, if the type of the attachment is eml or msg.
Exclude Absolute Path in Output Select this checkbox if you want to exclude the absolute path from this operation's output. This helps improving the performance of connector operations especially in case of large mailboxes. By default, this checkbox is unchecked.
Query Search parameters based on which you want to search emails on the Exchange server in the form of a query.
Accepts input in the dictionary format.
For example, {'subject__icontains' : '365', 'datetime_received__gt' : '2018-01-20T18:30:00.000Z'}
You can also provide options such as:
subject__exact='foo' // Returns items where subject is 'foo'. Same as filter(subject='foo'),
subject__iexact='foo' // Returns items where subject is 'foo', 'FOO' or 'Foo',
subject_contains='foo' //Returns items where subject contains 'foo',
subject_icontains, subject_startswith, and subject_istartswith.

Output

The JSON output contains the details of all emails that match the search criteria that you have specified.

The output contains the following populated JSON schema:
{
"search_fields": "",
"emails": [
{
"preamble": "",
"headers": {
"X-Exchange-Antispam-Report-Test": "",
"X-EOPTenantAttributedMessage": "",
"Message-ID": "",
"Sender": "",
"Reply-To": "",
"X-MS-Exchange-Transport-CrossTenantHeadersStamped": "",
"SpamDiagnosticOutput": "",
"DKIM-Signature": [],
"X-Microsoft-Antispam-Message-Info": [],
"X-MS-Exchange-Processed-By-BccFoldering": "",
"X-MS-Exchange-CrossTenant-Network-Message-Id": "",
"X-MS-Exchange-Organization-AuthAs": "",
"X-MS-Office365-Filtering-Correlation-Id": "",
"X-Received": "",
"X-MS-Exchange-Organization-AuthSource": "",
"X-Microsoft-Exchange-Diagnostics": [],
"X-Forefront-Antispam-Report": "",
"Received-SPF": "",
"X-Microsoft-Antispam": "",
"X-Google-DKIM-Signature": "",
"Subject": "",
"X-MS-Exchange-CrossTenant-FromEntityHeader": "",
"X-MS-TrafficTypeDiagnostic": "",
"Received": [],
"X-MS-Exchange-Organization-SCL": "",
"X-MS-Exchange-Organization-Network-Message-Id": "",
"X-MS-PublicTrafficType": "",
"X-EOPAttributedMessage": "",
"X-Google-Smtp-Source": "",
"X-MS-Exchange-Transport-EndToEndLatency": "",
"X-Exchange-Antispam-Report-CFA-Test": "",
"X-MS-Exchange-CrossTenant-Id": "",
"To": "",
"From": "",
"X-MS-Exchange-Organization-MessageDirectionality": "",
"SpamDiagnosticMetadata": "",
"Content-Type": "",
"Auto-Submitted": "",
"X-Gm-Message-State": "",
"X-MS-Exchange-CrossTenant-OriginalArrivalTime": "",
"Return-Path": "",
"MIME-Version": "",
"Authentication-Results": ""
},
"epilogue": "",
"file": "",
"item_id": "",
"attachments": [
{
"text": "",
"file": "",
"json": "",
"metadata": {
"filename": "",
"md5": "",
"sha256": "",
"content_type": "",
"sha1": "",
"content_length": ""
}
}
],
"parsed_attachment_data": [],
"folder_path": "",
"body": {
"text": "",
"html": "",
"json": ""
},
"attachment_files": []
}
]
}

operation: Send Email

Important: For this operation to work, you must have the FortiSOAR™ Built-in connector: "Utilities" (minimum version required is 2.0.1) installed on your system. For more information on FortiSOAR™ Built-in connectors, see FortiSOAR™ product documentation.

Input parameters

Parameter Description
Subject (Optional) Subject of the email message that you want to send from the Exchange account.
TO Recipients Email IDs of the members to whom you want to send the email message from the Exchange account. You must add the email IDs in the CSV or list format.
For example, abc@xyz.com, def@lmn.com
Important: You must specify email ID(s) in at least one of the following fields: TO Recipients, CC Recipients, or BCC Recipients.
CC Recipients Email IDs of the members to be added to the CC list of the email message that you want to send from the Exchange account. You must add the email IDs in the CSV or list format.
BCC Recipients Email IDs of the members to be added to the BCC list of the email message that you want to send from the Exchange account. You must add the email IDs in the CSV or list format.
Body (Optional) Message or content of the email that you want to send from the Exchange account.
Attachment IRIs (Optional) List of IRI ID(s) of the file (s) that you want to attach to the email that you want to send from the Exchange server. IRI IDs are used to access files from the Attachments module. You must add the Attachment IRIs in the CSV or list format.
Inline Attachment IRIs (Optional) List of IRI ID(s) of the file (s) that you want to add inline to the email that you want to send from the Exchange server. You can add the image content inline in the email body using its UUIDs. For example, <img src="cid%3Adfe26867-01a1-4969-8168-8c8882586538">

Output

The JSON output contains the status of the send email operation. The JSON output returns a Success message if the email is successfully sent from the Exchange server or an Error message containing the reason for failure.

The output contains the following populated JSON schema:
{
"message": ""
}

operation: Get Folder Metadata

Input parameters

Parameter Description
Source Select the source folder whose total email count, including unread emails and subfolders details you want to retrieve from your Exchange account. You can choose from Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.

Output

The output contains the following populated JSON schema:
{
"total_email_count": "",
"folder": "",
"child_folder_count": "",
"child_folder_metadata": [],
"unread_email_count": ""
}

operation: Get Unread Emails (Deprecated)

Input parameters

Note: This operation is deprecated and replaced with the "Get Unread Emails" operation. However, this operation has been retained since the new "Get Unread Emails" has an updated output schema. Therefore, if you had used this operation earlier in an existing playbook, then the playbook would fail if this operation is completely removed.

Parameter Description
Source Select the source folder from which you want to retrieve unread emails from your Exchange account. You can choose from All, Inbox, Sent, Drafts, Trash, Custom Folder. By default, this is set as Inbox.
If you select All, then this operation will search for emails across all folders associated with your Exchange account.
If you select Custom Folder, then you must specify the folder in your Exchange account from which you want to retrieve unread emails.
Mark as Read Select this option, i.e., set it to True (default) to retrieve the unread emails from the Exchange account and also marks these emails as Read.
By default, this is set to True.
Pull Oldest First Select this option, i.e., set it to True to retrieve the oldest unread email first from the Exchange account, i.e., if this operation is checked, then the unread emails get sorted by DateTime from oldest to newest. By default, this is unchecked, i.e., it is set as False.
Limit (Optional) Maximum number of emails, based on your filter criterion, you want to include in the output of this operation. If you do not specify anything in this field then all emails based on your filter criterion will be included in the output of this operation.
Parse Inline Images Select this option, i.e., set it to True, to retrieve the body of the unread emails including inline images, from the Exchange account. By default, this is set to False (option is unchecked).
Save Email Select this option, i.e., set it to True (default) to save the email as a file in the Attachments module.
Extract Attachment Data Select this option, i.e., set it to True (default) to also extract the attachment data for the unread emails, if the type of the attachment is eml or msg.

Output

The JSON contains details of all the unread emails retrieved from the Exchange server.

Output

The output contains the following populated JSON schema:
{
"epilogue": "",
"attachment_files": [],
"body": {
"html": "",
"text": "",
"json": ""
},
"preamble": "",
"headers": {
"X-Received": "",
"MIME-Version": "",
"Message-ID": "",
"X-Exchange-Antispam-Report-Test": "",
"X-Exchange-Antispam-Report-CFA-Test": "",
"X-MS-Office365-Filtering-Correlation-Id": "",
"X-MS-Exchange-CrossTenant-Network-Message-Id": "",
"X-Microsoft-Exchange-Diagnostics": [],
"X-MS-Exchange-CrossTenant-Id": "",
"X-MS-Exchange-CrossTenant-FromEntityHeader": "",
"SpamDiagnosticMetadata": "",
"X-Gm-Message-State": "",
"SpamDiagnosticOutput": "",
"To": "",
"X-Microsoft-Antispam": "",
"Subject": "",
"From": "",
"Received": [],
"X-MS-Exchange-CrossTenant-OriginalArrivalTime": "",
"X-Microsoft-Antispam-Message-Info": [],
"Authentication-Results": "",
"X-MS-PublicTrafficType": "",
"Received-SPF": "",
"X-MS-TrafficTypeDiagnostic": "",
"X-MS-Exchange-Transport-CrossTenantHeadersStamped": "",
"Sender": "",
"X-MS-Exchange-Organization-AuthSource": "",
"X-MS-Exchange-Organization-MessageDirectionality": "",
"X-MS-Exchange-Organization-SCL": "",
"Auto-Submitted": "",
"X-Forefront-Antispam-Report": "",
"X-EOPTenantAttributedMessage": "",
"DKIM-Signature": [],
"X-Google-Smtp-Source": "",
"Reply-To": "",
"X-MS-Exchange-Processed-By-BccFoldering": "",
"X-Google-DKIM-Signature": "",
"X-MS-Exchange-Organization-AuthAs": "",
"Content-Type": "",
"X-MS-Exchange-Organization-Network-Message-Id": "",
"Return-Path": "",
"X-EOPAttributedMessage": "",
"X-MS-Exchange-Transport-EndToEndLatency": ""
},
"item_id": "",
"attachments": [
{
"file": "",
"metadata": {
"sha256": "",
"content_length": "",
"content_type": "",
"sha1": "",
"filename": "",
"md5": ""
},
"json": "",
"text": ""
}
],
"email_as_attachment": "",
"folder_path": "",
"parsed_attachment_data": []
}

operation: Add Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email to which you want to add categories. You can choose from the following options: All, Inbox, Sent, Drafts, Trash, or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email to which you want to assign the specified categories.
Categories CSV list of categories that you want to assign to the specified email.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"categories": []
}

operation: Get Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email whose categories you want to retrieve. You can choose from the following options: All, Inbox, Sent, Drafts, Trash or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email whose categories you want to retrieve.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"categories": []
}

operation: Remove Category

Input parameters

Parameter Description
Source (Optional) Name of the source folder from which you want to retrieve the email whose categories you want to remove. You can choose from the following options: All, Inbox, Sent, Drafts, Trash or Custom Folder. If you choose Custom Folder, then you must specify the following parameter:
  • Folder Name: Name of the folder from which you want to retrieve the email.
Message ID Message ID of the email from which you want to remove the specified categories.
Categories CSV list of categories that you want to remove from the specified email.

Output

The output contains the following populated JSON schema:
{
"subject": "",
"status": "",
"message_id": "",
"message": "",
"removed": [],
"not_found": []
}

Included playbooks

The Sample - Exchange - 4.0.0 playbook collection comes bundled with the Exchange connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Exchange connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling email content from Exchange. Currently, email content ingested from Exchange is mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Exchange email content to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure scheduled pulling of data from Exchange into FortiSOAR™. It also lets you pull some sample data from Exchange using which you can define the mapping of data between Exchange and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users mostly require to only map any custom fields that are added to email content from Exchange.

  1. To begin configuring data ingestion, click Configure Data Ingestion on the Exchange connector’s "Configurations" page.
    Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.

    Sample data is required to create a field mapping between the Exchange email data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
  2. On the Fetch Data screen, provide the configurations required to fetch email data from Exchange.
    From the Source drop-down list. choose the folder from which the unread emails need to be retrieved from the Exchange server. By default, this is set as "Inbox". You can select the Parse Inline Images checkbox if you want to include the inline images while retrieving the body of the unread emails from the Exchange server. Select the Use Unified Communications checkbox to allow communication with external entities, for example, other SOC teams using emails, instant messaging, etc. from within an alert generated in FortiSOAR™. For "Unified Communications" to work, you must install and configure the SOAR Framework Solution Pack on your FortiSOAR™ instance. For more information on the SOAR Framework Solution Pack see the SOAR Framework Solution Pack documentation.
    The fetched data is used to create a mapping between the emails retrieved from Exchange and FortiSOAR™ alerts.

    Once you have completed specifying the configurations, click Fetch Data.
  3. On the Field Mapping screen, map the fields of an email ingested from Exchange to the fields of an alert present in FortiSOAR™.
    To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the from parameter of an email ingested from Exchange to the Email From parameter of a FortiSOAR™ alert, click the Email From field and then click the from field to populate its keys:

    For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed mapping fields, click Save Mapping & Continue.

  4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Exchange, so that the content gets pulled from the Exchange integration into FortiSOAR™.
    On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
    In the “Configure Schedule Settings” section, specify the Cron expression for the schedule. For example, if you want to pull unread emails from Exchange every 5 minutes, click Every X Minute, and in the minute box enter */5. This would mean that based on the configuration you have set up, unread emails will be pulled from Exchange every 5 minutes.

    Once you have completed scheduling, click Save Settings & Continue.

  5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
    Important: After you have completed configuring the data ingestion for Exchange on an agent or are using the listener-based ingestion on an agent, then users must update the "> Exchange > Extract and Link File Indicator" playbook that is part of the Exchange ingestion playbooks collection (Connectors page > Data Ingestion > Exchange > Select Agent Configuration > Playbooks). You must update the configuration of the 'Utility' connector from "Self" to "Agent" in the "Upload File IOCs" step of the "> Exchange > Extract and Link File Indicator" playbook.

Troubleshooting

Issue when trying to save the connector configuration on an agent node

When you install the connector on an agent node, you might get a "connectors.exchange connector check_health(): Unsupported tzinfo type: _PytzShimTimezone(datetime.timezone.utc, 'UTC')" error with the 'Health Check' displaying as 'Disconnected' when you try to save the connector configuration on the agent node.

Resolution:
This issue can occur if the connector framework does not refer to the latest exchangelib dependency package and instead refers to the old exchangelib==1.10.7 package. In order to update the reference, users require to restart the 'cyops-integrations-agent' service as described in the following steps:

  1. ssh to your agent machine.
  2. To restart the 'cyops-integrations-agent' service, use the systemctl restart cyops-integrations-agent command.

Error while installing dependency when you are upgrading the Exchange connector to 4.0.0

When you try to upgrade your exchange connector from an earlier version to version 4.0.0, then you might get a dependency installation failure error: "cannot import name 'Identity'".

Resolution:
This issue can occur if the connector framework does not refer to the latest exchangelib dependency package and instead refers to the old exchangelib==1.10.7 package. In order to update the reference, users require to restart the 'uwsgi' service as described in the following steps:

  1. ssh to your FortiSOAR™ machine.
  2. To restart the 'uwsgi' service, use the systemctl restart uwsgi command.
Previous
Next