
EWS Extension Online Powershell v2

This Integration is part of the EWS Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the EWS Extension Online Powershell v2 integration to get information about mailboxes and users in your organization. This integration was integrated and tested with version v2 of the EWS Extension Online Powershell module.

Note: This integration does not replace the O365 - EWS - Extension integration; it is an additional EWS extension integration that uses the EXO v2 module.

Configure EWS Extension Online Powershell v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for EWS Extension Online Powershell v2.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Exchange Online URL | | True |
    | Certificate | A pfx certificate encoded in Base64. | True |
    | The organization used in app-only authentication. | | True |
    | The application ID from the Azure portal | | True |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ews-mailbox-list

Displays mailbox objects and attributes, populates property pages, or supplies mailbox information to other tasks.

Base Command

ews-mailbox-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| organizational_unit | The object's location in Active Directory by which to filter the results. | Optional |
| primary_smtp_address | The primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command. | Optional |
| user_principal_name | The UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command. | Optional |
| property_sets | A comma-separated list of property sets to fetch. These property sets supplement the outputs of this integration. Default is "Minimum". Available properties are: "All", "Minimum", "AddressList", "Archive", "Audit", "Delivery", "Hold", "Moderation", "Move", "Policy", "PublicFolder", "Quota", "Resource", "Retention", "SCL", "SoftDelete", "StatisticsSeed". | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.Mailbox.EmailAddresses | String | Email addresses of the mailbox. |
| EWS.Mailbox.AuditBypassEnabled | Boolean | Whether audit bypass is enabled. |
| EWS.Mailbox.DistinguishedName | String | Distinguished name of the mailbox. |
| EWS.Mailbox.ExchangeObjectId | String | Exchange object ID of the mailbox. |
| EWS.Mailbox.ExchangeVersion | String | Exchange version of the mailbox. |
| EWS.Mailbox.Guid | String | GUID of the mailbox. |
| EWS.Mailbox.Id | String | ID of the mailbox. |
| EWS.Mailbox.Identity | String | Identity of the mailbox. |
| EWS.Mailbox.IsValid | Boolean | Whether the mailbox is valid. |
| EWS.Mailbox.Name | String | Name of the mailbox. |
| EWS.Mailbox.ObjectCategory | String | Object category of the mailbox. |
| EWS.Mailbox.ObjectClass | String | Object class of the mailbox. |
| EWS.Mailbox.ObjectId | String | Object ID of the mailbox. |
| EWS.Mailbox.ObjectState | String | Object state of the mailbox. |
| EWS.Mailbox.OrganizationId | String | Organization ID of the mailbox. |
| EWS.Mailbox.OriginatingServer | String | Originating server of the mailbox. |
| EWS.Mailbox.PSComputerName | String | PowerShell computer name of the mailbox. |
| EWS.Mailbox.PSShowComputerName | Boolean | PowerShell show computer name of the mailbox. |
| EWS.Mailbox.RunspaceId | String | Runspace ID of the mailbox. |
| EWS.Mailbox.WhenChanged | Date | Local time of when the mailbox was last changed. |
| EWS.Mailbox.WhenChangedUTC | Date | UTC time of when the mailbox was last changed. |
| EWS.Mailbox.WhenCreated | Date | Local time of when the mailbox was created. |
| EWS.Mailbox.WhenCreatedUTC | Date | UTC time of when the mailbox was created. |

Command Example

!ews-mailbox-list limit=1

Context Example

```json
{
    "EWS": {
        "Mailbox": {
            "Alias": "user",
            "DisplayName": "User User",
            "DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
            "EmailAddresses": [
                "SPO:SPO_SPO0@SPO_SPO1",
                "SIP:user@example.com",
                "SMTP:user@example.com"
            ],
            "ExchangeVersion": "0.20 (15.0.0)",
            "ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
            "Guid": "<Guid>",
            "Id": "user",
            "Identity": "user",
            "Name": "user",
            "OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
            "PrimarySmtpAddress": "user@example.com",
            "RecipientType": "UserMailbox",
            "RecipientTypeDetails": "UserMailbox",
            "UserPrincipalName": "user@example.com"
        }
    }
}
```

Human Readable Output

Results of ews-mailbox-list

| Field | Value |
| --- | --- |
| Alias | "user" |
| DisplayName | "User User" |
| DistinguishedName | "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM" |
| EmailAddresses | ["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"] |
| ExchangeVersion | "0.20 (15.0.0)" |
| ExternalDirectoryObjectId | "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2" |
| Guid | {"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"} |
| Id | "user" |
| Identity | "user" |
| Name | "user" |
| OrganizationId | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" |
| PrimarySmtpAddress | "user@example.com" |
| RecipientType | "UserMailbox" |
| RecipientTypeDetails | "UserMailbox" |
| UserPrincipalName | "user@example.com" |

ews-cas-mailbox-list

Displays Client Access settings that are configured on mailboxes.

Base Command

ews-cas-mailbox-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| organizational_unit | The object's location in Active Directory by which to filter the results. | Optional |
| primary_smtp_address | The primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command. | Optional |
| user_principal_name | The UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.CASMailbox.ActiveSyncEnabled | Boolean | Whether ActiveSync is enabled. |
| EWS.CASMailbox.DisplayName | String | The display name of the mailbox. |
| EWS.CASMailbox.ECPEnabled | Boolean | Whether the Exchange Control Panel (ECP) is enabled. |
| EWS.CASMailbox.EmailAddresses | String | The email addresses retrieved. |
| EWS.CASMailbox.EwsEnabled | Boolean | Whether Exchange Web Services (EWS) is enabled. |
| EWS.CASMailbox.ExchangeVersion | String | Exchange version of the client access server mailbox. |
| EWS.CASMailbox.ExternalDirectoryObjectId | String | External directory object ID of the client access server mailbox. |
| EWS.CASMailbox.Guid | String | The GUID of the client access server mailbox. |
| EWS.CASMailbox.Identity | String | Identity of the client access server mailbox. |
| EWS.CASMailbox.ImapEnabled | Boolean | Whether the Internet Message Access Protocol (IMAP) is enabled. |
| EWS.CASMailbox.MAPIEnabled | Boolean | Whether the Messaging Application Programming Interface (MAPI) is enabled. |
| EWS.CASMailbox.Name | String | Name of the client access server mailbox. |
| EWS.CASMailbox.OWAEnabled | Boolean | Whether Outlook on the web (OWA) is enabled. |
| EWS.CASMailbox.OrganizationId | String | Organization ID. |
| EWS.CASMailbox.PopEnabled | Boolean | Whether Post Office Protocol (POP) is enabled. |
| EWS.CASMailbox.PrimarySmtpAddress | String | Primary SMTP address. |
| EWS.CASMailbox.ServerLegacyDN | String | Server legacy distinguished name (DN). |
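Mailboxes with POP, IMAP or ActiveSync still enabled are a routine hardening finding, and the EWS.CASMailbox context above carries exactly the flags needed to spot them. The following Python is an added example for this page, not code from the integration or the EWS Pack: it assumes an XSOAR automation already holds the ews-cas-mailbox-list results, works on constructed sample entries modelled on the context example, and treats a set of protocols as "legacy" that is the example's own choice.

```python
"""Audit EWS.CASMailbox entries for client-access protocols left enabled.

Added example for this page, not code from the EWS Extension Online
Powershell v2 integration. It works on the EWS.CASMailbox context shape
documented above; SAMPLE_CASMAILBOXES is constructed sample data.
"""
from typing import Dict, List, Union

# Flags this example treats as legacy/high-exposure client access. Which
# protocols count as legacy is an assumption of the example, not a setting
# of the integration.
LEGACY_PROTOCOL_FLAGS = {
    "PopEnabled": "POP3",
    "ImapEnabled": "IMAP4",
    "ActiveSyncEnabled": "ActiveSync",
}

SAMPLE_CASMAILBOXES: List[Dict] = [
    {  # modelled on the page's context example: every protocol enabled
        "Identity": "user",
        "PrimarySmtpAddress": "user@example.com",
        "ActiveSyncEnabled": True, "ECPEnabled": True, "EwsEnabled": True,
        "ImapEnabled": True, "MAPIEnabled": True, "OWAEnabled": True,
        "PopEnabled": True,
    },
    {  # constructed: a mailbox with the legacy protocols switched off
        "Identity": "hardened",
        "PrimarySmtpAddress": "hardened@example.com",
        "ActiveSyncEnabled": False, "ECPEnabled": True, "EwsEnabled": True,
        "ImapEnabled": False, "MAPIEnabled": True, "OWAEnabled": True,
        "PopEnabled": False,
    },
]


def legacy_protocols(cas_mailbox: Dict) -> List[str]:
    """Names of the legacy protocols that are enabled on one CASMailbox entry."""
    return [name for flag, name in LEGACY_PROTOCOL_FLAGS.items()
            if cas_mailbox.get(flag) is True]


def audit_cas_mailboxes(entries: Union[Dict, List[Dict]]) -> List[Dict]:
    """One finding per mailbox that still has at least one legacy protocol on.

    XSOAR context holds a single object when the command returned one result
    and a list when it returned several, so both shapes are accepted.
    """
    if isinstance(entries, dict):
        entries = [entries]
    findings = []
    for mailbox in entries:
        enabled = legacy_protocols(mailbox)
        if enabled:
            findings.append({
                "Identity": mailbox.get("Identity"),
                "PrimarySmtpAddress": mailbox.get("PrimarySmtpAddress"),
                "LegacyProtocols": enabled,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_cas_mailboxes(SAMPLE_CASMAILBOXES):
        print(f"{finding['PrimarySmtpAddress']}: "
              f"{', '.join(finding['LegacyProtocols'])} still enabled")
```

In a playbook the findings list would feed a task that decides whether to open a ticket or call the mailbox owner; the normalisation of single-object versus list context is the part most often forgotten when the same automation is run with limit=1 and with a larger limit.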

Command Example

!ews-cas-mailbox-list limit=1

Context Example

```json
{
    "EWS": {
        "CASMailbox": {
            "ActiveSyncEnabled": true,
            "DisplayName": "User User",
            "ECPEnabled": true,
            "EmailAddresses": [
                "SPO:SPO_SPO0@SPO_SPO1",
                "SIP:user@example.com",
                "SMTP:user@example.com"
            ],
            "EwsEnabled": true,
            "ExchangeVersion": "0.20 (15.0.0)",
            "ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
            "Guid": "<Guid>",
            "Identity": "user",
            "ImapEnabled": true,
            "MAPIEnabled": true,
            "Name": "user",
            "OWAEnabled": true,
            "OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
            "PopEnabled": true,
            "PrimarySmtpAddress": "user@example.com",
            "ServerLegacyDN": "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383"
        }
    }
}
```

Human Readable Output

Results of ews-cas-mailbox-list

| Field | Value |
| --- | --- |
| ActiveSyncEnabled | true |
| DisplayName | "User User" |
| ECPEnabled | true |
| EmailAddresses | ["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"] |
| EwsEnabled | true |
| ExchangeVersion | "0.20 (15.0.0)" |
| ExternalDirectoryObjectId | "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2" |
| Guid | {"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"} |
| Identity | "user" |
| ImapEnabled | true |
| MAPIEnabled | true |
| Name | "user" |
| OrganizationId | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" |
| OWAEnabled | true |
| PopEnabled | true |
| PrimarySmtpAddress | "user@example.com" |
| ServerLegacyDN | "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383" |

ews-mailbox-permission-list

Retrieves permissions on a mailbox.

Base Command

ews-mailbox-permission-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.MailboxPermission.Identity | String | The specified identity of the mailbox. |
| EWS.MailboxPermission.Permission.AccessRights | String | Access rights granted on the mailbox. |
| EWS.MailboxPermission.Permission.Deny.IsPresent | Boolean | Whether the permission entry is a deny entry. |
| EWS.MailboxPermission.Permission.Identity | String | The permission identity. |
| EWS.MailboxPermission.Permission.InheritanceType | String | Permission inheritance type. |
| EWS.MailboxPermission.Permission.IsInherited | Boolean | Whether the permission is inherited. |
| EWS.MailboxPermission.Permission.User | String | The user (trustee) to whom the permission is granted. |

Command Example

!ews-mailbox-permission-list identity=user

Context Example

```json
{
    "EWS": {
        "MailboxPermission": {
            "Identity": "user",
            "Permission": {
                "AccessRights": [
                    "FullAccess",
                    "ReadPermission"
                ],
                "Deny": {
                    "IsPresent": false
                },
                "Identity": "user",
                "InheritanceType": "All",
                "IsInherited": false,
                "User": "NT AUTHORITY\\SELF"
            }
        }
    }
}
```

Human Readable Output

Results of ews-mailbox-permission-list

| AccessRights | Deny | Identity | InheritanceType | IsInherited | User |
| --- | --- | --- | --- | --- | --- |
| ["FullAccess","ReadPermission"] | {"IsPresent":false} | "user" | "All" | false | "NT AUTHORITY\SELF" |

ews-recipient-permission-list

Displays information about SendAs permissions that are configured for users.

Base Command

ews-recipient-permission-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.RecipientPermission.AccessControlType | String | Access control type of the recipient permission (for example, Allow). |
| EWS.RecipientPermission.AccessRights | Number | Access rights of the recipient permission. |
| EWS.RecipientPermission.Identity | String | Identity of the recipient the permission applies to. |
| EWS.RecipientPermission.InheritanceType | String | Inheritance type of the recipient permission. |
| EWS.RecipientPermission.IsInherited | Boolean | Whether the recipient permission is inherited. |
| EWS.RecipientPermission.Trustee | String | Trustee (the principal granted SendAs) of the recipient permission. |

Command Example

!ews-recipient-permission-list identity=<Guid>

Context Example

```json
{
    "EWS": {
        "RecipientPermission": {
            "AccessControlType": "Allow",
            "AccessRights": [
                1
            ],
            "Identity": "user",
            "InheritanceType": "None",
            "IsInherited": false,
            "Trustee": "NT AUTHORITY\\SELF"
        }
    }
}
```

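The two permission commands above are what an analyst reaches for when checking whether a mailbox has been quietly delegated: ews-mailbox-permission-list shows FullAccess-style rights (trustee in User, rights as strings) and ews-recipient-permission-list shows SendAs grants (trustee in Trustee, rights as a numeric code). The following Python is an added example for this page, not code from the integration or the EWS Pack; it consumes both context shapes and uses constructed sample input built from the page's context examples plus one added delegation entry each. Which rights count as high impact is the example's own assumption.

```python
"""Flag delegated mailbox access worth reviewing, from the two context shapes
documented above: EWS.MailboxPermission (ews-mailbox-permission-list) and
EWS.RecipientPermission (ews-recipient-permission-list).

Added example for this page, not integration code. Sample data is constructed
from the page's context examples plus one added delegation entry each.
"""
from typing import Dict, List, Union

# Principals that legitimately hold rights on their own mailbox.
SELF_PRINCIPALS = {"NT AUTHORITY\\SELF"}

# Assumption of this example: mailbox rights treated as high impact.
HIGH_IMPACT_RIGHTS = {"FullAccess", "SendAs"}

SAMPLE_MAILBOX_PERMISSIONS = {
    "Identity": "user",
    "Permission": [
        {  # from the page's context example: the mailbox's own access
            "AccessRights": ["FullAccess", "ReadPermission"],
            "Deny": {"IsPresent": False}, "Identity": "user",
            "InheritanceType": "All", "IsInherited": False,
            "User": "NT AUTHORITY\\SELF",
        },
        {  # constructed: an explicit, non-inherited delegation to another account
            "AccessRights": ["FullAccess"],
            "Deny": {"IsPresent": False}, "Identity": "user",
            "InheritanceType": "All", "IsInherited": False,
            "User": "assistant@example.com",
        },
    ],
}

SAMPLE_RECIPIENT_PERMISSIONS = [
    {  # from the page's context example
        "AccessControlType": "Allow", "AccessRights": [1], "Identity": "user",
        "InheritanceType": "None", "IsInherited": False,
        "Trustee": "NT AUTHORITY\\SELF",
    },
    {  # constructed: SendAs granted to another account
        "AccessControlType": "Allow", "AccessRights": [1], "Identity": "user",
        "InheritanceType": "None", "IsInherited": False,
        "Trustee": "assistant@example.com",
    },
]


def _as_list(value: Union[None, Dict, List]) -> List:
    """XSOAR context stores one item as a dict and several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def mailbox_permission_findings(ctx: Dict) -> List[Dict]:
    """Non-self, non-inherited, allow entries that grant a high-impact right."""
    findings = []
    for perm in _as_list(ctx.get("Permission")):
        if perm.get("User") in SELF_PRINCIPALS or perm.get("IsInherited"):
            continue
        if perm.get("Deny", {}).get("IsPresent"):
            continue  # a deny entry removes access rather than granting it
        rights = sorted(set(_as_list(perm.get("AccessRights"))) & HIGH_IMPACT_RIGHTS)
        if rights:
            findings.append({"Mailbox": ctx.get("Identity"),
                             "Trustee": perm["User"], "Rights": rights})
    return findings


def recipient_permission_findings(ctx: Union[Dict, List[Dict]]) -> List[Dict]:
    """Allowed SendAs grants to any principal other than the mailbox itself."""
    findings = []
    for perm in _as_list(ctx):
        if perm.get("AccessControlType") != "Allow":
            continue
        if perm.get("Trustee") in SELF_PRINCIPALS:
            continue
        findings.append({"Mailbox": perm.get("Identity"),
                         "Trustee": perm["Trustee"], "Rights": ["SendAs"]})
    return findings


if __name__ == "__main__":
    for f in (mailbox_permission_findings(SAMPLE_MAILBOX_PERMISSIONS)
              + recipient_permission_findings(SAMPLE_RECIPIENT_PERMISSIONS)):
        print(f"{f['Mailbox']}: {', '.join(f['Rights'])} granted to {f['Trustee']}")
```

Deny entries and inherited entries are skipped deliberately: the former take access away, and the latter reflect tenant-wide defaults rather than a change made on this specific mailbox, which is usually what an investigation is looking for.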

ews-recipient-list

Displays existing recipient objects in your organization. This command returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).

Base Command

ews-recipient-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the recipient you want to view. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.Recipient.Alias | String | Recipient alias. |
| EWS.Recipient.DisplayName | String | Recipient display name. |
| EWS.Recipient.DistinguishedName | String | Recipient distinguished name. |
| EWS.Recipient.EmailAddresses | String | Recipient email addresses. |
| EWS.Recipient.ExchangeVersion | String | Recipient Exchange version. |
| EWS.Recipient.ExternalDirectoryObjectId | String | Recipient external directory object ID. |
| EWS.Recipient.Identity | String | Recipient identity. |
| EWS.Recipient.Name | String | Recipient name. |
| EWS.Recipient.OrganizationId | String | Recipient organization ID. |
| EWS.Recipient.PrimarySmtpAddress | String | Recipient primary SMTP address. |
| EWS.Recipient.RecipientType | String | Recipient type. |
| EWS.Recipient.RecipientTypeDetails | String | Recipient type details. |

Command Example

!ews-recipient-list identity=<ExternalDirectoryObjectId>

Context Example

```json
{
    "EWS": {
        "Recipient": {
            "Alias": "user",
            "DisplayName": "User User",
            "DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
            "EmailAddresses": [
                "SPO:SPO_SPO0@SPO_SPO1",
                "SIP:user@example.com",
                "SMTP:user@example.com"
            ],
            "ExchangeVersion": "0.20 (15.0.0)",
            "ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
            "Identity": "user",
            "Name": "user",
            "OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
            "PrimarySmtpAddress": "user@example.com",
            "RecipientType": "UserMailbox",
            "RecipientTypeDetails": "UserMailbox"
        }
    }
}
```

Human Readable Output

Results of ews-recipient-list

| Field | Value |
| --- | --- |
| Alias | "user" |
| DisplayName | "user" |
| DistinguishedName | "CN=user_Identity,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM" |
| EmailAddresses | ["SPO:SPO_SP00@SPO_SP01","SMTP:user@example.com"] |
| ExchangeVersion | "0.10 (14.0.100)" |
| ExternalDirectoryObjectId | "Identity" |
| Identity | "user_Identity" |
| Name | "user_Identity" |
| OrganizationId | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" |
| PrimarySmtpAddress | "user@example.com" |
| RecipientType | "MailUniversalDistributionGroup" |
| RecipientTypeDetails | "GroupMailbox" |

ews-new-tenant-allow-block-list-items

Adds new items to the Tenant Allow/Block Lists. Uses the PowerShell New-TenantAllowBlockListItems cmdlet.

See the official PowerShell cmdlet documentation for details.

Base Command

ews-new-tenant-allow-block-list-items

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entries | Entries to add to the list. Separate multiple entries with a comma (e.g. "Item1,Item2"). | Required |
| list_type | List type to add items to. | Required |
| list_subtype | List subtype to add items to. | Optional |
| action | Action to set for the new entries. | Required |
| notes | Notes to include on the new list entries. | Optional |
| expiration_date | A specific date and time for the new entries to expire, in the format "YYYY-MM-DD HH:MM:SSz" for UTC time. Alternatively, a PowerShell Get-Date statement can be used. | Optional |
| no_expiration | Whether to create list entries with no expiration date. Cannot be used with "expiration_date". If left false and no expiration date is set, a default of 30 days is used. | Optional |
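The expiration arguments carry three rules that are easy to get wrong from a playbook: the "YYYY-MM-DD HH:MM:SSz" UTC format, the mutual exclusion of no_expiration and expiration_date, and the 30-day default when neither is given. The following Python is an added example for this page, not the integration's own code: it validates those arguments on the caller side before the command is run. The 30-day arithmetic is the example's reading of the documented default (the integration computes the real expiry server-side), and build_block_args is a hypothetical helper of the example.

```python
"""Check the expiration-related arguments of
ews-new-tenant-allow-block-list-items before a playbook runs the command.

Added example for this page, not the integration's own code. It encodes the
rules stated in the Input table: expiration_date uses "YYYY-MM-DD HH:MM:SSz"
(UTC), no_expiration cannot be combined with expiration_date, and with
neither given the entry expires after 30 days. The 30-day arithmetic below is
this example's reading of that default; the integration computes its own
value. build_block_args is a hypothetical helper of this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EXPIRATION_FORMAT = "%Y-%m-%d %H:%M:%Sz"  # the page's "YYYY-MM-DD HH:MM:SSz"
DEFAULT_TTL = timedelta(days=30)          # "a default of 30 days is used"


def parse_expiration(value: str) -> datetime:
    """Parse the documented UTC timestamp; raises ValueError on any other shape."""
    return datetime.strptime(value, EXPIRATION_FORMAT).replace(tzinfo=timezone.utc)


def normalise_entries(entries: str) -> str:
    """Trim, de-duplicate (case-insensitively) and re-join the comma-separated entries."""
    kept = []
    for item in entries.split(","):
        item = item.strip()
        if item and item.lower() not in {k.lower() for k in kept}:
            kept.append(item)
    if not kept:
        raise ValueError("entries must contain at least one value")
    return ",".join(kept)


def effective_expiration(expiration_date: Optional[str], no_expiration: bool,
                         now_utc: Optional[str] = None) -> Optional[str]:
    """Return the expiry as an ISO-8601 UTC string, or None for 'never'.

    now_utc takes the same format as expiration_date so the rule can be
    checked against a fixed clock; it defaults to the current time.
    """
    if no_expiration and expiration_date:
        raise ValueError("no_expiration cannot be used together with expiration_date")
    if no_expiration:
        return None
    now = parse_expiration(now_utc) if now_utc else datetime.now(timezone.utc)
    expiry = parse_expiration(expiration_date) if expiration_date else now + DEFAULT_TTL
    if expiry <= now:
        raise ValueError("expiration_date must be in the future")
    return expiry.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_block_args(entries: str, notes: str, list_type: str = "sender",
                     expiration_date: Optional[str] = None,
                     no_expiration: bool = False) -> Dict[str, str]:
    """Assemble validated command arguments for a Block entry on list_type."""
    effective_expiration(expiration_date, no_expiration)  # raises on bad input
    args = {"action": "Block", "list_type": list_type,
            "entries": normalise_entries(entries), "notes": notes}
    if no_expiration:
        args["no_expiration"] = "true"
    elif expiration_date:
        args["expiration_date"] = expiration_date
    return args


if __name__ == "__main__":
    # With the creation time from the page's context example, the 30-day
    # default lands on the ExpirationDate that example shows.
    print(effective_expiration(None, False, "2022-05-16 19:30:52z"))
    print(build_block_args("attacker@phishingsite.com",
                           "Email observed in a phishing campaign."))
```

Rejecting a past expiration_date up front is worth the extra check: an entry that expires immediately is silently useless, and the Error field in the command's context output is the only place the failure would otherwise surface.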

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.NewTenantBlocks.Action | String | List type ('Block' or 'Allow'). |
| EWS.NewTenantBlocks.EntryValueHash | String | Entry value hash. |
| EWS.NewTenantBlocks.Error | String | Error (if any) returned by the remote command. |
| EWS.NewTenantBlocks.ExpirationDate | String | DateTime at which the entry will expire and be removed. |
| EWS.NewTenantBlocks.Identity | String | Unique identifier for the entry. |
| EWS.NewTenantBlocks.LastModifiedDateTime | String | DateTime of the last modification. |
| EWS.NewTenantBlocks.ListSubType | String | List subtype (Tenant or AdvancedDelivery). |
| EWS.NewTenantBlocks.ModifiedBy | String | User / app registration which last modified this entry. |
| EWS.NewTenantBlocks.Notes | String | Custom notes added to the entry. |
| EWS.NewTenantBlocks.ObjectState | String | State of the object (e.g. New/Modified/Deleted). |
| EWS.NewTenantBlocks.PSComputerName | String | Name of the remote PowerShell endpoint. |
| EWS.NewTenantBlocks.PSShowComputerName | Bool | Whether the remote computer name is shown in the PS prompt. |
| EWS.NewTenantBlocks.RunspaceId | String | RunspaceID of the entry. |
| EWS.NewTenantBlocks.SubmissionID | String | SubmissionID of the entry. |
| EWS.NewTenantBlocks.SysManaged | Bool | SysManaged property of the entry. |
| EWS.NewTenantBlocks.Value | String | The value of the new entry created. |

Command Example

!ews-new-tenant-allow-block-list-items action=Block list_type=sender entries="attacker@phishingsite.com" notes="Email observed in a phishing campaign."

Context Example

```json
{
    "Action": "Block",
    "EntryValueHash": "d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo=",
    "Error": null,
    "ExpirationDate": "2022-06-15T19:30:52.6071551Z",
    "Identity": "RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPhAAAA0",
    "LastModifiedDateTime": "2022-05-16T19:30:52.7320883Z",
    "ListSubType": "Tenant",
    "ModifiedBy": "",
    "Notes": "Email observed in a phishing campaign.",
    "ObjectState": "New",
    "PSComputerName": "outlook.office365.com",
    "PSShowComputerName": false,
    "RunspaceId": "fe0186a8-6ce6-487d-bd65-a9869f60ffcd",
    "SubmissionID": "",
    "SysManaged": false,
    "Value": "attacker@phishingsite.com"
}
```

Human Readable Output

Results of ews-new-tenant-allow-block-list-items

| Field | Value |
| --- | --- |
| Action | Block |
| EntryValueHash | d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo= |
| Error | |
| ExpirationDate | {"value":"2022-06-15T19:34:01.2028448Z","DateTime":"Wednesday, June 15, 2022 7:34:01 PM"} |
| Identity | RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0 |
| LastModifiedDateTime | {"value":"2022-05-16T19:34:01.2652934Z","DateTime":"Monday, May 16, 2022 7:34:01 PM"} |
| ListSubType | Tenant |
| ModifiedBy | |
| Notes | Email observed in a phishing campaign. |
| ObjectState | New |
| PSComputerName | outlook.office365.com |
| PSShowComputerName | false |
| RunspaceId | {"value":"8f736b87-f951-4b6b-aa21-e358720c44e3","Guid":"8f736b87-f951-4b6b-aa21-e358720c44e3"} |
| SubmissionID | |
| SysManaged | false |
| Value | attacker@phishingsite.com |

ews-get-tenant-allow-block-list-items

Retrieves the current Tenant Allow/Block List items. Uses the Get-TenantAllowBlockListItems cmdlet.

See the official PowerShell cmdlet documentation for details.

Base Command

ews-get-tenant-allow-block-list-items

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_type | List type to retrieve items from. | Required |
| list_subtype | List subtype to retrieve items from. | Optional |
| action | Action to filter entries by. | Required |
| expiration_date | A specific date and time to filter entries by, in the format "YYYY-MM-DD HH:MM:SSz" for UTC time. Alternatively, a PowerShell Get-Date statement can be used. | Optional |
| no_expiration | Filter for list items that are set to never expire. | Optional |
| entry | Specific entry value to retrieve. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.CurrentTenantBlocks.Action | String | List type ('Block' or 'Allow'). |
| EWS.CurrentTenantBlocks.EntryValueHash | String | Entry value hash. |
| EWS.CurrentTenantBlocks.Error | Bool | Error (if any) returned by the remote command. |
| EWS.CurrentTenantBlocks.ExpirationDate | String | DateTime at which the entry will expire and be removed. |
| EWS.CurrentTenantBlocks.Identity | String | Unique identifier for the entry. |
| EWS.CurrentTenantBlocks.LastModifiedDateTime | String | DateTime of the last modification. |
| EWS.CurrentTenantBlocks.ListSubType | String | List subtype (Tenant or AdvancedDelivery). |
| EWS.CurrentTenantBlocks.ModifiedBy | String | User / app registration which last modified this entry. |
| EWS.CurrentTenantBlocks.Notes | String | Custom notes added to the entry. |
| EWS.CurrentTenantBlocks.ObjectState | String | State of the object (e.g. New/Modified/Deleted). |
| EWS.CurrentTenantBlocks.PSComputerName | String | Name of the remote PowerShell endpoint. |
| EWS.CurrentTenantBlocks.PSShowComputerName | Bool | Whether the remote computer name is shown in the PS prompt. |
| EWS.CurrentTenantBlocks.RunspaceId | String | RunspaceID of the entry. |
| EWS.CurrentTenantBlocks.SubmissionID | String | SubmissionID of the entry. |
| EWS.CurrentTenantBlocks.SysManaged | Bool | SysManaged property of the entry. |
| EWS.CurrentTenantBlocks.Value | String | The value of the entry. |

Command Example

!ews-get-tenant-allow-block-list-items action=Block list_type=sender

Context Example

```json
[
    {
        "Action": "Block",
        "EntryValueHash": "d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo=",
        "Error": null,
        "ExpirationDate": "2022-06-15T19:34:01.2028448Z",
        "Identity": "RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0",
        "LastModifiedDateTime": "2022-05-16T19:34:01.2652934Z",
        "ListSubType": "Tenant",
        "ModifiedBy": "",
        "Notes": "Email observed in a phishing campaign.",
        "ObjectState": "Unchanged",
        "PSComputerName": "outlook.office365.com",
        "PSShowComputerName": false,
        "RunspaceId": "010da4cf-2d47-4b8a-a882-4bd6885faff1",
        "SubmissionID": "",
        "SysManaged": false,
        "Value": "attacker@phishingsite.com"
    }
]
```

Human Readable Output

Results of ews-get-tenant-allow-block-list-items

| Field | Value |
| --- | --- |
| Action | Block |
| EntryValueHash | d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo= |
| Error | |
| ExpirationDate | {"value":"2022-06-15T19:34:01.2028448Z","DateTime":"Wednesday, June 15, 2022 7:34:01 PM"} |
| Identity | RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0 |
| LastModifiedDateTime | {"value":"2022-05-16T19:34:01.2652934Z","DateTime":"Monday, May 16, 2022 7:34:01 PM"} |
| ListSubType | Tenant |
| ModifiedBy | |
| Notes | Email observed in a phishing campaign. |
| ObjectState | Unchanged |
| PSComputerName | outlook.office365.com |
| PSShowComputerName | false |
| RunspaceId | {"value":"feada07c-99b7-48e9-a562-a755073522ff","Guid":"feada07c-99b7-48e9-a562-a755073522ff"} |
| SubmissionID | |
| SysManaged | false |
| Value | attacker@phishingsite.com |

ews-get-tenant-allow-block-list-count

Retrieves the current count of defined Tenant Allow/Block List items. Uses the Get-TenantAllowBlockListItems cmdlet.

See the official PowerShell cmdlet documentation for details.

Base Command

ews-get-tenant-allow-block-list-count

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_type | List type to retrieve items from. | Optional |
| list_subtype | List subtype to retrieve items from. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.CurrentListCount.Count | Number | Number of entries presently in the specified list. |
| EWS.CurrentListCount.ListSubType | String | List subtype (Tenant or AdvancedDelivery). |
| EWS.CurrentListCount.ListType | String | List type. |

Command Example

!ews-get-tenant-allow-block-list-count list_type=sender

Context Example

```json
{
    "Count": 2,
    "ListSubType": "Tenant",
    "ListType": "sender"
}
```

Human Readable Output

Results of ews-get-tenant-allow-block-list-count

| Count | ListSubType | ListType |
| --- | --- | --- |
| 2 | Tenant | sender |

ews-remove-tenant-allow-block-list-items

Removes items from the Tenant Allow/Block Lists. You can delete items by their value or by unique ID. Uses the PowerShell Remove-TenantAllowBlockListItems cmdlet.

See the official PowerShell cmdlet documentation for details.

Base Command

ews-remove-tenant-allow-block-list-items

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| entries | Entries to remove from the list. Use either this or 'ids' to specify the items to remove. Separate multiple entries with a comma (e.g. "Item1,Item2"). | Optional |
| ids | Entry IDs to remove from the list. Use either this or 'entries' to specify the items to remove. Separate multiple IDs with a comma (e.g. "Item1,Item2"). | Optional |
| list_type | List type to remove items from. | Required |
| list_subtype | List subtype to remove items from. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| EWS.RemovedTenantBlocks.Action | String | Action. |
| EWS.RemovedTenantBlocks.EntryValueHash | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Error | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ExpirationDate | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Identity | String | Blank for deleted items. |
| EWS.RemovedTenantBlocks.LastModifiedDateTime | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ListSubType | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ModifiedBy | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Notes | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ObjectState | String | State of the object (Deleted). |
| EWS.RemovedTenantBlocks.PSComputerName | String | Name of the remote PowerShell endpoint. |
| EWS.RemovedTenantBlocks.PSShowComputerName | Bool | Whether the remote computer name is shown in the PS prompt. |
| EWS.RemovedTenantBlocks.RunspaceId | String | RunspaceID of the entry. |
| EWS.RemovedTenantBlocks.SubmissionID | String | SubmissionID of the entry. |
| EWS.RemovedTenantBlocks.SysManaged | Bool | SysManaged property of the entry. |
| EWS.RemovedTenantBlocks.Value | String | The value of the entry that was removed. |

Command Example

!ews-remove-tenant-allow-block-list-items list_type=sender entries="attacker2@phishingsite.com"

Context Example

```json
{
    "Action": "0",
    "EntryValueHash": null,
    "Error": null,
    "ExpirationDate": null,
    "Identity": "",
    "LastModifiedDateTime": null,
    "ListSubType": null,
    "ModifiedBy": null,
    "Notes": null,
    "ObjectState": "Deleted",
    "PSComputerName": "outlook.office365.com",
    "PSShowComputerName": false,
    "RunspaceId": "efa88be5-7342-4b77-af2f-99dd2d914300",
    "SubmissionID": null,
    "SysManaged": null,
    "Value": "attacker2@phishingsite.com"
}
```

Human Readable Output

Results of ews-remove-tenant-allow-block-list-items

| Field | Value |
| --- | --- |
| Action | 0 |
| EntryValueHash | |
| Error | |
| ExpirationDate | |
| Identity | |
| LastModifiedDateTime | |
| ListSubType | |
| ModifiedBy | |
| Notes | |
| ObjectState | Deleted |
| PSComputerName | outlook.office365.com |
| PSShowComputerName | false |
| RunspaceId | {"value":"cd58060e-d033-4cdb-814e-9f9748fdf78c","Guid":"cd58060e-d033-4cdb-814e-9f9748fdf78c"} |
| SubmissionID | |
| SysManaged | |
| Value | attacker@phishingsite.com |