O365 - Security And Compliance - Content Search v2
This integration is part of the Microsoft Exchange Online Pack.

## Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This integration lets you manage and interact with Microsoft Security & Compliance Center content search. You can search your organization's Exchange mailboxes, SharePoint sites, OneDrive accounts, and public folders using text strings or Keyword Query Language (KQL) queries built from the attributes of a malicious email. Search actions (Preview and Purge) can be applied to emails only. This integration was integrated and tested with the Security & Compliance Center.

## Use Cases

- Create, modify, get, list, remove, start, and stop a compliance search in the Security & Compliance Center content search service.
- Create, get, list, and remove search actions in the Security & Compliance Center content search service. The supported actions, Purge (delete) and Preview, apply to emails only.
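
The description above covers building KQL queries from the attributes of a malicious email. The subject and sender of a phishing message are attacker-controlled, so a query assembled by plain string concatenation can be widened by crafted text (for example a Subject containing `" OR received>=2000-01-01 OR "`), and a Purge action run on that search would then delete far more than intended. The following Python helper is an added example for this README, not code from the integration or its playbooks. It quotes every value and caps the date window before the query is handed to the kql argument of o365-sc-new-search. The properties from, subject, and received are standard searchable email properties in content search; the character allow-list is a conservative assumption for this example rather than a documented KQL escaping rule.

```python
"""Build an injection-resistant KQL query from the attributes of a malicious email.

Added example for this README; not part of the integration or its playbooks.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Characters KQL may read as operators or property syntax; they are replaced
# with spaces before the value is quoted. This allow-list is a conservative
# assumption for this example, not a documented KQL escaping rule.
_UNSAFE = re.compile(r'["()<>=:*]')


def kql_phrase(value: str) -> str:
    """Return value as a double-quoted KQL phrase with unsafe characters removed.

    Inside a quoted phrase KQL matches words such as OR and NOT literally, so
    quoting (plus stripping embedded quotes) keeps crafted text from becoming
    operators that widen the search.
    """
    cleaned = _UNSAFE.sub(" ", value)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    if not cleaned:
        raise ValueError("value is empty after sanitising; refusing to build an unbounded clause")
    return f'"{cleaned}"'


def build_email_kql(sender: str, subject: str, received: str, window_days: int = 1) -> str:
    """Combine sender, subject and a received-date window (ISO date string) into one AND query.

    Every clause narrows the result set. The window is capped so a typo cannot
    turn a targeted search into a tenant-wide one.
    """
    if not 0 <= window_days <= 7:
        raise ValueError("window_days must be between 0 and 7")
    received_on = date.fromisoformat(received)  # raises ValueError on malformed input
    start = received_on - timedelta(days=window_days)
    end = received_on + timedelta(days=window_days)
    clauses = [
        f"from:{kql_phrase(sender)}",
        f"subject:{kql_phrase(subject)}",
        f"received>={start.isoformat()}",
        f"received<={end.isoformat()}",
    ]
    return " AND ".join(f"({clause})" for clause in clauses)


if __name__ == "__main__":
    # Constructed attributes of a hypothetical phishing email; the subject
    # carries an injection attempt that the quoting neutralises.
    crafted_subject = 'Invoice overdue" OR received>=2000-01-01 OR "'
    print(build_email_kql("attacker@evil.example", crafted_subject, "2020-11-29"))
```

Pass the returned string as the kql argument of o365-sc-new-search, and keep exchange_location scoped to the affected mailboxes rather than "All", so that both the quoting and the location list bound what a later Purge action can touch.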

## Playbooks

- O365 - Security And Compliance - Search And Delete: Creates and starts a compliance search in the Security and Compliance Center to identify emails with attributes similar to those of a malicious email. Depending on its inputs, it previews or deletes the emails that were located. This playbook uses the following playbooks as sub-playbooks in its workflow.
- O365 - Security And Compliance - Search: Creates and starts a compliance search in the Security and Compliance Center to identify emails with attributes similar to those of a malicious email.
- O365 - Security And Compliance - Search Action - Delete: Deletes the emails located by the O365 - Security And Compliance - Search sub-playbook.
- O365 - Security And Compliance - Search Action - Preview: Provides a preview of the emails located by the O365 - Security And Compliance - Search sub-playbook.

## Permissions in the Security & Compliance Center

### Authentication

To configure the account that will be used by this integration, the user performing the configuration must be a Global Administrator or must be assigned the Role Management role (by default this role is assigned only to the Organization Management role group). The Role Management role allows users to view, create, and modify role groups. Note that the account used by the integration itself does not require Global Administrator permissions.

Log in to the Compliance Center and create a role group for the integration account:

1. From the side menu, navigate to Roles & Scopes > Permissions. Under Microsoft Purview solutions, click Roles.
2. Click Create role group.
3. Enter a name and, optionally, a description.
4. Click Choose roles.
5. Select the following roles:
   - Case Management
   - Communication
   - Compliance Search
   - Custodian
   - Data Investigation Management
   - Export
   - Hold
   - Preview
   - Review
   - RMS Decrypt
   - Search And Purge
6. Click Choose users.
7. Select one or more users to add to the role group.
8. Click Create.

The username and password of the user you intend to use for investigations must be entered in the UPN/Email and Delegated Password fields of the integration instance configuration.

Please note: Microsoft requires this connection to be made over a secure (certificate-verified TLS) connection. Disabling certificate verification is not supported at this time.

## Known ConnectionUri and AzureADAuthorizationEndpointUri Endpoints

Environment | ConnectionUri | AzureADAuthorizationEndpointUri |
---|---|---|
Microsoft 365 or Microsoft 365 GCC | https://ps.compliance.protection.outlook.com/powershell-liveid/ | https://login.microsoftonline.com |
Microsoft 365 GCC High | https://ps.compliance.protection.office365.us/powershell-liveid/ | https://login.microsoftonline.us |
Microsoft 365 DoD | https://l5.ps.compliance.protection.office365.us/powershell-liveid/ | https://login.microsoftonline.us |
Office 365 operated by 21Vianet | https://ps.compliance.protection.partner.outlook.cn/powershell-liveid | https://login.chinacloudapi.cn |

More information can be found in Microsoft's documentation on connecting to Security & Compliance PowerShell.

## Configure SecurityAndComplianceV2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for O365 - Security And Compliance - Content Search.
3. Click Add instance to create and configure a new integration instance.
4. Authorize the instance (OAuth 2.0 device login). Open the playground (War Room), run the !o365-sc-auth-start command, and follow the instructions. The expected output is:

   Security And Compliance - Authorize instructions
   - To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXX to authenticate.
   - Run the !o365-sc-auth-complete command in the War Room.

5. After signing in on the device login page, run the !o365-sc-auth-complete command in the War Room.
6. Test the OAuth 2.0 authorization by running the !o365-sc-auth-test command.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### o365-sc-auth-start

OAuth 2.0 - Start authorization.

#### Base Command

`o365-sc-auth-start`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-auth-start`

#### Human Readable Output

Security And Compliance - Authorize instructions
- To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXX to authenticate.
- Run the !o365-sc-auth-complete command in the War Room.

### o365-sc-auth-complete

OAuth 2.0 - Complete authorization.

#### Base Command

`o365-sc-auth-complete`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-auth-complete`

#### Human Readable Output

Your account successfully authorized!

### o365-sc-auth-test

OAuth 2.0 - Test authorization.

#### Base Command

`o365-sc-auth-test`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-auth-test`

#### Human Readable Output

Test ok!

### o365-sc-new-search

Creates a compliance search in the Security & Compliance Center.

#### Base Command

`o365-sc-new-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. If not specified, the name will be the prefix "XSOAR-" followed by a GUID, e.g., XSOAR-d6228fd0-756b-4e4b-8721-76776df91526. | Required |
case | The name of a Core eDiscovery case to associate with the new compliance search. | Optional |
kql | Text search string or a query formatted using the Keyword Query Language (KQL). See Microsoft's tips for finding messages to remove using KQL. | Optional |
description | Description of the compliance search. | Optional |
allow_not_found_exchange_locations | Whether to include mailboxes other than regular user mailboxes in the compliance search. Default is "false". | Optional |
exchange_location | Comma-separated list of mailboxes/distribution groups to include, or you can use the value "All" to include all. | Optional |
exchange_location_exclusion | Comma-separated list of mailboxes/distribution groups to exclude when you use the value "All" for the exchange_location parameter. | Optional |
public_folder_location | Comma-separated list of public folders to include, or you can use the value "All" to include all. | Optional |
share_point_location | Comma-separated list of SharePoint online sites to include. You can identify the sites by their URL value, or you can use the value "All" to include all sites. | Optional |
share_point_location_exclusion | Comma-separated list of SharePoint online sites to exclude when you use the value "All" for the share_point_location argument. You can identify the sites by their URL value. | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | The number of security and compliance search scanned items. |
O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search Azure log level. |
O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |

#### Command Example

`!o365-sc-new-search search_name="example" exchange_location="user1@demistodev.onmicrosoft.com,user2@demistodev.onmicrosoft.com" allow_not_found_exchange_locations=true kql="Rodrigo"`

#### Context Example

#### Human Readable Output

Security And Compliance - New search 'example' created

ContentMatchQuery | CreatedBy | Description | LastModifiedTime | Name |
---|---|---|---|---|
Rodrigo | XSOAR-user | Short description | 11/29/2020 7:12:46 AM | example |

### o365-sc-set-search

Modifies a non-running compliance search in the Security & Compliance Center.

#### Base Command

`o365-sc-set-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |
kql | Modify the text search string or a query that is formatted using the Keyword Query Language (KQL). | Optional |
description | Modify the description for the compliance search. | Optional |
allow_not_found_exchange_locations | Whether to include mailboxes other than regular user mailboxes in the compliance search. | Optional |
add_exchange_location | Comma-separated list of mailboxes/distribution groups to add to the included locations, or the value "All" to include all mailboxes. | Optional |
add_exchange_location_exclusion | Comma-separated list of mailboxes/distribution groups to add to the excluded locations. Applies only when "All" was used for exchange_location (when the search was created) or for add_exchange_location. | Optional |
add_public_folder_location | Comma-separated list of public folders to add to the included locations, or the value "All" to include all. | Optional |
add_share_point_location | Comma-separated list of SharePoint Online sites to add to the included locations, identified by URL, or the value "All" to include all sites. | Optional |
add_share_point_location_exclusion | Comma-separated list of SharePoint Online sites (identified by URL) to add to the excluded locations. Applies only when "All" was used for share_point_location (when the search was created) or for add_share_point_location. | Optional |
remove_exchange_location | Comma-separated list of mailboxes/distribution groups to remove from the included locations. | Optional |
remove_exchange_location_exclusion | Comma-separated list of mailboxes/distribution groups to remove from the excluded locations. | Optional |
remove_public_folder_location | Comma-separated list of public folders to remove from the included locations. | Optional |
remove_share_point_location | Comma-separated list of SharePoint Online sites (identified by URL) to remove from the included locations. | Optional |
remove_share_point_location_exclusion | Comma-separated list of SharePoint Online sites (identified by URL) to remove from the excluded locations. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-set-search search_name="example" remove_exchange_location="test2@demistodev.onmicrosoft.com"`

#### Human Readable Output

Security And Compliance - Search example modified!

### o365-sc-remove-search

Removes a compliance search by name from the Security & Compliance Center.

#### Base Command

`o365-sc-remove-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-remove-search search_name="example"`

#### Human Readable Output

Security And Compliance - Search example removed!

### o365-sc-list-search

Lists compliance searches in the Security & Compliance Center.

#### Base Command

`o365-sc-list-search`

#### Input

There are no input arguments for this command.

#### Context Output

Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | The number of security and compliance search scanned items. |
O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search Azure log level. |
O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |

#### Command Example

`!o365-sc-list-search`

#### Context Example

#### Human Readable Output

Security And Compliance - Search configurations

CreatedBy | Description | LastModifiedTime | Name | RunBy |
---|---|---|---|---|
XSOAR-user1 | Short description | 8/22/2019 6:43:48 AM | example1 | XSOAR-user1 |
XSOAR-user2 | Short description | 1/8/2020 12:44:30 AM | example2 | XSOAR-user2 |

### o365-sc-get-search

Gets a compliance search by name from the Security & Compliance Center.

#### Base Command

`o365-sc-get-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |
limit | The maximum number of results to return. Use "-1" to return all results that match the query. | Optional |
all_results | Whether to also include locations (mailboxes) that returned no results in the SuccessResults entry context. | Optional |
export | Whether to export the search results as a JSON file to the War Room. | Optional |
statistics | Whether to show search statistics. Default is "false". | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | Number of security and compliance search scanned items. |
O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search Azure log level. |
O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |
O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Location | String | Security and compliance search result location. |
O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.ItemsCount | Number | The number of security and compliance search results in location. |
O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Size | Number | The byte size of the security and compliance search results in location. |

#### Command Example

`!o365-sc-get-search search_name="example"`

#### Context Example

#### Human Readable Output

Security And Compliance - 'example' search

CreatedBy | Description | LastModifiedTime | Name | RunBy | Status |
---|---|---|---|---|---|
XSOAR-user | Short description | 2020-11-29T07:20:43.283 | example | XSOAR-user | NotStarted |

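The output of o365-sc-get-search is what a playbook inspects before it creates a Purge action. The following Python helper is an added example for this README, not the integration's own code. It parses the per-location results into the SuccessResults.Location / ItemsCount / Size fields listed in the context output above and applies a simple gate: purge only when the search Status is Completed, every hit lies in a mailbox the search was scoped to, and the item total stays under a threshold. The line format of SuccessResults ("Location: <mailbox>, Item count: <n>, Total size: <bytes>", one location per line) is an assumption about the cmdlet's string output, the sample data is constructed, and the threshold is an illustrative policy value.

```python
"""Gate a Purge search action on the results of a completed compliance search.

Added example for this README; not part of the integration. The SuccessResults
line format is assumed from the cmdlet output, and the sample below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One line per location, as assumed for the cmdlet's SuccessResults string.
_RESULT_LINE = re.compile(
    r"Location:\s*(?P<location>[^,\s]+),\s*Item count:\s*(?P<items>\d+),\s*Total size:\s*(?P<size>\d+)"
)


@dataclass(frozen=True)
class LocationResult:
    """Mirrors the SuccessResults.Location / ItemsCount / Size context fields."""
    location: str
    items_count: int
    size: int


def parse_success_results(text: str, all_results: bool = False) -> list[LocationResult]:
    """Parse per-location lines; locations with zero items are dropped unless
    all_results is set, mirroring the all_results argument of o365-sc-get-search."""
    results: list[LocationResult] = []
    for match in _RESULT_LINE.finditer(text or ""):
        result = LocationResult(match["location"], int(match["items"]), int(match["size"]))
        if result.items_count > 0 or all_results:
            results.append(result)
    return results


def purge_gate(status: str, success_results: str, expected_locations: set[str],
               max_items: int = 500) -> tuple[bool, str]:
    """Return (allowed, reason) for creating a Purge search action.

    Refuses unless the search has Completed, found at least one item, hit only
    mailboxes the search was scoped to, and stays under max_items.
    """
    if status != "Completed":
        return False, f"search status is {status!r}; wait for Completed before acting on results"
    hits = parse_success_results(success_results)
    if not hits:
        return False, "search returned no items; nothing to purge"
    scope = {loc.lower() for loc in expected_locations}
    unexpected = sorted({hit.location.lower() for hit in hits} - scope)
    if unexpected:
        return False, f"results include mailboxes outside the intended scope: {unexpected}"
    total = sum(hit.items_count for hit in hits)
    if total > max_items:
        return False, f"{total} items exceed the purge threshold of {max_items}; review with a Preview action first"
    return True, f"{total} item(s) across {len(hits)} mailbox(es) are within policy; a Purge action may be created"


# Constructed sample shaped like a SuccessResults string; not real tenant data.
SAMPLE_SUCCESS_RESULTS = (
    "Location: user1@demistodev.onmicrosoft.com, Item count: 3, Total size: 48213\r\n"
    "Location: user2@demistodev.onmicrosoft.com, Item count: 0, Total size: 0\r\n"
)
SAMPLE_SCOPE = {"user1@demistodev.onmicrosoft.com", "user2@demistodev.onmicrosoft.com"}

if __name__ == "__main__":
    allowed, reason = purge_gate("Completed", SAMPLE_SUCCESS_RESULTS, SAMPLE_SCOPE)
    print(allowed, reason)
```

In a playbook, the equivalent check runs between o365-sc-get-search and o365-sc-new-search-action: a NotStarted or still-running status means the results are stale or partial, and a hit in a mailbox that was not in exchange_location means the search scope is not what the analyst intended, so in both cases the Purge is withheld.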
### o365-sc-start-search

Starts a stopped, completed, or not-yet-started compliance search in the Security & Compliance Center.

#### Base Command

`o365-sc-start-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-start-search search_name="example"`

#### Human Readable Output

Security And Compliance - search example started!

### o365-sc-stop-search

Stops a running compliance search in the Security & Compliance Center.

#### Base Command

`o365-sc-stop-search`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-stop-search search_name="example"`

#### Human Readable Output

Security And Compliance - search example stopped!

### o365-sc-new-search-action

After you create a content search using the o365-sc-new-search command and run it using the o365-sc-start-search command, use the o365-sc-new-search-action command to assign a search action (Preview or Purge) to the search.

#### Base Command

`o365-sc-new-search-action`

#### Input

Argument Name | Description | Required |
---|---|---|
search_name | The name of the compliance search. | Required |
action | Search action to perform. Possible values are: "Preview" and "Purge". Default is "Preview". | Optional |
purge_type | Purge type, used when action is "Purge". Possible values are: "SoftDelete" and "HardDelete". Default is "SoftDelete". | Optional |

#### Context Output

Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge" or "Preview". |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status. Either "Started" or "Completed". |
O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |

#### Command Example

`!o365-sc-new-search-action search_name="example" action="Preview"`

#### Context Example

#### Human Readable Output

Security And Compliance - search action 'example_Preview' created

Action | LastModifiedTime | Name | RunBy | SearchName | Status |
---|---|---|---|---|---|
Preview | 11/29/2020 7:23:50 AM | example_Preview | XSOAR-user | example | Completed |

### o365-sc-remove-search-action

Removes a compliance search action by search action name from the Security & Compliance Center.

#### Base Command

`o365-sc-remove-search-action`

#### Input

Argument Name | Description | Required |
---|---|---|
search_action_name | The name of the compliance search action. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

`!o365-sc-remove-search-action search_action_name="example_Preview"`

#### Human Readable Output

Security And Compliance - search action example_Preview removed!

### o365-sc-list-search-action
Lists compliance search actions from the Security & Compliance Center.

#### Base Command
`o365-sc-list-search-action`

#### Input
There are no input arguments for this command.

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge" or "Preview". |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status (Started/Completed). |
O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |
#### Command Example
```
!o365-sc-list-search-action
```

#### Context Example

#### Human Readable Output
Security And Compliance - search actions

Action | JobEndTime | LastModifiedTime | Name | RunBy | SearchName | Status |
---|---|---|---|---|---|---|
Preview | 10/14/2020 1:47:00 PM | 10/14/2020 1:45:44 PM | example_Preview | XSOAR-user | example | Completed |
Purge | 11/25/2020 10:51:04 AM | 11/25/2020 10:50:37 AM | example_Purge | XSOAR-user | example | Completed |
### o365-sc-get-search-action
Gets a compliance search action from the Security & Compliance Center.

#### Base Command
`o365-sc-get-search-action`

#### Input
Argument Name | Description | Required |
---|---|---|
search_action_name | The name of the compliance search action. | Required |
limit | The maximum number of results to return. To return all results that match the query, use "-1" as the value of this argument. | Optional |
export | Whether to export the search results as a JSON file to the War Room. | Optional |
results | Whether to print the results in the War Room. Default is "false". | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge" or "Preview". |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Location | String | Security and compliance search action result location. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ItemCount | String | Security and compliance search action result item count. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.TotalSize | String | Security and compliance search action result total size. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.FailedCount | String | Security and compliance search action result failed count. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Sender | String | Security and compliance search action result mail sender. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Subject | String | Security and compliance search action result subject. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Type | String | Security and compliance search action result type. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Size | String | Security and compliance search action result size. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ReceivedTime | Date | Security and compliance search action result received time. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.DataLink | String | Security and compliance search action data link. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status. Either "Started" or "Completed". |
O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |
#### Command Example
```
!o365-sc-get-search-action search_action_name="example_Preview"
```

#### Context Example

#### Human Readable Output
Security And Compliance - search action 'example_Preview'

Action | JobEndTime | LastModifiedTime | Name | RunBy | SearchName | Status |
---|---|---|---|---|---|---|
Preview | 11/29/2020 7:24:05 AM | 11/29/2020 7:23:50 AM | example_Preview | XSOAR-user | example | Completed |
## Tips for finding messages to remove
- Write the search query in Keyword Query Language (KQL).
- If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query, e.g., `(subject:give me all ur money)`.
- If you know the exact date (or date range) of the message, include the Received property in the search query, e.g., `(received:6/13/2021..6/16/2021)`.
- If you know who sent the message, include the From property in the search query, e.g., `(from:user1@demistodev.onmicrosoft.com)`.
- For all the available search properties, see: Keyword queries and search conditions for eDiscovery.
- Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
- Use the search estimate statistics (displayed by the `o365-sc-get-search` command) to get a count of the total number of emails.
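The following is an added example, not code from the integration or from Microsoft's tooling. It builds a KQL query from the three properties the tips above mention (subject, received date range, sender) with input validation, and then applies the "preview before you purge" advice by checking the Preview rows against the reported email's sender and subject. The row field names (Location, Sender, Subject, ReceivedTime) are the Results context paths of `o365-sc-get-search-action`; the rows themselves are constructed sample data, and Sender is assumed to hold a plain email address. Unlike the tip, the subject is wrapped in double quotes so a multi-word phrase is matched as one phrase.

```python
"""Build a KQL content-search query from attributes of a reported malicious
email, and check the Preview results against those attributes before a Purge.

Added example, not part of the integration or of Microsoft's tooling. The
query properties (subject:, received:, from:) are those shown in the tips
above. Preview rows use the Results.Location / Results.Sender /
Results.Subject / Results.ReceivedTime context paths of
o365-sc-get-search-action; the rows below are constructed sample data and
Sender is assumed to hold a plain email address.
"""
from datetime import datetime
from typing import Iterable, List, Optional, Tuple


def _check_date(value: str) -> str:
    """Validate an M/D/YYYY date (the form used in the tips above)."""
    datetime.strptime(value, "%m/%d/%Y")  # raises ValueError on bad input
    return value


def build_kql(subject: Optional[str] = None,
              received: Optional[Tuple[str, str]] = None,
              sender: Optional[str] = None) -> str:
    """Return a KQL query that ANDs the supplied properties.

    The subject is wrapped in double quotes so a multi-word phrase is
    matched as one phrase; a phrase containing a double quote is rejected
    rather than guessing at an escape. received is a (start, end) pair.
    """
    clauses: List[str] = []
    if subject:
        if '"' in subject:
            raise ValueError("subject phrase must not contain a double quote")
        clauses.append(f'(subject:"{subject.strip()}")')
    if received:
        start, end = (_check_date(d.strip()) for d in received)
        clauses.append(f"(received:{start}..{end})")
    if sender:
        sender = sender.strip()
        if "@" not in sender or any(ch.isspace() for ch in sender):
            raise ValueError("sender must be a single email address")
        clauses.append(f"(from:{sender})")
    if not clauses:
        # An empty query would match every item in scope; never emit one.
        raise ValueError("at least one search property is required")
    return " AND ".join(clauses)


def preview_mismatches(results: Iterable[dict], expected_sender: str,
                       expected_subject: str) -> List[dict]:
    """Return the Preview rows whose Sender or Subject differs from the
    reported email (case-insensitive). An empty list means the search
    located only the intended messages and a Purge can follow."""
    mismatched = []
    for row in results:
        same_sender = row.get("Sender", "").strip().lower() == expected_sender.strip().lower()
        same_subject = row.get("Subject", "").strip().lower() == expected_subject.strip().lower()
        if not (same_sender and same_subject):
            mismatched.append(row)
    return mismatched


# Constructed sample Preview rows (not real output): the second row is a
# reply in the same thread, which a phrase match on the subject also finds.
SAMPLE_PREVIEW = [
    {"Location": "user2@demistodev.onmicrosoft.com",
     "Sender": "user1@demistodev.onmicrosoft.com",
     "Subject": "give me all ur money", "ReceivedTime": "6/14/2021 9:12:00 AM"},
    {"Location": "user3@demistodev.onmicrosoft.com",
     "Sender": "user1@demistodev.onmicrosoft.com",
     "Subject": "Re: give me all ur money", "ReceivedTime": "6/15/2021 2:03:00 PM"},
]

if __name__ == "__main__":
    query = build_kql(subject="give me all ur money",
                      received=("6/13/2021", "6/16/2021"),
                      sender="user1@demistodev.onmicrosoft.com")
    print(query)
    for row in preview_mismatches(SAMPLE_PREVIEW, "user1@demistodev.onmicrosoft.com",
                                  "give me all ur money"):
        print("not purging:", row["Location"], row["Subject"])
```

The query string that `build_kql` returns is what you would pass as the search query when creating the search, and any row that `preview_mismatches` returns is a reason to narrow the query (for example by tightening the received range) and preview again before creating the Purge action.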
### o365-sc-compliance-case-create
Creates eDiscovery cases in the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-compliance-case-create`

#### Input
Argument Name | Description | Required |
---|---|---|
case_name | Name of the case to create. | Required |
case_type | The type of case to create. AdvancedEdiscovery: used to manage legal or other types of investigations. ComplianceClassifier: this type of case corresponds to a trainable classifier. DataInvestigation: data investigation cases are used to investigate data spillage incidents. DSR: Data Subject Request (DSR) cases are used to manage General Data Protection Regulation (GDPR) DSR investigations. eDiscovery: eDiscovery (also called eDiscovery Standard) cases are used to manage legal or other types of investigations; this is the default value. InsiderRisk: insider risk cases are used to manage insider risk management cases; typically, insider risk management cases are created manually in the Microsoft Purview compliance portal to further investigate activity based on a risk alert. SupervisionPolicy: this type of case corresponds to a communication compliance policy. Possible values are: AdvancedEdiscovery, ComplianceClassifier, DataInvestigation, DSR, eDiscovery, InsiderRisk, SupervisionPolicy. Default is eDiscovery. | Optional |
description | Case description. | Optional |
external_id | Case external ID. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ComplianceCase.Name | String | Case name. |
O365.SecurityAndCompliance.ComplianceCase.Status | String | Case status. |
O365.SecurityAndCompliance.ComplianceCase.CreatedDateTime | String | Case creation date and time. |
### o365-sc-compliance-case-list
Lists compliance cases of the different types in the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-compliance-case-list`

#### Input
Argument Name | Description | Required |
---|---|---|
identity | List cases by identity. | Optional |
case_type | List cases by type. Possible values are: AdvancedEdiscovery, ComplianceClassifier, DataInvestigation, DSR, eDiscovery, InsiderRisk, SupervisionPolicy. | Optional |
limit | Maximum size of the returned case list. Default is 50. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.ComplianceCase.Name | String | Case name. |
O365.SecurityAndCompliance.ComplianceCase.Status | String | Case status. |
O365.SecurityAndCompliance.ComplianceCase.GUID | UUID | Case GUID. |
O365.SecurityAndCompliance.ComplianceCase.CreatedDateTime | String | Case creation date and time. |
### o365-sc-compliance-case-delete
Removes compliance cases from the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-compliance-case-delete`

#### Input
Argument Name | Description | Required |
---|---|---|
identity | Delete the case with this identity. | Required |

#### Context Output
There is no context output for this command.
### o365-sc-case-hold-policy-create
Creates new case hold policies in the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-policy-create`

#### Input
Argument Name | Description | Required |
---|---|---|
policy_name | Name of the policy to create. | Required |
case | The eDiscovery case to attach the policy to, given as the case name or the case identity (GUID value). | Required |
comment | Attach a comment to the case. | Optional |
exchange_location | Mailbox or distribution group to include. | Optional |
public_folder_location | Comma-separated list of public folders to include, or the value "All" to include all public folders. | Optional |
share_point_location | SharePoint Online and OneDrive for Business sites to include. | Optional |
enabled | Whether the hold policy is created enabled. Possible values are: true, false. Default is true. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.CaseHoldPolicy.Name | String | Case hold policy name. |
O365.SecurityAndCompliance.CaseHoldPolicy.Workload | String | Case hold policy workload. |
O365.SecurityAndCompliance.CaseHoldPolicy.Enabled | String | Whether the case hold policy is enabled. |
O365.SecurityAndCompliance.CaseHoldPolicy.Mode | String | Case hold policy mode. |
### o365-sc-case-hold-policy-get
Retrieves existing case hold policies from the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-policy-get`

#### Input
Argument Name | Description | Required |
---|---|---|
identity | Identity of the case hold policy to get. | Optional |
case | Case whose policy to get, given as the case name or case GUID. | Optional |
distribution_detail | Whether to include distribution details. Possible values are: true, false. Default is true. | Optional |
include_bindings | Whether to include bindings. Possible values are: true, false. Default is true. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.CaseHoldPolicy.Name | String | Case hold policy name. |
O365.SecurityAndCompliance.CaseHoldPolicy.GUID | String | Case hold policy GUID. |
O365.SecurityAndCompliance.CaseHoldPolicy.Workload | String | Case hold policy workload. |
O365.SecurityAndCompliance.CaseHoldPolicy.Status | String | Case hold policy status. |
O365.SecurityAndCompliance.CaseHoldPolicy.Mode | String | Case hold policy mode. |
### o365-sc-case-hold-policy-delete
Removes case hold policies from the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-policy-delete`

#### Input
Argument Name | Description | Required |
---|---|---|
identity | Identity of the case hold policy to delete. | Required |
force_delete | Whether to force the deletion. Possible values are: true, false. Default is false. | Optional |

#### Context Output
There is no context output for this command.
### o365-sc-case-hold-rule-create
Creates new case hold rules in the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-rule-create`

#### Input
Argument Name | Description | Required |
---|---|---|
rule_name | Name of the rule to create. | Required |
policy_name | Name of the policy to create the rule for. | Required |
query | Query in Keyword Query Language (KQL). | Optional |
comment | Attach a comment to the created rule. | Optional |
is_disabled | Whether the rule is created disabled. Possible values are: true, false. Default is false. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.CaseHoldRule.Name | String | Case hold rule name. |
O365.SecurityAndCompliance.CaseHoldRule.Status | String | Case hold rule status. |
O365.SecurityAndCompliance.CaseHoldRule.Mode | String | Case hold rule mode. |
### o365-sc-case-hold-rule-list
Lists case hold rules in the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-rule-list`

#### Input
Argument Name | Description | Required |
---|---|---|
identify | Get the hold rule list by identity. | Optional |
policy | Get the hold rule list by policy. | Optional |
limit | Maximum size of the returned item list. Default is 50. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
O365.SecurityAndCompliance.CaseHoldRule.Name | String | Case hold rule name. |
O365.SecurityAndCompliance.CaseHoldRule.GUID | UUID | Case hold rule GUID. |
O365.SecurityAndCompliance.CaseHoldRule.Enabled | String | Whether the case hold rule is enabled. |
O365.SecurityAndCompliance.CaseHoldRule.Mode | String | Case hold rule mode. |
### o365-sc-case-hold-rule-delete
Removes case hold rules from the Microsoft Purview compliance portal.

#### Base Command
`o365-sc-case-hold-rule-delete`

#### Input
Argument Name | Description | Required |
---|---|---|
identity | Delete the rule with this identity. | Optional |
force_delete | Whether to force the deletion. Possible values are: true, false. Default is false. | Optional |

#### Context Output
There is no context output for this command.
## Known Limitations
- Security and compliance integrations do not support on-premises Security and Compliance.
- Each security and compliance command creates an IPS-Session (PowerShell session). Security and compliance PowerShell limits the number of concurrent sessions to 3. Because this affects the behavior of multiple playbooks running concurrently, we recommend that you retry failed tasks when using the integration commands in playbooks.
- Proxies are not supported due to a Microsoft limitation.
- Due to a Microsoft limitation, you can perform a search and purge operation on a maximum of 50,000 mailboxes. To work around this limitation, configure multiple instances of the integration, each with different permission filtering, so that the number of mailboxes in each instance does not exceed 50,000.
- A maximum of 10 items per mailbox can be removed at one time, due to a Microsoft limitation.
- For more Microsoft known limitations, see Limits for eDiscovery search.
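The following is an added example, not code from the integration, showing how the two purge limits above (10 items per mailbox per purge, 50,000 mailboxes per search) translate into a plan for a result set returned by `o365-sc-get-search-action`. Rows use the `Results.Location`, `Results.ItemCount` and `Results.FailedCount` context paths documented above; one row per mailbox is assumed, `ItemCount` and `FailedCount` are assumed to be numeric strings (their context type is String), and the rows are constructed sample data.

```python
"""Plan Purge rounds from o365-sc-get-search-action results under the two
Microsoft limits listed above: at most 10 items per mailbox are removed by
one purge, and a search-and-purge covers at most 50,000 mailboxes.

Added example, not part of the integration. Rows use the Results.Location,
Results.ItemCount and Results.FailedCount context paths documented above;
ItemCount and FailedCount are assumed to be numeric strings (their context
type is String) and one row per mailbox is assumed. The rows are constructed.
"""
import math
from typing import Dict, Iterable, List

MAX_ITEMS_PER_MAILBOX_PER_PURGE = 10   # from the Known Limitations above
MAX_MAILBOXES_PER_SEARCH = 50_000       # from the Known Limitations above


def _to_int(value) -> int:
    """Context values arrive as strings; treat blanks as zero."""
    return int(str(value).strip() or 0)


def plan_purge(results: Iterable[dict]) -> Dict[str, object]:
    """Summarise how many purge passes a result set needs.

    Returns the number of mailboxes in scope, whether that exceeds the
    50,000-mailbox limit (in which case the search must be split across
    instances), the largest per-mailbox round count, the mailboxes that
    need more than one pass, and the mailboxes that already reported
    failures and therefore need attention before the next pass.
    """
    items: Dict[str, int] = {}
    failures: Dict[str, int] = {}
    for row in results:
        mailbox = (row.get("Location") or "").strip()
        if not mailbox:
            continue
        items[mailbox] = items.get(mailbox, 0) + _to_int(row.get("ItemCount", 0))
        failed = _to_int(row.get("FailedCount", 0))
        if failed:
            failures[mailbox] = failures.get(mailbox, 0) + failed
    # Each purge removes at most 10 items from a mailbox, so a mailbox with
    # n matching items needs ceil(n / 10) purge actions.
    rounds = {m: math.ceil(n / MAX_ITEMS_PER_MAILBOX_PER_PURGE)
              for m, n in items.items() if n > 0}
    return {
        "mailboxes": len(items),
        "over_mailbox_limit": len(items) > MAX_MAILBOXES_PER_SEARCH,
        "max_rounds": max(rounds.values(), default=0),
        "multi_round_mailboxes": sorted(m for m, r in rounds.items() if r > 1),
        "failures": failures,
    }


SAMPLE_RESULTS: List[dict] = [  # constructed sample rows, not real output
    {"Location": "user2@demistodev.onmicrosoft.com", "ItemCount": "3", "FailedCount": "0"},
    {"Location": "user3@demistodev.onmicrosoft.com", "ItemCount": "25", "FailedCount": "1"},
    {"Location": "user4@demistodev.onmicrosoft.com", "ItemCount": "10", "FailedCount": "0"},
    {"Location": "user5@demistodev.onmicrosoft.com", "ItemCount": "0", "FailedCount": "0"},
]

if __name__ == "__main__":
    print(plan_purge(SAMPLE_RESULTS))
```

In a playbook, `max_rounds` is the number of times the Purge action has to be created and run (re-checking the search results between passes) before every mailbox in scope is clean, and a true `over_mailbox_limit` means the search scope must be narrowed per instance as the limitation above describes.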