O365 - Security And Compliance - Content Search v2
This Integration is part of the Microsoft Exchange Online Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
This integration enables you to manage and interact with Microsoft security and compliance content search. You can manage the security of all your organization's emails, SharePoint sites, OneDrives, etc., by searching for text strings or queries based on attributes of a malicious email. However, you can only perform actions (preview and delete) on emails. This integration was integrated and tested with Security & Compliance Center.
Use Cases#
- Create / Modify / Get / List / Remove / Trigger a search in the Security & Compliance Center - Content search service.
- Create / Get / List / Remove search actions in the Security & Compliance Center - Content search service. Supported actions for emails only are Purge (Delete) and Preview.
Playbooks#
- O365 - Security And Compliance - Search And Delete: Creates and starts a compliance search in the Security and Compliance Center to identify emails with similar attributes of a malicious email. If configured, will preview or delete the emails that were located. This playbook uses the following playbooks as sub-playbooks in its workflow.
- O365 - Security And Compliance - Search: Creates and starts a compliance search in the Security and Compliance Center to identify emails with attributes similar to a malicious email.
- O365 - Security And Compliance - Search Action - Delete: Deletes emails located by the O365 SecurityAndCompliance Search sub-playbook.
- O365 - Security And Compliance - Search Action - Preview: Provides a preview of the results of emails located by the O365 SecurityAndCompliance Search sub-playbook.
Permissions in the Security & Compliance Center#
Authentication#
To access the Security & Compliance Center, the user who is configuring the account which will be used in O365 S&C, needs to be a global administrator or needs to be assigned the Role Management role (a role is assigned only to the Organization Management role group). The Role Management role allows users to view, create, and modify role groups. Clarification: The account which is used by the integration, does not require Global Administrator permissions.
Login into the Security & Compliance Center:
From the side menu, click Permissions.
Search for and select the Data Investigator role.
Click Edit role group.
Click Choose Members and click Edit. Add the user you intend to be used in the integration:
Click Add.
Choose which members to add from the displayed list and click Add.
Click Done.
The username and password for the user which you intend to use for the investigation will need to be added to the UPN/Email and Delegated Password fields of the integration instance configuration.
Enabling Client Side Basic Authentication#
Client side basic authentication is necessary for O365 - Security And Compliance V2 and is necessary for Powershell remoting.
Per Microsoft's documentation, Security & Compliance PowerShell still requires Basic authentication in WinRM as described Prerequisites for the Exchange Online PowerShell module. REST API cmdlets that allow you to turn off Basic authentication in WinRM are not yet available for the Connect-IPPSSession cmdlet. For more information, see Updates for the EXO V3 module).
It is important to note that there are two types of basic authentication. The one that was deprecated which is the server side, and the other version which is the client side basic auth. What the exchange library does when client side basic auth is enabled is to instead of sending "user:pass" in the headers, it sends "Bearer xyz". The Exchange client itself, does not know the difference between the headers so when client basic auth is disabled, the bearer token can’t be sent.
Please note: The use of Username and Password is not indicative of the use of basic authentication. The PowerShell session uses modern authentication as noted here.
- Create a Group in Active Directory called “Enable Client Basic Auth” and add the user you will use for the integration to the group.
- Create a Policy in the Microsoft Endpoint Manager for - This can be found here
- Search for "Basic" and you will see the Remote Management dropdown. Under this option, please enable "Client basic authentication"
- Add the "Enable Client Basic Auth" group to the policy
- In the Instance Configuration, click the Test button. This will likely return an error with a correlation ID.
- Copy this ID and search for the correlation in the Risky Sign-Ins portal found here.
- Since we generated this alert, we can confirm that the sign-in is safe. by clicking the option found below.
- Finally return to the Instance Configuration and click the Test button to confirm the integration works.
Please Note: Microsoft requires that this connection be made from a secure connection. Disabling certificate verification is not supported at this time.
MFA Enabled Service Accounts#
It is mandatory to disable MFA for the service account which is using the integration in order for the authentication succeed.
When MFA is enabled, it is possible to be unable to confirm a sign in as safe. If there is a conditional access policy in place which will trigger a users account to require an MFA sign in, these policies should exempt the user which is used by the integration. This does not require MFA to be disabled.
The common settings available OOTB from Microsoft can be excluded in the following menu.
Known ConnectionUri and AzureADAuthorizedEndpointURI Endpoints#
| Environment | ConnectionUri | AzureADAuthorizationEndpointUri |
|---|---|---|
| Microsoft 365 or Microsoft 365 GCC | https://ps.compliance.protection.outlook.com/powershell-liveid/ | https://login.microsoftonline.com |
| Microsoft 365 GCC High | https://ps.compliance.protection.office365.us/powershell-liveid/ | https://login.microsoftonline.us |
| Microsoft 365 DoD | https://l5.ps.compliance.protection.office365.us/powershell-liveid/ | https://login.microsoftonline.us |
| Office 365 operated by 21Vianet | https://ps.compliance.protection.partner.outlook.cn/powershell-liveid | https://login.chinacloudapi.cn |
More information can be found here.
Additional Configuration/Debugging Options#
In the event that the above does not result in a successful connection to Security and Compliance, we recommend the following:
- Adding the IP address of the XSOAR server to the list of Named Locations.
- Configuring the IP address of the XSOAR server as an exemption for multi-factor authentication. https://account.activedirectory.windowsazure.com/usermanagement/mfasettings.aspx?tenantid={YOUR-TENANT-ID}
- Dismissing the user's risk level and state in the Risky Users Portal
Configure SecurityAndComplianceV2 on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for O365 - Security And Compliance - Content Search.
Authentication / Authorization methods:
Authentication:
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| delegated_auth | Fill Email (aka UPN) and password | False |
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
o365-sc-new-search#
Create compliance search in the Security & Compliance Center.
Base Command#
o365-sc-new-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. If not specified, will have the prefix "XSOAR-" followed by the GUID e.g., XSOAR-d6228fd0-756b-4e4b-8721-76776df91526. | Required |
| case | The name of a Core eDiscovery case to associate with the new compliance search. | Optional |
| kql | Text search string or a query that is formatted using the Keyword Query Language (KQL). Tips for finding messages to remove using KQL | |
| Optional | ||
| description | Description of the compliance search. | Optional |
| allow_not_found_exchange_locations | Whether to include mailboxes other than regular user mailboxes in the compliance search. Default is "false". | Optional |
| exchange_location | Comma-separated list of mailboxes/distribution groups to include, or you can use the value "All" to include all. | Optional |
| exchange_location_exclusion | Comma-separated list of mailboxes/distribution groups to exclude when you use the value "All" for the exchange_location parameter. | Optional |
| public_folder_location | Comma-separated list of public folders to include, or you can use the value "All" to include all. | Optional |
| share_point_location | Comma-separated list of SharePoint online sites to include. You can identify the sites by their URL value, or you can use the value "All" to include all sites. | Optional |
| share_point_location_exclusion | Comma-separated list of SharePoint online sites to exclude when you use the value "All" for the share_point_location argument. You can identify the sites by their URL value. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
| O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
| O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
| O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
| O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
| O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | The number of security and compliance search scanned items. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search Azure log level. |
| O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
| O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
| O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
| O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |
Command Example#
!o365-sc-new-search search_name="example" exchange_location="user1@demistodev.onmicrosoft.com,user2@demistodev.onmicrosoft.com" allow_not_found_exchange_locations=true kql="Rodrigo"
Context Example#
Human Readable Output#
Security And Compliance - New search 'example' created#
ContentMatchQuery CreatedBy Description LastModifiedTime Name Rodrigo XSOAR-user Short description 11/29/2020 7:12:46 AM example
o365-sc-set-search#
Modifies non-running compliance searches in the Security & Compliance Center.
Base Command#
o365-sc-set-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
| kql | Modify the text search string or a query that is formatted using the Keyword Query Language (KQL). | Optional |
| description | Modify the description for the compliance search. | Optional |
| allow_not_found_exchange_locations | Whether to include mailboxes other than regular user mailboxes in the compliance search. | Optional |
| add_exchange_location | Comma-separated list of added mailboxes/distribution groups to include, or you can use the value "All" to include all mailboxes. | Optional |
| add_exchange_location_exclusion | Comma-separated list of added mailboxes/distribution groups to exclude when you use the value "All" for the exchange_location (used in create new compliance search) or the add_exchange_location argument. | Optional |
| add_public_folder_location | Comma-separated list of added public folders to include, or you can use the value "All" to include all. | Optional |
| add_share_point_location | Comma-separated list of added SharePoint online sites to include. You identify the sites by their URL value, or you can use the value "All" to include all sites. | Optional |
| add_share_point_location_exclusion | Comma-separated list of added SharePoint online sites to exclude when you use the value "All" for the exchange_location (used in create new compliance search) argument or the share_point_location argument. You can identify the sites by their URL value. | Optional |
| remove_exchange_location | Comma-separated list of removed mailboxes/distribution group to include. | Optional |
| remove_exchange_location_exclusion | Comma-separated list of removed mailboxes/distribution group to exclude when you use the value "All" for the exchange_location (Used in create new compliance search) or the add_exchange_location argument. | Optional |
| remove_public_folder_location | Comma-separated list of removed public folders to include. | Optional |
| remove_share_point_location | Comma-separated list of removed SharePoint online sites to include. You can identify the sites by their URL value. | Optional |
| remove_share_point_location_exclusion | Comma-separated list of removed SharePoint online sites to exclude when you use the value "All" for the exchange_location (Used in create new compliance search) argument or the share_point_location argument. You can identify the sites by their URL value. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!o365-sc-set-search search_name="example" remove_exchange_location="test2@demistodev.onmicrosoft.com"
Human Readable Output#
Security And Compliance - Search example modified!
o365-sc-remove-search#
Remove compliance search by name from the Security & Compliance Center.
Base Command#
o365-sc-remove-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
Context Output#
There is no context output for this command.
Command Example#
!o365-sc-remove-search search_name="example"
Human Readable Output#
Security And Compliance - Search example removed!
o365-sc-list-search#
List compliance searches in the Security & Compliance Center.
Base Command#
o365-sc-list-search
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
| O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
| O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
| O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
| O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
| O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | The number of security and compliance search scanned items. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search Azure log level. |
| O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
| O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
| O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
| O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |
Command Example#
!o365-sc-list-search
Context Example#
Human Readable Output#
Security And Compliance - Search configurations#
CreatedBy Description LastModifiedTime Name RunBy XSOAR-user1 Short description 8/22/2019 6:43:48 AM example1 XSOAR-user1 XSOAR-user2 Short description 1/8/2020 12:44:30 AM example2 XSOAR-user2
o365-sc-get-search#
Gets compliance search by name from the Security & Compliance Center.
Base Command#
o365-sc-get-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
| limit | The maximum number of results to return. If you want to return all requests that match the query, use "-1" for the value of this argument. | Optional |
| all_results | Whether to include mailboxes which have no results in results entry context. | Optional |
| export | Whether to export search results as json file to war-room. | Optional |
| statistics | Show search statistics. Default is "false". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | String | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | String | Security and compliance search creator. |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Date | Security and compliance search creation time. |
| O365.SecurityAndCompliance.ContentSearch.Search.Description | String | Security and compliance search description. |
| O365.SecurityAndCompliance.ContentSearch.Search.Errors | String | Security and compliance search errors. |
| O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | String | Security and compliance search exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Identity | String | Security and compliance search identity. |
| O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Boolean | Whether the security and compliance search is valid. |
| O365.SecurityAndCompliance.ContentSearch.Search.Items | Number | Number of security and compliance search scanned items. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Date | Security and compliance search job end time. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobId | String | Security and compliance search job ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | String | Security and compliance search job run ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Date | Security and compliance search job run start time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Date | Security and compliance search last modification time. |
| O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | String | Security and compliance search the Azure log level. |
| O365.SecurityAndCompliance.ContentSearch.Search.Name | String | Security and compliance search name. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | String | Security and compliance search OneDrive locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | String | Security and compliance search OneDrive locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | String | Security and compliance search public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | String | Security and compliance search public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.Search.RunBy | String | Security and compliance search last run by UPN (Email representation). |
| O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | String | Security and compliance search run space ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | String | Security and compliance search SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.Search.Size | Number | Security and compliance search bytes results size. |
| O365.SecurityAndCompliance.ContentSearch.Search.Status | String | Security and compliance search status. |
| O365.SecurityAndCompliance.ContentSearch.Search.TenantId | String | Security and compliance search Tenant ID. |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Location | String | Security and compliance search result location. |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.ItemsCount | Number | The number of security and compliance search results in location. |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Size | Number | The byte size of the security and compliance search results in location. |
Command Example#
!o365-sc-get-search search_name="example"
Context Example#
Human Readable Output#
Security And Compliance - 'example' search#
CreatedBy Description LastModifiedTime Name RunBy Status XSOAR-user Short description 2020-11-29T07:20:43.283 example XSOAR-user NotStarted
o365-sc-start-search#
Starts stopped, completed, or not started compliance search in the Security & Compliance Center.
Base Command#
o365-sc-start-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
Context Output#
There is no context output for this command.
Command Example#
!o365-sc-start-search search_name="example"
Human Readable Output#
Security And Compliance - search example started !
o365-sc-stop-search#
Stop running compliance search in the Security & Compliance Center.
Base Command#
o365-sc-stop-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
Context Output#
There is no context output for this command.
Command Example#
!o365-sc-stop-search search_name="example"
Human Readable Output#
Security And Compliance - search example stopped !
o365-sc-new-search-action#
After you create a content search using the o365-sc-new-search command and run it using the o365-sc-start-search command, you assign a search action to the search using the o365-sc-new-search-action command.
Base Command#
o365-sc-new-search-action
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_name | The name of the compliance search. | Required |
| action | Search action to perform. Possible values are: "Preview" and "Purge". Default is "Preview". | Optional |
| purge_type | Purge type. Possible values are: "Soft Delete" and "HardDelete". Default is "SoftDelete". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge" or "Preview". |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status. Either "Started" or "Completed". |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |
Command Example#
!o365-sc-new-search-action search_name="example" action="Preview"
Context Example#
Human Readable Output#
Security And Compliance - search action 'example_Preview' created#
Action LastModifiedTime Name RunBy SearchName Status Preview 11/29/2020 7:23:50 AM example_Preview XSOAR-user example Completed
o365-sc-remove-search-action#
Removes compliance search action by search the action name from the Security & Compliance Center.
Base Command#
o365-sc-remove-search-action
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_action_name | The name of the compliance search action. | Required |
Context Output#
There is no context output for this command.
Command Example#
!o365-sc-remove-search-action search_action_name="example_Preview"
Human Readable Output#
Security And Compliance - search action example_Preview removed!
o365-sc-list-search-action#
Lists compliance search actions from the Security & Compliance Center.
Base Command#
o365-sc-list-search-action
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge or "Preview". |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status (Started/Completed). |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |
Command Example#
!o365-sc-list-search-action
Context Example#
Human Readable Output#
Security And Compliance - search actions#
Action JobEndTime LastModifiedTime Name RunBy SearchName Status Preview 10/14/2020 1:47:00 PM 10/14/2020 1:45:44 PM example_Preview XSOAR-user example Completed Purge 11/25/2020 10:51:04 AM 11/25/2020 10:50:37 AM example_Purge XSOAR-user example Completed
o365-sc-get-search-action#
Gets compliance search action from the Security & Compliance Center.
Base Command#
o365-sc-get-search-action
Input#
| Argument Name | Description | Required |
|---|---|---|
| search_action_name | The name of the compliance search action. | Required |
| limit | The maximum number of results to return. If you want to return all requests that match the query, use "-1" for the value of this argument. | Optional |
| export | Whether to export search results as json file to war-room. | Optional |
| results | Whether to print the results in the War Room. Default is "false". | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | String | Security and compliance search action type. Either "Purge" or "Preview". |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Boolean | Whether to include mailboxes other than regular user mailboxes in the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Boolean | Whether the Azure Batch Framework is enabled for job processing. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | String | Identity of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | String | Name of a Core eDiscovery case which is associated with the compliance search. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | String | Security and compliance search action creator. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Date | Security and compliance search action creation time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | String | Security and compliance search action description. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | String | Security and compliance search action errors. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | String | Security and compliance search action job ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | String | Security and compliance search action run ID estimation. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | String | Security and compliance search action exchange locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | String | Security and compliance search action exchange locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | String | Security and compliance search action identity. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Boolean | Whether the security and compliance search action is valid. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Date | Security and compliance search action job end time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | String | Security and compliance search action job ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | String | Security and compliance search action job run ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Date | Security and compliance search action job start time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Date | Security and compliance search action last modified time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | String | Security and compliance search action name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | String | Security and compliance search action public folder locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | String | Security and compliance search action public folder locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Location | String | Security and compliance search action result location. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ItemCount | String | Security and compliance search action result item count. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.TotalSize | String | Security and compliance search action result total size. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.FailedCount | String | Security and compliance search action result failed count. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Sender | String | Security and compliance search action result mail sender. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Subject | String | Security and compliance search action result subject. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Type | String | Security and compliance search action result type. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Size | String | Security and compliance search action result size. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ReceivedTime | Date | Security and compliance search action result received time. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.DataLink | String | Security and compliance search action data link. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Boolean | Whether to retry if the search action failed. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | String | Security and compliance search action run by UPN (email address). |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | String | Security and compliance search action run space ID. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | String | Security and compliance search action search name. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | String | Security and compliance search action SharePoint locations to include. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | String | Security and compliance search action SharePoint locations to exclude. |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | String | Security and compliance search action status. Either "Started" or "Completed". |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | String | Security and compliance search action Tenant ID. |
Command Example#
!o365-sc-get-search-action search_action_name="example_Preview"
Context Example#
Human Readable Output#
Security And Compliance - search action 'example_Preview'#
Action JobEndTime LastModifiedTime Name RunBy SearchName Status Preview 11/29/2020 7:24:05 AM 11/29/2020 7:23:50 AM example_Preview XSOAR-user example Completed
Tips for finding messages to remove#
- Keyword Query Language (KQL)
- If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query, e.g.,
(subject:give me all ur money). - If you know that exact date (or date range) of the message, include the Received property in the search query, e.g.,
(received:6/13/2021..6/16/2021). - If you know who sent the message, include the From property in the search query, e.g.,
(from:user1@demistodev.onmicrosoft.com). - For all the available search properties see: Keyword queries and search conditions for eDiscovery.
- If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query, e.g.,
- Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
- Use the search estimate statistics (displayed by using the
o365-sc-get-searchcommand) to get a count of the total number of emails.
o365-sc-compliance-case-create#
Create eDiscovery cases in the Microsoft Purview compliance portal.
Base Command#
o365-sc-compliance-case-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| case_name | Case name create. | Required |
| case_type | "AdvancedEdiscovery: Used to manage legal or other types of investigations. ComplianceClassifier: This type of case corresponds to a trainable classifier. DataInvestigation: Data investigation cases are used to investigate data spillage incidents. DSR: Data Subject Request (DSR) cases are used to manage General Data Protection Regulation (GDPR) DSR investigations. eDiscovery: eDiscovery (also called eDiscovery Standard) cases are used to manage legal or other types of investigations. This is the default value. InsiderRisk: Insider risk cases are used to manage insider risk management cases. Typically, insider risk management cases are manually created in the Microsoft Purview compliance portal to further investigate activity based on a risk alert. SupervisionPolicy: This type of case corresponds to communication compliance policy." . Possible values are: AdvancedEdiscovery, ComplianceClassifier, DataInvestigation, DSR, eDiscovery, InsiderRisk, SupervisionPolicy. Default is eDiscovery. | Optional |
| description | Case description. | Optional |
| external_id | Case external ID. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ComplianceCase.Name | String | Case name. |
| O365.SecurityAndCompliance.ComplianceCase.Status | String | Case status. |
| O365.SecurityAndCompliance.ComplianceCase.CreatedDateTime | String | Case created date time. |
o365-sc-compliance-case-list#
List different types of compliance cases in the Microsoft Purview compliance portal.
Base Command#
o365-sc-compliance-case-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| identity | List cases by identity. | Optional |
| case_type | List cases by type. Possible values are: AdvancedEdiscovery, ComplianceClassifier, DataInvestigation, DSR, eDiscovery, InsiderRisk, SupervisionPolicy. | Optional |
| limit | Limit returned cases list size. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.ComplianceCase.Name | String | Case name. |
| O365.SecurityAndCompliance.ComplianceCase.Status | String | Case status. |
| O365.SecurityAndCompliance.ComplianceCase.GUID | UUID | Case GUID. |
| O365.SecurityAndCompliance.ComplianceCase.CreatedDateTime | String | Case created date time. |
o365-sc-compliance-case-delete#
Removes compliance cases from the Microsoft Purview compliance portal.
Base Command#
o365-sc-compliance-case-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| identity | Delete case by identity. | Required |
Context Output#
There is no context output for this command.
o365-sc-case-hold-policy-create#
Creates new case hold policies in the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-policy-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| policy_name | Name of the policy to create. | Required |
| case | eDiscovery case, Case Name, Case Identity (GUID value). | Required |
| comment | Attach a comment to the case. | Optional |
| exchange_location | Mailbox or distribution group. | Optional |
| public_folder_location | Comma-separated list of public folders to include, or you can use the value "All" to include all. | Optional |
| share_point_location | SharePoint Online and OneDrive for Business sites to include. | Optional |
| enabled | Set hold policy as enabled or not. Possible values are: true, false. Default is true. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.CaseHoldPolicy.Name | String | Case hold policy name. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Workload | String | Case hold policy workload. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Enabled | String | Is case hold policy enabled. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Mode | String | Case hold policy mode. |
o365-sc-case-hold-policy-get#
View existing case hold policies in the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-policy-get
Input#
| Argument Name | Description | Required |
|---|---|---|
| identity | Identify of the case hold policy to get. | Optional |
| case | Case of policy to get. Case name or case GUID. | Optional |
| distribution_detail | Whether to include distribution details or not. Possible values are: true, false. Default is true. | Optional |
| include_bindings | Whether to include bindings or not. Possible values are: true, false. Default is true. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.CaseHoldPolicy.Name | String | Case hold policy name. |
| O365.SecurityAndCompliance.CaseHoldPolicy.GUID | String | Case hold policy GUID. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Workload | String | Case hold policy workload. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Status | String | Case hold policy status. |
| O365.SecurityAndCompliance.CaseHoldPolicy.Mode | String | Case hold policy mode. |
o365-sc-case-hold-policy-delete#
Removes case hold policies from the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-policy-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| identity | Identify of the case hold policy to delete. | Required |
| force_delete | Whether to use force delete or not. Possible values are: true, false. Default is false. | Optional |
Context Output#
There is no context output for this command.
o365-sc-case-hold-rule-create#
Creates new case hold rules in the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-rule-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| rule_name | Create rule with the specified name. | Required |
| policy_name | Create rule for the specified policy. | Required |
| query | Query using Keyword Query Language (KQL). | Optional |
| comment | Attach a comment to the created rule. | Optional |
| is_disabled | Whether the rule is disabled or not. Possible values are: true, false. Default is false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.CaseHoldRule.Name | String | Case hold policy name. |
| O365.SecurityAndCompliance.CaseHoldRule.Status | String | Case hold policy status. |
| O365.SecurityAndCompliance.CaseHoldRule.Mode | String | Case hold policy mode. |
o365-sc-case-hold-rule-list#
View case hold rules in the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-rule-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| identify | Get hold rule list by identity. | Optional |
| policy | Get hold rule list by policy. | Optional |
| limit | Limit the returned items list size. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| O365.SecurityAndCompliance.CaseHoldRule.Name | String | Case hold policy name. |
| O365.SecurityAndCompliance.CaseHoldRule.GUID | UUID | Case hold policy GUID. |
| O365.SecurityAndCompliance.CaseHoldRule.Enabled | String | Whether case hold policy is enabled. |
| O365.SecurityAndCompliance.CaseHoldRule.Mode | String | Case hold policy mode. |
o365-sc-case-hold-rule-delete#
Removes case hold rules from the Microsoft Purview compliance portal.
Base Command#
o365-sc-case-hold-rule-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| identity | Delete rule by identity. | Optional |
| force_delete | Whether to use force delete or not. Possible values are: true, false. Default is false. | Optional |
Context Output#
There is no context output for this command.
Known Limitations#
- Security and compliance integrations do not support Security and compliance on-premise.
- Each security and compliance command creates an IPS-Session (PowerShell session). The security and compliance PowerShell limits the number of concurrent sessions to 3. Since this affects the behavior of multiple playbooks running concurrently it we recommend that you retry failed tasks when using the integration commands in playbooks.
- Proxies are not supported due to a Microsoft limitation.
- Due to a Microsoft limitation, you can perform a search and purge operation on a maximum of 50,000 mailboxes. To work around this limitation, configure multiple instances of the integration each with different permission filtering so that the number of mailboxes in each instance does not exceed 50,000.
- A maximum of 10 items per mailbox can be removed at one time, due to a Microsoft limitiation.
- For more Microsoft known limitations see Limits for eDiscovery search.