Skip to main content

Microsoft 365 Defender - Emails Indicators Hunt

This Playbook is part of the Microsoft 365 Defender Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

This playbook retrieves email data based on the "URLDomain", "SHA256" and "IPAddress" inputs. SHA256 - Emails with attachments matching the "SHA256" input are retrieved. URLDomain - If the "URLDomain" value is found as a substring of URL(s) in the body of the email, the email is retrieved. IPAddress - Emails with "SenderIPv4"/SenderIPv6" or URLs (in the body) matching the "IPAddress" input are retrieved.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • Microsoft 365 Defender


  • Set
  • IsIntegrationAvailable
  • SetAndHandleEmpty


  • microsoft-365-defender-advanced-hunting

Playbook Inputs#

NameDescriptionDefault ValueRequired
URLDomainDomain or URL to search within emails. Can be a single domain or URL or an array of domains or URLs to search. The search looks for the exact Domain or URL.Optional
SHA256The SHA256 hash file or an array of hashes to search within emails.Optional
IPAddressThe source or destination IP address to search. Can be a single address or an array of IP addresses.Optional
TimeoutThe time limit in seconds for the HTTP request to run. Default is 60.60Optional
SearchTimeframeNumber of days past to search. Default is 7.7Optional
ResultsLimitNumber of retrieved entries. Enter -1 for unlimited query. 50 is the default.50Optional
ListenerMailboxThe mailbox of the listening integration. In case it is provided, the emails found in it will be ignored.Optional

Playbook Outputs#

Microsoft365Defender.RetrievedEmailsEmail objects containing relevant fields.string
Microsoft365Defender.RetrievedEmails.InternetMessageIdInternet Message ID of the email.string
Microsoft365Defender.RetrievedEmails.SenderFromDomainSender domain.string
Microsoft365Defender.RetrievedEmails.EmailDirectionEmail direction (inbound/outbound).string
Microsoft365Defender.RetrievedEmails.DeliveryLocationDelivery location.string
Microsoft365Defender.RetrievedEmails.AuthenticationDetailsAuthentication details (SPF, DKIM, DMARC, CompAuth).string
Microsoft365Defender.RetrievedEmails.DeliveryActionDelivery action.string
Microsoft365Defender.RetrievedEmails.SubjectEmail subject.string
Microsoft365Defender.RetrievedEmails.AttachmentCountNumber of attachments.string
Microsoft365Defender.RetrievedEmails.ThreatNamesThreat names.string
Microsoft365Defender.RetrievedEmails.RecipientEmailAddressRecipient email address.string
Microsoft365Defender.RetrievedEmails.EmailActionEmail action.string
Microsoft365Defender.RetrievedEmails.EmailLanguageEmail language.string
Microsoft365Defender.RetrievedEmails.SenderFromAddressSender address.string
Microsoft365Defender.RetrievedEmails.SenderDisplayNameSender display name.string
Microsoft365Defender.RetrievedEmails.SenderIPv4Sender IPv4.string
Microsoft365Defender.RetrievedEmails.ConfidenceLevelConfidence level.string
Microsoft365Defender.RetrievedEmails.ThreatTypesThreat types.string
Microsoft365Defender.RetrievedEmails.SHA256SHA256 of the attachments (if exists in the email).string
Microsoft365Defender.RetrievedEmails.UrlURLs found in the email's body.string
Microsoft365Defender.RetrievedEmails.UrlCountNumber of URLs found in the email's body.string
Microsoft365Defender.RetrievedEmails.SenderIPv6Sender IPv6.unknown

Playbook Image#

Microsoft 365 Defender - Emails Indicators Hunt