
O365 - Security And Compliance - Search

This playbook is part of the EWS Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook performs the following steps:

  1. Creates a compliance search.
  2. Starts a compliance search.
  3. Waits for the compliance search to complete.
  4. Gets the results of the compliance search as an output.
  5. Gets the preview results, if specified.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling
  • O365 - Security And Compliance - Search Action - Preview

Integrations

  • SecurityAndCompliance

Scripts

  • PrintErrorEntry

Commands

  • o365-sc-get-search
  • o365-sc-new-search
  • o365-sc-start-search
  • o365-sc-remove-search

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| search_name | The name of the compliance search. If not specified, the name is the prefix "XSOAR-" followed by a GUID, e.g. XSOAR-d6228fd0-756b-4e4b-8721-76776df91526. | | Optional |
| force | If false, use the existing search without modifying any search parameters. If true, overwrite the existing search. Possible values are: "true" and "false". | false | Required |
| preview | Whether to preview results using the search action. Possible values are: "true" and "false". | false | Required |
| case | The name of a Core eDiscovery case to associate with the new compliance search. | | Optional |
| kql | Text search string or a query formatted using the Keyword Query Language (KQL). | | Optional |
| description | Description of the compliance search. | | Optional |
| allow_not_found_exchange_locations | Whether to include mailboxes other than regular user mailboxes in the compliance search. Possible values are: "true" and "false". | true | Optional |
| exchange_location | Comma-separated list of mailboxes/distribution groups to include, or the value "All" to include all. | All | Required |
| exchange_location_exclusion | Comma-separated list of mailboxes/distribution groups to exclude when you use the value "All" for the exchange_location parameter. | | Optional |
| public_folder_location | Comma-separated list of public folders to include, or the value "All" to include all. | | Optional |
| share_point_location | Comma-separated list of SharePoint Online sites to include. You can identify the sites by their URL value, or use the value "All" to include all sites. | | Optional |
| share_point_location_exclusion | Comma-separated list of SharePoint Online sites to exclude when you use the value "All" for the share_point_location argument. You can identify the sites by their URL value. | | Optional |
| polling_interval | Compliance search polling interval. | 3 | Optional |
| polling_timeout | Compliance search polling timeout. | 45 | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| O365.SecurityAndCompliance.ContentSearch.Search.AllowNotFoundExchangeLocationsEnabled | Whether to include mailboxes other than regular user mailboxes in the compliance search. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.Search.AzureBatchFrameworkEnabled | Whether the Azure Batch Framework is enabled for job processing. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseId | Identity of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.CaseName | Name of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.ContentMatchQuery | Compliance text search string or a query that is formatted using the Keyword Query Language (KQL). | String |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedBy | Security and compliance search creator. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.CreatedTime | Security and compliance search creation time. | Date |
| O365.SecurityAndCompliance.ContentSearch.Search.Description | Security and compliance search description. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.Errors | Security and compliance search errors. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.ExchangeLocation | Security and compliance search Exchange locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.Identity | Security and compliance search identity. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.IsValid | Whether the security and compliance search is valid. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.Search.Items | Number of security and compliance search scanned items. | Number |
| O365.SecurityAndCompliance.ContentSearch.Search.JobEndTime | Security and compliance search job end time. | Date |
| O365.SecurityAndCompliance.ContentSearch.Search.JobId | Security and compliance search job ID. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.JobRunId | Security and compliance search job run ID. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.JobStartTime | Security and compliance search job run start time. | Date |
| O365.SecurityAndCompliance.ContentSearch.Search.LastModifiedTime | Security and compliance search last modification time. | Date |
| O365.SecurityAndCompliance.ContentSearch.Search.LogLevel | Security and compliance search Azure log level. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.Name | Security and compliance search name. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocation | Security and compliance search OneDrive locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.OneDriveLocationExclusion | Security and compliance search OneDrive locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocation | Security and compliance search public folder locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.PublicFolderLocationExclusion | Security and compliance search public folder locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.RunBy | Security and compliance search last run by UPN (email representation). | String |
| O365.SecurityAndCompliance.ContentSearch.Search.RunspaceId | Security and compliance search runspace ID. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.SharePointLocation | Security and compliance search SharePoint locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.Size | Security and compliance search results size in bytes. | Number |
| O365.SecurityAndCompliance.ContentSearch.Search.Status | Security and compliance search status. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.TenantId | Security and compliance search tenant ID. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Location | Security and compliance search result location. | String |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.ItemsCount | The number of security and compliance search results in the location. | Number |
| O365.SecurityAndCompliance.ContentSearch.Search.SuccessResults.Size | The byte size of the security and compliance search results in the location. | Number |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | Security and compliance search action type. Either "Purge" or "Preview". | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Whether to include mailboxes other than regular user mailboxes in the compliance search. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Whether the Azure Batch Framework is enabled for job processing. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | Identity of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | Name of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | Security and compliance search action creator. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Security and compliance search action creation time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | Security and compliance search action description. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | Security and compliance search action errors. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | Security and compliance search action estimate search job ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | Security and compliance search action estimate search run ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | Security and compliance search action Exchange locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | Security and compliance search action Exchange locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | Security and compliance search action identity. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Whether the security and compliance search action is valid. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Security and compliance search action job end time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | Security and compliance search action job ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | Security and compliance search action job run ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Security and compliance search action job start time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Security and compliance search action last modified time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | Security and compliance search action name. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | Security and compliance search action public folder locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | Security and compliance search action public folder locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Location | Security and compliance search action result location. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Sender | Security and compliance search action result mail sender. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Subject | Security and compliance search action result subject. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Type | Security and compliance search action result type. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Size | Security and compliance search action result size. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ReceivedTime | Security and compliance search action result received time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.DataLink | Security and compliance search action data link. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Whether to retry if the search action failed. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | Security and compliance search action run by UPN (email address). | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | Security and compliance search action runspace ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | Security and compliance search action search name. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | Security and compliance search action SharePoint locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | Security and compliance search action SharePoint locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | Security and compliance search action status. Either "Started" or "Completed". | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | Security and compliance search action tenant ID. | String |

Playbook Image

[Playbook image: O365 - Security And Compliance - Search]

Known Limitations

  • Each security and compliance command creates a PSSession (PowerShell session). Security and compliance PowerShell limits the number of concurrent sessions to 3. Because this affects multiple playbooks running concurrently, we recommend that you retry failed tasks when using the integration commands in playbooks.
  • To handle the session limit, a retry mechanism is applied that retries 10 times with 30-second breaks. (The retry is not applied to the generic polling, as that is not yet supported.)
  • Due to a Microsoft limitation, you can perform a search and purge operation on a maximum of 50,000 mailboxes. To work around this limitation, configure multiple instances of the integration, each with different permission filtering, so that the number of mailboxes in each instance does not exceed 50,000.
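The five steps listed at the top of this page, combined with the session-limit retry described in the first two limitations above, as an added PowerShell example that is not the playbook's or the integration's own code; it drives the Security & Compliance PowerShell cmdlets directly. The ExchangeOnlineManagement module, eDiscovery Manager rights, minute units for the polling defaults, and the search name, KQL query and description are assumptions.

```powershell
# Added example, not the playbook's own code: runs the same five steps directly with the
# Security & Compliance PowerShell cmdlets that the SecurityAndCompliance integration wraps.
# Assumes the ExchangeOnlineManagement module and eDiscovery Manager rights; KQL and description are constructed.
Import-Module ExchangeOnlineManagement

# Known Limitations: at most 3 concurrent PSSessions. Mirror the integration's policy of
# 10 retries with 30-second breaks when opening the session fails.
function Connect-SccWithRetry {
    param([int]$MaxAttempts = 10, [int]$BreakSeconds = 30)
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try { Connect-IPPSSession -ErrorAction Stop; return }
        catch {
            if ($i -eq $MaxAttempts) { throw }
            Write-Warning "Connect attempt $i failed: $($_.Exception.Message); retrying in ${BreakSeconds}s"
            Start-Sleep -Seconds $BreakSeconds
        }
    }
}

# Step 3 helper: poll until Status is Completed, fail fast on Failed, give up at the deadline.
# Interval and timeout mirror the playbook defaults (3 and 45), assumed here to be minutes.
function Wait-ForCompleted {
    param([scriptblock]$Get, [int]$IntervalMinutes = 3, [int]$TimeoutMinutes = 45)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $obj = & $Get
        if ($obj.Status -eq 'Completed') { return $obj }
        if ($obj.Status -eq 'Failed') { throw "Job failed: $($obj.Errors)" }
        Start-Sleep -Seconds ($IntervalMinutes * 60)
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes min; last status: $($obj.Status)"
}

Connect-SccWithRetry

# Step 1: create the search; the name follows the playbook's default "XSOAR-<GUID>" pattern.
$name = "XSOAR-$([guid]::NewGuid())"
New-ComplianceSearch -Name $name -ExchangeLocation All -AllowNotFoundExchangeLocationsEnabled $true `
    -ContentMatchQuery 'subject:"Invoice" AND received>=2024-01-01' -Description 'IR triage' | Out-Null
# Step 2: start it, then Step 3: wait for it.
Start-ComplianceSearch -Identity $name
$search = Wait-ForCompleted { Get-ComplianceSearch -Identity $name }
# Step 4: results; Items, Size and SuccessResults correspond to the Search.* outputs above.
"{0} items, {1} bytes" -f $search.Items, $search.Size
$search.SuccessResults
# Step 5 (preview=true): the Preview action is named "<search>_Preview"; wait for it, then read Results.
New-ComplianceSearchAction -SearchName $name -Preview | Out-Null
(Wait-ForCompleted { Get-ComplianceSearchAction -Identity "${name}_Preview" }).Results
# Equivalent of o365-sc-remove-search: drop the search once the case no longer needs it.
Remove-ComplianceSearch -Identity $name -Confirm:$false
```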