Skip to main content

O365 - Security And Compliance - Search And Delete

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook performs the following steps:

  1. Creates a compliance search.
  2. Starts a compliance search.
  3. Waits for the compliance search to complete.
  4. Gets the results of the compliance search.
  5. Gets the preview results, if specified.
  6. Deletes the search results (Hard/Soft).


This playbook uses the following sub-playbooks, integrations, and scripts.


  • O365 - Security And Compliance - Search
  • Hard delete
  • Soft delete
  • O365 - Security And Compliance - Search Action - Preview


  • SecurityAndCompliance


  • PrintErrorEntry


  • o365-sc-remove-search
  • o365-sc-remove-search-action

Playbook Inputs#

NameDescriptionDefault ValueRequired
search_nameThe name of the compliance search. If not specified will have prefix of "XSOAR-" and GUID e.g. XSOAR-d6228fd0-756b-4e4b-8721-76776df91526.Optional
caseThe name of a Core eDiscovery case to associate with the new compliance search.Optional
kqlText search string or a query that is formatted using the Keyword Query Language (KQL).Required
descriptionDescription of the compliance search.Optional
allow_not_found_exchange_locationsWhether to include mailboxes other than regular user mailboxes in the compliance search. Default is "false".trueOptional
exchange_locationComma-separated list of mailboxes/distribution groups to include, or use the value "All" to include all.Required
exchange_location_exclusionComma-separated list of mailboxes/distribution groups to exclude when you use the value "All" for the exchange_location parameter.Optional
forceWhether to replace the existing search. If "true", the existing search will be removed and a new search will be created. If "false", the existing search will be used and any new search configurations will be ignored.falseRequired
previewWhether to preview the results using the search action "Preview". Possible values are: "true" and "false" or leave empty to select manually.trueRequired
delete_typeSpecify the delete type to perform on the search results. Possible values are Hard and Soft or leave empty to select manually. (Hard = Unrecoverable, Soft=Recoverable)SoftRequired

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

O365 - Security And Compliance - Search And Delete

Known Limitations#

  • Each security and compliance command creates a PSSession (PowerShell session). The security and compliance PowerShell limits the number of concurrent sessions to 3. Since this affects the behavior of multiple playbooks running concurrently it we recommend that you retry failed tasks when using the integration commands in playbooks.
  • In order to handle sessions limits, A retry mechanism is applied which will retry for 10 time with 30 sec breaks. (The retry isn't applied on the generic polling as it's not supported yet)
  • Due to a Microsoft limitation, you can perform a search and purge operation on a maximum of 50,000 mailboxes. To work around this limitation, configure multiple instances of the integration each with different permission filtering so that the number of mailboxes in each instance does not exceed 50,000.