Search And Delete Emails - Generic v2

This Playbook is part of the Common Playbooks Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook searches for and deletes emails with attributes similar to those of a malicious email, using EWS or Office 365.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • O365 - Security And Compliance - Search And Delete
  • Search And Delete Emails - EWS


This playbook does not use any integrations.


  • Set


This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| From | The value of the malicious email's "From" attribute. | incident.emailfrom | Optional |
| Subject | The value of the malicious email's "Subject" attribute. | incident.emailsubject | Optional |
| AttachmentName | The value of the malicious email's "AttachmentName" attribute. | incident.attachmentname | Optional |
| SearchAndDeleteIntegration | The integration in which to run the search and delete action. Can be O365 or EWS. | EWS | Required |
| O365ExchangeLocation | Used only in O365. A comma-separated list of mailboxes/distribution groups to include, or use the value "All" to include all. | incident.emailto | Optional |
| O365KQL | Used only in O365. Text search string or a query that is formatted using the Keyword Query Language (KQL). | | Optional |
| O365Description | Used only in O365. Description of the compliance search. | | Optional |
| | Used only in O365. Whether to include mailboxes other than regular user mailboxes in the compliance search. | false | Optional |
| O365DeleteType | Used only in O365. The delete type to perform on the search results. Possible values are Hard and Soft or leave empty to select manually. (Hard = Unrecoverable, Soft = Recoverable) | inputs.O365DeleteType | Optional |
| O365ExchangeLocationExclusion | Used only when searching and deleting emails in O365. The exchange location. Determines from where to search and delete emails searched using O365 playbooks. Use the value "All" to search all mailboxes, use "SingleMailbox" to search and delete the email only from the recipient's inbox, or specify "Manual" to decide manually for every incident. Note: Searching all mailboxes may take a significant amount of time. | inputs.O365ExchangeLocationExclusion.None | Optional |
| To | The email address to which the email was sent. This is used if the user decides to search for and delete emails only from the inbox of the recipient using O365. | incident.emailto | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

Search And Delete Emails - Generic v2