Publisher: Splunk
Connector Version: 2.7.1
Product Vendor: Microsoft
Product Name: Office 365 (MS Graph)
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.0
This app connects to Office 365 using the MS Graph API to support investigate and generic actions related to the email messages and calendar events
- The 'id' field of email artifact has been renamed to 'messageId'. Hence, it is requested to the end-user to please update their existing playbooks by re-inserting | modifying | deleting the corresponding action blocks to ensure the correct functioning of the playbooks created on the earlier versions of the app.
This app requires registration of a Microsoft Graph Application. To do so, navigate to the URL https://portal.azure.com in a browser and log in with the Microsoft account, then, click App registrations .
On the next page, select New registration and give your app a name.
Once the app is created, follow the below-mentioned steps:
-
Under Certificates & secrets select New client secret . Enter the Description and select the desired duration in Expires . Click on Add . Note down this value somewhere secure, as it cannot be retrieved after closing the window.
-
Under Authentication , select Add a platform . In the Add a platform window, select Web . The Redirect URLs should be filled right here. We will get Redirect URLs from the Splunk SOAR asset we create below in the section titled Splunk SOAR Graph Asset .
-
Under API Permissions Click on Add a permission .
-
Under the Microsoft API section, select Microsoft Graph .
-
Provide the following Application permissions to the app:
-
Mail.Read (https://graph.microsoft.com/Mail.Read)
-
Mail.ReadWrite (https://graph.microsoft.com/Mail.ReadWrite)
-
User.Read.All (https://graph.microsoft.com/User.Read.All)
- For non-admin access, use User.Read (Delegated permission) instead (https://graph.microsoft.com/User.Read)
-
Group.Read.All (https://graph.microsoft.com/Group.Read.All) - It is required only if you want to run the list events action for the group's calendar and for the list groups and the list group members action.
-
Calendar.Read (https://graph.microsoft.com/Calendars.Read) - It is required only if you want to run the list events action for the user's calendar.
-
Calendars.ReadWrite (https://graph.microsoft.com/Calendars.ReadWrite) - It is required only if you want to run the delete event action from the user's calendar.
-
MailboxSettings.Read (https://graph.microsoft.com/MailboxSettings.Read) - It is required only if you want to run the oof status action.
-
After making these changes, click Add permissions , then select Grant admin consent for <your_organization_name_as_on_azure_portal> at the bottom of the screen.
When creating an asset for the MS Graph for Office 365 app, place Application ID of the app created during the app registration on the Azure Portal in the Application ID field and place the client secret generated during the app registration process in the Application Secret field. Then, after filling out the Tenant field, click SAVE . Both the Application/Client ID and the Tenant ID can be found in the Overview tab on your app's Azure page.
After saving, a new field will appear in the Asset Settings tab. Take the URL found in the POST incoming for MS Graph for Office 365 to this location field and place it in the Redirect URLs field mentioned in the previous step. To this URL, add /result . After doing so the URL should look something like:
https://<splunk_soar_host>/rest/handler/msgraphforoffice365_0a0a4087-10e8-4c96-9872-b740ff26d8bb/<asset_name>/result
Once again, click SAVE at the bottom of the screen.
Additionally, updating the Base URL in the Company Settings is also required. Navigate to Administration > Company Settings > Info to configure the Base URL For Splunk SOAR . Then, select Save Changes .
To complete the authorization process, this app needs permission to view assets, which is not granted by default. First, navigate to Asset Settings > Advanced , to check which user is listed under Select a user on behalf of which automated actions can be executed . By default, the user will be automation , but this user can be changed by clicking EDIT at the bottom of the window. To give this user permission to view assets, follow these steps:
- In the main drop-down menu, select Administration , then select the User Management , and under that tab, select Roles & Permissions . Finally, click + ROLE .
- In the Add Role wizard, give the role a name (e.g Asset Viewer ), and provide a description. Subsequently, under the Users tab , click ADD USERS to add the user assigned to the asset viewed earlier. Then click the Permissions tab.
- In the permission tab, under Basic Permissions , give the role the View Assets privilege. Then click SAVE .
- Configure the asset with required details while keeping the Admin Access Required as checked.
- While configuring the asset for the first time, keep Admin Consent Already Provided as unchecked.
- The Redirect URLs must be configured before executing test connectivity. To configure Redirect URLs , checkout the section titled Splunk SOAR Graph Asset above.
- After setting up the asset and user, click the TEST CONNECTIVITY button.
- A window should pop up and display a URL. You will be asked to open the link in a new tab. Open the link in the same browser so that you are logged into Splunk SOAR for the redirect. If you wish to use a different browser, log in to the Splunk SOAR first, and then open the provided link. This new tab will redirect to the Microsoft login page.
- Log in to the Microsoft account with the admin user.
- You will be prompted to agree to the permissions requested by the App.
- Review the requested permissions listed, then click Accept .
- If all goes well the browser should instruct you to close the tab.
- Now go back and check the message on the Test Connectivity dialog box, it should say Test Connectivity Passed .
- For subsequent test connectivity or action runs, you can keep Admin Consent Already Provided config parameter as checked. This will skip the interactive flow and use the client credentials for generating tokens.
- Configure the asset with required details while keeping the Admin Access Required as unchecked. Admin Consent Already Provided config parameter will be ignored in the non-admin workflow.
- Provide Access Scope parameter in the asset configuration. All the actions will get executed according to the scopes provided in the Access Scope config parameter.
- The Redirect URLs must be configured before executing test connectivity. To configure Redirect URLs , checkout the section titled Splunk SOAR Graph Asset above.
- After setting up the asset and user, click the TEST CONNECTIVITY button.
- A window should pop up and display a URL. You will be asked to open the link in a new tab. Open the link in the same browser so that you are logged into Splunk SOAR for the redirect. If you wish to use a different browser, log in to the Splunk SOAR first, and then open the provided link. This new tab will redirect to the Microsoft login page.
- Log in to the Microsoft account.
- You will be prompted to agree to the permissions requested by the App.
- Review the requested permissions listed, then click Accept .
- If all goes well the browser should instruct you to close the tab.
- Now go back and check the message on the Test Connectivity dialog box, it should say Test Connectivity Passed .
The app should now be ready to be used.
Configuration:
- email_address - Ingest from the provided email address.
- folder - To fetch the emails from the given folder name (must be provided if running ingestion)
- get_folder_id - Retrieve the folder ID for the provided folder name/folder path automatically and replace the folder parameter value.
- first_run_max_emails - Maximum containers to poll for the first scheduled polling (default - 1000).
- max_containers - Maximum containers to poll after the first scheduled poll completes (default - 100).
- extract_attachments - Extract all the attachments included in emails.
- extract_urls - Extracts the URLs present in the emails.
- extract_ips - Extracts the IP addresses present in the emails.
- extract_domains - Extract the domain names present in the emails.
- extract_hashes - Extract the hashes present in the emails (MD5).
- ingest_eml - Fetch the EML file content for the 'item attachment' and ingest it into the vault. This will only ingest the first level 'item attachment' as an EML file. The nested item attachments will not be ingested into the vault. If the extract_attachments flag is set to false, then the application will also skip the EML file ingestion regardless of this flag value.
If extract_attachments is set to true, only fileAttachment will be ingested. If both ingest_eml and extract_attachments are set to true, then both fileAttachment and itemAttachment will be ingested.
This is applicable to 'on poll', 'copy email', 'move email', and 'run query' actions.
- The get_folder_id parameter should be enabled only when you have specified folder name/folder path in the folder parameter.
- If you provide folder ID in the folder parameter and set get_folder_id parameter to true, it will throw an error of folder ID not found for given folder name (because the action considers folder parameter value as folder name/folder path).
- The folder parameter must be either a (case sensitive) well-known name ( https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0 ) or the internal o365 folder ID.
- The folder parameter supports nested folder paths. To specify the complete folder path using the
'/' (forward slash) as the separator.
e.g. to specify a folder named phishing which is nested within (is a child of) Inbox , set the value as Inbox/phishing . If a folder name has a literal forward slash('/') in the name escape it with a backslash('\\') to differentiate.
Please check the permissions for the state file as mentioned below.
- For Non-NRI instance: /opt/phantom/local_data/app_states/<appid>/<asset_id>_state.json
- For NRI instance: /<PHANTOM_HOME_DIRECTORY>/local_data/app_states/<appid>/<asset_id>_state.json
- File rights: rw-rw-r-- (664) (The Splunk SOAR user should have read and write access for the state file)
- File owner: Appropriate Splunk SOAR user
- An optional parameter Admin Access Required has been added to this app. In most cases, this should remain checked, as admin access is required for email use cases. If the desired integration is to integrate with only one user's calendar, you may consider unchecking this box. If unchecked, it allows a non-admin user to provide access to a specific account. This functionality will ONLY work with the list events functionality. If unchecked, the Access scope must be used. The default scope will work for listing calendar events. Additional information on scope can be found here.
- As per the Microsoft known issues for Group.Read.All permission ( here ), if you want to run the list events for fetching group's calendar events, you have to uncheck an optional parameter Admin Access Required and provide Group.Read.All (https://graph.microsoft.com/Group.Read.All) permission into the scope parameter in the asset configuration parameters. If an asset parameter Admin Access Required checked and configured the app with above mentioned all the application permissions (which includes Group.Read.All application permission), it throws an error like Access is denied while running list events action for fetching group's calendar events. Because of the known issue of Group.Read.All application permission, this permission required admin consent (on behalf of the user permission) to fetch the group's calendar events.
- If the parameter Admin Access Required is unchecked, you have to provide a scope parameter in the asset configuration. All the actions will get executed according to the scopes provided in the scope config parameter. The actions will throw an appropriate error if the scope of the corresponding permission is not provided by the end-user.
- There is an API limitation that will affect run_query action when providing Unicode values in the subject or in the body as parameters and if the result count exceeds 999, the action will fail.
- The sensitive values are stored encrypted in the state file.
The app uses HTTP/ HTTPS protocol for communicating with the Office365 server. Below are the default ports used by the Splunk SOAR Connector.
| Service Name | Transport Protocol | Port |
|---|---|---|
| http | tcp | 80 |
| https | tcp | 443 |
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Office 365 (MS Graph) asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| tenant | required | string | Tenant ID (e.g. 1e309abf-db6c-XXXX-a1d2-XXXXXXXXXXXX) |
| client_id | required | string | Application ID |
| client_secret | required | password | Application Secret |
| admin_access | optional | boolean | Admin Access Required |
| admin_consent | optional | boolean | Admin Consent Already Provided |
| scope | optional | string | Access Scope (for use with non-admin access; space-separated) |
| ph_2 | optional | ph | |
| email_address | optional | string | Email Address of the User (On Poll) |
| folder | optional | string | Mailbox folder name/folder path or the internal office365 folder ID to ingest (On Poll) |
| get_folder_id | optional | boolean | Retrieve the folder ID for the provided folder name/folder path automatically and replace the folder parameter value (On Poll) |
| ph_3 | optional | ph | |
| first_run_max_emails | optional | numeric | Maximum Containers for scheduled polling first time |
| max_containers | optional | numeric | Maximum Containers for scheduled polling |
| extract_attachments | optional | boolean | Extract Attachments |
| extract_urls | optional | boolean | Extract URLs |
| extract_ips | optional | boolean | Extract IPs |
| extract_domains | optional | boolean | Extract Domain Names |
| extract_hashes | optional | boolean | Extract Hashes |
| ingest_eml | optional | boolean | Ingest EML file for the itemAttachment |
| ingest_manner | optional | string | How to Ingest (during ingestion, should the app get the latest emails or the oldest) |
| retry_count | optional | numeric | Maximum attempts to retry the API call (Default: 3) |
| retry_wait_time | optional | numeric | Delay in seconds between retries (Default: 60) |
test connectivity - Use supplied credentials to generate a token with MS Graph
generate token - Generate a token
oof check - Get user's out of office status
list events - List events from user or group calendar
list users - Retrieve a list of users
list groups - List all the groups in an organization, including but not limited to Office 365 groups
list group members - List all the members in group
list folders - Retrieve a list of mail folders
copy email - Copy an email to a folder
move email - Move an email to a folder
delete email - Delete an email
delete event - Delete an event from user calendar
get email - Get an email from the server
get email properties - Get non-standard email properties from the server
run query - Search emails
create folder - Create a new folder
get folder id - Get the API ID of the folder
on poll - Ingest emails from Office 365 using Graph API
Use supplied credentials to generate a token with MS Graph
Type: test
Read only: True
No parameters are required for this action
No Output
Generate a token
Type: generic
Read only: False
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get user's out of office status
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID/Principal name | string | msgoffice365 user id msgoffice365 user principal name email |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.user_id | string | msgoffice365 user id msgoffice365 user principal name email |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*.externalAudience | string | |
| action_result.data.*.externalReplyMessage | string | |
| action_result.data.*.internalReplyMessage | string | |
| action_result.data.*.scheduledEndDateTime.dateTime | string | |
| action_result.data.*.scheduledEndDateTime.timeZone | string | |
| action_result.data.*.scheduledStartDateTime.dateTime | string | |
| action_result.data.*.scheduledStartDateTime.timeZone | string | |
| action_result.data.*.status | string | |
| action_result.summary.events_matched | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List events from user or group calendar
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | optional | User ID/Principal name | string | msgoffice365 user id msgoffice365 user principal name email |
| group_id | optional | Group ID | string | msgoffice365 group id |
| filter | optional | OData query to filter/search for specific results | string | |
| limit | optional | Maximum number of events to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.filter | string | |
| action_result.parameter.group_id | string | msgoffice365 group id |
| action_result.parameter.limit | numeric | |
| action_result.parameter.user_id | string | msgoffice365 user id msgoffice365 user principal name email |
| action_result.data.*[email protected] | string | |
| action_result.data.*.allowNewTimeProposals | boolean | |
| action_result.data.*.attendee_list | string | |
| action_result.data.*.attendees.*.emailAddress.address | string | email |
| action_result.data.*.attendees.*.emailAddress.name | string | |
| action_result.data.*.attendees.*.status.response | string | |
| action_result.data.*.attendees.*.status.time | string | |
| action_result.data.*.attendees.*.type | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.bodyPreview | string | |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | url |
| action_result.data.*.categories.*.name | string | |
| action_result.data.*.changeKey | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.end.dateTime | string | |
| action_result.data.*.end.timeZone | string | |
| action_result.data.*.hasAttachments | boolean | |
| action_result.data.*.hideAttendees | boolean | |
| action_result.data.*.iCalUId | string | |
| action_result.data.*.id | string | msgoffice365 event id |
| action_result.data.*.importance | string | |
| action_result.data.*.isAllDay | boolean | |
| action_result.data.*.isCancelled | boolean | |
| action_result.data.*.isDraft | boolean | |
| action_result.data.*.isOnlineMeeting | boolean | |
| action_result.data.*.isOrganizer | boolean | |
| action_result.data.*.isReminderOn | boolean | |
| action_result.data.*.lastModifiedDateTime | string | |
| action_result.data.*.location.address.city | string | |
| action_result.data.*.location.address.countryOrRegion | string | |
| action_result.data.*.location.address.postalCode | string | |
| action_result.data.*.location.address.state | string | |
| action_result.data.*.location.address.street | string | |
| action_result.data.*.location.coordinates.latitude | numeric | |
| action_result.data.*.location.coordinates.longitude | numeric | |
| action_result.data.*.location.displayName | string | |
| action_result.data.*.location.locationType | string | |
| action_result.data.*.location.locationUri | string | url |
| action_result.data.*.location.uniqueId | string | |
| action_result.data.*.location.uniqueIdType | string | |
| action_result.data.*.locations.*.address.city | string | |
| action_result.data.*.locations.*.address.countryOrRegion | string | |
| action_result.data.*.locations.*.address.postalCode | string | |
| action_result.data.*.locations.*.address.state | string | |
| action_result.data.*.locations.*.address.street | string | |
| action_result.data.*.locations.*.coordinates.latitude | numeric | |
| action_result.data.*.locations.*.coordinates.longitude | numeric | |
| action_result.data.*.locations.*.displayName | string | |
| action_result.data.*.locations.*.locationType | string | |
| action_result.data.*.locations.*.locationUri | string | url |
| action_result.data.*.locations.*.uniqueId | string | |
| action_result.data.*.locations.*.uniqueIdType | string | |
| action_result.data.*.occurrenceId | string | |
| action_result.data.*.onlineMeeting | string | |
| action_result.data.*.onlineMeetingProvider | string | |
| action_result.data.*.onlineMeetingUrl | string | url |
| action_result.data.*.organizer.emailAddress.address | string | email |
| action_result.data.*.organizer.emailAddress.name | string | |
| action_result.data.*.originalEndTimeZone | string | |
| action_result.data.*.originalStartTimeZone | string | |
| action_result.data.*.recurrence | string | |
| action_result.data.*.reminderMinutesBeforeStart | numeric | |
| action_result.data.*.responseRequested | boolean | |
| action_result.data.*.responseStatus.response | string | |
| action_result.data.*.responseStatus.time | string | |
| action_result.data.*.sensitivity | string | |
| action_result.data.*.seriesMasterId | string | |
| action_result.data.*.showAs | string | |
| action_result.data.*.start.dateTime | string | |
| action_result.data.*.start.timeZone | string | |
| action_result.data.*.subject | string | |
| action_result.data.*.transactionId | string | |
| action_result.data.*.type | string | |
| action_result.data.*.webLink | string | url |
| action_result.data.locations.*.displayName | string | |
| action_result.summary.events_matched | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Retrieve a list of users
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| filter | optional | Search for specific results | string | |
| limit | optional | Maximum number of users to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.filter | string | |
| action_result.parameter.limit | numeric | |
| action_result.data.*.businessPhones | string | |
| action_result.data.*.displayName | string | |
| action_result.data.*.givenName | string | |
| action_result.data.*.id | string | msgoffice365 user id |
| action_result.data.*.jobTitle | string | |
| action_result.data.*.mail | string | email |
| action_result.data.*.mobilePhone | string | |
| action_result.data.*.officeLocation | string | |
| action_result.data.*.preferredLanguage | string | |
| action_result.data.*.surname | string | |
| action_result.data.*.userPrincipalName | string | msgoffice365 user principal name email |
| action_result.summary.total_users_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all the groups in an organization, including but not limited to Office 365 groups
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| filter | optional | Search for specific results | string | |
| limit | optional | Maximum number of groups to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.filter | string | |
| action_result.parameter.limit | numeric | |
| action_result.data.*.classification | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.creationOptions | string | |
| action_result.data.*.deletedDateTime | string | |
| action_result.data.*.description | string | |
| action_result.data.*.displayName | string | |
| action_result.data.*.expirationDateTime | string | |
| action_result.data.*.groupTypes | string | |
| action_result.data.*.id | string | msgoffice365 group id |
| action_result.data.*.isAssignableToRole | string | |
| action_result.data.*.mail | string | email |
| action_result.data.*.mailEnabled | boolean | |
| action_result.data.*.mailNickname | string | |
| action_result.data.*.membershipRule | string | |
| action_result.data.*.membershipRuleProcessingState | string | |
| action_result.data.*.onPremisesDomainName | string | |
| action_result.data.*.onPremisesLastSyncDateTime | string | |
| action_result.data.*.onPremisesNetBiosName | string | |
| action_result.data.*.onPremisesSamAccountName | string | |
| action_result.data.*.onPremisesSecurityIdentifier | string | |
| action_result.data.*.onPremisesSyncEnabled | string | |
| action_result.data.*.preferredDataLocation | string | |
| action_result.data.*.preferredLanguage | string | |
| action_result.data.*.proxyAddresses | string | |
| action_result.data.*.renewedDateTime | string | |
| action_result.data.*.resourceBehaviorOptions | string | |
| action_result.data.*.resourceProvisioningOptions | string | |
| action_result.data.*.securityEnabled | boolean | |
| action_result.data.*.securityIdentifier | string | |
| action_result.data.*.theme | string | |
| action_result.data.*.visibility | string | |
| action_result.summary.total_groups_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
List all the members in group
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| group_id | required | Group ID | string | msgoffice365 group id |
| get_transitive_members | optional | Get a list of the group's members. A group can have users, devices, organizational contacts, and other groups as members. This operation is transitive and returns a flat list of all nested members | boolean | |
| filter | optional | Search for specific results | string | |
| limit | optional | Maximum number of members to return | numeric |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.filter | string | |
| action_result.parameter.get_transitive_members | boolean | |
| action_result.parameter.group_id | string | msgoffice365 group id |
| action_result.parameter.limit | numeric | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.businessPhones | string | |
| action_result.data.*.displayName | string | |
| action_result.data.*.givenName | string | |
| action_result.data.*.id | string | msgoffice365 user id |
| action_result.data.*.jobTitle | string | |
| action_result.data.*.mail | string | email |
| action_result.data.*.mobilePhone | string | |
| action_result.data.*.officeLocation | string | |
| action_result.data.*.preferredLanguage | string | |
| action_result.data.*.surname | string | |
| action_result.data.*.userPrincipalName | string | msgoffice365 user principal name email |
| action_result.summary.total_members_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Retrieve a list of mail folders
Type: investigate
Read only: True
If you want to list all the child folders (includes all the sub-levels) of the specific parent folder, then, you have to provide the parent folder_id parameter. If you don't provide folder_id it will list all the folders on Office 365 account (includes all the sub-level folders).
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| user_id | required | User ID/Principal name | string | msgoffice365 user id msgoffice365 user principal name email |
| folder_id | optional | Parent mail folder ID | string | msgoffice365 folder id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.folder_id | string | msgoffice365 folder id |
| action_result.parameter.user_id | string | msgoffice365 user id msgoffice365 user principal name email |
| action_result.data.*.childFolderCount | numeric | |
| action_result.data.*.displayName | string | |
| action_result.data.*.id | string | msgoffice365 folder id |
| action_result.data.*.isHidden | boolean | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.sizeInBytes | numeric | |
| action_result.data.*.totalItemCount | numeric | |
| action_result.data.*.unreadItemCount | numeric | |
| action_result.summary.total_folders_returned | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Copy an email to a folder
Type: generic
Read only: False
The get_folder_id parameter should be enabled only when you have specified folder name/folder path in the folder parameter. If you provide folder ID in the folder parameter and set get_folder_id parameter to true, it will throw an error of folder ID not found for given folder name (because the action considers folder parameter value as folder name/folder path). The folder parameter must be either a (case sensitive) well-known name [list here; https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0] or the internal o365 folder ID. The action supports copying to a folder that is nested within another. To copy in such a folder, specify the complete folder path using the '/' (forward slash) as the separator.
e.g. to search in a folder named phishing which is nested within (is a child of) Inbox, set the value as Inbox/phishing. If a folder name has a literal forward slash('/') in the name escape it with a backslash('\') to differentiate.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Message ID to copy | string | msgoffice365 message id |
| email_address | required | Source mailbox (email) | string | email |
| folder | required | Destination folder; this must be either a (case-sensitive) well-known name or the internal o365 folder ID | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| get_folder_id | optional | Assume the folder parameter contains a folder name/folder path, separated by '/' ; i.e. Inbox/dir1/dir2/dir3. If this parameter is enabled, it retrieves the folder ID for the provided folder name/folder path automatically and replaces the parameter value | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.folder | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| action_result.parameter.get_folder_id | boolean | |
| action_result.parameter.id | string | msgoffice365 message id |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.bccRecipients.email | string | email |
| action_result.data.*.bccRecipients.name | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.bodyPreview | string | |
| action_result.data.*.categories | string | |
| action_result.data.*.ccRecipients.email | string | email |
| action_result.data.*.ccRecipients.name | string | |
| action_result.data.*.changeKey | string | |
| action_result.data.*.conversationId | string | |
| action_result.data.*.conversationIndex | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.flag.flagStatus | string | |
| action_result.data.*.from.emailAddress.address | string | email |
| action_result.data.*.from.emailAddress.name | string | |
| action_result.data.*.hasAttachments | boolean | |
| action_result.data.*.id | string | msgoffice365 message id |
| action_result.data.*.importance | string | |
| action_result.data.*.inferenceClassification | string | |
| action_result.data.*.internetMessageId | string | msgoffice365 internet message id |
| action_result.data.*.isDeliveryReceiptRequested | boolean | |
| action_result.data.*.isDraft | boolean | |
| action_result.data.*.isRead | boolean | |
| action_result.data.*.isReadReceiptRequested | boolean | |
| action_result.data.*.lastModifiedDateTime | string | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.receivedDateTime | string | |
| action_result.data.*.replyTo | string | |
| action_result.data.*.sender.emailAddress.address | string | email |
| action_result.data.*.sender.emailAddress.name | string | |
| action_result.data.*.sentDateTime | string | |
| action_result.data.*.subject | string | msgoffice365 subject |
| action_result.data.*.toRecipients.*.emailAddress.address | string | email |
| action_result.data.*.toRecipients.*.emailAddress.name | string | |
| action_result.data.*.webLink | string | url |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Move an email to a folder
Type: generic
Read only: False
The get_folder_id parameter should be enabled only when you have specified folder name/folder path in the folder parameter. If you provide folder ID in the folder parameter and set get_folder_id parameter to true, it will throw an error of folder ID not found for given folder name (because the action considers folder parameter value as folder name/folder path). The folder parameter must be either a (case sensitive) well-known name [list here; https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0] or the internal o365 folder ID. The action supports moving to a folder that is nested within another. To copy in such a folder, specify the complete folder path using the '/' (forward slash) as the separator.
e.g. to search in a folder named phishing which is nested within (is a child of) Inbox, set the value as Inbox/phishing. If a folder name has a literal forward slash('/') in the name escape it with a backslash('\') to differentiate.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Message ID to move | string | msgoffice365 message id |
| email_address | required | Source mailbox (email) | string | email |
| folder | required | Destination folder; this must be either a (case-sensitive) well-known name or the internal o365 folder ID | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| get_folder_id | optional | Assume the folder parameter contains a folder name/folder path, separated by '/'(forward slash) ; i.e. Inbox/dir1/dir2/dir3. If this parameter is enabled, it retrieves the folder ID for the provided folder name/folder path automatically and replaces the parameter value | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.folder | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| action_result.parameter.get_folder_id | boolean | |
| action_result.parameter.id | string | msgoffice365 message id |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.bccRecipients.email | string | email |
| action_result.data.*.bccRecipients.name | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.bodyPreview | string | |
| action_result.data.*.categories | string | |
| action_result.data.*.ccRecipients.email | string | email |
| action_result.data.*.ccRecipients.name | string | |
| action_result.data.*.changeKey | string | |
| action_result.data.*.conversationId | string | |
| action_result.data.*.conversationIndex | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.flag.flagStatus | string | |
| action_result.data.*.from.emailAddress.address | string | email |
| action_result.data.*.from.emailAddress.name | string | |
| action_result.data.*.hasAttachments | boolean | |
| action_result.data.*.id | string | msgoffice365 message id |
| action_result.data.*.importance | string | |
| action_result.data.*.inferenceClassification | string | |
| action_result.data.*.internetMessageId | string | msgoffice365 internet message id |
| action_result.data.*.isDeliveryReceiptRequested | boolean | |
| action_result.data.*.isDraft | boolean | |
| action_result.data.*.isRead | boolean | |
| action_result.data.*.isReadReceiptRequested | boolean | |
| action_result.data.*.lastModifiedDateTime | string | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.receivedDateTime | string | |
| action_result.data.*.replyTo | string | |
| action_result.data.*.sender.emailAddress.address | string | email |
| action_result.data.*.sender.emailAddress.name | string | |
| action_result.data.*.sentDateTime | string | |
| action_result.data.*.subject | string | msgoffice365 subject |
| action_result.data.*.toRecipients.*.emailAddress.address | string | email |
| action_result.data.*.toRecipients.*.emailAddress.name | string | |
| action_result.data.*.webLink | string | url |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Delete an email
Type: contain
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Message ID to delete | string | msgoffice365 message id |
| email_address | required | Email address of the mailbox owner | string | email |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.id | string | msgoffice365 message id |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Delete an event from user calendar
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Event ID to delete | string | msgoffice365 event id |
| email_address | required | Email address of the mailbox owner | string | email |
| send_decline_response | optional | Send decline response to the organizer | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.id | string | msgoffice365 event id |
| action_result.parameter.send_decline_response | boolean | |
| action_result.data | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get an email from the server
Type: investigate
Read only: True
If the 'download attachments' parameter is set to true, the action will ingest the '#microsoft.graph.itemAttachment' and '#microsoft.graph.fileAttachment' type of attachments.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Message ID to get | string | msgoffice365 message id |
| email_address | required | Email address of the mailbox owner | string | email |
| download_attachments | optional | Download attachments to vault | boolean | |
| extract_headers | optional | Extract email headers | boolean | |
| download_email | optional | Download email to vault | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.download_attachments | boolean | |
| action_result.parameter.download_email | boolean | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.extract_headers | boolean | |
| action_result.parameter.id | string | msgoffice365 message id |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.allowNewTimeProposals | string | |
| action_result.data.*.attachments.*[email protected] | string | |
| action_result.data.*.attachments.*[email protected] | string | |
| action_result.data.*.attachments.*.attachmentType | string | |
| action_result.data.*.attachments.*.contentId | string | email |
| action_result.data.*.attachments.*.contentLocation | string | |
| action_result.data.*.attachments.*.contentType | string | |
| action_result.data.*.attachments.*.id | string | |
| action_result.data.*.attachments.*.isInline | boolean | |
| action_result.data.*.attachments.*.itemType | string | |
| action_result.data.*.attachments.*.lastModifiedDateTime | string | |
| action_result.data.*.attachments.*.name | string | |
| action_result.data.*.attachments.*.size | numeric | |
| action_result.data.*.attachments.*.vaultId | string | sha1 vault id |
| action_result.data.*.bccRecipients.email | string | email |
| action_result.data.*.bccRecipients.name | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.bodyPreview | string | |
| action_result.data.*.categories | string | |
| action_result.data.*.ccRecipients.email | string | email |
| action_result.data.*.ccRecipients.name | string | |
| action_result.data.*.changeKey | string | |
| action_result.data.*.conversationId | string | |
| action_result.data.*.conversationIndex | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.endDateTime.dateTime | string | |
| action_result.data.*.endDateTime.timeZone | string | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.event.allowNewTimeProposals | boolean | |
| action_result.data.*.event.attendees.*.emailAddress.address | string | email |
| action_result.data.*.event.attendees.*.emailAddress.name | string | |
| action_result.data.*.event.attendees.*.status.response | string | |
| action_result.data.*.event.attendees.*.status.time | string | |
| action_result.data.*.event.attendees.*.type | string | |
| action_result.data.*.event.body.content | string | |
| action_result.data.*.event.body.contentType | string | |
| action_result.data.*.event.bodyPreview | string | |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | url |
| action_result.data.*.event.changeKey | string | |
| action_result.data.*.event.createdDateTime | string | |
| action_result.data.*.event.end.dateTime | string | |
| action_result.data.*.event.end.timeZone | string | |
| action_result.data.*.event.hasAttachments | boolean | |
| action_result.data.*.event.hideAttendees | boolean | |
| action_result.data.*.event.iCalUId | string | |
| action_result.data.*.event.id | string | msgoffice365 event id |
| action_result.data.*.event.importance | string | |
| action_result.data.*.event.isAllDay | boolean | |
| action_result.data.*.event.isCancelled | boolean | |
| action_result.data.*.event.isDraft | boolean | |
| action_result.data.*.event.isOnlineMeeting | boolean | |
| action_result.data.*.event.isOrganizer | boolean | |
| action_result.data.*.event.isReminderOn | boolean | |
| action_result.data.*.event.lastModifiedDateTime | string | |
| action_result.data.*.event.location.displayName | string | |
| action_result.data.*.event.location.locationType | string | |
| action_result.data.*.event.location.uniqueIdType | string | |
| action_result.data.*.event.occurrenceId | string | |
| action_result.data.*.event.onlineMeeting.joinUrl | string | url |
| action_result.data.*.event.onlineMeetingProvider | string | |
| action_result.data.*.event.onlineMeetingUrl | string | |
| action_result.data.*.event.organizer.emailAddress.address | string | email |
| action_result.data.*.event.organizer.emailAddress.name | string | |
| action_result.data.*.event.originalEndTimeZone | string | |
| action_result.data.*.event.originalStartTimeZone | string | |
| action_result.data.*.event.recurrence | string | |
| action_result.data.*.event.reminderMinutesBeforeStart | numeric | |
| action_result.data.*.event.responseRequested | boolean | |
| action_result.data.*.event.responseStatus.response | string | |
| action_result.data.*.event.responseStatus.time | string | |
| action_result.data.*.event.sensitivity | string | |
| action_result.data.*.event.seriesMasterId | string | |
| action_result.data.*.event.showAs | string | |
| action_result.data.*.event.start.dateTime | string | |
| action_result.data.*.event.start.timeZone | string | |
| action_result.data.*.event.subject | string | |
| action_result.data.*.event.transactionId | string | |
| action_result.data.*.event.type | string | |
| action_result.data.*.event.webLink | string | url |
| action_result.data.*.flag.flagStatus | string | |
| action_result.data.*.from.emailAddress.address | string | email |
| action_result.data.*.from.emailAddress.name | string | email |
| action_result.data.*.hasAttachments | boolean | |
| action_result.data.*.id | string | msgoffice365 message id |
| action_result.data.*.importance | string | |
| action_result.data.*.inferenceClassification | string | |
| action_result.data.*.internetMessageHeaders.ARC-Authentication-Results | string | |
| action_result.data.*.internetMessageHeaders.ARC-Message-Signature | string | |
| action_result.data.*.internetMessageHeaders.ARC-Seal | string | |
| action_result.data.*.internetMessageHeaders.Accept-Language | string | |
| action_result.data.*.internetMessageHeaders.Authentication-Results | string | |
| action_result.data.*.internetMessageHeaders.Authentication-Results-Original | string | |
| action_result.data.*.internetMessageHeaders.Content-Language | string | |
| action_result.data.*.internetMessageHeaders.Content-Transfer-Encoding | string | |
| action_result.data.*.internetMessageHeaders.Content-Type | string | |
| action_result.data.*.internetMessageHeaders.DKIM-Signature | string | |
| action_result.data.*.internetMessageHeaders.Date | string | |
| action_result.data.*.internetMessageHeaders.From | string | |
| action_result.data.*.internetMessageHeaders.In-Reply-To | string | |
| action_result.data.*.internetMessageHeaders.MIME-Version | string | |
| action_result.data.*.internetMessageHeaders.Message-ID | string | |
| action_result.data.*.internetMessageHeaders.Received | string | |
| action_result.data.*.internetMessageHeaders.Received-SPF | string | |
| action_result.data.*.internetMessageHeaders.References | string | |
| action_result.data.*.internetMessageHeaders.Return-Path | string | email |
| action_result.data.*.internetMessageHeaders.Subject | string | |
| action_result.data.*.internetMessageHeaders.Thread-Index | string | |
| action_result.data.*.internetMessageHeaders.Thread-Topic | string | |
| action_result.data.*.internetMessageHeaders.To | string | |
| action_result.data.*.internetMessageHeaders.X-EOPAttributedMessage | string | |
| action_result.data.*.internetMessageHeaders.X-EOPTenantAttributedMessage | string | |
| action_result.data.*.internetMessageHeaders.X-Forefront-Antispam-Report | string | |
| action_result.data.*.internetMessageHeaders.X-Forefront-Antispam-Report-Untrusted | string | |
| action_result.data.*.internetMessageHeaders.X-Gm-Message-State | string | |
| action_result.data.*.internetMessageHeaders.X-Google-DKIM-Signature | string | |
| action_result.data.*.internetMessageHeaders.X-Google-Smtp-Source | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-AntiSpam-MessageData | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-AntiSpam-MessageData-Original-0 | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-AntiSpam-MessageData-Original-ChunkCount | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-AuthAs | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-AuthSource | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-FromEntityHeader | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-MailboxType | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-Network-Message-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-OriginalArrivalTime | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-UserPrincipalName | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthAs | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthMechanism | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthSource | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationInterval | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationIntervalReason | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationStartTime | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationStartTimeReason | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-MessageDirectionality | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-Network-Message-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-SCL | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Processed-By-BccFoldering | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-CrossTenantHeadersPromoted | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-CrossTenantHeadersStamped | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-CrossTenantHeadersStripped | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-EndToEndLatency | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Has-Attach | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Office365-Filtering-Correlation-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Office365-Filtering-Correlation-Id-Prvs | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Oob-TLC-OOBClassifiers | string | |
| action_result.data.*.internetMessageHeaders.X-MS-PublicTrafficType | string | |
| action_result.data.*.internetMessageHeaders.X-MS-TNEF-Correlator | string | |
| action_result.data.*.internetMessageHeaders.X-MS-TrafficTypeDiagnostic | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Mailbox-Delivery | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Message-Info | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Message-Info-Original | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Untrusted | string | |
| action_result.data.*.internetMessageHeaders.X-Originating-IP | string | |
| action_result.data.*.internetMessageHeaders.X-Received | string | |
| action_result.data.*.internetMessageHeaders.subject | string | |
| action_result.data.*.internetMessageHeaders.x-ms-exchange-antispam-relay | string | |
| action_result.data.*.internetMessageHeaders.x-ms-exchange-calendar-series-instance-id | string | |
| action_result.data.*.internetMessageHeaders.x-ms-exchange-senderadcheck | string | |
| action_result.data.*.internetMessageHeaders.x-ms-traffictypediagnostic | string | |
| action_result.data.*.internetMessageId | string | msgoffice365 internet message id |
| action_result.data.*.isAllDay | boolean | |
| action_result.data.*.isDelegated | boolean | |
| action_result.data.*.isDeliveryReceiptRequested | boolean | |
| action_result.data.*.isDraft | boolean | |
| action_result.data.*.isOutOfDate | boolean | |
| action_result.data.*.isRead | boolean | |
| action_result.data.*.isReadReceiptRequested | boolean | |
| action_result.data.*.lastModifiedDateTime | string | |
| action_result.data.*.meetingMessageType | string | |
| action_result.data.*.meetingRequestType | string | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.previousEndDateTime | string | |
| action_result.data.*.previousLocation | string | |
| action_result.data.*.previousStartDateTime | string | |
| action_result.data.*.previousEndDateTime.dateTime | string | |
| action_result.data.*.previousEndDateTime.timeZone | string | |
| action_result.data.*.previousStartDateTime.dateTime | string | |
| action_result.data.*.previousStartDateTime.timeZone | string | |
| action_result.data.*.receivedDateTime | string | |
| action_result.data.*.recurrence | string | |
| action_result.data.*.replyTo | string | |
| action_result.data.*.responseRequested | boolean | |
| action_result.data.*.sender.emailAddress.address | string | email |
| action_result.data.*.sender.emailAddress.name | string | email |
| action_result.data.*.sentDateTime | string | |
| action_result.data.*.startDateTime.dateTime | string | |
| action_result.data.*.startDateTime.timeZone | string | |
| action_result.data.*.subject | string | msgoffice365 subject |
| action_result.data.*.toRecipients.*.emailAddress.address | string | email |
| action_result.data.*.toRecipients.*.emailAddress.name | string | |
| action_result.data.*.type | string | |
| action_result.data.*.vaultId | string | |
| action_result.data.*.webLink | string | url |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get non-standard email properties from the server
Type: investigate
Read only: True
For a list of possible properties to retrieve, visit https://docs.microsoft.com/en-us/graph/api/message-get?view=graph-rest-1.0&tabs=http.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| id | required | Message ID to get properties of | string | msgoffice365 message id |
| email_address | required | Email address of the mailbox owner | string | email |
| get_headers | optional | Get email headers | boolean | |
| get_body | optional | Get email body | boolean | |
| get_unique_body | optional | Get unique email body | boolean | |
| get_sender | optional | Get email sender | boolean | |
| properties_list | optional | Other properties to get (comma-separated list) | string |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.get_body | boolean | |
| action_result.parameter.get_headers | boolean | |
| action_result.parameter.get_sender | boolean | |
| action_result.parameter.get_unique_body | boolean | |
| action_result.parameter.id | string | msgoffice365 message id |
| action_result.parameter.properties_list | string | |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.id | string | |
| action_result.data.*.internetMessageHeaders.Accept-Language | string | |
| action_result.data.*.internetMessageHeaders.Authentication-Results | string | |
| action_result.data.*.internetMessageHeaders.Content-Language | string | |
| action_result.data.*.internetMessageHeaders.Content-Transfer-Encoding | string | |
| action_result.data.*.internetMessageHeaders.Content-Type | string | |
| action_result.data.*.internetMessageHeaders.DKIM-Signature | string | |
| action_result.data.*.internetMessageHeaders.Date | string | |
| action_result.data.*.internetMessageHeaders.From | string | |
| action_result.data.*.internetMessageHeaders.In-Reply-To | string | |
| action_result.data.*.internetMessageHeaders.MIME-Version | string | |
| action_result.data.*.internetMessageHeaders.Message-ID | string | |
| action_result.data.*.internetMessageHeaders.Received | string | |
| action_result.data.*.internetMessageHeaders.Received-SPF | string | |
| action_result.data.*.internetMessageHeaders.References | string | |
| action_result.data.*.internetMessageHeaders.Return-Path | string | email |
| action_result.data.*.internetMessageHeaders.Subject | string | |
| action_result.data.*.internetMessageHeaders.Thread-Index | string | |
| action_result.data.*.internetMessageHeaders.Thread-Topic | string | |
| action_result.data.*.internetMessageHeaders.To | string | |
| action_result.data.*.internetMessageHeaders.X-EOPAttributedMessage | string | |
| action_result.data.*.internetMessageHeaders.X-EOPTenantAttributedMessage | string | |
| action_result.data.*.internetMessageHeaders.X-Forefront-Antispam-Report | string | |
| action_result.data.*.internetMessageHeaders.X-Gm-Message-State | string | |
| action_result.data.*.internetMessageHeaders.X-Google-DKIM-Signature | string | |
| action_result.data.*.internetMessageHeaders.X-Google-Smtp-Source | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-AntiSpam-MessageData | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-AuthAs | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-AuthSource | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-FromEntityHeader | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-MailboxType | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-Network-Message-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-OriginalArrivalTime | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-CrossTenant-UserPrincipalName | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthAs | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthMechanism | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-AuthSource | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationInterval | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationIntervalReason | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationStartTime | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-ExpirationStartTimeReason | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-MessageDirectionality | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-Network-Message-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Organization-SCL | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Processed-By-BccFoldering | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-CrossTenantHeadersStamped | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Exchange-Transport-EndToEndLatency | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Has-Attach | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Office365-Filtering-Correlation-Id | string | |
| action_result.data.*.internetMessageHeaders.X-MS-Oob-TLC-OOBClassifiers | string | |
| action_result.data.*.internetMessageHeaders.X-MS-PublicTrafficType | string | |
| action_result.data.*.internetMessageHeaders.X-MS-TNEF-Correlator | string | |
| action_result.data.*.internetMessageHeaders.X-MS-TrafficTypeDiagnostic | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Mailbox-Delivery | string | |
| action_result.data.*.internetMessageHeaders.X-Microsoft-Antispam-Message-Info | string | |
| action_result.data.*.internetMessageHeaders.X-Originating-IP | string | |
| action_result.data.*.internetMessageHeaders.X-Received | string | |
| action_result.data.*.internetMessageHeaders.subject | string | |
| action_result.data.*.receivedDateTime | string | |
| action_result.data.*.sender.emailAddress.address | string | email |
| action_result.data.*.sender.emailAddress.name | string | email |
| action_result.data.*.subject | string | |
| action_result.data.*.uniqueBody.content | string | |
| action_result.data.*.uniqueBody.contentType | string | |
| action_result.summary | string | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Search emails
Type: investigate
Read only: True
If the query or internet_message_id parameters are included, the subject, sender, body, and range parameters will be ignored. The internet_message_id parameter will take precedence over the query parameter.
For information on formatting the query parameter, see https://developer.microsoft.com/en-us/graph/docs/concepts/query_parameters.
If the limit parameter is not included, the action will default to limiting to ten emails that match the rest of the query. The get_folder_id parameter should be enabled only when you specified folder name/folder path in the folder parameter. If you provide folder ID in the folder parameter and set get_folder_id parameter to true, it will throw an error of folder ID not found for given folder name (because the action considers folder parameter value as folder name/folder path). The folder parameter must be either a (case sensitive) well-known name [list here; https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0] or the internal o365 folder ID. The action supports searching for a folder that is nested within another. To copy in such a folder, specify the complete folder path using the '/' (forward slash) as the separator.
e.g. to search in a folder named phishing which is nested within (is a child of) Inbox, set the value as Inbox/phishing. If a folder name has a literal forward slash('/') in the name escape it with a backslash('\') to differentiate.
When the search_well_known_folders parameter is set to true, action will ignore values provided in the folder and get_folder_id parameters and the user will get details from all 17 well-known folders which are listed below:
- Archive
- Clutter
- Conflicts
- Conversation History
- Deleted Items
- Drafts
- Inbox
- Junk Email
- Local Failures
- Msg Folder Root
- Outbox
- Recoverable Items Deletions
- Scheduled
- Search Folders
- Sent Items
- Server Failures
- Sync Issues
If the limit parameter is provided, the user will get the number of messages provided in the limit from every folder if present.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| email_address | required | User's email (mailbox to search in) | string | email |
| folder | optional | Destination folder; this must be either a (case-sensitive) well-known name or the internal o365 folder ID | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| search_well_known_folders | optional | Checks all well known folders for messages, ignores folder name provided in parameter | boolean | |
| get_folder_id | optional | Assume the folder parameter contains a folder name/folder path, separated by '/'(forward slash) ; i.e. Inbox/dir1/dir2/dir3. If this parameter is enabled, it retrieves the folder ID for the provided folder name/folder path automatically and replaces the parameter value | boolean | |
| subject | optional | Substring to search in subject | string | msgoffice365 subject |
| body | optional | Substring to search in body | string | |
| sender | optional | Sender email address to match | string | email |
| limit | optional | Maximum emails to return | numeric | |
| query | optional | MS Graph query string | string | |
| internet_message_id | optional | Internet message ID | string | msgoffice365 internet message id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.body | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.folder | string | msgoffice365 mail folder msgoffice365 mail folder path msgoffice365 folder id |
| action_result.parameter.get_folder_id | boolean | |
| action_result.parameter.internet_message_id | string | msgoffice365 internet message id |
| action_result.parameter.limit | numeric | |
| action_result.parameter.query | string | |
| action_result.parameter.search_well_known_folders | boolean | |
| action_result.parameter.sender | string | email |
| action_result.parameter.subject | string | msgoffice365 subject |
| action_result.data.*[email protected] | string | |
| action_result.data.*[email protected] | string | |
| action_result.data.*.allowNewTimeProposals | string | |
| action_result.data.*.bccRecipients.*.emailAddress.address | string | |
| action_result.data.*.bccRecipients.*.emailAddress.name | string | |
| action_result.data.*.bccRecipients.email | string | email |
| action_result.data.*.bccRecipients.name | string | |
| action_result.data.*.body.content | string | |
| action_result.data.*.body.contentType | string | |
| action_result.data.*.bodyPreview | string | |
| action_result.data.*.categories | string | |
| action_result.data.*.ccRecipients.*.emailAddress.address | string | |
| action_result.data.*.ccRecipients.*.emailAddress.name | string | |
| action_result.data.*.ccRecipients.email | string | email |
| action_result.data.*.ccRecipients.name | string | |
| action_result.data.*.changeKey | string | |
| action_result.data.*.conversationId | string | |
| action_result.data.*.conversationIndex | string | |
| action_result.data.*.createdDateTime | string | |
| action_result.data.*.endDateTime.dateTime | string | |
| action_result.data.*.endDateTime.timeZone | string | |
| action_result.data.*.flag.flagStatus | string | |
| action_result.data.*.from.emailAddress.address | string | email |
| action_result.data.*.from.emailAddress.name | string | |
| action_result.data.*.hasAttachments | boolean | |
| action_result.data.*.id | string | msgoffice365 message id |
| action_result.data.*.importance | string | |
| action_result.data.*.inferenceClassification | string | |
| action_result.data.*.internetMessageId | string | msgoffice365 internet message id |
| action_result.data.*.isAllDay | boolean | |
| action_result.data.*.isDelegated | boolean | |
| action_result.data.*.isDeliveryReceiptRequested | boolean | |
| action_result.data.*.isDraft | boolean | |
| action_result.data.*.isOutOfDate | boolean | |
| action_result.data.*.isRead | boolean | |
| action_result.data.*.isReadReceiptRequested | boolean | |
| action_result.data.*.lastModifiedDateTime | string | |
| action_result.data.*.meetingMessageType | string | |
| action_result.data.*.meetingRequestType | string | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.previousEndDateTime | string | |
| action_result.data.*.previousEndDateTime.dateTime | string | |
| action_result.data.*.previousEndDateTime.timeZone | string | |
| action_result.data.*.previousLocation | string | |
| action_result.data.*.previousStartDateTime | string | |
| action_result.data.*.previousStartDateTime.dateTime | string | |
| action_result.data.*.previousStartDateTime.timeZone | string | |
| action_result.data.*.receivedDateTime | string | |
| action_result.data.*.recurrence | string | |
| action_result.data.*.replyTo | string | |
| action_result.data.*.replyTo.*.emailAddress.address | string | |
| action_result.data.*.replyTo.*.emailAddress.name | string | |
| action_result.data.*.responseRequested | boolean | |
| action_result.data.*.sender.emailAddress.address | string | email |
| action_result.data.*.sender.emailAddress.name | string | |
| action_result.data.*.sentDateTime | string | |
| action_result.data.*.startDateTime.dateTime | string | |
| action_result.data.*.startDateTime.timeZone | string | |
| action_result.data.*.subject | string | msgoffice365 subject |
| action_result.data.*.toRecipients.*.emailAddress.address | string | email |
| action_result.data.*.toRecipients.*.emailAddress.name | string | |
| action_result.data.*.type | string | |
| action_result.data.*.vaultId | string | sha1 vault id |
| action_result.data.*.webLink | string | url |
| action_result.summary.emails_matched | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Create a new folder
Type: generic
Read only: False
Create a new folder either in the mailbox root or inside an existing folder. The action supports creating a folder that is nested within another. To create in such a folder, specify the complete path using the '/' (forward slash) as the separator.
e.g. to search in a folder named phishing which is nested within (is a child of) Inbox, set the value as Inbox/phishing. If a folder name has a literal forward slash('/') in the name escape it with a backslash('\') to differentiate.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| email_address | required | User's email (mailbox to create folders) | string | email |
| folder | required | Folder Name/Path. Use '/'to separate folder elements; i.e. Inbox/dir1/dir2/dir3 | string | msgoffice365 mail folder msgoffice365 mail folder path |
| all_subdirs | optional | Make any missing directories in the path if they don't exist instead of failing | boolean |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.all_subdirs | boolean | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.folder | string | msgoffice365 mail folder msgoffice365 mail folder path |
| action_result.data.*[email protected] | string | url |
| action_result.data.*[email protected] | string | |
| action_result.data.*.childFolderCount | numeric | |
| action_result.data.*.displayName | string | |
| action_result.data.*.id | string | msgoffice365 folder id |
| action_result.data.*.isHidden | boolean | |
| action_result.data.*.parentFolderId | string | msgoffice365 folder id |
| action_result.data.*.sizeInBytes | numeric | |
| action_result.data.*.totalItemCount | numeric | |
| action_result.data.*.unreadItemCount | numeric | |
| action_result.summary.folder | string | |
| action_result.summary.folders created | numeric | |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Get the API ID of the folder
Type: investigate
Read only: True
The action supports searching a folder that is nested within another. To search in such a folder, specify the complete path using the '/' (forward slash) as the separator.
e.g. to search in a folder named phishing which is nested within (is a child of) Inbox, set the value as Inbox/phishing. If a folder name has a literal forward slash('/') in the name escape it with a backslash('\') to differentiate.
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| email_address | required | User's email (mailbox) | string | email |
| folder | required | Folder Name/Path. Use '/' to separate folder elements; i.e. Inbox/dir1/dir2/dir3 | string | msgoffice365 mail folder msgoffice365 mail folder path |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | |
| action_result.parameter.email_address | string | email |
| action_result.parameter.folder | string | msgoffice365 mail folder msgoffice365 mail folder path |
| action_result.data.*.folder | string | msgoffice365 mail folder msgoffice365 mail folder path |
| action_result.data.*.folder_id | string | msgoffice365 folder id |
| action_result.data.*.path | string | msgoffice365 mail folder msgoffice365 mail folder path |
| action_result.summary.folder_id | string | msgoffice365 folder id |
| action_result.message | string | |
| summary.total_objects | numeric | |
| summary.total_objects_successful | numeric |
Ingest emails from Office 365 using Graph API
Type: ingest
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| start_time | optional | Parameter Ignored in this app | numeric | |
| end_time | optional | Parameter Ignored in this app | numeric | |
| container_id | optional | Parameter Ignored in this app | string | |
| container_count | required | Maximum number of emails to ingest | numeric | |
| artifact_count | optional | Parameter Ignored in this app | numeric |
No Output