EWS for O365 SOAR app. Message Id error.

Samu
Engager

Hi all,

After running several actions from the EWS for O365 app (version 2.12.0) in Phantom, the following error is received:

"API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.".

As per the app documentation, the expected field format for "Message ID" is not specified.

I'm using the Message Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Which is the expected format?

Thanks in advance!

 

0 Karma

Topper
Engager

How did you go with this? I'm facing the same issue.

0 Karma

Samu
Engager

I finally found the way. To obtain the ID, it is required to launch the "run query" action first. In the action fields, set the email address in the email field and the clean Message ID in the query field. Do not select any other option, nor fill any other field.

In the response you should see another ID in a base64-like format. This is the ID used to operate on emails. Keep in mind that this ID changes every time you perform any action on the email (moving it to a different folder, for instance).

Hope this helps.

 

Topper
Engager

I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID.

It's also listed under the Event INFO in the container under Details Source ID:

Got there in the end. 

Thank you for the query though, wouldn't have found this without it. 

 

0 Karma
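
Added example (not part of the thread and not code from the app): a pre-flight check that tells a Message-ID header value apart from the base64-like ID the actions expect, so a playbook can route header values through "run query" before they reach an ID field and trigger ErrorInvalidIdMalformed. The function names, the 16-byte minimum and the reading of "clean" as "without angle brackets" are assumptions, and the sample ID is constructed.

```python
import base64
import binascii
import re

# Message-ID header value as it appears in email headers: <left@right>
_MESSAGE_ID_RE = re.compile(r"^<?[^\s<>@]+@[^\s<>@]+>?$")

# Constructed stand-in for the base64-like ID that "run query" returns (not a real ID).
SAMPLE_ITEM_ID = base64.b64encode(bytes(range(48))).decode()


def clean_message_id(value):
    """Assumption: 'clean' means no surrounding whitespace or angle brackets."""
    return value.strip().strip("<>")


def classify_id(value):
    """Return 'internet_message_id', 'ews_item_id' or 'unknown' (heuristic)."""
    v = value.strip()
    if _MESSAGE_ID_RE.match(v):
        return "internet_message_id"
    padded = v + "=" * (-len(v) % 4)
    try:
        # Accept both the standard and the URL-safe base64 alphabets.
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # Assumed lower bound so short alphanumeric words are not mistaken for IDs.
    return "ews_item_id" if len(raw) >= 16 else "unknown"


def preflight(value):
    """Decide whether a value can go straight into an action's ID field."""
    kind = classify_id(value)
    if kind == "ews_item_id":
        # Per the thread, this ID changes when the email is moved: re-resolve after moves.
        return {"kind": kind, "use_as_id": True, "run_query_with": None}
    if kind == "internet_message_id":
        # Header value: resolve it through "run query" first.
        return {"kind": kind, "use_as_id": False,
                "run_query_with": clean_message_id(value)}
    return {"kind": kind, "use_as_id": False, "run_query_with": None}
```
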