The Microsoft EWS Incoming Mail Daemon automatically retrieves emails. It enables seamless integration with security automation platforms by pulling in messages for further analysis and action.
24
+
### Use cases
25
+
26
+
* Automatically ingest emails from monitored mailboxes for phishing analysis or ticketing systems.
27
+
* Feed email content into security orchestration workflows.
28
+
* Process and analyze attachments (for example, .eml, .msg, documents) in near real-time.
29
+
* Extract and enrich sender/recipient metadata for further investigation.
30
+
31
+
### Supported versions
32
+
33
+
* Microsoft Exchange Online (Office 365)
34
+
35
+
### Prerequisites
36
+
* Active Azure subscription
37
+
* Application registration with:
38
+
* Client ID
39
+
* Client Secret
40
+
* Tenant ID
41
+
* EWS API permissions
42
+
* Basic authentication (legacy) or OAuth 2.0 with modern authentication
43
+
* Correctly configured EWS endpoint
44
+
* Valid credentials or token
45
+
46
+
### Limitations
47
+
* Certain attachments may be represented differently, which can result in missing or inconsistent file metadata (for example, name or type).
48
+
* Mailbox rate limits may apply depending on Microsoft tenant configuration
* Set retrieval parameters like polling frequency, folders to include/exclude.
55
+
* Enable the Daemon action in a rule or playbook.
56
+
* Emails are pulled automatically.
57
+
58
+
### Advanced usage
59
+
* Use filtering parameters to narrow email scope:
60
+
* Subject keywords
61
+
* Sender domain
62
+
* Date ranges
63
+
* Enable the Daemon action in a rule or playbook.
64
+
19
65
## Actions
20
66
21
67
***Microsoft EWS Incoming Mail Daemon***(Daemon)* - Automatically retrieve emails from EWS.
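Review bot: The Prerequisites item "Basic authentication (legacy) or OAuth 2.0 with modern authentication" gives readers no guidance on which method to pick, even though the Supported versions list names only Exchange Online (Office 365) and the item itself labels Basic as legacy; state which method is expected for that platform and which prerequisites (Client ID, Client Secret, Tenant ID) apply only to OAuth 2.0. In the Advanced usage list, "Enable the Daemon action in a rule or playbook." repeats the step given a few lines earlier and can be dropped or replaced with a filtering-specific step. The Limitations item "Mailbox rate limits may apply depending on Microsoft tenant configuration" is missing its closing period.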
@@ -134,10 +180,66 @@ import IntegrationsAuth from '../../../../reuse/integrations-authentication.md';
134
180
135
181
<IntegrationsAuth/>
136
182
183
+
Use the information you set up in [Microsoft EWS configuration](#microsoft-ews-configuration) above:
184
+
***Host**. Enter the host name of the EWS instance, for example, `outlook.office365.com`.
185
+
***Authentication Method**. Select the [EWS authentication](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange) method:
186
+
***Basic**
187
+
***NTLM**
188
+
***OAuth 2.0**
189
+
***Username**. Enter the Microsoft EWS username.
190
+
***Password**. Enter the Microsoft EWS password.
191
+
***Primary SMTP Address**. Enter the [primary SMTP address](https://learn.microsoft.com/en-us/exchange/client-developer/web-service-reference/primarysmtpaddress) for the user.
192
+
***Tenant ID**. Enter the [tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) for authentication.
193
+
***Client ID**. Enter the client ID for authentication.
194
+
***Client Secret**. Enter the client secret for authentication.
195
+
***Cloud SOAR API URL**. Enter the URL for your Cloud SOAR API, for example, `https://api.sumologic.com`. Enter the [API endpoint URL](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for your region.
196
+
***Access ID**. Enter the access ID from a Sumo Logic [access key](/docs/manage/security/access-keys/). Select **Default** as the scope when generating access keys.
197
+
***Access Key**. Enter the access key associated with the Sumo Logic access ID entered above.
198
+
***Automation Engine**. Select whether to use [Cloud or Bridge execution](/docs/platform-services/automation-service/automation-service-integrations/#cloud-or-bridge-execution).
For information about Microsoft EWS, see [Microsoft Exchange Web Services documentation](https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth).
140
203
204
+
## API reference
205
+
206
+
### Configuration
207
+
Environment variables or parameters:
208
+
* Tenant
209
+
* Client ID
210
+
* Client secret
211
+
* Email: The service account email address
212
+
* Password or OAuth token: Authentication credentials
213
+
* Automation bridge
214
+
* And other fields info based on the requirement
215
+
216
+
### Containment APIs
217
+
218
+
### Rate Limits and Quotas
219
+
* Microsoft may enforce throttling based on:
220
+
* Number of concurrent EWS requests
221
+
* Number of items retrieved per call
222
+
* Number of mailbox accesses per day/hour
223
+
224
+
#### Troubleshooting
225
+
| Issue | Resolution | Resolution |
226
+
| :-- |:-- |:-- |
227
+
| No emails retrieved | Incorrect folder, filters too strict | Check filters, verify folder ID |
228
+
| Authentication failed | Invalid credentials or token | Update credentials and reauthorize |
229
+
230
+
### FAQ
231
+
232
+
#### Can I filter which emails are fetched?
233
+
Yes. Filtering can be applied based on folders, received time. Custom filters may be implemented depending on integration configuration.
234
+
235
+
#### How frequently does the Daemon poll for new messages?
236
+
The polling interval is determined by the configuration within the integration setup or automation rule.
237
+
238
+
### Support
239
+
* For issues, questions, or improvements:
240
+
* Microsoft [Q&A](https://learn.microsoft.com/answers)
241
+
* Review logs on the portal using log search.
242
+
141
243
## Category
142
244
143
245
Email Gateway
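Review bot: The Troubleshooting table header "| Issue | Resolution | Resolution |" names two columns the same, while the middle column holds causes ("Incorrect folder, filters too strict", "Invalid credentials or token"); rename the middle column to "Cause". The "### Containment APIs" heading has no content before "### Rate Limits and Quotas" and should be filled in or removed, and "#### Troubleshooting" is nested one level under Rate Limits and Quotas although it is not about throttling. In the field list, Username, Password, Tenant ID, Client ID and Client Secret are all presented unconditionally; say which fields each Authentication Method (Basic, NTLM, OAuth 2.0) requires so readers do not store a password or client secret the chosen method never uses. "And other fields info based on the requirement" under Configuration is too vague to act on; list the fields or delete the item.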
@@ -150,3 +252,4 @@ Email Gateway
150
252
* March 4, 2024 (v2.3) - Updated code for compatibility with Python 3.12
151
253
* March 21, 2024 (v2.4) - Resolved an issue related to the Email Body
152
254
* May 9, 2024 (v2.5) - A new field has been added to the integration resource for specifying the folder or path to search within
255
+
* May 16, 2025 (v2.6) - Enhanced attachment handling to ensure accurate detection and processing.
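Review bot: The v2.6 entry's "to ensure accurate detection and processing" promises more than the Limitations section added in this same commit, which says certain attachments can still end up with missing or inconsistent file metadata (name or type). Reword the entry to say what changed in attachment handling, or align it with the stated limitation so the two do not contradict each other.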