Microsoft Exchange Online integration
Summary of Microsoft Exchange Online integration
The Microsoft Exchange Online integration by ServiceNow allows security analysts to search for and manage phishing threats within the Microsoft Exchange Online environment. This integration enables the detection and remediation of phishing emails, enhancing the capabilities of the Security Incident Response (SIR) product.
Key Features
- Define search criteria for phishing threats using sender, recipient, and subject details.
- Email notifications inform analysts when large searches are complete, detailing matched messages.
- Status updates indicate if suspicious emails have been read or deleted.
- Optional approval process for deleting suspicious emails adds an extra layer of control.
- Complete audit trails document delete requests and actions taken within security incidents.
- Tagging capabilities allow for tracking the status of email search and delete workflows.
Key Outcomes
By implementing this integration, organizations can effectively identify and respond to phishing threats, reducing the risk of email-based attacks. Analysts can streamline the investigation process, ensuring that suspicious emails are swiftly dealt with, thereby protecting corporate users and maintaining email security.
Prerequisites
To use the Microsoft Exchange Online integration, the com.snc.si_dep plugin must be installed to support the Security Incident Response product. The other applications from the Security Operations suite should then be activated in the specified order for a successful installation.
Setup and Configuration
Setup involves configuring your Microsoft Azure account and ServiceNow AI Platform instance. This includes installing the integration application, defining email search criteria, and establishing delete approval processes. Analysts can recover deleted emails if necessary.
Checklist and Troubleshooting
A checklist is provided to ensure all tasks are completed for seamless integration installation and configuration. Troubleshooting tips are available for common permission issues related to the integration.
The Microsoft Exchange Online integration application by ServiceNow connects the ServiceNow AI Platform® Security Incident Response (SIR) product with the Microsoft Exchange Online service, one of the cloud-based services in the Microsoft Office 365 suite of products. Using its email search and delete capabilities, your Security Operations Center (SOC) analysts can search your corporate email environment for security-related threats and remove and remediate phishing emails.
Overview
As the security incident analyst, you execute the integration from the security analyst interface, and the workflow returns the details of email messages that match your search criteria. Email searches are based on criteria that include subject lines as well as sender and recipient email addresses. After the email search is complete, you can delete suspicious emails from the Microsoft Exchange Online service, and an optional approval process can be configured to request approval before emails are deleted.
This email search and delete integration can be used with a broader phishing response incident workflow or runbook. After a corporate user or employee receives a suspicious email and reports it to the company's phishing response team or inbox, the reported email is forwarded to the ServiceNow AI Platform and categorized as a security incident. After you have verified that an email is a phishing attack, as the analyst responsible for investigating phishing incidents, you can initiate an email search to determine if other corporate users have received this phishing email. The search allows you to locate related emails from the same phishing campaign and identify other potential victims who may have received the email, read it, and also potentially clicked a malicious URL or opened an attachment.
Key features
The integration includes the following key features:
- Configure search criteria for phishing threats in Security Incident Response based on combinations of the sender, recipient, and subject fields on email messages.
- For large and lengthy email searches, the security incident analyst is notified via email when the search has successfully completed, along with the number of matched messages.
- Status for individual messages informs you if recipients have read or deleted suspicious emails.
- If configured, optional approval processes ensure that suspicious emails are not deleted without prior approval.
- A complete audit trail for delete requests that includes the number of deleted emails is logged in the work notes of security incidents.
- If tagging is configured, security tags record when email search and delete workflows are initiated and successfully completed on security incidents.
Supported Microsoft Exchange Online versions
This integration supports Microsoft Exchange Online services, which are part of the Microsoft Office 365 suite. The integration does not support hosted Microsoft Exchange environments. Microsoft runs Microsoft Exchange Online services on the Exchange 2016 version.
Prerequisites
The com.snc.si_dep plugin is required for any ServiceNow AI Platform version. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin first, then install and activate the other Security Operations applications in the following order:
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
Integration architecture and systems connection
For more information about the architecture of the integration, including key terms and external systems connection details, see Integration architecture and external systems connection for the Microsoft Exchange Online integration.
Checklist
The following topics are numbered. Follow the topics that are listed below in the order that they are presented for a smooth installation and configuration of the application.
For a printable checklist of these steps, see Checklist for the Microsoft Exchange Online integration. You can use this list to monitor your progress as you work through the end-to-end tasks of integration setup, configuration, and verification of results.
Limitations
- The availability of data through the Microsoft Threat Hunting API is subject to delays caused by latency between the Exchange Server, Graph API, and Hunting API. Synchronization between the Hunting API and the Exchange server may require a few minutes. The latency period is variable and can differ from one instance to another.
- Limitations of the Hunting API, including quotas and resource allocation, are explained in the Microsoft Graph documentation: https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#advanced-hunting
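As an added example that is not part of the ServiceNow integration, the following Python shows how the sender/recipient/subject criteria from the Key features section can be combined into an advanced-hunting (KQL) query with analyst input safely quoted, how a hunting result set is reduced to the figures an analyst records, and how the latency described under Limitations can be handled by re-running the search until the reported message itself appears. The EmailEvents table and column names, the `{"results": [...]}` response shape, the `run_query` callable and the sample rows are assumptions or constructed data, not taken from the page.

```python
"""Constructed example, not ServiceNow's integration code: build a KQL hunting
query from sender/recipient/subject criteria and retry until the index catches up."""
import time
from typing import Callable, Optional
# Constructed sample rows in the shape of a hunting response ({"results": [...]}).
SAMPLE = {"results": [
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "a@example.com", "DeliveryAction": "Delivered"},
    {"NetworkMessageId": "msg-2", "RecipientEmailAddress": "b@example.com", "DeliveryAction": "Blocked"},
    {"NetworkMessageId": "msg-3", "RecipientEmailAddress": "a@example.com", "DeliveryAction": "Delivered"},
]}

def kql_literal(value: str) -> str:
    # Quote analyst input so quotes/backslashes in a subject cannot alter the query.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_email_search(sender: Optional[str] = None, recipient: Optional[str] = None,
                       subject: Optional[str] = None, lookback_days: int = 30) -> str:
    # AND together the criteria that are set. Table/column names assume the
    # Microsoft 365 Defender EmailEvents schema (an assumption, not from the page).
    clauses = []
    if sender:
        clauses.append(f"SenderFromAddress =~ {kql_literal(sender)}")
    if recipient:
        clauses.append(f"RecipientEmailAddress =~ {kql_literal(recipient)}")
    if subject:
        clauses.append(f"Subject has {kql_literal(subject)}")
    if not clauses:
        raise ValueError("at least one of sender, recipient or subject is required")
    return (f"EmailEvents | where Timestamp > ago({lookback_days}d) | where "
            + " and ".join(clauses)
            + " | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction")

def summarize(response: dict) -> dict:
    # The figures an analyst records in the work notes: matches, recipients, delivered copies.
    rows = response.get("results", [])
    return {"matched": len(rows),
            "recipients": sorted({r["RecipientEmailAddress"] for r in rows}),
            "delivered": sum(1 for r in rows if r.get("DeliveryAction") == "Delivered")}

def search_until_indexed(run_query: Callable[[str], dict], query: str, reported_id: str,
                         attempts: int = 5, delay_s: float = 60.0) -> dict:
    # The Hunting API lags Exchange by a variable few minutes: until the message the
    # employee reported shows up, the result set is incomplete, so retry before acting.
    response: dict = {"results": []}
    for attempt in range(attempts):
        response = run_query(query)
        if any(r.get("NetworkMessageId") == reported_id for r in response.get("results", [])):
            return response
        if attempt < attempts - 1:
            time.sleep(delay_s)
    return response  # still incomplete after all attempts; the analyst decides
```

In production, `run_query` would wrap the Microsoft Graph hunting endpoint with the tenant's credentials; here it is injected so the logic can be exercised offline.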