Search And Delete Emails - Generic v2
This playbook searches and deletes emails with similar attributes of a malicious email using one of the following integrations: * EWS * Microsoft Graph Security * Gmail * Agari Phishing Defense.
Common Playbooks · 23 tasks · 11 inputs · 0 outputs
Inputs
From— The value of the malicious email's "From" attribute.Subject— The value of the malicious email's "Subject" attribute.AttachmentName— The value of the malicious email's "AttachmentName" attribute.SearchAndDeleteIntegration— The integration in which to run the search and delete action. Can be MS Graph, Gmail, EWS, or Agari Phishing Defense.SearchThisWeek— Whether to limit the search to the current week. Disabling this may increase search scope, execution time, and risk of timeout for large mailboxes.MsgCase— Used only with Microsoft Graph Security. The eDiscovery case name to use. Looked up by name and created if missing.MsgKQL— Used only with Microsoft Graph Security. KQL query identifying the emails to search and delete. Built automatically from the From, Subject, and AttachmentName inputs if left empty.MsgRecipients— Used only with Microsoft Graph Security. CSV of recipient email addresses to scope the search when MsgMailboxScope is recipientsOnly.MsgMailboxScope— Used only with Microsoft Graph Security. Determines which mailboxes to search. Use recipientsOnly to limit to specific recipients, allTenantMailboxes to search the entire tenant.MsgDeleteType— Used only with Microsoft Graph Security. The delete type to perform on the search results. Possible values are Hard or Soft, or leave empty to select manually (Hard = unrecoverable, Soft = recoverable).MsgMailboxExclusion— Used only with Microsoft Graph Security. CSV of mailboxes to exclude from the search. Honored only when MsgMailboxScope is allTenantMailboxes. Note: exclusion works at the message level, not the mailbox level — see subplaybook description for details.
Commands used
apd-remediate-message