List Emails

List and query all emails.

Basic Parameters

| Parameter | Description |
| --- | --- |
| From | Query by the sender of the email. |
| Subject | Query by words from the email subject. Multiple words must be separated by spaces. |
| To | Query by the address of the recipient of the email. |

Advanced Parameters

| Parameter | Description |
| --- | --- |
| Alert ID | The ID of the alert the email is connected to. |
| End | The end time of the query window. |
| Limit | The number of results returned. Valid range is 1-1000. |
| Message ID | The message ID of the email. |
| Since | The start time of the query window. |

Example Output

{
  "data": [
    {
      "client_name": "mr. client",
      "client_recipients": [
        "rebecca@example.com"
      ],
      "envelope_to": [
        "rebecca@example.com"
      ],
      "final_disposition": "NONE",
      "from": "kelsey@example.com",
      "message_id": "<DM3P159M258D4E0@DM3P159MB001.PROD.OUTLOOK.COM>",
      "phish_submission": false,
      "postfix_id": "47Jjcz1H88z11M4F",
      "postfix_ident": "47Jjcz1H88z11M4F",
      "postfix_ident_outbound": "47Jjdp3WRsz11M1D",
      "properties": {
        "whitelisted_message": true,
        "whitelisted_pattern": "quarantine@area1reports.com",
        "whitelisted_pattern_type": "ALLOWED_SENDER"
      },
      "redressed_actions": [
        {
          "completed_timestamp": "2022-12-30T13:44:15",
          "destination": "RecoverableItemsPurges",
          "message_id": "<DM3P159M258D4E0@DM3P159MB001.PROD.OUTLOOK.COM>",
          "operation": "RETRACTION",
          "properties": {
            "findings": [
              {
                "action": "PROMOTE",
                "detail": "ThreatType_Link",
                "detection": "MALICIOUS",
                "field": "metadata",
                "name": "yara_hit_finding",
                "portion": "MESSAGE",
                "reason": "Message matched malicious signature SentimentCM_Voicemail.All.RecentlyCreatedDomain.URL.Phishing",
                "score": 0,
                "value": "SentimentCM_Voicemail.All.RecentlyCreatedDomain.URL.Phishing"
              },
              {
                "action": "PROMOTE",
                "detail": "post_delivery",
                "detection": "MALICIOUS",
                "name": "post_delivery_response",
                "reason": "Message detected as malicious by 'Post Delivery Response'",
                "score": 0,
                "value": "Post Delivery Response"
              }
            ],
            "folder": "RecoverableItemsPurges",
            "requested_by": "apr_pdr@area1security.com",
            "requested_disposition": "MALICIOUS"
          },
          "recipient": "rebecca@example.com",
          "started_timestamp": "2022-12-30T13:44:15",
          "status": "message id not found"
        }
      ],
      "subject": "[EXTERNAL] RE: Lost and found",
      "ts": "2019-11-21T15:09:33"
    }
  ],
  "query_time": 1574294490485
}
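
An added example, not part of the original documentation: a Python triage pass over output shaped like the sample above. It reports messages that matched an allow pattern yet later had a redress action requesting a MALICIOUS disposition, and passes each action's status through verbatim. The function name and the trimmed two-record sample are constructed for illustration; only field names and values shown in the example output are assumed.

```python
import json

# Constructed sample: a trimmed copy of the example output plus one benign record.
SAMPLE = json.loads("""
{"data": [
  {"from": "kelsey@example.com",
   "message_id": "<DM3P159M258D4E0@DM3P159MB001.PROD.OUTLOOK.COM>",
   "final_disposition": "NONE",
   "properties": {"whitelisted_message": true,
                  "whitelisted_pattern": "quarantine@area1reports.com",
                  "whitelisted_pattern_type": "ALLOWED_SENDER"},
   "redressed_actions": [
     {"operation": "RETRACTION", "recipient": "rebecca@example.com",
      "status": "message id not found",
      "properties": {"requested_disposition": "MALICIOUS",
                     "findings": [{"name": "yara_hit_finding"},
                                  {"name": "post_delivery_response"}]}}]},
  {"from": "newsletter@example.com", "message_id": "<constructed-2@example.com>",
   "final_disposition": "NONE", "properties": {}, "redressed_actions": []}
]}
""")

def allowlisted_then_malicious(response):
    """One row per redress action that requested MALICIOUS on an allowlisted message."""
    rows = []
    for email in response.get("data", []):
        props = email.get("properties") or {}
        if not props.get("whitelisted_message"):
            continue  # only messages that bypassed filtering via an allow pattern
        for action in email.get("redressed_actions") or []:
            aprops = action.get("properties") or {}
            if aprops.get("requested_disposition") != "MALICIOUS":
                continue
            rows.append({
                "message_id": email.get("message_id"),
                "from": email.get("from"),
                "allow_pattern": props.get("whitelisted_pattern"),
                "allow_pattern_type": props.get("whitelisted_pattern_type"),
                "operation": action.get("operation"),
                "recipient": action.get("recipient"),
                "status": action.get("status"),  # reported verbatim, not interpreted
                "findings": [f.get("name") for f in aprops.get("findings", [])],
            })
    return rows

if __name__ == "__main__":
    for row in allowlisted_then_malicious(SAMPLE):
        print(json.dumps(row, indent=2))
```

Each row pairs the allow pattern that let the message through with the post-delivery findings, which makes it a starting point for reviewing that allow entry and for checking the mailbox named in `recipient` against the reported `status`.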

Workflow Library Example

List Emails with Area 1 and Send Results Via Email
