O365 - Security And Compliance - Search Action - Preview

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook performs the following steps:

  1. Creates a new compliance search action of type Preview (based on a previously created compliance search).
  2. Waits for the preview action to complete.
  3. Retrieves the preview results.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Waiting for search action to complete

Integrations

  • SecurityAndCompliance

Scripts

This playbook does not use any scripts.

Commands

  • o365-sc-get-search-action
  • o365-sc-new-search-action

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| search_name | The name of the compliance search. | | Required |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Action | Security and compliance search action type. Either "Purge" or "Preview". | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AllowNotFoundExchangeLocationsEnabled | Whether to include mailboxes other than regular user mailboxes in the compliance search. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.AzureBatchFrameworkEnabled | Whether the Azure Batch Framework is enabled for job processing. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseId | Identity of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CaseName | Name of a Core eDiscovery case which is associated with the compliance search. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedBy | Security and compliance search action creator. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.CreatedTime | Security and compliance search action creation time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Description | Security and compliance search action description. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Errors | Security and compliance search action errors. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchJobId | Security and compliance search action job ID estimation. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.EstimateSearchRunId | Security and compliance search action run ID estimation. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocation | Security and compliance search action exchange locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.ExchangeLocationExclusion | Security and compliance search action exchange locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Identity | Security and compliance search action identity. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.IsValid | Whether the security and compliance search action is valid. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobEndTime | Security and compliance search action job end time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobId | Security and compliance search action job ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobRunId | Security and compliance search action job run ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.JobStartTime | Security and compliance search action job start time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.LastModifiedTime | Security and compliance search action last modified time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Name | Security and compliance search action name. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocation | Security and compliance search action public folder locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.PublicFolderLocationExclusion | Security and compliance search action public folder locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Location | Security and compliance search action result location. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Sender | Security and compliance search action result mail sender. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Subject | Security and compliance search action result subject. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Type | Security and compliance search action result type. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.Size | Security and compliance search action result size. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.ReceivedTime | Security and compliance search action result received time. | Date |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Results.DataLink | Security and compliance search action data link. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Retry | Whether to retry if the search action failed. | Boolean |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunBy | Security and compliance search action run by UPN (email address). | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.RunspaceId | Security and compliance search action run space ID. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SearchName | Security and compliance search action search name. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocation | Security and compliance search action SharePoint locations to include. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.SharePointLocationExclusion | Security and compliance search action SharePoint locations to exclude. | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.Status | Security and compliance search action status. Either "Started" or "Completed". | String |
| O365.SecurityAndCompliance.ContentSearch.SearchAction.TenantId | Security and compliance search action Tenant ID. | String |

Known Limitations


  • Each security and compliance command creates a PSSession (PowerShell session). The security and compliance PowerShell limits the number of concurrent sessions to 3. Since this affects the behavior of multiple playbooks running concurrently, we recommend that you retry failed tasks when using the integration commands in playbooks.
  • To handle the session limit, a retry mechanism is applied that retries 10 times with 30-second breaks. (The retry is not applied to the generic polling, as it is not supported there yet.)
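
The create, wait and retrieve flow with the retry described above, as an added sketch that is not the playbook's or the integration's own code. The `execute` callable, `SessionLimitError`, `FakeTenant`, the 60-second poll interval and the argument names `action` and `search_action_name` are assumptions made for illustration; only `search_name`, the two command names, the Status values and the 10 x 30 second retry come from this page.

```python
import time

MAX_RETRIES, RETRY_DELAY = 10, 30   # from the page: 10 retries, 30-second breaks

class SessionLimitError(Exception):
    """Hypothetical error: the command failed because no PSSession was free."""

def with_retry(call, sleep=time.sleep):
    """Run call(); on a session-limit failure wait and retry, up to MAX_RETRIES."""
    for attempt in range(MAX_RETRIES + 1):          # first try + 10 retries
        try:
            return call()
        except SessionLimitError:
            if attempt == MAX_RETRIES:
                raise
            sleep(RETRY_DELAY)

def preview_search(search_name, execute, sleep=time.sleep, poll_every=60, max_polls=30):
    """Create the Preview action, wait for Status 'Completed', return Results."""
    action = with_retry(lambda: execute("o365-sc-new-search-action",
        {"search_name": search_name, "action": "Preview"}), sleep)  # arg names assumed
    name = action["Name"]
    for _ in range(max_polls):
        # Retried here as well, because generic polling has no retry of its own.
        action = with_retry(lambda: execute("o365-sc-get-search-action",
            {"search_action_name": name}), sleep)                   # arg name assumed
        if action["Status"] == "Completed":
            return action.get("Results", [])
        sleep(poll_every)
    raise TimeoutError(f"search action {name!r} did not complete")

class FakeTenant:
    """Constructed stand-in for the integration; rejects the first `busy` calls."""
    def __init__(self, busy, polls_needed):
        self.busy, self.polls_needed = busy, polls_needed

    def execute(self, command, args):
        if self.busy > 0:
            self.busy -= 1
            raise SessionLimitError(command)
        if command == "o365-sc-new-search-action":
            return {"Name": args["search_name"] + "_Preview", "Status": "Started"}
        self.polls_needed -= 1
        done = self.polls_needed <= 0
        return {"Name": args["search_action_name"],
                "Status": "Completed" if done else "Started",
                "Results": [{"Subject": "constructed sample", "Type": "Email"}] if done else []}

if __name__ == "__main__":
    print(preview_search("phish-sweep", FakeTenant(2, 2).execute, sleep=lambda s: None))
```

Passing `sleep` as a parameter lets the waits be recorded or skipped when exercising the flow offline.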