Get Threat Email Details and Delete workflow

The Security Incident Response - Get Threat Email Details and Delete workflow returns threat email details from an Exchange Server search. You can delete the emails upon approval.

About this task

In the security incident, the Delete from Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return details.
Exchange Search form example
Workflow process activities include:
  • Runs a script that assembles a search query from all associated active search criteria records, then runs that query on the Exchange Server using the Get Email Details from Exchange Server activity.
  • Runs a script to create search results from the previous activity. The Exchange Search Results record contains these fields:
    Field                Value
    Action               Search for Delete or Delete.
    Result type          Details.
    Email count          Integer (total number of emails found). Appears only with the Delete action.
    Search query         Query text string that is run on the Exchange Server.
    Email date received  Timestamp for when the email arrived. Appears only with the Search for Delete action.
    Email read status    Read or Not Read. Appears only with the Search for Delete action.
    Recipient            Full email address. Appears only with the Search for Delete action.
    Search date          Timestamp for when the workflow ran.
    Message ID           Email message ID from the Exchange Server. Included only with the Search for Delete action. (Not displayed.)
  • Approval - User.
    Note: Users with sn_si.admin roles are automatically added as approvers. If any one admin approves, the workflow continues.
  • Runs a script to add a work note to all associated security incidents when approval is requested and when the request is approved or rejected.
    Work note approval message example

  • Deletes emails upon approval using the Search/Delete Threat Email in Exchange activity.
  • Creates an Exchange Search Results record as follows:
    Note: The email details are neither returned nor displayed in the Delete result.
    Exchange email deletion results example
  • Adds a work note to all associated security incidents with deletion result.
  • Logs a message.
    Note: Any PowerShell script errors are recorded in the system logs.
Get Threat Email Details and Delete workflow diagram
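The two-phase shape of this workflow (search and record details first, delete only after an administrator approves) is what matters for safety. The following PowerShell script is an added example written for this page; it is not the script inside the ServiceNow Exchange activities, whose contents are not shown here. It assumes an on-premises Exchange Management Shell session with the Search-Mailbox cmdlet available, and it stands in for both the Get Email Details from Exchange Server activity (the estimate phase) and the Search/Delete Threat Email in Exchange activity (the delete phase). The mailbox names, query and log path are constructed sample input.

```powershell
# Added example, not ServiceNow's own activity script.
# Phase 1 ("Search for Delete"): estimate only, nothing is modified.
# Phase 2 ("Delete"): runs only when -Approved is passed, mirroring the
# Approval - User gate in the workflow. Every step is written to an audit log,
# the equivalent of the work notes the workflow adds to the security incident.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Constructed sample input, e.g. -Mailbox 'alice@example.com','bob@example.com'
    [Parameter(Mandatory)] [string[]] $Mailbox,
    # KQL query string, the "Search query" field of the results record,
    # e.g. 'from:"attacker@example.net" AND subject:"Invoice overdue"'
    [Parameter(Mandatory)] [string]   $SearchQuery,
    # Set only after an sn_si.admin has approved the deletion request.
    [switch] $Approved,
    # Assumed audit log location; the real workflow writes work notes instead.
    [string] $LogPath = "$env:TEMP\threat-email-delete.log"
)

function Write-AuditLine {
    param([string] $Message)
    $line = '{0:o} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Phase 1: Search for Delete.
# -EstimateResultOnly touches no mail; it returns ResultItemsCount per
# mailbox, which is the "Email count" the workflow records.
$estimates = foreach ($mbx in $Mailbox) {
    try {
        Search-Mailbox -Identity $mbx -SearchQuery $SearchQuery `
            -EstimateResultOnly -ErrorAction Stop
    } catch {
        # PowerShell errors are logged, as the workflow notes they are.
        Write-AuditLine "ERROR estimating ${mbx}: $($_.Exception.Message)"
    }
}
[int] $total = ($estimates | Measure-Object -Property ResultItemsCount -Sum).Sum
Write-AuditLine "Search query [$SearchQuery] matched $total item(s) in $($Mailbox.Count) mailbox(es)"

if (-not $Approved) {
    # Without approval the script ends here, exactly like the workflow
    # waiting on (or rejected by) the Approval - User activity.
    Write-AuditLine 'Deletion not approved; stopping after search'
    return $estimates | Select-Object Identity, ResultItemsCount, ResultItemsSize
}
if ($total -eq 0) {
    Write-AuditLine 'Nothing to delete'
    return
}

# Phase 2: Delete.
# -DeleteContent removes the matched items. ShouldProcess keeps -WhatIf and
# -Confirm working on this script; -Force suppresses the cmdlet's own prompt
# so the script can run unattended once approval has been granted.
foreach ($mbx in $Mailbox) {
    if ($PSCmdlet.ShouldProcess($mbx, "Delete item(s) matching [$SearchQuery]")) {
        try {
            $r = Search-Mailbox -Identity $mbx -SearchQuery $SearchQuery `
                -DeleteContent -Force -ErrorAction Stop
            Write-AuditLine "Deleted $($r.ResultItemsCount) item(s) from $mbx"
        } catch {
            Write-AuditLine "ERROR deleting from ${mbx}: $($_.Exception.Message)"
        }
    }
}
```

Run it once without -Approved to get the per-mailbox count for the approver, then again with -Approved (and -WhatIf first, if you want a dry run) after sign-off. Two caveats a practitioner should know: the account running -DeleteContent needs the Mailbox Import Export management role, which is not held by default, and Search-Mailbox has been retired from Exchange Online, so a cloud tenant has to use the compliance search cmdlets instead; this page describes an on-premises Exchange Server.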