Search and Delete Threat Emails workflow

The Security Incident Response - Get Threat Email Details and Delete workflow returns the number of threat emails from an Exchange Server search and lets you delete them.

About this task

The search query can take some time to complete. Once the count is received, approval is required to delete emails from an Exchange email server.

In the security incident, the Delete from Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return count.

Figure: Exchange Search form example

Workflow process activities include:
  • Runs a script to fetch a search query from all associated active search criteria records, to be run on the Exchange Server using the Search/Delete Threat Email in Exchange activity.
  • Runs a script to create search results from the previous activity.
    Field                 Value
    Action                Search for Delete
    Result type           Count
    Email count           Integer (total number of emails found)
    Search query          Query text string that runs on the Exchange Server
    Email date received   N/A
    Email read status     N/A
    Recipient             N/A
    Search date           Timestamp for when the workflow ran
  • Approval - User.
    Note: Users with sn_si.admin roles are automatically added as approvers. If any one admin approves, the workflow continues.
  • Runs a script to add a work note to all associated security incidents when approval is requested and when the request is approved or rejected.
  • Deletes emails upon approval using the Search/Delete Threat Email in Exchange activity.
  • Creates an Exchange Search Results record as follows:
    Figure: Exchange email deletion results example
  • Adds a work note to all associated security incidents with deletion result.
    Figure: Work note deletion message example
  • Logs Message.
    Note: Any PowerShell script errors are recorded in the system logs.

Figure: Search/Delete Threat Email in Exchange workflow diagram