Install the Phishing Content Pack and Configure the EWS Email Gateway - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

  1. Go to Marketplace, search for Phishing and install the Phishing content pack.

  2. During installation, select Microsoft Exchange Online as the email gateway. The Microsoft Exchange Online content pack will install at the same time as the Phishing content pack.

  3. After the content packs are installed, go to Settings > INTEGRATIONS > Instances and search for EWS O365.

  4. Add the EWS O365 integration instance, which fetches events, attachments, and original emails from an inbox, and searches for and deletes emails.

    1. Click Add instance.

    2. Choose Fetches incidents.

    3. Verify the classifier is set to EWS - Classifier, which classifies incoming incidents as Phishing. If you were configuring an integration instance that did not have a classifier available, you would select Phishing for the Incident type (if classifier doesn’t exist) option.

    4. Follow the instructions to authorize the Demisto app and enter the ID, Token, and Key that you receive.

    5. Add the email address of the designated phishing inbox from which to fetch incidents.

    6. If you want to designate a specific folder from which to fetch emails as phishing incidents, enter that folder name. Otherwise, leave the default as Inbox.

    7. Add any other options as required.

    8. After you click Test, Cortex XSOAR attempts to connect to EWS. If you receive an error message that auto discovery failed, you need to add the details manually (the Exchange server hostname, the domain username, the Exchange server version, and the Advanced Mode Override Authentication type).

    9. Click Save & exit.

    The system starts ingesting incidents from EWS. Every email creates an incident in Cortex XSOAR.