Feat/migrate search delete emails o365 to msg by Benimanela · Pull Request #44441 · demisto/content

Benimanela · 2026-05-27T18:24:15Z

Status

In Progress
Ready
In Hold - (Reason for hold)

Related Issues

[](relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-16924)

Description

Migrate Search And Delete Emails from O365 S&C to MS Graph Security

Replace deprecated O365 Security & Compliance subplaybook with new
Microsoft Graph Security - Search And Delete Emails playbook in the
generic Search And Delete and Phishing v3 parent playbooks.

Must have

Tests
Documentation

…cases - Replace deprecated cs-falcon-resolve-incident with cs-falcon-resolve-case - Replace cs-falcon-list-incident-summaries with cs-falcon-list-case-summaries - Add new playbook: CrowdStrike Falcon - Get Detections by Case - Add cs-falcon-add-case-tag for case tagging in FP/TP handling flows - Add IsIntegrationAvailable checks at playbook entry points - Update mapper with External Category Name and External System ID fields - Migrate context paths from CrowdStrike.Incidents to CrowdStrike.Case - Fix label/nexttasks routing consistency for ngsiem_case across all playbooks - Update all READMEs to reflect new commands, inputs, and sub-playbooks

…oks-v2 Ciac 15071 cs falcon playbooks v2

…n-playbooks-v2" This reverts commit f4a2171, reversing changes made to 85c3562.

…rity Replace deprecated O365 Security & Compliance subplaybook with new Microsoft Graph Security - Search And Delete Emails playbook in the generic Search And Delete and Phishing v3 parent playbooks.

idovandijk · 2026-05-28T07:27:43Z

+    task:
+      id: e673ffea-1a46-4f7f-802f-86bad2df2f01
+      version: -1
+      name: Set MsGraph.eDiscoveryCase.CaseId


As we discussed please change the name of the key to something that doesn't resemble the integration's context - prefer a key name that indicates the purpose.
Example - task #59 Save created eDiscovery case in a new key for searching
task #45 Save existing eDiscovery case for the search

idovandijk · 2026-05-28T07:36:03Z

-      id: 027d5ff5-7e8e-41c0-8184-b33789251d51
+      id: 0b48e7f2-3db3-416f-8b46-a4183316217e
      iscommand: false
      name: Search this week only and query not already time-bounded?


The double negation is confusing - can we improve this to be clearer? You can modify the condition labels if that helps

idovandijk · 2026-05-28T07:49:18Z

+    task:
+      id: 2d6b537c-2036-4b5b-a812-8a22ec4b041c
+      version: -1
+      name: Route by cleanup search


Tasks #28 and #50 look the same. What is the difference between "delete" and "auto" for the cleanup?

The duplicate is necessary since the condition tasks can't route two branches to the same destination task. The tasks are identical in action but reachable from different conditions:

cleanup == "true" → always delete

cleanup == "auto" AND search_name is empty → delete only if the search was auto-generated

idovandijk · 2026-05-28T07:53:05Z

+    task:
+      id: 6405a7a3-8692-400f-83db-913fed6895cc
+      version: -1
+      name: Delete operationID from context


Instead of deleting context, prefer to do one of the following:

Save the old key under a new key. Then in the task that consumes ${MsGraph.eDiscoveryCase.Export.OperationID}, you can add a filter to take OperationID only where it doesn't equal to the ${MsGraph.eDiscoveryCase.Export.OperationID} you have in the new key.

OR:
2. You can use extend-context to force the command to save under a different key to begin with https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Extend-context

Added ResolvedOperationID key by extend-context

idovandijk

Looks good. Wrote some small changes in the comments.

Additionally, please go over the task names and rename them to reflect the human steps of the investigation (less mentioning of context keys and more about what the task is doing / what the condition is checking)

once done let me know and I'll go over the YMLs themselves to see we're ok there.

Well done!

content-bot · 2026-05-28T08:05:22Z

For the Reviewer: Trigger build request has been accepted for this contribution PR.

content-bot · 2026-05-28T08:05:29Z

For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/9489947

Benimanela and others added 8 commits April 12, 2026 22:53

add release notes for CrowdStrike Falcon v2.8.4

82612a9

Merge pull request #384 from qmasters-ltd/CIAC-15071-cs-falcon-playbo…

f4a2171

…oks-v2 Ciac 15071 cs falcon playbooks v2

Revert "Merge pull request #384 from qmasters-ltd/CIAC-15071-cs-falco…

552c9c6

…n-playbooks-v2" This reverts commit f4a2171, reversing changes made to 85c3562.

Merge branch 'demisto:master' into master

cbe4776

Merge branch 'demisto:master' into master

b8defff

feat: migrate Search And Delete Emails from O365 S&C to MS Graph Secu…

97ac2a6

…rity Replace deprecated O365 Security & Compliance subplaybook with new Microsoft Graph Security - Search And Delete Emails playbook in the generic Search And Delete and Phishing v3 parent playbooks.

added playbooks screenshots

b386c12

Benimanela requested review from JudahSchwartz, idovandijk, melamedbn and noydavidi as code owners May 27, 2026 18:24

content-bot added Contribution Thank you! Contributions are always welcome! External PR Xsoar Support Level Indicates that the contribution is for XSOAR supported pack labels May 27, 2026

content-bot changed the base branch from master to contrib/qmasters-ltd_feat/migrate-search-delete-emails-o365-to-msg May 27, 2026 18:26

content-bot assigned kamalq97 and Benimanela May 27, 2026

content-bot added the Security Review label May 27, 2026