Fixes issue with EWS Search and Delete (#1696)

* Fixes issue with EWS Search and Delete

* CR fixes
* Fix typo and releaseNotes
* Add Test playbook
* Remove forward/ replay prefixes only from beginning of Subject

Author: JonathanMeler

Playbooks/playbook-Search_And_Delete_Emails_-_EWS.yml

@@ -2,6 +2,7 @@ id: search_and_delete_emails_-_ews
 version: -1
 name: Search And Delete Emails - EWS
 fromversion: 3.6.0
+releaseNotes: "Added targe-mail-box to delete task"
 description: This playbook searches EWS to identify and delete emails with similar
   attributes of a malicious email.
 starttaskid: "0"
@@ -263,7 +264,10 @@ tasks:
         complex:
           root: EWS
           accessor: Items.itemId
-      target-mailbox: {}
+      target-mailbox:
+        complex:
+          root: EWS
+          accessor: Items.mailbox
     separatecontext: false
     view: |-
       {

Scripts/script-BuildEWSQuery.yml

@@ -2,7 +2,13 @@ commonfields:
   id: BuildEWSQuery
   version: -1
 name: BuildEWSQuery
+releaseNotes: "Add parameter for stripping the subject from prefixes"
 script: |-
+  import re
+
+  # Regex for removing forward/replay prefixes
+  p = re.compile('([\[\(] *)?(RE|FWD?) *([-:;)\]][ :;\])-]*|$)|\]+ *$', re.IGNORECASE)
+
   args = {}
 
   if demisto.args().get("from"):
@@ -14,6 +20,20 @@ script: |-
   if demisto.args().get("body"):
       args["Body"] = demisto.args().get("body")
 
+  stripSubject = True if demisto.args().get("stripSubject").lower() == "true" else False
+  if stripSubject and args["Subject"]:
+      # Recursively remove the regex matches only from the beginning of the string
+      match_string = args["Subject"]
+      location_match = p.match(match_string)
+      location = location_match.start() if location_match else -1
+
+      while(location==0 and match_string):
+          match_string = p.sub("",match_string,1)
+          location_match = p.match(match_string)
+          location = location_match.start() if location_match else -1
+
+      args["Subject"] = match_string
+
   query = " AND ".join('{0}:"{1}"'.format(key,value) for (key,value) in args.items())
 
   search_last_week = True if demisto.args().get("searchThisWeek").lower() == "true" else False
@@ -49,6 +69,13 @@ args:
   - "false"
   description: Limit the search to the current week (true/false).
   defaultValue: "true"
+- name: stripSubject
+  auto: PREDEFINED
+  predefined:
+  - "true"
+  - "false"
+  description: Removes the prefix from the subject of reply and forward messages (e.g., FW:).
+  defaultValue: "true"
 outputs:
 - contextPath: EWS.Query
   description: The result query

TestPlaybooks/playbook-BuildEWSQuery_Test.yml

@@ -0,0 +1,127 @@
+id: buildewsquery_test
+version: 6
+name: BuildEWSQuery Test
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 9c8a5ad7-0bf6-4355-8578-26a3d7d23b14
+    type: start
+    task:
+      id: 9c8a5ad7-0bf6-4355-8578-26a3d7d23b14
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "1"
+    reputationcalc: 0
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 50
+        }
+      }
+  "1":
+    id: "1"
+    taskid: ad4f0f93-2d75-4125-8044-195cbaf6466f
+    type: regular
+    task:
+      id: ad4f0f93-2d75-4125-8044-195cbaf6466f
+      version: -1
+      name: Build EWS Query
+      scriptName: BuildEWSQuery
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      attachmentName: {}
+      body: {}
+      from:
+        simple: [email protected]
+      searchThisWeek:
+        simple: "true"
+      stripSubject:
+        simple: "true"
+      subject:
+        simple: 'RE: RE: FWD: hello RE: world'
+    reputationcalc: 0
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 195
+        }
+      }
+  "2":
+    id: "2"
+    taskid: 77878e94-c11b-415c-8cf7-d0dbaef65626
+    type: regular
+    task:
+      id: 77878e94-c11b-415c-8cf7-d0dbaef65626
+      version: -1
+      name: Verify query
+      scriptName: VerifyContext
+      type: regular
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#none#':
+      - "3"
+    scriptarguments:
+      expectedValue:
+        simple: 'From:"[email protected]" AND Subject:"hello RE: world" AND Received:"this
+          week"'
+      fields: {}
+      path:
+        simple: EWS.Query
+    reputationcalc: 0
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 370
+        }
+      }
+  "3":
+    id: "3"
+    taskid: d6e4eb15-eac3-4dab-8ef5-9b00d0a83e38
+    type: title
+    task:
+      id: d6e4eb15-eac3-4dab-8ef5-9b00d0a83e38
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+    reputationcalc: 0
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 50,
+          "y": 545
+        }
+      }
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 560,
+        "width": 380,
+        "x": 50,
+        "y": 50
+      }
+    }
+  }
+inputs: []
+outputs: []

Tests/conf.json

@@ -2,6 +2,9 @@
     "testTimeout": 160,
     "testInterval": 20,
     "tests": [
+        {
+            "playbookID": "buildewsquery_test"
+        },
         {
             "integrations": "Palo Alto Minemeld",
             "playbookID": "minemeld_test"