MailMessage Enrichment

[briandelmsft]

Enrich mailmessage entities with the new analyzed message API

[briandelmsft]

@piaudonn I've been thinking about taking this on next. I think initially I'd be looking to modify the base module to normalize the mail message entity to ensure that we have these properties:

• Sender
• Recipient
• Subject
• NetworkMessageId
• InternetMessageId
• URLs from the message
• File hashes from attachments
• Message Delivery location

But likely just bring everything back from https://learn.microsoft.com/en-us/graph/api/security-analyzedemail-get?view=graph-rest-beta&tabs=http

From there I think we have a few options to make that useful like:

• Base module comment with basic message information and link to the email page where they could take action on the message
• Threat Intel module update to look at the URLs/File hash data and cross reference Sentinel TI
• We may need to see if we need to extract the Sender/Recipient and turn these into account entities as well, if the incidents don't consistently already do that, so that we could do analysis on the account in other STAT modules

Any other use cases you can think of?