https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426559#M52157 <P>Option 1: The display names are actually correctly populated for internal email addresses so I'm looking for a solution to ingest the display names for external senders<BR /> Option 2: Mimecast, but from prior experience integrating Mimecast with Splunk was messy and time consuming and we are looking for a quicker solution. It might be the only thing to do though.<BR /> Option 3: No, how would I go about using Splunk Streams to grab the display name? Set up heavy forwardesr on our Exchange servers and use Streams to send the raw packet data to Splunk? Seems easier said than done</P> Wed, 26 Dec 2018 22:26:08 GMT nick405060 2018-12-26T22:26:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426555#M52153 <P>Hi there,</P> <P>We are pulling MessageTracking data from Exchange 2010 and Exchange 2016 that we use to monitor possible spam/phishing attacks. One of the most obvious ways to programmatically detect spam/phishing attacks is to look at a display name vs. sending address mismatch. However, the display name isn't being properly pulled from Exchange for externally-originating emails. Technically the psender, user, and username fields are populated, but they are just defaulting to be the first part of the email address and not the display name. For internally-originating emails the display name does correctly populate for these fields.</P> <P>Has anyone figured out a way to pull externally-originating display names from Exchange?</P> <P>Edit: Bump</P> Fri, 07 Dec 2018 20:20:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426555#M52153 nick405060 2018-12-07T20:20:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426556#M52154 <P>Post a sample event for us to play with.</P> Sat, 08 Dec 2018 19:18:00 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426556#M52154 woodcock 2018-12-08T19:18:00Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426557#M52155 <P>Do you mean just post the raw event? I could post a censored _raw, but in the end the display name is not part of the raw string at all, so I'm not sure how that helps. Something with the configuration itself (either on the Exchange side or Splunk side, I'm not sure) has to be expanded</P> Mon, 10 Dec 2018 17:38:49 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426557#M52155 nick405060 2018-12-10T17:38:49Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426558#M52156 <P>Option 1: We could walk down the path of linking email addresses with real names in AD. But I'm guessing you want the name in the email, huh?<BR /><BR /> Option 2: Do you have any other email tools like ironport/proofpoint/mimecast? That's where I get my email logs.<BR /> Option 3: Do you have Splunk Streams installed? </P> Mon, 24 Dec 2018 16:57:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426558#M52156 xavierashe 2018-12-24T16:57:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426559#M52157 <P>Option 1: The display names are actually correctly populated for internal email addresses so I'm looking for a solution to ingest the display names for external senders<BR /> Option 2: Mimecast, but from prior experience integrating Mimecast with Splunk was messy and time consuming and we are looking for a quicker solution. It might be the only thing to do though.<BR /> Option 3: No, how would I go about using Splunk Streams to grab the display name? Set up heavy forwardesr on our Exchange servers and use Streams to send the raw packet data to Splunk? Seems easier said than done</P> Wed, 26 Dec 2018 22:26:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426559#M52157 nick405060 2018-12-26T22:26:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426560#M52158 <P>Given that your prior experience from mimecast direct integration was messy, would it be possible to just dump a raw logset from mimecast on a regular interval and have those ingested into Splunk. Then you could write a custom field transformation based on the output of those logs, and use that to then make a field extraction to add to any external e-mails in your message tracking searches. Or was this possibly what you had tried before? I have not worked directly with mimecast, but after reading your use case and the other comments this was my first thought on how I might approach the situation. </P> <P>Then perhaps if you have those mimecast logs and could include appropriately redacted logs the community may be able to assist with transformations and such if that is where things got sticky.<BR /> -Dustin</P> Mon, 31 Dec 2018 15:48:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426560#M52158 deastman 2018-12-31T15:48:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426561#M52159 <P>Thanks...<A href="https://asphaltmodapk.com">.</A>..</P> <P>,</P> Thu, 03 Jan 2019 20:36:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426561#M52159 johndigr 2019-01-03T20:36:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426562#M52160 <P>Personally (and from experience)...</P> <P>I would pull the data out of Active directory, and either write all your user data to a summary index or a lookup.<BR /> Then do an automatic lookup on your exchange data to using the smtp address as the input to the lookup. This means you can supplement your exchange data with all sorts of useful data such as who the sender/recipients manager is, when they last logged on etc, as well as Display Name.</P> <P>For bonus points you want to collect all the smtp proxy addresses into your lookup too, as sometimes (particularly if you use a 365 tenant) you can see the 'onmicrosoft' domain from time to time.</P> Thu, 14 Feb 2019 11:24:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426562#M52160 nickhills 2019-02-14T11:24:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426563#M52161 <P>You can use the <CODE>SecKit</CODE> series of apps to mine all of your user identity information from AD and store it in lookups:<BR /> <A href="https://splunkbase.splunk.com/app/3055/">https://splunkbase.splunk.com/app/3055/</A><BR /> <A href="https://seckit-sa-idm-windows.readthedocs.io/en/develop/quickstart.html">https://seckit-sa-idm-windows.readthedocs.io/en/develop/quickstart.html</A><BR /> <A href="https://media.readthedocs.org/pdf/seckit-sa-idm-windows/latest/seckit-sa-idm-windows.pdf">https://media.readthedocs.org/pdf/seckit-sa-idm-windows/latest/seckit-sa-idm-windows.pdf</A></P> Thu, 14 Feb 2019 21:07:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Is-it-possible-to-pull-a-sender-s-display-name-from-Exchange/m-p/426563#M52161 woodcock 2019-02-14T21:07:21Z