Is it possible to pull a sender's display name from Exchange?

nick405060
Motivator

Hi there,

We are pulling MessageTracking data from Exchange 2010 and Exchange 2016 that we use to monitor possible spam/phishing attacks. One of the most obvious ways to programmatically detect spam/phishing attacks is to look at a display name vs. sending address mismatch. However, the display name isn't being properly pulled from Exchange for externally-originating emails. Technically the psender, user, and username fields are populated, but they are just defaulting to be the first part of the email address and not the display name. For internally-originating emails the display name does correctly populate for these fields.

Has anyone figured out a way to pull externally-originating display names from Exchange?

Edit: Bump

nickhills
Ultra Champion

Personally (and from experience)...

I would pull the data out of Active Directory, and either write all your user data to a summary index or a lookup.
Then do an automatic lookup on your Exchange data using the SMTP address as the input to the lookup. This means you can supplement your Exchange data with all sorts of useful data such as who the sender's/recipient's manager is, when they last logged on, etc., as well as Display Name.

For bonus points you want to collect all the SMTP proxy addresses into your lookup too, as sometimes (particularly if you use a 365 tenant) you can see the 'onmicrosoft' domain from time to time.

If my comment helps, please give it a thumbs up!
0 Karma
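The AD-lookup enrichment described in the reply above, together with the display-name vs. sending-address check the original question mentions, as an added example that is not code from the thread, from Splunk or from nickhills. It is written in Python rather than SPL so that the join logic can run stand-alone: the AD export columns (displayName, mail, proxyAddresses, manager), the message-tracking field names (sender_address, sender_display_name) and every address in it are constructed assumptions. It goes slightly beyond the reply by also using the lookup to flag a message whose display name matches an internal user but whose sending address belongs to nobody in AD.

```python
import csv
import io

# Constructed AD export (assumed column names). proxyAddresses is joined with
# ';', and as in AD 'SMTP:' marks the primary address, 'smtp:' a secondary one,
# including the tenant's onmicrosoft.com alias.
AD_EXPORT = """displayName,mail,proxyAddresses,manager
Jane Doe,jane.doe@corp.example,SMTP:jane.doe@corp.example;smtp:jdoe@corp.example;smtp:jane.doe@corp.onmicrosoft.com,Bob Smith
Bob Smith,bob.smith@corp.example,SMTP:bob.smith@corp.example;smtp:bob.smith@corp.onmicrosoft.com,
"""

# Constructed message-tracking records; the field names are assumptions.
# An empty display name mirrors what the question reports for external mail.
MESSAGES = [
    {"sender_address": "jane.doe@corp.onmicrosoft.com", "sender_display_name": ""},
    {"sender_address": "bob.smith@corp.example", "sender_display_name": "Bob Smith"},
    {"sender_address": "ceo.urgent@mail-example.test", "sender_display_name": "Bob Smith"},
    {"sender_address": "bob.smith@corp.example", "sender_display_name": "Jane Doe"},
    {"sender_address": "news@vendor.example", "sender_display_name": "Vendor News"},
]


def normalize_name(name):
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.lower().split())


def build_lookup(ad_csv):
    """Return (smtp address -> AD record, display name -> set of that user's addresses).

    Every primary and proxy SMTP address maps to the same record, which is the
    'collect all the proxy addresses' advice from the reply.
    """
    by_address, by_name = {}, {}
    for row in csv.DictReader(io.StringIO(ad_csv)):
        primary = row["mail"].strip().lower()
        addresses = {primary}
        for proxy in row["proxyAddresses"].split(";"):
            proxy = proxy.strip()
            if proxy[:5].lower() == "smtp:":
                addresses.add(proxy[5:].lower())
        record = {"displayName": row["displayName"], "manager": row["manager"], "primary": primary}
        for addr in addresses:
            by_address[addr] = record
        by_name.setdefault(normalize_name(row["displayName"]), set()).update(addresses)
    return by_address, by_name


def enrich(message, by_address, by_name):
    """Add AD fields to one message-tracking record and classify it."""
    addr = message["sender_address"].strip().lower()
    shown = message.get("sender_display_name") or ""
    ad = by_address.get(addr)
    out = dict(message)
    out["ad_display_name"] = ad["displayName"] if ad else ""
    out["ad_manager"] = ad["manager"] if ad else ""
    out["ad_primary_smtp"] = ad["primary"] if ad else ""

    if shown and ad and normalize_name(shown) != normalize_name(ad["displayName"]):
        # internal address, but the message carries a different person's name
        verdict = "display_name_mismatch"
    elif shown and not ad and normalize_name(shown) in by_name:
        # name of a known internal user on an address AD has never seen
        verdict = "display_name_impersonation"
    else:
        verdict = "internal" if ad else "external"
    out["verdict"] = verdict
    return out


def analyze(messages=None, ad_csv=AD_EXPORT):
    """Enrich every record; defaults to the constructed sample data."""
    by_address, by_name = build_lookup(ad_csv)
    return [enrich(m, by_address, by_name) for m in (messages or MESSAGES)]


if __name__ == "__main__":
    for row in analyze():
        print(row["verdict"], row["sender_address"], row["ad_display_name"], sep="\t")
```

In Splunk terms, build_lookup is the CSV you would write from the AD export and enrich is the automatic lookup keyed on the sender address plus a short eval; the point of indexing proxy addresses is visible in the first record, where the onmicrosoft.com alias still resolves to the user's display name and manager.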

johndigr
New Member

Thanks......

0 Karma

xavierashe
Contributor

Option 1: We could walk down the path of linking email addresses with real names in AD. But I'm guessing you want the name in the email, huh?

Option 2: Do you have any other email tools like ironport/proofpoint/mimecast? That's where I get my email logs.
Option 3: Do you have Splunk Streams installed?

0 Karma

nick405060
Motivator

Option 1: The display names are actually correctly populated for internal email addresses, so I'm looking for a solution to ingest the display names for external senders.
Option 2: Mimecast, but from prior experience integrating Mimecast with Splunk was messy and time consuming and we are looking for a quicker solution. It might be the only thing to do though.
Option 3: No, how would I go about using Splunk Streams to grab the display name? Set up heavy forwarders on our Exchange servers and use Streams to send the raw packet data to Splunk? Seems easier said than done.

0 Karma

deastman
SplunkTrust

Given that your prior experience from Mimecast direct integration was messy, would it be possible to just dump a raw logset from Mimecast on a regular interval and have those ingested into Splunk? Then you could write a custom field transformation based on the output of those logs, and use that to then make a field extraction to add to any external e-mails in your message tracking searches. Or was this possibly what you had tried before? I have not worked directly with Mimecast, but after reading your use case and the other comments this was my first thought on how I might approach the situation.

Then perhaps if you have those Mimecast logs and could include appropriately redacted logs, the community may be able to assist with transformations and such if that is where things got sticky.
-Dustin

0 Karma

woodcock
Esteemed Legend

Post a sample event for us to play with.

0 Karma

nick405060
Motivator

Do you mean just post the raw event? I could post a censored _raw, but in the end the display name is not part of the raw string at all, so I'm not sure how that helps. Something with the configuration itself (either on the Exchange side or Splunk side, I'm not sure) has to be expanded.

0 Karma