We are pulling MessageTracking data from Exchange 2010 and Exchange 2016 that we use to monitor possible spam/phishing attacks. One of the most obvious ways to programmatically detect spam/phishing attacks is to look at a display name vs. sending address mismatch. However, the display name isn't being properly pulled from Exchange for externally-originating emails. Technically the psender, user, and username fields are populated, but they are just defaulting to be the first part of the email address and not the display name. For internally-originating emails the display name does correctly populate for these fields.
Has anyone figured out a way to pull externally-originating display names from Exchange?
You can use the SecKit series of apps to mine all of your user identity information from AD and store it in lookups:
Personally (and from experience)...
I would pull the data out of Active Directory, and either write all your user data to a summary index or a lookup.
Then do an automatic lookup on your Exchange data using the SMTP address as the input to the lookup. This means you can supplement your Exchange data with all sorts of useful data, such as who the sender's/recipient's manager is, when they last logged on, etc., as well as the Display Name.
For bonus points you want to collect all the SMTP proxy addresses into your lookup too, as sometimes (particularly if you use a 365 tenant) you can see the 'onmicrosoft' domain from time to time.
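The enrichment described above, together with the display-name/sender-address mismatch check the original question is after, as an added example that is not part of this thread, of SecKit, or of any Splunk app. It emulates a Splunk automatic lookup in plain Python: an AD-derived table keyed by primary and proxy SMTP addresses (constructed here) is joined to message-tracking records on the sender address, and two mismatch heuristics are then applied. All field names (`sender`, `sender_display`, `ad_displayName`), domains and sample records are constructed assumptions, not the real Exchange or Splunk field names.

```python
"""Added example (not from the thread or any Splunk/SecKit app): enrich
Exchange message-tracking records from an AD-derived lookup keyed by SMTP
address, then flag display-name/sender-address mismatches.
All data and field names below are constructed for illustration."""
import re

# Constructed lookup, populated the way an AD export would populate it:
# the primary SMTP address and each proxy address map to the same identity.
AD_LOOKUP = {
    "jane.doe@example.com": {"displayName": "Jane Doe", "manager": "Ann Lee", "lastLogon": "2023-05-01"},
    "jane.doe@example.onmicrosoft.com": {"displayName": "Jane Doe", "manager": "Ann Lee", "lastLogon": "2023-05-01"},
    "ann.lee@example.com": {"displayName": "Ann Lee", "manager": "", "lastLogon": "2023-05-02"},
}
INTERNAL_DOMAINS = {"example.com", "example.onmicrosoft.com"}  # constructed
KNOWN_DISPLAY_NAMES = {v["displayName"].lower() for v in AD_LOOKUP.values()}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def enrich(record):
    """Emulate an automatic lookup: join on the sender address (case-insensitive)
    and add displayName/manager/lastLogon when the address is known. Returns a new dict."""
    out = dict(record)
    sender = record["sender"].lower()
    out["sender_is_internal"] = domain_of(sender) in INTERNAL_DOMAINS
    hit = AD_LOOKUP.get(sender)
    if hit:
        out["ad_displayName"] = hit["displayName"]
        out["ad_manager"] = hit["manager"]
        out["ad_lastLogon"] = hit["lastLogon"]
    return out


def display_name_findings(record):
    """Return the reasons the display name looks inconsistent with the sender address."""
    sender = record["sender"].lower()
    shown = (record.get("sender_display") or "").strip()
    findings = []
    if not shown or shown.lower() == local_part(sender):
        # Exchange defaults an external sender's display field to the local part of
        # the address; that carries no information, so it is not treated as evidence.
        return findings
    # 1. The display name embeds an address whose domain differs from the real sender domain.
    for embedded in EMAIL_RE.findall(shown):
        if domain_of(embedded) != domain_of(sender):
            findings.append(f"display name embeds {embedded} but sender is {sender}")
    # 2. An external sender is using a display name that belongs to a known internal user.
    if domain_of(sender) not in INTERNAL_DOMAINS and shown.lower() in KNOWN_DISPLAY_NAMES:
        findings.append(f"external sender {sender} uses internal display name '{shown}'")
    return findings


def analyze(records):
    """Enrich every record and attach its mismatch findings; returns a list of dicts."""
    results = []
    for r in records:
        e = enrich(r)
        e["findings"] = display_name_findings(e)
        results.append(e)
    return results


# Constructed message-tracking records (field names are hypothetical).
SAMPLE_RECORDS = [
    {"sender": "jane.doe@example.com", "sender_display": "Jane Doe", "recipient": "ann.lee@example.com"},
    # external sender whose display field is just the defaulted local part
    {"sender": "jdoe@mail.example.org", "sender_display": "jdoe", "recipient": "ann.lee@example.com"},
    # external sender borrowing an internal user's display name
    {"sender": "bill@free-mail.test", "sender_display": "Jane Doe", "recipient": "ann.lee@example.com"},
    # display name carrying an internal-looking address that differs from the sender
    {"sender": "pay@free-mail.test", "sender_display": "Ann Lee <ann.lee@example.com>", "recipient": "jane.doe@example.com"},
]

if __name__ == "__main__":
    for e in analyze(SAMPLE_RECORDS):
        print(e["sender"], e.get("ad_displayName", "-"), e["findings"])
```

The second sample record is the case the question describes: the display field equals the local part of the address, which the check deliberately ignores rather than reporting as a mismatch. Once an external source (a gateway log or the enriched lookup) supplies a real display name, the same two heuristics apply unchanged.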
Option 1: We could walk down the path of linking email addresses with real names in AD. But I'm guessing you want the name in the email, huh?
Option 2: Do you have any other email tools like ironport/proofpoint/mimecast? That's where I get my email logs.
Option 3: Do you have Splunk Streams installed?
Option 1: The display names are actually correctly populated for internal email addresses, so I'm looking for a solution to ingest the display names for external senders.
Option 2: Mimecast, but from prior experience integrating Mimecast with Splunk was messy and time consuming, and we are looking for a quicker solution. It might be the only thing to do though.
Option 3: No, how would I go about using Splunk Streams to grab the display name? Set up heavy forwarders on our Exchange servers and use Streams to send the raw packet data to Splunk? Seems easier said than done.
Given that your prior experience with direct Mimecast integration was messy, would it be possible to just dump a raw log set from Mimecast on a regular interval and have those ingested into Splunk? Then you could write a custom field transformation based on the output of those logs, and use that to make a field extraction to add to any external e-mails in your message tracking searches. Or was this possibly what you had tried before? I have not worked directly with Mimecast, but after reading your use case and the other comments this was my first thought on how I might approach the situation.
Then perhaps, if you have those Mimecast logs and could include appropriately redacted logs, the community may be able to assist with transformations and such, if that is where things got sticky.
Do you mean just post the raw event? I could post a censored _raw, but in the end the display name is not part of the raw string at all, so I'm not sure how that helps. Something with the configuration itself (either on the Exchange side or Splunk side, I'm not sure) has to be expanded