Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: Possible Email Leakage and Auto-forwarding rul...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible Email Leakage and Auto-forwarding rules (Exchange Logs)
Hi all,
What I want to achieve is to identify the users that possibly leaking /auto-forwarding emails to his personal email address (e.g. gmail) based on Exchange logs
1- Detect possible Auto-forwarding rule
2- Detect possible email leakage
Company email ID: 123@123.com
Private Email ID: *@gmail.com and *@yahoo.com
1- Detect Possible Auto-Forwarding Rule
based on timestamp can I have splunk query to support me identify users that auto-forwarding ?
2- Detect possible email leakage
I want to capture if user sending 10+ emails to specific recipient using free email services e.g. gmail in duration of 3 minutes.
Sample Query
index=mail-1 sourcetype="MSExchange:*" sender=123@123.com
| search recipient IN("*@gmail","*@yahoo.com")
Thanks in Advance.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
please provide auto-forwarding sample log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @to4kawa,
I don't have filed or sample logs for auto-forwarding.
Maybe this case has been observed and identified by one of the users before. (It will be good to share)
2- Detect possible email leakage
In other hand, I would like to have query where that it will check if
specific sender sending 10 or more emails to specific recipient in 3 minutes duration.
This can give us possibility not assurance if user leaking emails.
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the recipients of Exchange is multivalue? single value?
Email logs are complex.
Field extraction is also a problem.
please provide the results| stats min(_time) as _time values(recipient) as recipients by sender sessionid | mvexpand recipients
If field name is wrong, please fix it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi I tried it but there is not field for sessionid.
Would you please advice.?
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know what's network-message-id field name in Splunk.
leaking emails is same message_id ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
