Hi all,
What I want to achieve is to identify the users that are possibly leaking/auto-forwarding emails to their personal email address (e.g. gmail) based on Exchange logs.
1- Detect possible Auto-forwarding rule
2- Detect possible email leakage
Company email ID: 123@123.com
Private Email ID: *@gmail.com and *@yahoo.com
1- Detect Possible Auto-Forwarding Rule
Based on timestamp, can I have a Splunk query to support me in identifying users that are auto-forwarding?
2- Detect possible email leakage
I want to capture if a user is sending 10+ emails to a specific recipient using free email services (e.g. gmail) within a duration of 3 minutes.
Sample Query
index=mail-1 sourcetype="MSExchange:*" sender=123@123.com
| search recipient IN("*@gmail.com","*@yahoo.com")
Thanks in Advance.
Regards,
Please provide an auto-forwarding sample log.
Hi @to4kawa,
I don't have any field or sample logs for auto-forwarding.
Maybe this case has been observed and identified by one of the users before. (It would be good to share.)
2- Detect possible email leakage
On the other hand, I would like to have a query that will check if a
specific sender is sending 10 or more emails to a specific recipient within a 3-minute duration.
This can give us a possibility, not assurance, that a user is leaking emails.
Regards,
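As an added example (not from this thread or from Splunk), here is the "10 or more emails to one private recipient within 3 minutes" check from the first post and the restatement above, implemented in Python as a sliding-window count over a constructed sample log; the log format, the field names and the SPL sketch in the trailing comment are assumptions.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta

FREE_MAIL = ("*@gmail.com", "*@yahoo.com")  # private-mail patterns from the question
THRESHOLD = 10                 # 10 or more messages ...
WINDOW = timedelta(minutes=3)  # ... to one recipient inside any 3-minute span

# Constructed sample log (not real Exchange output): "<timestamp> <sender> <recipient>" per message.
SAMPLE_LOG = "\n".join(
    # 12 messages to a gmail address within 110 seconds -> should alert
    [f"2020-05-01T09:{i // 6:02d}:{i % 6 * 10:02d} 123@123.com bob@gmail.com" for i in range(12)]
    + ["2020-05-01T09:10:00 123@123.com colleague@123.com"]  # internal recipient -> ignored
    # 10 messages to yahoo spread over 45 minutes -> below the rate, no alert
    + [f"2020-05-01T10:{i * 5:02d}:00 123@123.com carol@yahoo.com" for i in range(10)]
)

def parse(log_text):
    records = []  # (timestamp, sender, recipient) tuples
    for line in log_text.splitlines():
        ts, sender, recipient = line.split()
        records.append((datetime.fromisoformat(ts), sender.lower(), recipient.lower()))
    return records

def is_free_mail(address):
    return any(fnmatch.fnmatch(address, pattern) for pattern in FREE_MAIL)

def find_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """Return {(sender, recipient): (window_start, count)} for each pair that
    reaches `threshold` messages inside any interval of length `window`."""
    by_pair = defaultdict(list)
    for ts, sender, recipient in records:
        if is_free_mail(recipient):
            by_pair[(sender, recipient)].append(ts)
    alerts = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop messages older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(pair, (None, 0))[1]:
                alerts[pair] = (times[start], count)
    return alerts

# Rough SPL counterpart (assumed field names; bin uses fixed 3-minute buckets, so a
# burst straddling a bucket boundary can be missed, unlike the sliding window above):
#   index=mail-1 sourcetype="MSExchange:*" sender=123@123.com
#   | search recipient IN("*@gmail.com","*@yahoo.com")
#   | bin _time span=3m | stats count by _time sender recipient | where count>=10
```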
Is the recipients field of Exchange multivalue or single value?
Email logs are complex.
Field extraction is also a problem.
Please provide the results of:
| stats min(_time) as _time values(recipient) as recipients by sender sessionid | mvexpand recipients
If field name is wrong, please fix it.
Hi, I tried it but there is no field for sessionid.
Would you please advise?
Regards,
I don't know what's network-message-id field name in Splunk.
Do the leaking emails have the same message_id?