Splunk Enterprise Security
Highlighted

Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Hi all,

What I want to achieve is to identify the users that possibly leaking /auto-forwarding emails to his personal email address (e.g. gmail) based on Exchange logs
1- Detect possible Auto-forwarding rule
2- Detect possible email leakage
Company email ID: 123@123.com
Private Email ID: *@gmail.com and *@yahoo.com

1- Detect Possible Auto-Forwarding Rule
based on timestamp can I have splunk query to support me identify users that auto-forwarding ?

2- Detect possible email leakage
I want to capture if user sending 10+ emails to specific recipient using free email services e.g. gmail in duration of 3 minutes.

Sample Query

index=mail-1 sourcetype="MSExchange:*" sender=123@123.com
| search recipient IN("*@gmail","*@yahoo.com")

Thanks in Advance.

Regards,

0 Karma
Highlighted

Re: Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Ultra Champion

please provide auto-forwarding sample log.

0 Karma
Highlighted

Re: Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Hi @to4kawa,

I don't have filed or sample logs for auto-forwarding.
Maybe this case has been observed and identified by one of the users before. (It will be good to share)

2- Detect possible email leakage
In other hand, I would like to have query where that it will check if
specific sender sending 10 or more emails to specific recipient in 3 minutes duration.

This can give us possibility not assurance if user leaking emails.

Regards,

0 Karma
Highlighted

Re: Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Ultra Champion

the recipients of Exchange is multivalue? single value?
Email logs are complex.
Field extraction is also a problem.

please provide the results| stats min(_time) as _time values(recipient) as recipients by sender sessionid | mvexpand recipients
If field name is wrong, please fix it.

0 Karma
Highlighted

Re: Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Hi I tried it but there is not field for sessionid.

Would you please advice.?

Regards,

0 Karma
Highlighted

Re: Possible Email Leakage and Auto-forwarding rules (Exchange Logs)

Ultra Champion

https://docs.microsoft.com/ja-jp/exchange/mail-flow/transport-logs/message-tracking?view=exchserver-...

I don't know what's network-message-id field name in Splunk.

leaking emails is same message_id ?

0 Karma