Azure Sentinel Mail forwarding rule

  • Question

  • Hi, for some reason it was marked as spam. Can you please help?

    Hello Everyone,
    I work as a partner to an Azure Sentinel customer.
    The customer requested to create a Sentinel rule that will catch any attempt to forward mail outside the organization's mail.
    For example, User at forwarded an email to his account.
    I have tried with the customer to create a simulation in which he forwarded (using the Outlook web application):
    Email subject: Test
    Contained file named : text.txt
    To my Gmail account :

    After he forwarded this mail I created a query with Log Analytics on the customer's workspace:


    | search "Test" or "test.txt" or ""

    No results were found. Could this be because not all Office 365 logs are being ingested to Azure?
    Also, can you please guide me on how to create a query that retrieves email forwarding?

    Thank you very much.
    Thursday, February 20, 2020 5:10 PM
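
An added example, not part of the original post: one way to query for mail forwarding to external addresses in a Sentinel workspace. It assumes the Office 365 data connector is ingesting Exchange audit records into the `OfficeActivity` table, uses `contoso.com` as a placeholder for the organization's own mail domain, and covers forwarding configured through inbox rules or mailbox settings only.

```kusto
// Added example. Assumption: Exchange audit records arrive in OfficeActivity
// through the Office 365 connector. "contoso.com" is a placeholder; list the
// organization's own mail domains here in lowercase.
let internalDomains = dynamic(["contoso.com"]);
let forwardingParams = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"]);
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload =~ "Exchange"
// Cmdlets that create or change an inbox rule or mailbox-level forwarding
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| where Parameters has_any (forwardingParams)
// Parameters is a JSON array of {Name, Value} pairs: one row per parameter
| mv-expand Param = todynamic(Parameters)
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| where ParamName in~ (forwardingParams) and isnotempty(ParamValue)
// A single rule can list several recipients separated by ';'
| mv-expand Destination = split(ParamValue, ";")
| extend Destination = trim(@"\s+", tostring(Destination))
// Recipients stored without an SMTP address (no '@') yield an empty domain
// and are dropped by the next filter
| extend DestinationDomain = tolower(extract(@"@([A-Za-z0-9.\-]+)", 1, Destination))
| where isnotempty(DestinationDomain) and DestinationDomain !in (internalDomains)
| project TimeGenerated, UserId, Operation, ParamName, Destination, DestinationDomain, ClientIP
| sort by TimeGenerated desc
```

Running `OfficeActivity | where OfficeWorkload =~ "Exchange" | take 10` first shows whether any Exchange records are reaching the workspace at all.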