Azure Sentinel Mail forwarding rule

  • Question

  • Hi, for some reason it was marked as spam. Can you please help?

    Hello Everyone,
    I work as a partner to an Azure Sentinel customer.
    The customer requested to create a Sentinel rule that will catch any attempt to forward mail outside the organization's mail.
    For example, a user at username@company.com forwarded an email to his user@gmail.com account.
    I have tried with the customer to create a simulation in which he forwarded (using the Outlook web application):
    Email subject: Test
    Contained file named: text.txt
    To my Gmail account: XXXXX@gmail.com

    After he forwarded this mail I created a query with Log Analytics on the customer's workspace:

    OfficeActivity
    | search "Test" or "test.txt" or "XXXX@gmail.com"


    No results were found. Could this be because not all Office 365 logs are being ingested into Azure?
    Also, can you please guide me on how to create a query that retrieves email forwarding?

    Thank you very much.
    Thursday, February 20, 2020 5:10 PM
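
As an added example (not from the original post or from Microsoft): OfficeActivity is an audit log of mailbox and admin operations rather than a message trace, so a single manual forward from OWA is not something a `search` on subject or attachment name will reliably find; what the table does record are the Exchange operations that configure automatic forwarding, and a detection rule can key on those. The query below flags mailbox forwarding settings and inbox/transport rules whose target lies outside the tenant; `internal_domains` is a constructed placeholder for the customer's own domains, and the 7-day window is an assumption.

```kql
// Added example, not from the original post: detect Exchange audit events in
// OfficeActivity that set up forwarding or redirection to an external address.
let internal_domains = dynamic(["company.com"]);   // placeholder: the tenant's own domains
let forwarding_params = dynamic([
    "ForwardingSmtpAddress",   // Set-Mailbox: forward a whole mailbox externally
    "ForwardingAddress",       // Set-Mailbox: forward to a recipient object
    "ForwardTo",               // inbox/transport rule action
    "ForwardAsAttachmentTo",   // inbox/transport rule action
    "RedirectTo"               // inbox/transport rule action
]);
OfficeActivity
| where TimeGenerated > ago(7d)                    // assumed look-back window
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule",
                       "New-TransportRule", "Set-TransportRule")
// Parameters is a JSON array of {"Name": ..., "Value": ...} objects; unpack it
// so each cmdlet parameter becomes its own row.
| extend params = parse_json(Parameters)
| mv-expand param = params
| extend ParamName = tostring(param.Name), ParamValue = tostring(param.Value)
| where ParamName in~ (forwarding_params) and isnotempty(ParamValue)
// Mailbox forwarding values are usually written as "smtp:user@domain";
// normalise case and strip the prefix before extracting the domain.
| extend Target = tolower(replace_string(ParamValue, "smtp:", ""))
| extend TargetDomain = tostring(split(Target, "@")[1])
// Keep only targets that resolve to a domain and that are not one of ours.
| where isnotempty(TargetDomain) and TargetDomain !in~ (internal_domains)
| project TimeGenerated, UserId, ClientIP, Operation,
          ObjectId = OfficeObjectId, ParamName, Target, TargetDomain
| order by TimeGenerated desc
```

Wrap this as a scheduled analytics rule to alert on each new external forwarding target; to test it, have the user create an inbox rule (not just forward one message) and confirm the New-InboxRule event appears before tuning the window.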

Answers