Forum Discussion
Burak_MERCAN
Dec 26, 2022 (Copper Contributor)
Attachment Count for Exchange Online Traffic
Hello everyone, I'm managing a project on my customer, and they wish to block their users when an email sending inside-to-inside, outside-to-inside, inside-to-outside and if email contains 20 or m...
RobYoung
Jan 03, 2023 (Iron Contributor)
All I can think of is if you use Sentinel and create an alert with a playbook to block the user when the attachment count exceeds 20. For example, the query will list all the records of users who sent attachments with a count of 20 or higher:
OfficeActivity
| where RecordType contains "exchange"
| where Operation contains "send"
| extend InternetMessageId_ = tostring(parse_json(Item).InternetMessageId)
| join kind=innerunique EmailEvents on $left.InternetMessageId_ == $right.InternetMessageId
| extend Attachments_ = tostring(parse_json(Item).Attachments)
| where AttachmentCount >= 20
(sorry, query is not polished but it gets the job done)
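An added example (not RobYoung's query) showing how the same detection can be built on the EmailEvents table alone, which already carries AttachmentCount and EmailDirection, so the OfficeActivity join is not needed and the inside/outside directions from the original question can be labelled for the playbook. It assumes the Microsoft 365 Defender connector populates EmailEvents and that EmailDirection takes the values "Inbound", "Outbound" and "Intra-org"; the threshold and lookback window are constructed sample settings.

```kusto
// Added example, not code from the thread: one row per sender and direction
// for any message carrying 20 or more attachments in the last hour.
// SenderFromAddress is the value to map to the Account entity so a Sentinel
// playbook can act on the user; Recipients is kept for the analyst.
let threshold = 20;          // constructed sample threshold from the question
let lookback = 1h;           // constructed sample window; match the rule frequency
EmailEvents
| where Timestamp > ago(lookback)
| where AttachmentCount >= threshold
| extend Direction = case(
    EmailDirection == "Intra-org", "inside-to-inside",
    EmailDirection == "Outbound",  "inside-to-outside",
    EmailDirection == "Inbound",   "outside-to-inside",
    "unknown")
| summarize
    Messages       = dcount(NetworkMessageId),        // distinct messages, not recipient rows
    MaxAttachments = max(AttachmentCount),
    Recipients     = make_set(RecipientEmailAddress, 50),
    LastSeen       = max(Timestamp)
    by SenderFromAddress, Direction
| project-reorder SenderFromAddress, Direction, Messages, MaxAttachments, LastSeen, Recipients
```

For the inside-to-inside case, verify that intra-org mail actually appears in EmailEvents in your tenant before relying on the "Intra-org" branch, since coverage depends on the mail flow configuration.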
Burak_MERCAN
Jan 23, 2023 (Copper Contributor)
Sentinel is not a part of the project yet. Thank you for the answer.
Just discovered the insider risk management data leak policy has a "Sending email with attachments to recipients outside the organization" rule, which also lets you set thresholds. I couldn't succeed in triggering the policy with custom thresholds, but on default it's working and generating alerts.