Forum Discussion
Nick_MTB (Brass Contributor)
Oct 26, 2022
Email Entity - Preview Email
Hello all,
I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails.
Nick
- PatrickEl (Copper Contributor)
Hey Nick,
have you found a solution? I couldn't find any.
Thanks a lot.
Regards Patrick
- PatrickEl (Copper Contributor)
I found it! compliance portal - audits - Activities - operation names = AdminMailAccess
- Nick_MTB (Brass Contributor)
Hello PatrickEl
I missed your reply, my apologies.
We did find a solution and we also found a KQL that we converted to an analytic rule:
```kusto
CloudAppEvents
// Audit operation named earlier in the thread
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
// Mailbox that was opened and the (URL-encoded) message ID of the previewed email
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
// Enrich with message details; Timestamp and ReportId below come from EmailEvents
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp, Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject, ReportId
| order by Timestamp desc
```

Hope it helps
Nick
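
An added variant of the query above, not part of the original posts: it uses a left outer join so an AdminMailAccess event still returns a row when the previewed message has no match in EmailEvents, and it keeps the time of the access separate from the email's own timestamp. The column names `AccessTime` and `DeliveryTime` are introduced here for illustration; the `ExtendedProperties` positions are taken from the posted query.

```kusto
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
// Positions [1] and [2] are the ones used in the query posted in the thread
| extend OpenedMailbox = tostring(data[1]["Value"])
| extend OpenedEmail = url_decode(tostring(data[2]["Value"]))
// Keep the CloudAppEvents timestamp: this is when the preview happened
| project AccessTime = Timestamp, Actor = AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
// The default join kind keeps only matched rows, so a preview of a message
// that is absent from EmailEvents would raise no alert; leftouter keeps it
| join kind=leftouter (
    EmailEvents
    | project InternetMessageId, DeliveryTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject
    ) on $left.OpenedEmail == $right.InternetMessageId
| project AccessTime, Actor, ActionType, OpenedMailbox, OpenedEmail, DeliveryTime, SenderFromAddress, RecipientEmailAddress, Subject
| order by AccessTime desc
```

Rows with an empty `Subject` are previews whose message could not be matched; `OpenedMailbox` and `OpenedEmail` still identify what was opened.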