Forum Discussion

Nick_MTB's avatar
Nick_MTB
Brass Contributor
Oct 26, 2022

Email Entity - Preview Email

Hello all,

I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails.

Nick 

 

 

 

  • PatrickEl's avatar
    PatrickEl
    Copper Contributor
    Hey Nick,

    have you found a solution? I couldn't find any.
    Thanks a lot.
    Regards Patrick
    • PatrickEl's avatar
      PatrickEl
      Copper Contributor
      I found it! compliance portal - audits - Activities - operation names = AdminMailAccess
      • Nick_MTB's avatar
        Nick_MTB
        Brass Contributor

        Hello PatrickEl 

        I missed your reply my apologies.

        We did find a solution and we also found a KQL that we converted to an analytic rule

         

        CloudAppEvents
        | where ActionType == "AdminMailAccess"
        | extend data = RawEventData["ExtendedProperties"]
        | extend OpenedMailbox = data[1].["Value"]
        | extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
        | project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
        | join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
        | project Timestamp , Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject, ReportId
        | order by Timestamp desc

         

        Hope it helps
        Nick

Resources