Email Entity - Preview Email

Nick_MTB · ‎Oct 26 2022

Hello all,

I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails.

Nick

PatrickEl · ‎Mar 07 2024

Hey Nick,

have you found a solution? I couldn't find any.
Thanks a lot.
Regards Patrick

PatrickEl · ‎Mar 07 2024

I found it! compliance portal - audits - Activities - operation names = AdminMailAccess

Nick_MTB · ‎Mar 26 2024

Hello @PatrickEl

I missed your reply my apologies.

We did find a solution and we also found a KQL that we converted to an analytic rule

CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp , Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject, ReportId
| order by Timestamp desc

Hope it helps
Nick

Email Entity - Preview Email

Email Entity - Preview Email

Re: Email Entity - Preview Email

Re: Email Entity - Preview Email

Re: Email Entity - Preview Email

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Email Entity - Preview Email