Oct 26 2022 04:20 AM
Hello all,
I want to ask if there is a way to monitor and be alerted when someone is viewing an email from the email entity page by clicking "Email Preview". I couldn't find any documentation, and the action is not registered in any audit logs. Maybe I am missing something so please feel free to share some info regarding this issue since I believe it can have a major impact if a disgruntled security employee chooses to leak info from private emails.
Nick
Mar 07 2024 12:36 AM
Mar 07 2024 04:04 AM
Mar 26 2024 11:05 AM
Hello @PatrickEl
I missed your reply my apologies.
We did find a solution and we also found a KQL that we converted to an analytic rule
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = data[1].["Value"]
| extend OpenedEmail = url_decode(tostring(data[2].["Value"]))
| project AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp , Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject, ReportId
| order by Timestamp desc
Hope it helps
Nick