Forum Discussion
ismylaw
Mar 07, 2022Copper Contributor
Mail Redirect In Sentinel.
Hello, I'm new to Sentinel and I'm working on a project about email forwarding by users. I need help writing a KQL query to find out if email users are forwarding internally or externally. Any he...
Clive_Watson
Mar 07, 2022Bronze Contributor
There is an example here
https://github.com/Azure/Azure-Sentinel/blob/679cda26617a106a85eb51d76c5bbbc86c7f45b5/Hunting%20Queries/OfficeActivity/OfficeMailForwarding_hunting.yaml
ismylaw
Mar 07, 2022Copper Contributor
Thank you Clive for the response, and I did see the example. However, when I ran the query, it is not fetching any data. I know for sure that two rules were created on 03/02 by two users, based on the below alert.
An informational alert has been triggered
⚠ Creation of forwarding/redirect rule
Severity: ● Informational
Time: 3/2/2022 3:15:00 PM (UTC)
Activity: MailRedirect
User: Email address removed
Details: MailRedirect. This alert is triggered whenever someone gets access to read your user's email.
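An added example of the kind of query the thread is asking for, written here for illustration; it is not the Azure-Sentinel repository's hunting query and not code posted by either participant. It looks for mailbox-level and inbox-rule forwarding in OfficeActivity and labels each target as internal or external. It assumes the Office 365 data connector is delivering Exchange audit records into the workspace, that the tenant's accepted domains are listed in internalDomains (contoso.com is a placeholder), and that the forwarding settings arrive as Name/Value pairs in the Parameters column, as they do for the Exchange cmdlet audit operations Set-Mailbox, New-InboxRule and Set-InboxRule:

```kql
// Added example; not the Azure-Sentinel repository's hunting query.
// Sanity check to run first, as its own query: if it returns no rows, the
// workspace is not receiving Exchange audit data for the period, and no
// forwarding query can match, however it is written:
//   OfficeActivity
//   | where TimeGenerated >= ago(7d) and OfficeWorkload =~ "Exchange"
//   | summarize count() by Operation
let lookback = 30d;
// Assumed placeholder: replace with the tenant's accepted domains.
let internalDomains = dynamic(["contoso.com"]);
// Parameter names Exchange writes when mailbox- or rule-level forwarding is set.
let forwardParams = dynamic(["ForwardingSmtpAddress", "ForwardingAddress",
                             "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]);
OfficeActivity
| where TimeGenerated >= ago(lookback)
| where OfficeWorkload =~ "Exchange"
| where Operation in~ ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where Parameters has_any (forwardParams)
// Parameters is a JSON array of {Name, Value}; expand it to one element per row.
| extend param = parse_json(Parameters)
| mv-expand param
| extend ParamName = tostring(param.Name), ParamValue = tostring(param.Value)
| where ParamName in~ (forwardParams)
// Drop the "smtp:" prefix Exchange prepends to some addresses, then split
// multi-valued rule targets (";"-separated) into one row per recipient.
| extend ParamValue = replace_regex(ParamValue, @"(?i)^smtp:", "")
| mv-expand Target = split(ParamValue, ";") to typeof(string)
| extend Target = trim(@"\s", Target)
| where isnotempty(Target)
| extend TargetDomain = tolower(tostring(split(Target, "@")[1]))
| extend Direction = case(
    isempty(TargetDomain), "unknown (not an SMTP address, e.g. a mailbox object name)",
    TargetDomain in (internalDomains), "internal",
    "external")
| project TimeGenerated, UserId, Operation, ParamName, Target, Direction, ClientIP, ResultStatus
| order by TimeGenerated desc
```

Run the commented sanity check before the main query: an empty result from a forwarding query most often means the Exchange audit feed is not arriving in the workspace for that window, not that no rules exist. One further caveat: rules created from the Outlook desktop client are recorded under the mailbox-audit operation UpdateInboxRules, whose Parameters layout differs from the cmdlet operations above, so a query limited to New-InboxRule and Set-InboxRule will not see them.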