Mail Redirect In Sentinel.


I'm new to Sentinel and I'm working on a project about email forwarding by users.

I need help writing a KQL query to find out if email users are forwarding internally, or externally.

Any help will be very helpful.

2 Replies
Thank you Clive for the response and I did see the example. However, when I ran the query, it is not fetching any data. I know for sure that two rules were created on 03/02 by two users. Based on the below alert.
An informational alert has been triggered

⚠ Creation of forwarding/redirect rule

Severity: ● Informational

Time: 3/2/2022 3:15:00 PM (UTC)

Activity: MailRedirect

User: Email address removed

Details: MailRedirect. This alert is triggered whenever someone gets access to read your user's email.
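One starting point for the query the thread asks for, added here as an illustration and not taken from this thread or from Microsoft's built-in analytic rules: it searches the Sentinel OfficeActivity table for Exchange operations that set a forwarding or redirect target and classifies the target domain as internal or external. The organization domains in OrgDomains are placeholders to replace with your own, and the query assumes the rules were logged as New-InboxRule, Set-InboxRule or Set-Mailbox; rules created from the Outlook desktop client are logged as UpdateInboxRules with a different parameter layout, which this query does not parse.

```kql
// Placeholder list of the tenant's own domains; anything else counts as external.
let OrgDomains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]);
OfficeActivity
| where TimeGenerated > ago(30d)
| where OfficeWorkload == "Exchange"
// Cmdlets that can create or change a forwarding / redirect target.
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Parameters is a JSON array of {Name, Value} pairs; expand one row per parameter.
| extend Params = parse_json(Parameters)
| mv-expand Param = Params
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
// Keep only the parameters that carry a forwarding or redirect destination.
| where ParamName in~ ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                       "ForwardingSmtpAddress", "ForwardingAddress")
| where isnotempty(ParamValue)
// Pull the domain out of the destination (handles "user@x.com" and "SMTP:user@x.com").
| extend TargetDomain = tolower(extract(@"@([A-Za-z0-9.\-]+)", 1, ParamValue))
| extend Direction = case(
      isempty(TargetDomain), "Unresolved (display name or group, review manually)",
      TargetDomain in (OrgDomains), "Internal",
      "External")
| project TimeGenerated, UserId, Operation, ParamName, ParamValue,
          TargetDomain, Direction, ClientIP
| order by TimeGenerated desc
```

Rows with an "Unresolved" direction are destinations stored as a display name or distribution group rather than an address, so they still need a manual look rather than being treated as internal.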