[OFFICE 365 - EXCHANGE] Monitor in/out mails senders


Hello,

 

I am currently trying to establish statistics regarding the email activities on Office 365.

I spent some time trying to figure out how to access the sender / receiver email or account (and other related data). I didn't find anything conclusive within the OfficeActivity logs.

 

Did you try to achieve this?

Thank you for your answer.

9 Replies

@ClementBonnet Have you looked at the Office 365 Workbook?  It may not be 100% what you are looking for but it should give you a hint of how to get what you want if it doesn't.

@Gary Bushey Thanks for your answer!
I did look at the Office 365 Workbook, but didn't find anything regarding email data. There is only information on the mailbox.

I wonder if sender/receiver (and other data) are actually transmitted from Office 365 to Sentinel through the Office 365 connector. I am trying to figure out how to do this.

@Gary Bushey Thank you for your answer. I'm also interested. I think what we would like is to collect Message Trace data from Microsoft Office 365, including the following:
Sender
Recipient
Subject
To IP Address
From IP Address
Size
Date Received

 

Regards

@thotho: supporting email flow logs is on our roadmap. We hope to address your need soon.

@Ofer_Shezaf 

 

Would be very nice to get Email Message Header information as part of this data.

I'm specifically interested in getting the X-Forefront-Antispam-Report header, so that it's possible to analyze email spam.

 

Do you have any timeframe on when this exchange online email connector can be available? Q1 2020? Q2 2020? This year? Next year?

 

Br. Rune

@ClementBonnet That information is not captured in Sentinel.  Not sure if it would be in the Security Graph or not but you can check that as well.

@Ofer_Shezaf, what's the status of this roadmap item? Is there a public ID we can follow? We need to see message tracking in Sentinel.

@Ofer_Shezaf a year later, any progress?

Hello @Heiko Fuhrmann 

 

Have you seen the methods here? Especially the "Update 3rd June 2020" solution.

 

Office 365 Email Activity and Data Exfiltration Detection - Microsoft Tech Community

 

Thanks