Splunk Lantern

Mail server data

 

Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Due to their size and tendency to grow without bounds, email data management typically requires both data retention and archival policies so that only important records are held and inactive data is moved to low cost storage. 

Mail server transaction and error logs are also essential debugging tools for IT problem resolution, and they may be used for usage-based billing. For security monitoring, mail server data can help identify malicious attachments, malicious domain links and redirects, emails from known malicious domains, and emails from unknown domains. It can also be used to identify emails with abnormal or excessive message sizes and email activity at abnormal times. In the Common Information Model (CIM), mail server data is typically mapped to the Email data model.
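The following is an added example, not code from Splunk Lantern or from the Splunk platform, showing the detection logic the paragraph above describes applied to a handful of mail server log lines. The log lines and their key=value layout are constructed for this example and do not reproduce any particular MTA's format; the reference lists (known-malicious domains, known-good domains, suspicious attachment extensions), the size threshold, and the business-hours window are assumptions chosen for illustration. The normalized field names (src_user, src_user_domain, recipient, recipient_domain, size, file_name) follow the naming conventions of the CIM Email data model so that the same checks translate directly into searches against that data model in Splunk.

```python
"""Detection checks over constructed mail server log lines, normalized to
CIM Email data model style field names (added example, not Splunk code)."""
from datetime import datetime, timezone

# Constructed sample log lines (hypothetical key=value format, UTC timestamps).
SAMPLE_LOGS = """\
2024-03-04T09:12:03Z from=alice@corp.example to=bob@corp.example size=18234 attachment=agenda.pdf
2024-03-04T02:41:55Z from=billing@invoice-notices.example to=carol@corp.example size=61000 attachment=invoice.pdf.exe
2024-03-04T14:05:10Z from=dave@partner.example to=alice@corp.example size=73400320 attachment=dataset.zip
2024-03-04T11:20:44Z from=support@known-bad.example to=erin@corp.example size=4096 attachment=-
2024-03-04T16:30:00Z from=frank@corp.example to=grace@partner.example size=2048 attachment=-
"""

# Assumed reference data and thresholds (hypothetical; tune to your environment).
KNOWN_MALICIOUS_DOMAINS = {"known-bad.example"}
KNOWN_DOMAINS = {"corp.example", "partner.example"}
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat")
MAX_SIZE_BYTES = 25 * 1024 * 1024      # messages larger than this are flagged
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC counts as normal activity


def parse_line(line):
    """Map one constructed log line onto CIM Email style fields."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    src_user = fields["from"]
    recipient = fields["to"]
    attachment = fields.get("attachment", "-")
    return {
        "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src_user": src_user,
        "src_user_domain": src_user.rsplit("@", 1)[1].lower(),
        "recipient": recipient,
        "recipient_domain": recipient.rsplit("@", 1)[1].lower(),
        "size": int(fields["size"]),
        "file_name": None if attachment == "-" else attachment,
    }


def detect(event):
    """Return the list of detection names that fire for one normalized event."""
    findings = []
    name = event["file_name"]
    if name and name.lower().endswith(SUSPICIOUS_EXTENSIONS):
        findings.append("suspicious_attachment")
    # Known-bad takes precedence over "unknown"; a domain is either listed bad,
    # listed good, or unknown.
    if event["src_user_domain"] in KNOWN_MALICIOUS_DOMAINS:
        findings.append("known_malicious_domain")
    elif event["src_user_domain"] not in KNOWN_DOMAINS:
        findings.append("unknown_sender_domain")
    if event["size"] > MAX_SIZE_BYTES:
        findings.append("excessive_size")
    if event["_time"].hour not in BUSINESS_HOURS:
        findings.append("off_hours_activity")
    return findings


def run(log_text=SAMPLE_LOGS):
    """Parse every line and return (src_user, findings) for events that fired."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        findings = detect(event)
        if findings:
            flagged.append((event["src_user"], findings))
    return flagged


if __name__ == "__main__":
    for src_user, findings in run():
        print(src_user, findings)
```

Of the five constructed lines, three fire: the off-hours message from an unknown domain carrying a double-extension attachment, the oversized transfer from a known partner, and the message from the listed malicious domain. The two routine internal messages produce no findings, which is the property to check when tuning thresholds so the detection stays useful rather than noisy.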

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for the Splunk platform

Use cases for Splunk security products

Explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with mail server data.