- Product: Splunk Enterprise or Splunk Cloud Platform
- Feature: Search
- Function: Exchange message trace
Your users report receiving a large number of phishing emails lately. You want to gather information about these messages so that you can create better filters on your network.
To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="ms:o365:reporting:messagetrace" | stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress

| Search step | Explanation |
|---|---|
| `sourcetype="ms:o365:reporting:messagetrace"` | Search only Office 365 message trace events (the sourcetype written by the Splunk Add-on for Microsoft Office 365). |
| `\| stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress` | For each recipient address, return the distinct sending IPs, sender addresses, message sizes, and subjects seen across that recipient's messages. |

Conclusion
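The base search above groups by recipient, which is useful for seeing what one mailbox received. When the goal is to build filters, the more actionable pivot is the other way round: which sending IPs and sender domains are fanning out across many recipients in the reporting window. The following search is an added example, not part of the original page, that builds on the same sourcetype and fields; the index name `o365` and the 7-day window are assumptions you should replace with your own, and the threshold of five distinct recipients is an arbitrary starting point for tuning.

```spl
index=o365 sourcetype="ms:o365:reporting:messagetrace" earliest=-7d@d latest=now
| eval sender_domain=lower(mvindex(split(SenderAddress,"@"),1))
| stats dc(RecipientAddress) AS recipients, count AS messages,
        VALUES(SenderAddress) AS senders, VALUES(Subject) AS subjects, VALUES(Size) AS sizes
  BY FromIP, sender_domain
| where recipients >= 5
| sort - recipients, - messages
```

`sender_domain` is derived here from `SenderAddress`, so it reflects the envelope sender the trace recorded, not the display name a user sees in the client; a campaign that rotates local parts but keeps one domain or one `FromIP` collapses into a single row, which is exactly the unit you would block or route to a quarantine policy. Inspect the `subjects` and `sizes` columns before filtering on them, since legitimate bulk senders (newsletters, ticketing systems) produce the same fan-out pattern.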
These additional Splunk resources might help you understand and implement these recommendations: