IDR - Log Search for Email

I am looking for a log search query based on the O365 log source that will help identify the number of emails sent outside of the organization's email domain. For example, emails sent from corporate email to a personal email account or to outside email domains.

I don’t believe the email data is included in the O365 log source (except for emails that have been detected as part of a malicious email by Defender). If you have ICON, you can use the Defender Hunting plugin and build your query to retrieve that information.

Hey, I just checked that, and it's not possible, just creating, for example, forwarding rules to external addresses… Maybe this helps.

Are you able to do Hunt Queries in Office 365 Threat Hunts with KQL?

Personally, we forward Defender XDR Advanced Hunting logs to InsightIDR and use that data. I hesitate to recommend this because we have had possible issues with all of the advanced hunting logs being available, but this is the most legible and full email data I've found that I could feed into IDR.

What did you use to send the data to IDR?
InsightConnect query using the advanced hunting plugin or fully custom?

We're using the Streaming API function in Defender XDR to forward to an event hub (since they removed functionality for other APIs) and then have a Microsoft Azure Cloud Service event source configured in InsightIDR that points to that event hub.

It's a similar setup to other SIEMs; they just don't list InsightIDR specifically: Integrate your SIEM tools with Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn.
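For anyone landing here with the same question, below is an added example of the Advanced Hunting (KQL) query the thread is circling around. It is not from any poster in this thread or from Rapid7; it is written against the Defender XDR `EmailEvents` table, which is what the Defender Hunting plugin in InsightConnect queries and what the Streaming API forwards to the event hub. The domain list `contoso.com` and the 7-day window are assumptions to replace with your own tenant's domains and lookback.

```kql
// Outbound mail to domains outside the organisation, summarised per sender.
// Assumption: replace "contoso.com" with every accepted domain in the tenant.
let InternalDomains = dynamic(["contoso.com"]);
EmailEvents
| where Timestamp > ago(7d)                       // assumed lookback window
| where EmailDirection == "Outbound"              // excludes Inbound and Intra-org
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| where isnotempty(RecipientDomain)
| where RecipientDomain !in~ (InternalDomains)    // case-insensitive "not in"
| summarize
    EmailsSent   = count(),
    Recipients   = dcount(RecipientEmailAddress),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp)
    by SenderFromAddress, RecipientDomain
| order by EmailsSent desc
```

Two caveats worth knowing before relying on this: `EmailEvents` is populated by Defender for Office 365, so tenants without that licence will get no rows at all (which matches the earlier observation that the plain O365 log source does not carry per-message data), and the Advanced Hunting portal only retains 30 days, so if you need a longer baseline for "how much normally leaves the org", the event hub forwarding described above is the way to keep the `EmailEvents` rows in InsightIDR.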