Detecting Attachments in Microsoft Exchange Server 2013

One of the common recurring themes I get is how to detect attachments and log those attachments in Splunk. Let me get the obvious piece of this out of the way first – you cannot log the attachment names or contents without a Transport Agent. This is a special piece of code that is deployed on all your Exchange Servers that intercepts the messages as they go through the system and does something to them. You will normally see a transport agent deployed for anti-virus scanning, for example.

However, logging the fact that there is an attachment is relatively easy. You can create a Transport Rule to log a message when attachments are created. To create the rule, you need to log into the Exchange Control Panel (ECP) using the path https://your-exchange-server/ecp. Follow this process:

1. Browse to Mail Flow, then Rules
2. Click on the + sign to create a new rule
3. Fill in the relevant information. I like:
   • Predicate: When the attachment size is greater than or equal to 10Kb
   • Action: Add a Message Header “X-Attachment” value “yes”
4. Check the box next to Audit and select a Level
5. Select Test and send notifications (near the bottom)
6. Click on Save

In small environments, this rule will propagate quickly. However, the larger the environment, the slower the process; bear this in mind – I’ve seen some systems take up to 24 hours to propagate a change. I’ve picked a value for attachment size of 10Kb because a lot of organizations like to add a graphic as a signature. This graphic is technically an attachment.

Now that your rule is in place, how can you tell? The logging is done in the Message Tracking logs and looks like this:

2013-11-22T17:11:42.270Z,,EX-MBX01,,,,,AGENT,AGENTINFO,9543417331719,,b692227ef81649f5083608d0b5bd0c4f,a-ahall@bd.splunk.com,,19574,1,,,test-attachment,ahall@testlab.local,whayes@testlab.local,,Undefined,,,,S:AMA=SUM|v=0|action=|error=|atch=1;S:AMA=EV|engine=M|v=0|sig=1.163.371.0|name=|file=;S:TRA=ETR|ruleId=ff1d0524-bcae-4c75-9dd1-3b56728aa029|st=11/22/2013 4:57:23 PM|action=SetAuditSeverity|action=SetHeader|sev=3|mode=AuditAndNotify

If you are using the Splunk App for Exchange, then this is decoded for you. In particular, you can see that some things are actually decoded automatically for you. The ruleId is a GUID that identifies your rule. You can get this with the Get-TransportRule cmdlet. You can also see the action (SetHeader in our case), severity (1 is low, 2 is medium and 3 is high). In the extractions within the Splunk App for Exchange you can get the sender, recipients and subject fields. To get a list of people who have sent attachments you can do the following search:

sourcetype=MSExchange:*:MessageTracking ruleId="ff1d0524-bcae-4c75-9dd1-3b56728aa029"|table _time,sender,recipients,subject,total_bytes

Replace the ruleId with the ruleId of the transport rule that you have created and you have your report. Who sends the most attachments?

sourcetype=MSExchange:*:MessageTracking ruleId="ff1d0524-bcae-4c75-9dd1-3b56728aa029"|top sender

Given the flexibility of Transport Rules, this makes the possibilities of reporting endless.

If you are running Exchange Server 2007 or 2010, things are a little different, and I’ll cover them in a different blog post.