Overview Monitoring outbound (egress) mail using Splunk isn’t as straightforward as you might think. I’ve put together a search string that will help identify egress email from an Ubuntu server.
Domain and Records Before you start anything, you need a domain. If you don’t have one, purchase one. Because it takes time for DNS records to propagate, you need to start this process first. You will need to create A records for the domain; I created the following: @, www, mail, smtp, imap, webmail. I have…
As part of your security auditing, especially if the server is exposed to the internet, you should have an email sent to you whenever a user opens a shell on the server. If you are not expecting a login event, this gives you a clear indication that the server may have been compromised….
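One way to implement the login alert described above, as an added example that is not code from the original post: a small POSIX sh script run by pam_exec from the sshd PAM stack, which builds an alert message from the variables pam_exec exports (PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE) and hands it to a local MTA. The install path /usr/local/sbin/ssh-login-alert, the recipient address, and the optional EXPECTED_RHOSTS list (which tags logins from source addresses you were not expecting, going slightly beyond the post) are assumptions; it also assumes a working /usr/sbin/sendmail on the box.

```shell
#!/bin/sh
# Added example (not the post's own code). Assumed install path:
#   /usr/local/sbin/ssh-login-alert
# Wired in with one line in /etc/pam.d/sshd (standard pam_exec usage):
#   session optional pam_exec.so /usr/local/sbin/ssh-login-alert

ALERT_TO="${ALERT_TO:-security@example.com}"     # assumed recipient
EXPECTED_RHOSTS="${EXPECTED_RHOSTS:-}"            # assumed: space-separated known source IPs

# Return 0 when the source address is in the list of expected hosts.
is_expected() {
    for h in $EXPECTED_RHOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Build the full RFC 822 message on stdout. Takes explicit arguments rather
# than reading the PAM_* variables directly so it can be exercised without a
# live PAM session. Returns 1 (and prints nothing) for anything other than
# a session open, so logouts do not generate mail.
build_alert() {
    pam_type="$1"; user="$2"; rhost="$3"; service="$4"; host="$5"; when="$6"
    [ "$pam_type" = "open_session" ] || return 1
    src="${rhost:-unknown}"
    if is_expected "$src"; then tag="[LOGIN]"; else tag="[UNEXPECTED LOGIN]"; fi
    printf 'To: %s\n' "$ALERT_TO"
    printf 'Subject: %s %s on %s from %s via %s\n\n' "$tag" "$user" "$host" "$src" "$service"
    printf 'User:    %s\nFrom:    %s\nService: %s\nHost:    %s\nTime:    %s\n' \
        "$user" "$src" "$service" "$host" "$when"
}

main() {
    msg=$(build_alert "${PAM_TYPE:-}" "${PAM_USER:-}" "${PAM_RHOST:-}" \
                      "${PAM_SERVICE:-}" "$(hostname)" "$(date -u +%FT%TZ)") || return 0
    # sendmail -t takes the recipient from the To: header we wrote above.
    printf '%s\n' "$msg" | /usr/sbin/sendmail -t
}

# Only act when invoked by PAM; pam_exec sets PAM_TYPE for every call.
if [ -n "${PAM_TYPE:-}" ]; then main; fi
```

Because pam_exec runs the hook on both session open and close, the PAM_TYPE check matters: without it every logout would also mail you. The script is marked `optional` in the PAM line so that a broken MTA can never lock you out of SSH.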