Splunk® Intelligence Management (Legacy)

User Guide

Automatically forward emails to a specific enclave

This document explains how to enable automated email forwarding to the email inbox of a specified Enclave.

This procedure is useful when you have automated alerts set up in your inbox and want to automatically submit such alerts as a report to your Splunk Intelligence Management enclave.

Set up automatic forwarding in Microsoft Outlook (Office 365)

  1. At the top of the page, select Settings > View All Outlook settings.
  2. Select Mail > Forwarding.
  3. Select Enable forwarding.
  4. Enter the email address for the enclave inbox and select Save.
  5. Select the Keep a copy of forwarded messages checkbox if you want a copy of the original message to remain in your mailbox.

When using Outlook, certain Splunk Intelligence Management features, such as Phishing Triage, require that emails be submitted as attachments. This preserves crucial information, such as source IP address, original sender address and header information, and all observables in the original email. (Forwarding emails directly to Splunk Intelligence Management only includes the spoofed email address information.)

You can set up Outlook to automatically forward emails as attachments by following these steps:

  1. Go to the File tab and select Options.
  2. Select the Mail category.
  3. In the Replies and forwards section, select the When forwarding a message dropdown arrow and then choose Attach original message.
  4. Select OK.
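
The difference described above between forwarding inline and forwarding as an attachment, shown with Python's standard email package. This is an added example, not Splunk code; the sample message, all addresses, and the function names forward and original_headers are constructed for illustration.

```python
import re
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a suspicious message as it arrived in the user's mailbox.
ORIGINAL = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received: from mailer.example.net (mailer.example.net [203.0.113.45])\n"
    " by mx.corp.example; Tue, 05 Apr 2022 10:15:00 +0000\n"
    "From: IT Support <it-support@corp.example>\n"
    "To: user@corp.example\n"
    "Subject: Password expiry notice\n"
    "\n"
    "Your password expires today. Visit http://login.example.net/reset\n"
)

def forward(original_text, as_attachment):
    """Build the message the enclave inbox receives (hypothetical addresses)."""
    original = message_from_string(original_text, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = "user@corp.example"
    fwd["To"] = "enclave-inbox@example.invalid"  # placeholder enclave address
    fwd["Subject"] = "FW: " + original["Subject"]
    if as_attachment:
        fwd.set_content("See attached message.")
        fwd.add_attachment(original)  # becomes a message/rfc822 part
    else:
        # Inline forward: only the displayed From and the body text are quoted.
        fwd.set_content(f"From: {original['From']}\n\n{original.get_content()}")
    return message_from_bytes(fwd.as_bytes(), policy=policy.default)

def original_headers(received_msg):
    """Return transport headers of the embedded original, or None if absent."""
    for part in received_msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            hops = inner.get_all("Received", [])
            ips = [ip for h in hops for ip in re.findall(r"\[([0-9.]+)\]", str(h))]
            return {"from": str(inner["From"]), "return_path": str(inner["Return-Path"]),
                    "source_ips": ips}
    return None

if __name__ == "__main__":
    print("attachment:", original_headers(forward(ORIGINAL, True)))
    print("inline:    ", original_headers(forward(ORIGINAL, False)))
```
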

Read Turn on automatic forwarding in Outlook on the web in the Microsoft documentation for more information.

Set up automatic forwarding in Gmail

You can only forward messages for a single-user Gmail address, not for an email group or alias.

  1. In the top right of the Gmail window, click Settings (gear icon) and then select Settings on the dropdown menu.
  2. Click the Forwarding and POP/IMAP tab to display the Forwarding settings.
  3. Click Add a forwarding address.
  4. Enter the email address of the Enclave inbox and click Next.
  5. On the confirmation popup, click Proceed, then click OK on the Add a forwarding address popup. This sends a verification email to that address.
  6. Check the Enclave inbox in Splunk Intelligence Management for a verification email. You can either copy the confirmation code in the email and paste it into the text box in the Gmail/Forwarding... section or copy the link provided in the email and paste it into a new browser window. This completes the verification of the forwarding address. If the Enclave Inbox filters on Accepted Sender Emails, you must add forwarding-noreply@google.com to that list in order to receive the verification email.
  7. Go back to the settings page for the Gmail account and refresh your browser.
  8. In Gmail, return to the Settings -> Forwarding and POP/IMAP tab.
  9. Select Forward a copy of incoming mail to.
  10. Choose what you want to happen with the Gmail copy of your emails. Splunk Intelligence Management recommends keeping a copy in your inbox (Keep Gmail's copy in the inbox).
  11. Click Save Changes.
Last modified on 21 April, 2022

This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current
