Microsoft Exchange Message Tracking
Exchange Server 2019 message tracking — SMTP receive/send, mailbox delivery, transport routing, shadow redundancy, anti-spam filtering, distribution group expansion, and delivery failure DSNs.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/email-exchange/generator.yml \
  --id exch \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| RECEIVE | Message received (SMTP/mailbox) | ~26% | |
| DELIVER | Message delivered to mailbox | ~24% | |
| SEND | Message sent between transport services | ~12% | |
| SUBMIT | Submitted from Mailbox to Transport | ~10% | |
| HAREDIRECT | Shadow redundancy copy created | ~7% | |
| AGENTINFO | Anti-spam verdicts, transport rules | ~6% | |
| NOTIFYMAPI | Message detected in Outbox via MAPI | ~5% | |
| RESOLVE | Recipient resolved via Active Directory | ~2% | |
| HADISCARD | Shadow message discarded | ~2% | |
| EXPAND | Distribution group expanded | ~2% | |
| DEFER | Delivery temporarily delayed | ~1% | |
| TRANSFER | Message forked (content conversion) | ~1% | |
| FAIL | Permanent delivery failure | ~0.5% | |
| DSN | Delivery Status Notification (bounce) | ~0.5% | |
| REDIRECT | Message redirected to alternate recipient | ~0.3% | |
| DROP | Message silently dropped (spam/policy) | ~0.3% | |
Realism Features
- Cross-template message correlation — RECEIVE pushes message context; downstream events consume from pool
- Lognormal message sizes — realistic right-skewed distribution (most 2–75 KB, some up to 25 MB)
- Anti-spam verdicts — SCL, SFV, IPV, BCL, and country code fields with weighted distributions
- Distribution group expansion — EXPAND events reference real group names with member counts
- Categorized email subjects — business, automated, newsletter, spam, phishing with weighted selection
- DSN correlation — bounce events reference original message-id with empty return-path
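Added example, not part of the content pack or of eventum: a small Python consumer for the generated NDJSON that uses the correlation described above to rebuild each message's lifecycle and then applies three checks an analyst would run over real message-tracking data: messages stamped with a high SCL that were still delivered to a mailbox, RECEIVEd messages that never reached a terminal event, and DSNs that break the genuine-bounce pattern (an original message-id this server never received, or a non-empty return-path). Field names beyond those in the Sample Output section are assumptions: `email.message_id` (the ECS field), and `scl` and `related_message_id` under `microsoft_exchange.messagetracking`. The sample events are constructed inline, in the shape of the generator's sample output.

```python
"""Lifecycle and verdict checks over Exchange message-tracking events in ECS JSON.

Added example, not the generator's own code. Assumed field names:
email.message_id, microsoft_exchange.messagetracking.scl,
microsoft_exchange.messagetracking.related_message_id.
"""
import json
from collections import defaultdict

# Last transport action this server records for a message; anything RECEIVEd
# that never reaches one of these within the window is worth a look.
TERMINAL = {"DELIVER", "FAIL", "DROP", "SEND", "REDIRECT"}
MT = "microsoft_exchange.messagetracking."

# Constructed sample events (NDJSON, one ECS document per line), not generator output.
SAMPLE_NDJSON = """\
{"@timestamp":"2026-02-22T17:06:16+00:00","event":{"action":"receive"},"email":{"message_id":"<m1@partner-corp.com>","from":{"address":["jdoe@partner-corp.com"]},"to":{"address":["d.brown@contoso.com"]},"subject":"MFA enrollment reminder"},"microsoft_exchange":{"messagetracking":{"event_id":"RECEIVE","source":"SMTP","directionality":"Incoming"}}}
{"@timestamp":"2026-02-22T17:06:17+00:00","event":{"action":"agentinfo"},"email":{"message_id":"<m1@partner-corp.com>"},"microsoft_exchange":{"messagetracking":{"event_id":"AGENTINFO","source":"AGENT","scl":7}}}
{"@timestamp":"2026-02-22T17:06:18+00:00","event":{"action":"deliver"},"email":{"message_id":"<m1@partner-corp.com>"},"microsoft_exchange":{"messagetracking":{"event_id":"DELIVER","source":"STOREDRIVER"}}}
{"@timestamp":"2026-02-22T17:07:00+00:00","event":{"action":"receive"},"email":{"message_id":"<m2@contoso.com>","from":{"address":["a.smith@contoso.com"]},"to":{"address":["nobody@partner-corp.com"]}},"microsoft_exchange":{"messagetracking":{"event_id":"RECEIVE","source":"SMTP","directionality":"Originating"}}}
{"@timestamp":"2026-02-22T17:08:00+00:00","event":{"action":"fail"},"email":{"message_id":"<m2@contoso.com>"},"microsoft_exchange":{"messagetracking":{"event_id":"FAIL","source":"SMTP"}}}
{"@timestamp":"2026-02-22T17:09:00+00:00","event":{"action":"dsn"},"email":{"message_id":"<dsn1@contoso.com>","from":{"address":[""]},"to":{"address":["a.smith@contoso.com"]}},"microsoft_exchange":{"messagetracking":{"event_id":"DSN","source":"DSN","related_message_id":"<m2@contoso.com>"}}}
{"@timestamp":"2026-02-22T17:10:00+00:00","event":{"action":"dsn"},"email":{"message_id":"<dsn2@evil.example>","from":{"address":["bounce@evil.example"]},"to":{"address":["d.brown@contoso.com"]}},"microsoft_exchange":{"messagetracking":{"event_id":"DSN","source":"DSN","related_message_id":"<never-seen@contoso.com>"}}}
{"@timestamp":"2026-02-22T17:11:00+00:00","event":{"action":"receive"},"email":{"message_id":"<m3@partner-corp.com>","from":{"address":["news@partner-corp.com"]},"to":{"address":["d.brown@contoso.com"]}},"microsoft_exchange":{"messagetracking":{"event_id":"RECEIVE","source":"SMTP","directionality":"Incoming"}}}
"""


def field(event, path, default=None):
    """Walk a dotted path through nested dicts; return default if any step is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_events(ndjson):
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def build_lifecycles(events):
    """Group events by email.message_id, the key the RECEIVE template pushes for downstream events."""
    life = defaultdict(lambda: {"events": [], "scl": None, "received": False, "terminal": None})
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        mid = field(ev, "email.message_id")
        if mid is None:
            continue
        eid = field(ev, MT + "event_id")
        rec = life[mid]
        rec["events"].append(eid)
        if eid == "RECEIVE":
            rec["received"] = True
        if eid == "AGENTINFO" and field(ev, MT + "scl") is not None:
            rec["scl"] = field(ev, MT + "scl")  # anti-spam verdict stamped by the agent
        if eid in TERMINAL:
            rec["terminal"] = eid
    return dict(life)


def spam_delivered(lifecycles, threshold=5):
    """Messages at or above the SCL threshold that still reached a mailbox."""
    return sorted(mid for mid, r in lifecycles.items()
                  if r["scl"] is not None and r["scl"] >= threshold and r["terminal"] == "DELIVER")


def unfinished(lifecycles):
    """RECEIVEd messages with no terminal event: stuck in queue, still deferred, or a log gap."""
    return sorted(mid for mid, r in lifecycles.items() if r["received"] and r["terminal"] is None)


def dsn_anomalies(events, lifecycles):
    """Bounces that do not look like genuine DSNs: an original this server never RECEIVEd
    (backscatter), or a non-empty return-path (real NDRs use the null sender)."""
    findings = []
    for ev in events:
        if field(ev, MT + "event_id") != "DSN":
            continue
        mid = field(ev, "email.message_id")
        orig = field(ev, MT + "related_message_id")
        if orig not in lifecycles or not lifecycles[orig]["received"]:
            findings.append((mid, "unknown-original"))
        if any(addr for addr in field(ev, "email.from.address", [])):
            findings.append((mid, "nonempty-return-path"))
    return findings


def run(ndjson=SAMPLE_NDJSON):
    events = parse_events(ndjson)
    life = build_lifecycles(events)
    return {
        "spam_delivered": spam_delivered(life),
        "unfinished": unfinished(life),
        "dsn_anomalies": dsn_anomalies(events, life),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Against live generator output, pipe the NDJSON into `run()` in time windows (the DEFER share means a RECEIVE can legitimately sit without a terminal event for a while) and adjust the SCL threshold to the organization's junk-mail policy; the `unknown-original` check is only meaningful when the window covers the original message's RECEIVE.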
Sample Output
```json
{
  "@timestamp": "2026-02-22T17:06:16+00:00",
  "event": {
    "action": "receive",
    "category": ["email"],
    "dataset": "microsoft_exchange.messagetracking",
    "outcome": "success"
  },
  "email": {
    "direction": "inbound",
    "from": { "address": ["jdoe@partner-corp.com"] },
    "subject": "MFA enrollment reminder",
    "to": { "address": ["d.brown@contoso.com"] }
  },
  "microsoft_exchange": {
    "messagetracking": {
      "event_id": "RECEIVE",
      "source": "SMTP",
      "directionality": "Incoming"
    }
  },
  "observer": { "product": "Exchange Server", "vendor": "Microsoft" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | EXCH01 | Exchange server short name |
| domain | contoso.com | Organization domain |
| server_ip | 10.0.1.10 | Exchange server IP |
| dag_name | DAG01 | Database Availability Group name |
| agent_id | a1b2c3d4-... | Elastic Agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
Related Generators
Kaspersky Secure Mail Gateway
Kaspersky Secure Mail Gateway (KSMG) ScanLogic events — anti-virus, anti-spam, anti-phishing, content filtering, mail authentication (SPF/DKIM/DMARC), KATA integration, message backup, and scan failure events in ECS-compatible JSON.
Fortinet FortiMail
FortiMail email security gateway — mail statistics, SMTP protocol events, antispam verdict (clean/spam/phishing), antivirus scanning with quarantine actions, and system administration logs.
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.