Made Office Mailbox Forwarding Parser a Function

Functions/OfficeMailForwardingParser.txt

@@ -0,0 +1,52 @@
+// KQL Office 365 Mailbox Forwarding Rule Creation Activity Parser Function
+// Last Updated Date: June 20, 2019
+//
+// Description:
+// This parser takes all Office 365 Activity data from the last 30 days, looks for entries that indicate the creation of a
+// new mailbox forwarding or redirect rule being created and then parses out relevent fields including:
+//      Email_Forwarded_To - the email address the maibox rule is fowarding
+//      RuleName - The name assigned to the mailbox rule when it was created
+//      RuleParameters - The first parameter set in the rule to decide if an email should be forwarded 
+//            (further parameters are not parsed to aid readability)
+//      Creating_User - The Office 365 User who created the rule
+//
+// Parser Notes:
+// This parser attempts to identity the correct element for each field parsed, however mailbox rules with a large number of parameters 
+// may not parse correctly. If you see 'Check Parameters' in the field value project the Parameters field and expand the JSON to find 
+// the correct value
+//
+// Usage Instruction : 
+// Either run this parser as a stand alone query within Azure Sentinel or save it as a KQL function for later use. Further details pm
+// functions can be found here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
+//
+//
+OfficeActivity
+    | where TimeGenerated >= ago(30d)
+    | where Operation == 'New-InboxRule'
+    | extend details = parse_json(Parameters)
+    | where details contains 'ForwardTo' or details contains 'RedirectTo'
+    | extend ForwardTo = iif(details[0].Name contains 'ForwardTo', details[0].Value,
+        iif(details[1].Name contains 'ForwardTo', details[1].Value, 
+            iif(details[2].Name contains 'ForwardTo', details[2].Value,  
+                iif(details[3].Name contains 'ForwardTo', details[3].Value, 
+                    iif(details[4].Name contains 'ForwardTo', details[4].Value,
+                        '')))))
+    | extend RedirectTo = iif(details[0].Name contains 'RedirectTo', details[0].Value,
+        iif(details[1].Name contains 'RedirectTo', details[1].Value,
+            iif(details[2].Name contains 'RedirectTo', details[2].Value,
+                iif(details[3].Name contains 'RedirectTo', details[3].Value,
+                    iif(details[4].Name contains 'RedirectTo', details[4].Value,
+                        '')))))
+    | extend RuleName = iif(details[3].Name contains 'Name', details[3].Value,
+         iif(details[4].Name contains 'Name', details[4].Value,
+            iif(details[5].Name contains 'name', details[5].Value,
+                'Check Parameters')))
+    | extend RuleParameters = iif(details[2].Name != 'ForwardTo' and  details[2].Name != 'RedirectTo', 
+        strcat(tostring(details[2].Name), '-', tostring(details[2].Value)),
+        iif(details[3].Name != 'ForwardTo' and  details[3].Name != 'RedirectTo' and details[3].Name != 'Name',
+            strcat(tostring(details[3].Name), '-', tostring(details[3].Value)), 
+                iff(details[4].Name != 'ForwardTo' and details[4].Name != 'RedirectTo' and details[4].Name != 'Name' and details[4].Name != 'StopProcessingRules',
+                strcat(tostring(details[4].Name), '-', tostring(details[4].Value)),
+                'All Mail')))
+    | project TimeGenerated, Operation, RuleName, RuleParameters, iif(details contains 'ForwardTo', ForwardTo, RedirectTo), ClientIP, UserId, details
+    | project-rename Email_Forwarded_To = Column1, Creating_User = UserId