53 строки
3.5 KiB
Plaintext
53 строки
3.5 KiB
Plaintext
// KQL Office 365 Mailbox Forwarding Rule Creation Activity Parser Function
|
|
// Last Updated Date: June 20, 2019
|
|
//
|
|
// Description:
|
|
// This parser takes all Office 365 Activity data from the last 30 days, looks for entries that indicate the creation of a
|
|
// new mailbox forwarding or redirect rule being created and then parses out relevent fields including:
|
|
// Email_Forwarded_To - the email address the maibox rule is fowarding
|
|
// RuleName - The name assigned to the mailbox rule when it was created
|
|
// RuleParameters - The first parameter set in the rule to decide if an email should be forwarded
|
|
// (further parameters are not parsed to aid readability)
|
|
// Creating_User - The Office 365 User who created the rule
|
|
//
|
|
// Parser Notes:
|
|
// This parser attempts to identity the correct element for each field parsed, however mailbox rules with a large number of parameters
|
|
// may not parse correctly. If you see 'Check Parameters' in the field value project the Parameters field and expand the JSON to find
|
|
// the correct value
|
|
//
|
|
// Usage Instruction :
|
|
// Either run this parser as a stand alone query within Azure Sentinel or save it as a KQL function for later use. Further details on
|
|
// functions can be found here: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
|
|
// If running as a stand alone qeury consider adding customised time range to the query at run time.
|
|
//
|
|
//
|
|
OfficeActivity
|
|
| where Operation == 'New-InboxRule'
|
|
| extend details = parse_json(Parameters)
|
|
| where details contains 'ForwardTo' or details contains 'RedirectTo'
|
|
| extend ForwardTo = iif(details[0].Name contains 'ForwardTo', details[0].Value,
|
|
iif(details[1].Name contains 'ForwardTo', details[1].Value,
|
|
iif(details[2].Name contains 'ForwardTo', details[2].Value,
|
|
iif(details[3].Name contains 'ForwardTo', details[3].Value,
|
|
iif(details[4].Name contains 'ForwardTo', details[4].Value,
|
|
'')))))
|
|
| extend RedirectTo = iif(details[0].Name contains 'RedirectTo', details[0].Value,
|
|
iif(details[1].Name contains 'RedirectTo', details[1].Value,
|
|
iif(details[2].Name contains 'RedirectTo', details[2].Value,
|
|
iif(details[3].Name contains 'RedirectTo', details[3].Value,
|
|
iif(details[4].Name contains 'RedirectTo', details[4].Value,
|
|
'')))))
|
|
| extend RuleName = iif(details[3].Name contains 'Name', details[3].Value,
|
|
iif(details[4].Name contains 'Name', details[4].Value,
|
|
iif(details[5].Name contains 'name', details[5].Value,
|
|
'Check Parameters')))
|
|
| extend RuleParameters = iif(details[2].Name != 'ForwardTo' and details[2].Name != 'RedirectTo',
|
|
strcat(tostring(details[2].Name), '-', tostring(details[2].Value)),
|
|
iif(details[3].Name != 'ForwardTo' and details[3].Name != 'RedirectTo' and details[3].Name != 'Name',
|
|
strcat(tostring(details[3].Name), '-', tostring(details[3].Value)),
|
|
iff(details[4].Name != 'ForwardTo' and details[4].Name != 'RedirectTo' and details[4].Name != 'Name' and details[4].Name != 'StopProcessingRules',
|
|
strcat(tostring(details[4].Name), '-', tostring(details[4].Value)),
|
|
'All Mail')))
|
|
| project TimeGenerated, Operation, RuleName, RuleParameters, iif(details contains 'ForwardTo', ForwardTo, RedirectTo), ClientIP, UserId, details
|
|
| project-rename Email_Forwarded_To = Column1, Creating_User = UserId
|