Query Details

DCA Detect Mailbox Forward

Query

//Use the Defender for Cloud Apps logs to detect when a mail forward is created on a mailbox (not an individual mailbox rule). Retrieve the address the mail was forwarded to and whether it is both stored and forwarded
//RawEventData.Parameters is an array of {Name, Value} objects. Positions [1] and [2] assume ForwardingSmtpAddress and DeliverToMailboxAndForward are the second and third parameters logged; the ForwardingSetting filter below drops events where that order differs, so those events are not returned

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| where ActionType == "Set-Mailbox"
| extend UserId = tostring(RawEventData.UserId)
| extend ForwardingSetting = tostring(parse_json(tostring(RawEventData.Parameters))[1].Name)
| extend ForwardingAddress = tostring(parse_json(tostring(RawEventData.Parameters))[1].Value)
| extend StoreandForward = tostring(parse_json(tostring(RawEventData.Parameters))[2].Name)
| extend ['Email Stored and Forwarded'] = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| where ForwardingSetting == "ForwardingSmtpAddress" and isnotempty(ForwardingAddress)
| extend ['Forwarding Email Address']=split(ForwardingAddress, ":")[-1]
| project-away ForwardingSetting, StoreandForward
| project
    TimeGenerated,
    UserId,
    IPAddress, 
    ['Forwarding Email Address'], 
    ['Email Stored and Forwarded']

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| where ActionType == "Set-Mailbox"
| extend UserId = tostring(RawEventData.UserId)
| extend ForwardingSetting = tostring(parse_json(tostring(RawEventData.Parameters))[1].Name)
| extend ForwardingAddress = tostring(parse_json(tostring(RawEventData.Parameters))[1].Value)
| extend StoreandForward = tostring(parse_json(tostring(RawEventData.Parameters))[2].Name)
| extend ['Email Stored and Forwarded'] = tostring(parse_json(tostring(RawEventData.Parameters))[2].Value)
| where ForwardingSetting == "ForwardingSmtpAddress" and isnotempty(ForwardingAddress)
| extend ['Forwarding Email Address']=split(ForwardingAddress, ":")[-1]
| project-away ForwardingSetting, StoreandForward
| project
    Timestamp,
    UserId,
    IPAddress, 
    ['Forwarding Email Address'], 
    ['Email Stored and Forwarded']

Explanation

This query uses the Defender for Cloud Apps logs to detect when a mail forward is created on a mailbox. It retrieves the address the mail was forwarded to and whether it is both stored and forwarded. The query filters the CloudAppEvents data based on the ActionType "Set-Mailbox" and extracts the necessary information from the RawEventData. It then formats and projects the relevant fields for analysis.
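The following Python re-implements the same detection logic over a handful of constructed CloudAppEvents records, so the shape of RawEventData.Parameters and the extraction of the forwarding address can be followed end to end offline. It is an added example and not part of the original query page or the author's work; the sample records, addresses and IPs are constructed, and it generalises the page's positional lookup by matching parameters by name, so a Set-Mailbox call whose arguments were logged in a different order is still caught.

```python
"""Added example: the page's KQL mailbox-forward detection, re-implemented in
Python over constructed sample CloudAppEvents records. Not the original page's
code; all events, addresses and IPs below are constructed for illustration."""
import json
from typing import Optional

# Constructed sample events in the shape the KQL query reads: ActionType,
# IPAddress, and a RawEventData object whose Parameters field is a
# JSON-encoded array of {"Name": ..., "Value": ...} objects.
SAMPLE_EVENTS = [
    {   # forwarding set, store-and-forward on, parameters in the order the KQL assumes
        "Timestamp": "2022-06-17T10:00:00Z",
        "ActionType": "Set-Mailbox",
        "IPAddress": "198.51.100.10",
        "RawEventData": {
            "UserId": "alice@example.com",
            "Parameters": json.dumps([
                {"Name": "Identity", "Value": "alice@example.com"},
                {"Name": "ForwardingSmtpAddress", "Value": "smtp:external@example.net"},
                {"Name": "DeliverToMailboxAndForward", "Value": "True"},
            ]),
        },
    },
    {   # same settings, but the parameters were logged in a different order
        "Timestamp": "2022-06-17T10:05:00Z",
        "ActionType": "Set-Mailbox",
        "IPAddress": "198.51.100.11",
        "RawEventData": {
            "UserId": "bob@example.com",
            "Parameters": json.dumps([
                {"Name": "Identity", "Value": "bob@example.com"},
                {"Name": "DeliverToMailboxAndForward", "Value": "False"},
                {"Name": "ForwardingSmtpAddress", "Value": "smtp:other@example.org"},
            ]),
        },
    },
    {   # forwarding being cleared: an empty value must not produce a finding
        "Timestamp": "2022-06-17T10:10:00Z",
        "ActionType": "Set-Mailbox",
        "IPAddress": "198.51.100.12",
        "RawEventData": {
            "UserId": "carol@example.com",
            "Parameters": json.dumps([
                {"Name": "Identity", "Value": "carol@example.com"},
                {"Name": "ForwardingSmtpAddress", "Value": ""},
            ]),
        },
    },
    {   # unrelated action type, dropped by the ActionType filter
        "Timestamp": "2022-06-17T10:15:00Z",
        "ActionType": "New-InboxRule",
        "IPAddress": "198.51.100.13",
        "RawEventData": {"UserId": "dave@example.com", "Parameters": "[]"},
    },
]


def parameters_by_name(raw_event_data: dict) -> dict:
    """Turn the Parameters array into a Name -> Value map.

    Looking parameters up by name rather than by array position makes the
    result independent of the order the cmdlet arguments were logged in
    (the page's KQL reads fixed positions [1] and [2]).
    """
    params = json.loads(raw_event_data.get("Parameters") or "[]")
    return {p.get("Name"): p.get("Value") for p in params if isinstance(p, dict)}


def strip_smtp_prefix(address: str) -> str:
    """Equivalent of split(ForwardingAddress, ":")[-1]: 'smtp:x@y' -> 'x@y'."""
    return address.rsplit(":", 1)[-1]


def extract_forward(event: dict) -> Optional[dict]:
    """Return a finding for a Set-Mailbox event that sets a forwarding address, else None."""
    if event.get("ActionType") != "Set-Mailbox":
        return None
    raw = event.get("RawEventData") or {}
    params = parameters_by_name(raw)
    forwarding = params.get("ForwardingSmtpAddress")
    if not forwarding:  # mirrors isnotempty(ForwardingAddress); clearing a forward is not a finding
        return None
    return {
        "Timestamp": event.get("Timestamp"),
        "UserId": raw.get("UserId"),
        "IPAddress": event.get("IPAddress"),
        "Forwarding Email Address": strip_smtp_prefix(forwarding),
        # in the constructed samples this is the string "True"/"False", as the KQL projects it
        "Email Stored and Forwarded": params.get("DeliverToMailboxAndForward"),
    }


def detect_mailbox_forwards(events: list) -> list:
    """Apply extract_forward to every event and keep only the findings."""
    return [f for f in (extract_forward(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect_mailbox_forwards(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the constructed events it returns two findings (alice and bob) and skips both the cleared forward and the unrelated action; the second finding is the one the positional KQL would miss, which is the case to keep in mind when tuning the original query.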

Details

Matt Zorich

Released: June 17, 2022

Tables

CloudAppEvents

Keywords

CloudAppEvents,ActionType,Set-Mailbox,UserId,RawEventData,Parameters,ForwardingSetting,ForwardingAddress,StoreandForward,EmailStoredandForwarded,ForwardingEmailAddress,TimeGenerated,IPAddress,Timestamp

Operators

where, extend, tostring, parse_json, isnotempty, split, project-away, project