Query Details

Office Activity Inbox Rule Parse

Query

//Query to retrieve the name of inbox rules created, by parsing the Parameters JSON with mv-apply

//Data connector required for this query - Office 365

OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation == "New-InboxRule"
//Parameters is a JSON array of {"Name":..,"Value":..} objects; expand it and keep the "Name" entry
| mv-apply p=todynamic(Parameters) on (
    where p.Name == "Name"
    | extend RuleName = tostring(p.Value)
)
| project TimeGenerated, UserId, ClientIP, RuleName
//Restrict to rule names made up entirely of non-alphanumeric characters (".", "..", whitespace, etc.), a common sign of threat actor activity.
//Note the regex also matches an empty rule name; remove this line to see every rule created in the window.
| where RuleName matches regex @"^[^a-zA-Z0-9]*$"

Explanation

This query retrieves the names of inbox rules created in Office 365 within the last 30 days and requires the Office 365 data connector. It filters OfficeActivity for the "New-InboxRule" operation, whose Parameters column holds a JSON array of name/value pairs describing the rule. mv-apply converts that column to a dynamic array and iterates over each element, keeping only the element whose Name is "Name" and extending a RuleName column with its Value cast to a string. The query then projects TimeGenerated, UserId, ClientIP and RuleName. The final where clause narrows the output to rule names that contain no alphanumeric characters at all (for example "." or ".."), a naming pattern attackers use to hide forwarding or deletion rules from the mailbox owner; the character class also matches an empty name, so drop that line if you want every rule created in the window.
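The same parse-and-filter logic, as an added Python example that is not part of the original query page or of Matt Zorich's code: it mirrors the mv-apply step (expand the Parameters JSON array, pick the "Name" entry) and the final regex filter over a few constructed OfficeActivity rows. The rows, user names and IPs are made up for illustration; the 30-day time window is left to the KQL query and is not re-implemented here.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample OfficeActivity rows (not real tenant data). Parameters
# holds the JSON array of {"Name": ..., "Value": ...} objects that the Exchange
# admin audit log records for cmdlet invocations such as New-InboxRule.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"TimeGenerated": "2022-11-01T08:12:09Z", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10",
     "Parameters": json.dumps([{"Name": "Name", "Value": "Move newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}])},
    {"TimeGenerated": "2022-11-02T23:41:55Z", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.7",
     "Parameters": json.dumps([{"Name": "Name", "Value": ".."},
                               {"Name": "DeleteMessage", "Value": "True"}])},
    # Set-InboxRule is a different operation and must not be matched.
    {"TimeGenerated": "2022-11-03T02:03:11Z", "Operation": "Set-InboxRule",
     "UserId": "carol@contoso.example", "ClientIP": "198.51.100.9",
     "Parameters": json.dumps([{"Name": "Name", "Value": "!!!"}])},
    {"TimeGenerated": "2022-11-04T10:00:00Z", "Operation": "New-InboxRule",
     "UserId": "dave@contoso.example", "ClientIP": "203.0.113.44",
     "Parameters": json.dumps([{"Name": "Name", "Value": "   "},
                               {"Name": "MarkAsRead", "Value": "True"}])},
]

# Same character class as the KQL regex @"^[^a-zA-Z0-9]*$". fullmatch anchors
# both ends, matching KQL's RE2 semantics (Python's $ would also accept a
# trailing newline).
NON_ALNUM_RULE_NAME = re.compile(r"[^a-zA-Z0-9]*")


def rule_name(parameters_json: str) -> Optional[str]:
    """Equivalent of the mv-apply block: expand the Parameters array and
    return the Value of the element whose Name is "Name", or None."""
    try:
        params = json.loads(parameters_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(params, list):
        return None
    for p in params:
        if isinstance(p, dict) and p.get("Name") == "Name":
            return str(p.get("Value", ""))
    return None


def suspicious_inbox_rules(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the query's where/project pipeline: keep New-InboxRule
    events whose rule name has no alphanumeric characters at all."""
    hits = []
    for row in rows:
        if row.get("Operation") != "New-InboxRule":
            continue
        name = rule_name(row.get("Parameters", ""))
        if name is None:
            continue
        if NON_ALNUM_RULE_NAME.fullmatch(name):
            hits.append({"TimeGenerated": row["TimeGenerated"],
                         "UserId": row["UserId"],
                         "ClientIP": row["ClientIP"],
                         "RuleName": name})
    return hits


if __name__ == "__main__":
    for hit in suspicious_inbox_rules(SAMPLE_ROWS):
        print(hit)
```

Against the sample rows, only bob's ".." rule and dave's whitespace-only rule are returned; alice's descriptive name is dropped by the regex and carol's event is dropped by the Operation filter. An empty rule name would also be returned, which matches the KQL behaviour noted above.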

Details


Matt Zorich

Released: November 30, 2022

Tables

OfficeActivity

Keywords

Devices,Intune,User

Operators

where, ago, mv-apply, todynamic, extend, tostring, project, matches regex
