• Minimal Rules
    • Transport Rule "CloudAppEvents | where ActionType in ("New-TransportRule", "Set-TransportRule", "Enable-TransportRule", "Disable-TransportRule", "Remove-TransportRule") | extend TransportRuleName = tostring(RawEventData.ObjectId) | extend ActorEmail = tostring(RawEventData.UserId) | extend ExtraDetails = tostring(RawEventData.Parameters) | project TimeGenerated, ActionType, ActorName=AccountDisplayName, ActorEmail, IPAddress, TransportRuleName, ExtraDetails" — ExtraDetails is the raw cmdlet parameter list (name/value pairs); for Set-TransportRule look there for RedirectMessageTo, since that is where a rule that diverts mail to another address shows up. IPAddress is added so the actor's source address is kept with the change.
    • Email Forwarding "CloudAppEvents | where ActionType == "Set-Mailbox" | extend EmailsForwardedFrom = tostring(RawEventData.ObjectId) | extend EmailsForwardedbyMail = tostring(RawEventData.UserId) | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name in ("ForwardingSmtpAddress", "ForwardingAddress") | extend EmailsForwardedTo = iif(extracted.Name == "ForwardingSmtpAddress" and extracted.Value != "", extracted.Value, iif(extracted.Name == "ForwardingAddress" and extracted.Value != "", extracted.Value, '')) | summarize EmailsForwardedTo = tostring(make_list_if(EmailsForwardedTo, isnotempty(EmailsForwardedTo))) by TimeGenerated, EmailsForwardedbyName=AccountDisplayName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom | extend EmailsForwardedTo = iif(isnull(EmailsForwardedTo) or EmailsForwardedTo == "[]", "", EmailsForwardedTo) | project TimeGenerated, EmailsForwardedbyName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom, EmailsForwardedTo | sort by TimeGenerated" — make_list_if is used instead of make_list because make_list keeps empty strings, so a cleared forwarding address would be collected as [""] and never match the "[]" check. This query only sees mailbox-level forwarding set through Set-Mailbox; forwarding configured through inbox rules is a different ActionType and is not caught here.

  • Quarantine Release "CloudAppEvents | where ActionType == "QuarantineReleaseMessage" | extend EmailID = tostring(RawEventData.NetworkMessageId) | join kind=inner EmailEvents on $left.EmailID == $right.NetworkMessageId | project-rename ReleasedBy = AccountDisplayName | project TimeGenerated, NetworkMessageId, ActionType, ReleasedBy, IPAddress, SenderMailFromAddress, SenderDisplayName, RecipientEmailAddress, Subject" — the inner join only returns releases whose original message still falls inside the query's EmailEvents time range; the Advanced variant below uses separate lookback windows for the two tables. A release re-delivers a message the filter had held, so ReleasedBy and IPAddress are the fields to triage first.
    • Quarantine Release
    • Advanced - the query looks for the QuarantineReleaseMessage action performed in the last day (ago(1d)) and joins it to mail with the same NetworkMessageId seen in EmailEvents in the last 30 days. "let RecentReleaseMessages = CloudAppEvents | where ActionType == "QuarantineReleaseMessage" and TimeGenerated >= ago(1d) | extend EmailID = tostring(RawEventData.NetworkMessageId); let ProcessedEmails = EmailEvents | where TimeGenerated >= ago(30d); RecentReleaseMessages | join kind=inner ProcessedEmails on $left.EmailID == $right.NetworkMessageId | project-rename ReleasedBy = AccountDisplayName | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern") | project EDT, NetworkMessageId, ActionType, ReleasedBy, IPAddress, SenderMailFromAddress, SenderDisplayName, RecipientEmailAddress, Subject" — change ago(1d) to ago(1h) if an hourly schedule is intended. EDT is a display conversion of the release-side TimeGenerated only; keep any time filtering on the UTC TimeGenerated column.
  • Email Forwarding "CloudAppEvents | where ActionType == "Set-Mailbox" | extend EmailsForwardedFrom = tostring(RawEventData.ObjectId) | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name == "ForwardingSmtpAddress" | extend EmailsForwardedTo = substring(extracted.Value, 5) | project-rename EmailsForwardedBy=AccountDisplayName | project TimeGenerated, ActionType, EmailsForwardedBy, IPAddress, AccountType, EmailsForwardedFrom, EmailsForwardedTo" — substring(extracted.Value, 5) assumes the value carries a 5-character "smtp:" prefix; an empty value (forwarding cleared) yields an empty EmailsForwardedTo rather than a "disabled" marker, and ForwardingAddress (internal recipient) is not checked by this version.
    • Email Forwarding
    • working "CloudAppEvents | where ActionType == "Set-Mailbox" | extend EmailsForwardedFrom = tostring(RawEventData.ObjectId) | extend EmailsForwardedbyMail = tostring(RawEventData.UserId) | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name in ("ForwardingSmtpAddress", "ForwardingAddress") | extend EmailsForwardedTo = iif(extracted.Name == "ForwardingSmtpAddress" and extracted.Value != "", extracted.Value, iif(extracted.Name == "ForwardingAddress" and extracted.Value != "", extracted.Value, "EmailForwardingDisabled")) | project TimeGenerated, EmailsForwardedbyName=AccountDisplayName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom, EmailsForwardedTo, RawEventData" — one row per matching parameter, so a single Set-Mailbox call that touches both parameters produces two rows; the "Perfect" version below collapses them with a summarize.
    • dkjfk "CloudAppEvents | where ActionType == "Set-Mailbox" | extend EmailsForwardedFrom = tostring(RawEventData.ObjectId) | extend EmailsForwardedbyMail = tostring(RawEventData.UserId) | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name == "ForwardingSmtpAddress" or extracted.Name == "ForwardingAddress" | extend EmailsForwardedTo = iif(extracted.Name == "ForwardingSmtpAddress" and extracted.Value != "", extracted.Value, iif(extracted.Name == "ForwardingAddress" and extracted.Value != "", extracted.Value, "EmailForwardingDisabled")) | project TimeGenerated, EmailsForwardedbyName=AccountDisplayName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom, EmailsForwardedTo, RawEventData" — same as the "working" query above, with the two-name filter written as an or instead of in().
    • Perfect "CloudAppEvents | where ActionType == "Set-Mailbox" | extend EmailsForwardedFrom = tostring(RawEventData.ObjectId) | extend EmailsForwardedbyMail = tostring(RawEventData.UserId) | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name in ("ForwardingSmtpAddress", "ForwardingAddress") | project TimeGenerated, EmailsForwardedbyName=AccountDisplayName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom, RawEventData, ForwardingValue = iif(extracted.Name == "ForwardingSmtpAddress" and extracted.Value != "", extracted.Value, iif(extracted.Name == "ForwardingAddress" and extracted.Value != "", extracted.Value, '')) | summarize ForwardingValue = tostring(make_list_if(ForwardingValue, isnotempty(ForwardingValue))) by TimeGenerated, EmailsForwardedbyName, EmailsForwardedbyMail, IPAddress, EmailsForwardedFrom | extend ForwardingValue = iif(isnull(ForwardingValue) or ForwardingValue == "[]", "EmailForwardingDisabled", ForwardingValue)" — make_list_if replaces make_list so that a cleared address ('') is not collected as [""], which would never equal "[]" and so would never be labelled EmailForwardingDisabled.
  • Transport Rule Change "CloudAppEvents | where ActionType == "New-TransportRule" or ActionType == "Set-TransportRule" or ActionType == "Enable-TransportRule" or ActionType == "Disable-TransportRule" or ActionType == "Remove-TransportRule" | extend SessionID = tostring(parse_json(ActivityObjects[0])["Value"]), TargetObjectName = tostring(parse_json(ActivityObjects[1])["Name"]), Identity = tostring(parse_json(ActivityObjects[2])["Value"]), Name = tostring(parse_json(ActivityObjects[3])["Value"]), SentTo = tostring(parse_json(ActivityObjects[4])["Value"]), RedirectMessageTo = tostring(parse_json(ActivityObjects[5])["Value"]), ExceptIfSenderDomainIs = tostring(parse_json(ActivityObjects[6])["Value"]), ActorName = tostring(parse_json(ActivityObjects[7])["Name"]), ActorId = tostring(parse_json(ActivityObjects[7])["Id"]) | project TimeGenerated, ObjectName, ActorName, ActorId, ActionType, Identity, RuleName=Name, MailSentTo=SentTo, RedirectMailTo=RedirectMessageTo, ExceptIfSenderDomainIs" — ActivityObjects[n] is indexed by position, so Identity/Name/SentTo/RedirectMessageTo/ExceptIfSenderDomainIs are only right when the cmdlet was invoked with exactly that parameter set and order; a rule created with different parameters lands values in the wrong columns or misses them. For anything that alerts, prefer the parameter-name based "Transport Rule" query under Minimal Rules, which reads RawEventData.Parameters.
  • Send on Behalf Permission "CloudAppEvents | where ActionType == "Set-Mailbox" | extend Operation = tostring(parse_json(ActivityObjects[2])["Name"]) | where Operation == "GrantSendOnBehalfTo" | extend PermissionGrantedTo = tostring(RawEventData.ObjectId) | extend PermissionGrantedFor = substring(parse_json(ActivityObjects[2])["Value"], 1) | project TimeGenerated, ActionType, AccountDisplayName, IPAddress, Operation, PermissionGrantedTo, PermissionGrantedFor" — same positional ActivityObjects[2] caveat as the Transport Rule Change query: if GrantSendOnBehalfTo is not the third object the row is silently skipped. The leading character dropped by substring(..., 1) is presumably the add/remove marker on the value — confirm against a raw event, otherwise a removal would be reported as a grant.
    • 1 unique entry for each action "CloudAppEvents | where ActionType == "Set-Mailbox" | extend PermissionGrantedTo = RawEventData.ObjectId | mv-expand extracted = parse_json(tostring(RawEventData.Parameters)) | where extracted.Name == "GrantSendOnBehalfTo" | extend PermissionGrantedForId = substring(extracted.Value, 1) | join kind=inner IdentityInfo on $left.PermissionGrantedForId == $right.AccountObjectId | project TimeGenerated, ActionType, AccountDisplayName, IPAddress, PermissionGrantedTo, PermissionGrantedFor=AccountUPN | summarize by TimeGenerated, ActionType, AccountDisplayName, IPAddress, tostring(PermissionGrantedTo), PermissionGrantedFor | sort by TimeGenerated" — the trailing summarize by is what collapses the duplicate rows the IdentityInfo join produces (IdentityInfo typically holds several rows per account over time). Because the join is inner, a grant to an object id with no IdentityInfo row is dropped silently; use kind=leftouter if those should still surface. As in the query above, substring(extracted.Value, 1) presumes a one-character add/remove prefix — confirm on a raw event.
    • Send on Behalf Permission
  • Sentinel Counts "SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentNumber | where Status in ("Closed", "Active") | sort by TimeGenerated | project TimeGenerated, IncidentNumber, ModifiedBy, Title, Severity, Status, Classification, FirstModifiedTime, ClosedTime" — SecurityIncident typically holds one row per incident update, so the arg_max step keeps only each incident's latest state; without it an incident is counted once per modification and the Status filter can match an older row.
  • Rules
    • Initial "SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentNumber | where Status in ("Closed", "Active") | sort by TimeGenerated | extend HandledBy = tostring(Owner.assignedTo), CreationDate = format_datetime(CreatedTime, 'MM/dd/yyyy'), HandlingDate = format_datetime(FirstModifiedTime, 'MM/dd/yyyy'), ClosingDate = format_datetime(ClosedTime, 'MM/dd/yyyy') | extend differenceInDays = datetime_diff('day', ClosedTime, CreatedTime) | project HandledBy, IncidentNumber, Title, CreationDate, HandlingDate, ClosingDate, Status, ClosedIn7Days = iif(differenceInDays <= 7, "yes", "no")" — three fixes: arg_max keeps each incident's latest row instead of one row per update; datetime_diff(period, a, b) returns a minus b, so the original CreatedTime - ClosedTime was never positive and every closed incident reported "yes"; and in format_datetime "mm" is minutes while "MM" is the month.
    • M "SecurityIncident | where CreatedTime between (datetime(2023-08-01) .. datetime(2023-08-15)) | summarize arg_max(TimeGenerated, *) by IncidentNumber | where Status in ("Closed", "Active") | where isnotempty(Owner.assignedTo) | sort by IncidentNumber desc | extend HandledBy = tostring(Owner.assignedTo) | extend differenceInDays = datetime_diff('day', ClosedTime, CreatedTime) | project HandledBy, IncidentNumber, Title, CreatedTime, HandlingTime=FirstModifiedTime, ClosedTime, Status, ClosedIn7Days = iif(differenceInDays <= 7, "Yes", "No")" — set the desired CreatedTime range; arg_max keeps each incident's latest row; the isnotempty filter drops unassigned incidents (the original "isnotempty(...) or isnotnull(...)" let empty-string owners through); and datetime_diff now takes ClosedTime first, since it returns first minus second and the original order was never positive. The inline // comments were moved into this note because on a single line they would comment out the rest of the query.
    • "SecurityIncident | where CreatedTime between (datetime(2023-08-01) .. datetime(2023-08-18)) | summarize arg_max(TimeGenerated, *) by IncidentNumber | where Status in ("Closed", "Active") | where isnotempty(Owner.assignedTo) | sort by IncidentNumber desc | extend HandledBy = tostring(Owner.assignedTo) | extend differenceInDays = datetime_diff('day', ClosedTime, CreatedTime) | extend ClosedIn7Days = iif(Status == "Active", "NotClosedYet", iif(differenceInDays <= 7, "Yes", "No")) | project HandledBy, IncidentNumber, Title, CreatedTime, HandlingTime=FirstModifiedTime, ClosedTime, Status, ClosedIn7Days" — set the desired CreatedTime range; arg_max keeps each incident's latest row; isnotempty alone filters out blank owners; datetime_diff takes ClosedTime first because it returns first minus second (the original CreatedTime - ClosedTime was never positive, so every closed incident showed "Yes"). The Status check runs before the day comparison so Active incidents, whose ClosedTime is empty, are labelled NotClosedYet. The inline // comments were moved into this note because on a single line they would comment out the rest of the query.