New email hiding rule, fix typo and tags in email forwarding rule (m365 audit logs)#5844

Open
marcopedrinazzi wants to merge 1 commit into SigmaHQ:master from marcopedrinazzi:inbox-rules-audit-log
Conversation

@marcopedrinazzi
Contributor

Summary of the Pull Request

I have reopened #5838 due to a limitation of GitHub that did not allow edits from maintainers in cross-org commits (https://github.com/orgs/community/discussions/5634)

This pull request adds an email hiding rule using M365 audit logs and adds MITRE tags and fixes a typo in the email forwarding rule in O365.

Changelog

new: Mail Hiding Activity in O365 (microsoft365_susp_email_hiding_activity.yml)
fix: Mail Forwarding/Redirecting Activity In O365 (microsoft365_susp_email_forwarding_activity.yml)

Example Log Event

Operation: New-InboxRule

Parameters:

[
    {
        "Name": "MarkAsRead",
        "Value": "True"
    },
    {
        "Name": "DeleteMessage",
        "Value": "True"
    },
    {
        "Name": "MoveToFolder",
        "Value": "<email_placeholder>:\\test"
    },
    {
        "Name": "Name",
        "Value": "marco"
    },
    {
        "Name": "SubjectOrBodyContainsWords",
        "Value": "sigma"
    }
]

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
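The example log event above shows the shape a detection has to work with: an `Operation` of `New-InboxRule` and a `Parameters` array of `Name`/`Value` pairs, where `DeleteMessage`, `MarkAsRead` and `MoveToFolder` are the fields that turn an ordinary sorting rule into one that hides mail from the mailbox owner. The following script is an added illustration and is not the Sigma rule from this PR nor SigmaHQ code; the detection conditions, the set of "hidden" destination folders and the sample records are my own assumptions. It accepts `Parameters` either as a parsed list or as the JSON-encoded string found inside `AuditData` in Unified Audit Log exports.

```python
import json
from typing import Any

# Constructed sample records in the shape of Microsoft 365 Unified Audit Log
# exports (Operation plus a Parameters array of Name/Value pairs).
# All user names, rule names and folder paths are invented for this example.
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {   # mirrors the PR's example: mark read + delete matching messages
        "Operation": "New-InboxRule",
        "UserId": "user1@example.com",
        "Parameters": [
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MoveToFolder", "Value": "user1@example.com:\\test"},
            {"Name": "Name", "Value": "marco"},
            {"Name": "SubjectOrBodyContainsWords", "Value": "sigma"},
        ],
    },
    {   # benign sorting rule: moves mail to a normal working folder
        "Operation": "New-InboxRule",
        "UserId": "user2@example.com",
        "Parameters": [
            {"Name": "MoveToFolder", "Value": "user2@example.com:\\Projects"},
            {"Name": "Name", "Value": "sort projects"},
            {"Name": "From", "Value": "pm@example.com"},
        ],
    },
    {   # existing rule modified; Parameters arrives as a JSON string (AuditData style)
        "Operation": "Set-InboxRule",
        "UserId": "user3@example.com",
        "Parameters": json.dumps([
            {"Name": "Identity", "Value": "invoices"},
            {"Name": "MarkAsRead", "Value": "True"},
            {"Name": "MoveToFolder", "Value": "user3@example.com:\\Deleted Items"},
        ]),
    },
    {   # unrelated mailbox change, must never fire
        "Operation": "Set-Mailbox",
        "UserId": "user4@example.com",
        "Parameters": [{"Name": "Identity", "Value": "user4@example.com"}],
    },
]

# Operations that create or change an inbox rule (assumption for this example).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Boolean rule actions that remove a message from the owner's attention.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead"}
# Destination folders a user rarely reads; assumed list, lower-cased leaf names.
HIDDEN_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


def parameters_to_dict(record: dict[str, Any]) -> dict[str, str]:
    """Flatten the Name/Value array into a dict, decoding it first if it is a string."""
    params = record.get("Parameters", [])
    if isinstance(params, str):
        params = json.loads(params)
    return {p["Name"]: str(p.get("Value", "")) for p in params if "Name" in p}


def hiding_indicators(record: dict[str, Any]) -> list[str]:
    """Return the parameters that make this rule event look like mail hiding (empty if none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters_to_dict(record)
    hits = [name for name in sorted(HIDING_PARAMS) if params.get(name, "").lower() == "true"]
    folder = params.get("MoveToFolder", "")
    # The log shows "<mailbox>:\\<folder path>"; compare only the leaf folder name.
    leaf = folder.rsplit("\\", 1)[-1].strip().lower() if folder else ""
    if leaf in HIDDEN_FOLDERS:
        hits.append(f"MoveToFolder={leaf}")
    return hits


def scan(records: list[dict[str, Any]]) -> list[tuple[str, str, list[str]]]:
    """Run the check over a batch and return (user, operation, indicators) for each hit."""
    alerts = []
    for rec in records:
        hits = hiding_indicators(rec)
        if hits:
            alerts.append((rec.get("UserId", "?"), rec["Operation"], hits))
    return alerts


if __name__ == "__main__":
    for user, op, hits in scan(SAMPLE_RECORDS):
        print(f"{user}: {op} with {', '.join(hits)}")
```

Run as-is it reports the first and third sample records and stays silent on the benign sorting rule and the `Set-Mailbox` event. The folder list and the choice to treat `MarkAsRead` alone as an indicator are tuning decisions; in a real deployment the thresholds should follow the published Sigma rule and the organisation's own baseline of inbox rule usage.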
