Update detections/cloud/o365_email_new_inbox_rule_created.yml

nterl0k · 0xC0FFEEEE · web-flow · commit 101865e32b64 · 2025-02-14T19:14:16.000-05:00
Add IPv6 suggestion

Co-authored-by: 0xC0FFEEEE &lt;119874251+0xC0FFEEEE@users.noreply.github.com&gt;
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -10,7 +10,8 @@ data_source:
 - Office 365 Universal Audit Log
 search: |-
   `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
-  | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = mvindex(split(ClientIP,":"),0), desc = Name, action = 'Parameters{}.Name'
+  | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name'
+
   | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
