-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathO365_Email Auto Forward
29 lines (29 loc) · 2.07 KB
/
O365_Email Auto Forward
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
OfficeActivity
| where Operation == 'New-InboxRule'
| extend details = parse_json(Parameters)
| where details contains 'ForwardTo' or details contains 'RedirectTo'
| extend ForwardTo = iif(details[0].Name contains 'ForwardTo', details[0].Value,
iif(details[1].Name contains 'ForwardTo', details[1].Value,
iif(details[2].Name contains 'ForwardTo', details[2].Value,
iif(details[3].Name contains 'ForwardTo', details[3].Value,
iif(details[4].Name contains 'ForwardTo', details[4].Value,
'')))))
| extend RedirectTo = iif(details[0].Name contains 'RedirectTo', details[0].Value,
iif(details[1].Name contains 'RedirectTo', details[1].Value,
iif(details[2].Name contains 'RedirectTo', details[2].Value,
iif(details[3].Name contains 'RedirectTo', details[3].Value,
iif(details[4].Name contains 'RedirectTo', details[4].Value,
'')))))
| extend RuleName = iif(details[3].Name contains 'Name', details[3].Value,
iif(details[4].Name contains 'Name', details[4].Value,
iif(details[5].Name contains 'name', details[5].Value,
'Check Parameters')))
| extend RuleParameters = iif(details[2].Name != 'ForwardTo' and details[2].Name != 'RedirectTo',
strcat(tostring(details[2].Name), '-', tostring(details[2].Value)),
iif(details[3].Name != 'ForwardTo' and details[3].Name != 'RedirectTo' and details[3].Name != 'Name',
strcat(tostring(details[3].Name), '-', tostring(details[3].Value)),
iff(details[4].Name != 'ForwardTo' and details[4].Name != 'RedirectTo' and details[4].Name != 'Name' and details[4].Name != 'StopProcessingRules',
strcat(tostring(details[4].Name), '-', tostring(details[4].Value)),
'All Mail')))
| project TimeGenerated, Operation, RuleName, RuleParameters, iif(details contains 'ForwardTo', ForwardTo, RedirectTo), ClientIP, UserId
| project-rename Email_Forwarded_To = Column1, Creating_User = UserId