Threat Essentials - Mail redirect via ExO transport rule
| Id | d7c575b2-84f5-48cb-92c5-70d7e8246284 |
| Rulename | Threat Essentials - Mail redirect via ExO transport rule |
| Description | Identifies when an Exchange Online transport rule is configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts. |
| Severity | Medium |
| Tactics | Collection Exfiltration |
| Techniques | T1114 T1020 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml |
| Version | 1.0.2 |
| Arm template | d7c575b2-84f5-48cb-92c5-70d7e8246284.json |
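// Threat Essentials - Mail redirect via ExO transport rule
// Surfaces New-TransportRule / Set-TransportRule operations whose parameters
// include a BlindCopyTo or RedirectMessageTo action. Transport rules apply
// tenant-wide, so one such rule can silently copy or divert the mail of many
// users to a single collecting mailbox (Collection / Exfiltration).
// Output: one row per redirect target, with the acting account split into
// Name / UPNSuffix for the Account entity and the client IP separated from
// its port so the IP entity mapping receives a bare address.
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| extend p = parse_json(Parameters)
// Set-TransportRule records the rule identity in OfficeObjectId. For
// New-TransportRule the name is read from the second Parameters element.
// NOTE(review): that lookup is positional and assumes the "Name" parameter
// is always logged in that slot; if rules show up mislabelled, look the
// element up by p.Name == "Name" instead of by index.
| extend RuleName = case(
    Operation =~ "Set-TransportRule", tostring(OfficeObjectId),
    Operation =~ "New-TransportRule", tostring(p[1].Value),
    "Unknown"
)
// One row per parameter; keep only the two that create a copy or redirect.
| mv-expand p
| where (p.Name =~ "BlindCopyTo" or p.Name =~ "RedirectMessageTo") and isnotempty(p.Value)
| extend RedirectTo = p.Value
// ClientIP may carry a port in one of four shapes: "a.b.c.d:port",
// "a.b.c.d-port", "[v6]:port" or "[v6]-port". Peel off the address ...
| extend ClientIPOnly = case(
    ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[0]),
    ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[0]),
    ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
    ClientIP
)
// ... and the port. Every branch is cast to string so the column has a
// single type, and an address with no port yields an empty Port instead of
// echoing the whole ClientIP value into the Port column.
| extend Port = case(
    ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[1]),
    ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[1]),
    ClientIP has "[" and ClientIP has ":", tostring(split(ClientIP,"]:")[1]),
    ClientIP has "[" and ClientIP has "-", tostring(split(ClientIP,"]-")[1]),
    ""
)
| extend ClientIP = ClientIPOnly
| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName
// Account entity mapping consumes Name + UPNSuffix; cast to string so the
// mapped columns are not dynamic.
| extend Name = tostring(split(UserId, "@")[0]), UPNSuffix = tostring(split(UserId, "@")[1])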
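# Sentinel scheduled analytic rule (Azure-Sentinel analytic-rule YAML schema).
# Flags Exchange Online transport rules that add a BlindCopyTo or
# RedirectMessageTo action, i.e. a tenant-wide copy/redirect of mail to a
# collecting mailbox. Indentation restored so the document parses; the query
# body is the same detection with a string-typed, empty-when-absent Port.
description: |
  'Identifies when an Exchange Online transport rule is configured to forward emails.
  This could be an adversary mailbox configured to collect mail from multiple user accounts.'
kind: Scheduled
tactics:
  - Collection
  - Exfiltration
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml
severity: Medium
name: Threat Essentials - Mail redirect via ExO transport rule
triggerThreshold: 0
queryPeriod: 1d
query: |
  // One row per New-/Set-TransportRule parameter that copies or redirects mail.
  OfficeActivity
  | where OfficeWorkload == "Exchange"
  | where Operation in~ ("New-TransportRule", "Set-TransportRule")
  | extend p = parse_json(Parameters)
  // Set-TransportRule carries the rule identity in OfficeObjectId; for
  // New-TransportRule the name is read from the second Parameters element.
  // NOTE(review): positional - assumes "Name" is always logged in that slot.
  | extend RuleName = case(
      Operation =~ "Set-TransportRule", tostring(OfficeObjectId),
      Operation =~ "New-TransportRule", tostring(p[1].Value),
      "Unknown"
  )
  | mv-expand p
  | where (p.Name =~ "BlindCopyTo" or p.Name =~ "RedirectMessageTo") and isnotempty(p.Value)
  | extend RedirectTo = p.Value
  // ClientIP may be "a.b.c.d:port", "a.b.c.d-port", "[v6]:port" or "[v6]-port";
  // separate the bare address from the port.
  | extend ClientIPOnly = case(
      ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[0]),
      ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[0]),
      ClientIP has "[", tostring(trim_start(@'[[]',tostring(split(ClientIP,"]")[0]))),
      ClientIP
  )
  // All branches cast to string; no port present -> empty Port, not the raw ClientIP.
  | extend Port = case(
      ClientIP has "." and ClientIP has ":", tostring(split(ClientIP,":")[1]),
      ClientIP has "." and ClientIP has "-", tostring(split(ClientIP,"-")[1]),
      ClientIP has "[" and ClientIP has ":", tostring(split(ClientIP,"]:")[1]),
      ClientIP has "[" and ClientIP has "-", tostring(split(ClientIP,"]-")[1]),
      ""
  )
  | extend ClientIP = ClientIPOnly
  | project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName
  | extend Name = tostring(split(UserId, "@")[0]), UPNSuffix = tostring(split(UserId, "@")[1])
relevantTechniques:
  - T1114
  - T1020
id: d7c575b2-84f5-48cb-92c5-70d7e8246284
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.2
# RedirectTo (the collecting address) is not mapped to an entity; consider
# adding a mapping for it so the destination mailbox is pivotable in
# investigation graphs.
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: Name
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
  - entityType: IP
    fieldMappings:
      - columnName: ClientIP
        identifier: Address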