I'm looking for information specifically about 365 Defender query examples regarding BEC compromises. We normally see during cases of BECs that the actors will create new inbox rules to delete emails, delete sent emails, and set up forwarding.
I can easily create a rule to look for new "inbox-rule" creations; however, we want to decrease noise. I can't seem to find any examples of these queries.
Example: A query that looks for a new rule that deletes all incoming mail.
I'm still in the process of learning the KQL language but just wanted to see if anyone had any additional information on what specific functions I need for the above example.
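One way to approach the example in the post, as an added KQL query that is not from the original poster: it assumes the Defender advanced hunting CloudAppEvents table, where Exchange Online audit records appear with ActionType "New-InboxRule" / "Set-InboxRule" and the cmdlet parameters in RawEventData.Parameters as Name/Value pairs; the folder list and 7-day window are assumptions to tune.

```kql
// Added example, not from the original post. Assumes the CloudAppEvents table,
// ActionType values "New-InboxRule"/"Set-InboxRule", and RawEventData.Parameters
// holding the cmdlet parameters as an array of {Name, Value} objects.
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// One row per cmdlet parameter, then fold them back into a single bag per event
// so each rule setting becomes addressable as Parameters.<Name>.
| mv-expand Param = todynamic(RawEventData).Parameters
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| summarize Parameters = make_bag(bag_pack(ParamName, ParamValue))
    by Timestamp, ReportId, ActionType, AccountDisplayName, IPAddress
| extend
    // Actions that hide mail from the mailbox owner (hard delete or a "parking" folder).
    DeletesMail  = tostring(Parameters.DeleteMessage) =~ "True"
                   or tostring(Parameters.MoveToFolder) in~ ("Deleted Items", "RSS Feeds",
                                                            "Conversation History", "Archive"),
    MarksRead    = tostring(Parameters.MarkAsRead) =~ "True",
    // Any external-delivery action counts as forwarding.
    ForwardsMail = isnotempty(Parameters.ForwardTo)
                   or isnotempty(Parameters.ForwardAsAttachmentTo)
                   or isnotempty(Parameters.RedirectTo),
    // A rule with no content/sender condition matches every incoming message.
    HasCondition = isnotempty(Parameters.From)
                   or isnotempty(Parameters.FromAddressContainsWords)
                   or isnotempty(Parameters.SubjectContainsWords)
                   or isnotempty(Parameters.BodyContainsWords)
                   or isnotempty(Parameters.SubjectOrBodyContainsWords)
// Noise reduction: keep only rules that delete/hide ALL mail (no condition),
// or that forward mail anywhere.
| where (DeletesMail and not(HasCondition)) or ForwardsMail
| project Timestamp, AccountDisplayName, IPAddress, ActionType,
          RuleName = tostring(Parameters.Name),
          DeletesMail, MarksRead, ForwardsMail, HasCondition, Parameters
| order by Timestamp desc
```

Rules that both delete unconditionally and mark as read, or that forward to an address outside the tenant, are the ones worth alerting on first; extend the MoveToFolder list with any folders you see abused in your own cases.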