One of the items you are supposed to check are "Review mailbox forwarding rules weekly".  If you expand the option, the description says: "There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search."  If you click on Learn More and click on the Review button, you are taken to this page: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/DumpDelegatesandForwardingRules.p... I have set up this in a schedule to run every Monday morning at 1am.  It takes about 8 hours to run and I receive an email of the results.  If it was successful, I am supposed to get a score of 5 points.  I am now at 0 today for that review.  I am curious how to search for newly created rules in mailboxes in the Audit Search.

Has anyone figured out a way to look at Mail Forwarding Rules for Secure Score using the Audit Log Search?

Owner-created rules are not audited afaik. But you can use the Get-InboxRule cmdlet to report on them.

The Mailbox Forwarding Rules does not seem to be working.  I have a report that is run from a server and sent to me as an excel attachment that has the mailbox forwarding rules.  What is the criteria for this to be considered as accomplished?

---

@Aaron Myers wrote:
I think the only way you get the score on the security & compliance Secure Score page is by actually clicking on the link to go to the github page where the PS is located. They need to add in a way to check it off for use cases where we are already running the script.

---

That. Is. Asinine. So, it doesn't check if you actually have checked the forwarding rules, but if you have actually visited the page where the PowerShell script resides.  Huh. I got credit doing that...  Just wish they would change the verbiage stating that you can go to the Audit Logs and check on who created rules (which is not possible).