Query UpdateInboxRules or New-InboxRule from within Log Analytics


Hi Community

 

I am looking for an easier way to discover creation of forward rules in Exchange. Currently I have to manually go through each alert (Office 365 Security & Compliance) where the alert is "Creation of forwarding/redirect rule", open it, look in view activity list, in the specific UpdateInboxRule, click more, and finally look at OperationProperties and then RuleAction, where the information might be.

 

Anyone having experience with a query from Log Analytics that can do this for me?

This query doesn't contain the needed information:

OfficeActivity
| where Operation in("UpdateInboxRules","New-InboxRule")

 

In advance, thanks a lot.

Best regards Tim Gjerlufsen

 

 

 
1 Reply

Haven't bothered with Log Analytics, but you can easily fetch the audit events from PowerShell and parse the extended information there. Or if you want to work directly with the alerts, use the Management Activity APIs: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api...
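
A sketch of the PowerShell route suggested in the reply, as an added example that is not part of the original thread: it parses the JSON in each event's AuditData field and keeps only rules that forward or redirect mail. The function name `Get-ForwardingRuleEvent`, the sample records and the exact property layout (a `Parameters` list for New-InboxRule, an `OperationProperties` list with a `RuleActions` entry for UpdateInboxRules) are assumptions to verify against your own tenant's events.

```powershell
# Constructed sample records, shaped like the AuditData JSON string of an audit event.
# Addresses and rule names are placeholders, not real data.
$sampleAuditData = @(
    '{"CreationTime":"2019-11-25T09:14:02","Operation":"New-InboxRule","UserId":"alice@contoso.example","Parameters":[{"Name":"Name","Value":"rss"},{"Name":"ForwardTo","Value":"drop@external.example"}]}',
    '{"CreationTime":"2019-11-25T10:02:41","Operation":"UpdateInboxRules","UserId":"bob@contoso.example","OperationProperties":[{"Name":"RuleName","Value":"archive"},{"Name":"RuleActions","Value":"[{\"ActionType\":\"Forward\",\"Recipients\":[\"drop@external.example\"]}]"}]}',
    '{"CreationTime":"2019-11-25T11:30:00","Operation":"New-InboxRule","UserId":"carol@contoso.example","Parameters":[{"Name":"Name","Value":"newsletters"},{"Name":"MoveToFolder","Value":"News"}]}'
)

function Get-ForwardingRuleEvent {
    # Hypothetical helper: takes AuditData JSON strings from the pipeline and
    # emits one object per event whose rule forwards or redirects mail.
    param([Parameter(ValueFromPipeline)][string]$AuditData)
    process {
        $evt = $AuditData | ConvertFrom-Json

        # Assumed layout: cmdlet events carry Parameters, client-side rule
        # edits carry OperationProperties. Merge both and drop missing ones.
        $props = @($evt.Parameters) + @($evt.OperationProperties) | Where-Object { $_ }

        $hits = $props | Where-Object {
            $_.Name -match '^(ForwardTo|ForwardAsAttachmentTo|RedirectTo)$' -or
            ($_.Name -like 'RuleAction*' -and $_.Value -match 'Forward|Redirect')
        }
        if (-not $hits) { return }   # rule has no forwarding action, skip it

        $ruleName = ($props | Where-Object { $_.Name -in 'Name', 'RuleName' } |
                     Select-Object -First 1).Value
        [pscustomobject]@{
            Time      = $evt.CreationTime
            User      = $evt.UserId
            Operation = $evt.Operation
            RuleName  = $ruleName
            Action    = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Offline run against the constructed samples: two forwarding rules are reported,
# the MoveToFolder rule is filtered out.
$sampleAuditData | Get-ForwardingRuleEvent | Format-List

# Against live data (requires an Exchange Online PowerShell session):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations New-InboxRule,UpdateInboxRules -ResultSize 5000 |
#     ForEach-Object AuditData | Get-ForwardingRuleEvent
```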