Hi, I’m trying to create a query on our Cloud Activity logs to find any forwarding rules set up to forward to external domains.
This query is finding all the forwarding rules as expected, but i’m having trouble then excluding those to our domain:
where(“source_json.Operation” = “UpdateInboxRules”
AND “source_json.OperationProperties.6.Name” = “RuleActions”
AND “source_json.OperationProperties.6.Value” /Forward/)
Adding this to the rule does produce a recent example, so I know there is data that matches my desired rule:
AND “source_json.OperationProperties.6.Value” /hotmail/
Howver, I’ve tried changing the statement above as below, but then i get no results:
AND NOT “source_json.OperationProperties.6.Value” /mydomain/
Please could you someone let me know what I’m doing wrong or if there is a better way to do this?