Hello Everyone,
I am trying to create an exception for the inbox forwarding rule detections. If the recipient email address is within my organization I do not want an alert. For example, if the email domain is @gmail.com it should not trigger the inbox forward alert since the email is internal.
Thank you!
Hey! same here… we are trying but we have not enought logs to parse it and make a rule based on the custom field…
I think there should be a cleaner way… @support_rapid7
If you can provide a sample obfuscated log event I could suggest an exception to the rule.
If you are trying to build a custom parsing rule @mmur_gt4e and are having difficulties I’d suggest raising a support case
Sure, here you have
{
"timestamp": "2024-02-05T09:32:31.000Z",
"source_user": "User 1111",
"service": "o365",
"action": "UpdateInboxRules",
"source_account": "account1@mydomain.com",
"source_json": {
"CreationTime": "2024-02-05T09:32:31",
"Id": "XXXXXXXXXXXXXXXXXXXXX",
"Operation": "UpdateInboxRules",
"OrganizationId": "XXXXXXXXXXXXXXXXXXXXXXXX",
"RecordType": 2,
"ResultStatus": "Succeeded",
"UserKey": "XXXXXXXXXXXXXXXX",
"UserType": 0,
"Version": 1,
"Workload": "Exchange",
"ClientIP": "11.22.33.44",
"UserId": "account1@mydomain.com",
"ClientIPAddress": "11.22.33.44",
"ClientInfoString": "Client=MSExchangeRPC",
"ClientProcessName": "OUTLOOK.EXE",
"ClientRequestId": "{XXXXXXXXXXXXXXXXXXXXXXX}",
"ClientVersion": "XXXXXXXX",
"ExternalAccess": false,
"InternalLogonType": 0,
"LogonType": 2,
"LogonUserSid": "XXXXXXXXXXXXXXXXXXXXX",
"MailboxGuid": "XXXXXXXXXXXXX",
"MailboxOwnerMasterAccountSid": "XXXXXXXXXXXXX",
"MailboxOwnerSid": "XXXXXXXXXXXXX",
"MailboxOwnerUPN": "inbox@mydomain.com",
"OperationProperties": [
{
"Name": "RuleOperation",
"Value": "AddMailboxRule"
},
{
"Name": "RuleId",
"Value": "0"
},
{
"Name": "RuleState",
"Value": "0"
},
{
"Name": "RuleCondition",
"Value": "{(&((SubString IgnoreCase(SubjectProperty)=XXXXXXXXXXXXX)(|((SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)(SubString IgnoreCase(TextBody)=XXXXXXXXXXXXX)))))}"
},
{
"Name": "RuleName",
"Value": "RULE 1"
},
{
"Name": "RuleProvider",
"Value": "RuleOrganizer"
},
{
"Name": "RuleActions",
"Value": "[{"ActionType":"Forward","Recipients":["account2@mydomain.com"],"ForwardFlags":"None"}]"
}
],
"OrganizationName": "mydomain.onmicrosoft.com",
"OriginatingServer": "XXXXXXXXXXXXX (X.X.X.X)
\n",
"SessionId": "XXXXXXXXXXXXX",
"Item": {
"Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
"ParentFolder": {
"Id": "XXXXXXXXXXXXX+XXXXXXXXXXXXX",
"Name": "Bandeja de entrada",
"Path": "\Bandeja de entrada"
}
}
},
"r7_context": {
"source_user": {
"type": "user",
"rrn": "rrn:uba:XXXXXXXXXXXX",
"name": "XXXXXXXXXXXXX"
},
"source_account": {
"type": "account",
"rrn": "rrn:uba:XXXXXXXXXXXX",
"name": "account1@mydomain.com"
}
}
}It can be a pain but I like the inbox forwarding rule detection. We had a user that was compromised and could see that her inbox rule was changed to move emails to the RSS Feeds folder so the hacker could do whatever they wanted with emails and the user didn’t receive any emails.
My $.02 worth.
Yo!
We had this issue as well and I ended up taking the LEQL for the default inbox forwarding alert and giving it to ChatGPT with the same request. Then tested it and verified it works, for us at least. We also have multiple internal domains so there are additional fields should you need them. Unfortunately R7’s implementation of LEQL doesn’t let you define a variable for internal domains which would make it a little prettier but oh well, it works.
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )
Edit: Formatting from Code Block to Preformatted Text
It would be slightly more efficient to use
source_json.Parameters.Value ICONTAINS-ANY [“@yourdomain1.com”,"@yourdomain2.com","@yourdomain4.com",“etc”]
This way you only need to write the key name once.
https://docs.rapid7.com/insightidr/components-for-building-a-query/#comparison-operators
Hey! Thank you!!
But unfortunately I cannot make it run, I attach a picture, Am I missing something?
Quotes are used to delimit the value. As your value has double quotes in it, you should surround the entire value in single quotes.
InsightIDR Seems not to understand the “source_json.Parameters.Value” as it needs the property that is actually dinamic and changes from one log to another.
Not sure but maybe the preformatted version would help?
Copy paste this instead:
from( event_type = "cloud_service_activity" ) where( ( source_json.Operation IIN [ "New-InboxRule", "Set-InboxRule" ] AND source_json.Parameters.Name ICONTAINS "Forward" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.Parameters.Name = NOCASE("ForwardingSmtpAddress") AND source_json.Parameters.Value ICONTAINS "smtp:" AND NOT ( source_json.Parameters.Value ICONTAINS "@yourdomain1.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain2.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain3.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain4.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain5.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain6.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain7.com" OR source_json.Parameters.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\\\":\\\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) OR ( source_json.OperationProperties.Name ICONTAINS "RuleActions" AND source_json.OperationProperties.Value ICONTAINS "ActionType\":\"Forward" AND NOT ( source_json.OperationProperties.Value ICONTAINS "@yourdomain1.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain2.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain3.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain4.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain5.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain6.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain7.com" OR source_json.OperationProperties.Value ICONTAINS "@yourdomain8.com" ) ) )
Edit: Yeah this should work, I pasted the original in a code block which seems to have stripped some forward slashes vs. this as preformatted text.
This Seems to Work, thank you for the effort!! I think Rapid7 should cover this by default…