Merge pull request Azure#174 from petebryan/patch-1

Update Office Mailbox forwarding hunt query

Hunting Queries/OfficeActivity/OfficeMailForwarding_hunting.txt

@@ -9,10 +9,11 @@
 // Techniques: #Exfiltration
 //
 OfficeActivity
-| where Operation == "Set-Mailbox"
 | where TimeGenerated >= ago(30d)
-| where Parameters contains "ForwardingSmtpAddress"
+| where (Operation == "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress') 
+    or (Operation == 'New-InboxRule' and Parameters contains 'ForwardTo')
 | extend parsed=parse_json(Parameters)
-| extend parameterName=parsed[1].Name, fwdingDestination=tostring(parsed[1].Value)
+| extend fwdingDestination = iif(Operation=="Set-Mailbox", tostring(parsed[1].Value), tostring(parsed[2].Value))
 | where fwdingDestination != ""
-
+| project TimeGenerated, UserId, Operation, fwdingDestination, ClientIP 
+