MuhammadWaqar-0957 asked ChaitanyaNaykodiMSFT-9638 commented

How to create a playbook in Azure Sentinel that detects, alerts, and removes email forwarding rule(s) from Office 365?

Hi All,
I would like to know how to create an Azure Sentinel playbook that does the following:
1. Detects email forwarding rule(s) in Office 365
2. If there are any, delete the forwarding rule(s)
3. Sends an alert email to the admin(s) regarding the forwarding rule(s)

Regards,
Muhammad

azure-logic-apps azure-sentinel

I've added the Azure Logic Apps tag, we will update you shortly!

1 Vote 1 ·

Thanks!

0 Votes 0 ·

Hello @MuhammadWaqar-0957, Thank you for reaching out. The functionality requested can be achieved natively in Office 365. Is there any particular reason why you are trying to achieve this functionality using Azure Sentinel and/or Azure Logic App?


0 Votes 0 ·
MuhammadWaqar-0957 ChaitanyaNaykodiMSFT-9638 ·

Hi @ChaitanyaNaykodiMSFT-9638,
My client requested that it should be done through Azure Sentinel/Azure Logic apps.

0 Votes 0 ·

Hello @MuhammadWaqar-0957, Please let me know if you need any additional help.

0 Votes 0 ·

1 Answer

ChaitanyaNaykodiMSFT-9638 answered

Hello @MuhammadWaqar-0957, I am sorry for the delay in my response. For detecting a forwarding rule in Sentinel, you can use the Fusion technology to detect a suspicious inbox forwarding rule, or you can query the Office 365 logs with something similar to what is shown here. Regarding deleting forwarding rules, I could not find anything specific in Sentinel/Logic App, and I am not sure if it is possible using the Office 365 Management API, but you can definitely explore it and use a Logic Apps custom connector to integrate it if needed. This new upcoming feature of Office 365 ATP might also interest you. Regarding sending alerts to the admin, you can generate a playbook to send alerts or use the Office 365 connector for Logic Apps. Please let me know if there are any additional concerns.
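
An added example, not part of the original answer: a KQL query for the log-based detection the answer mentions, run against the `OfficeActivity` table that Sentinel's Office 365 data connector fills with Exchange audit records. The domain `contoso.com` is a placeholder assumption for the tenant's own accepted domains, and the one-day lookback is an arbitrary choice.

```kusto
// Added example, not from the original thread.
// Assumption: "contoso.com" stands in for the tenant's accepted domains.
let internalDomains = dynamic(["contoso.com"]);
// Exchange cmdlet parameters that make a rule or a mailbox send mail elsewhere.
let forwardingParams = dynamic(["ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                                "ForwardingSmtpAddress", "ForwardingAddress"]);
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload == "Exchange"
// Inbox rules (New-/Set-InboxRule) and mailbox-level forwarding (Set-Mailbox).
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Parameters is a JSON array of {Name, Value} pairs stored as a string.
| mv-expand Param = todynamic(Parameters)
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| where ParamName in (forwardingParams) and isnotempty(ParamValue)
// One value can list several recipients: take every domain that follows an "@".
| mv-expand DestDomain = extract_all(@"@([A-Za-z0-9.-]+)", ParamValue) to typeof(string)
| extend DestDomain = tolower(DestDomain)
// Keep only SMTP destinations outside the tenant; values without an "@"
// (for example an internal recipient identity) are dropped here.
| where isnotempty(DestDomain) and DestDomain !in (internalDomains)
| summarize Destinations = make_set(ParamValue), Domains = make_set(DestDomain)
    by TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId
| order by TimeGenerated desc
```

Saved as a scheduled analytics rule, a query like this produces the alert that a playbook can then act on, with `UserId` and `OfficeObjectId` identifying the mailbox and rule involved.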

