How to create a playbook in Azure Sentinel that detects, alerts, and removes email forwarding rule(s) from Office 365?


I would like to know how to create an Azure Sentinel playbook that does the following:

  1. Detects email forwarding rule(s) in Office 365
  2. If there are any, deletes the forwarding rule(s)
  3. Sends an alert email to the admin(s) regarding the forwarding rule(s)

Regards,

JayaChatterjee-MSFT On

Please check this link for better understanding.

For detecting a forwarding rule in Sentinel you can use the Fusion technology to detect a suspicious inbox forwarding rule, or you can query the Office 365 logs with something similar to what is shown here. Regarding deleting forwarding rules, I could not find anything specific in Sentinel/Logic Apps, and I am not sure if it is possible using the Office 365 Management API, but you can definitely explore it and use a Logic Apps custom connector to integrate it if needed. This new upcoming feature of Office 365 ATP might also interest you. Regarding sending alerts to the admin, you can generate a playbook to send alerts or use the Office 365 connector for Logic Apps. Please let me know if there are any additional concerns. [Ref: link]
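As an added example that is not part of the answer above, the following Python script shows the detection step (step 1) and the admin notification text (step 3) applied to constructed audit records shaped like Sentinel's OfficeActivity rows, where the Parameters column is a JSON array of Name/Value pairs; the operation and parameter names are the real Exchange cmdlet names that appear in the audit log, while the sample records, domains and helper names are assumptions for illustration.

```python
import json
from dataclasses import dataclass

# Exchange audit operations that can create or change mail forwarding.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
# Cmdlet parameters that carry a forwarding or redirect target.
FORWARDING_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress", "ForwardingAddress")

@dataclass
class Finding:
    mailbox: str      # mailbox whose mail is being forwarded
    operation: str    # audited cmdlet
    rule: str         # inbox rule name, or "<mailbox setting>" for Set-Mailbox
    targets: list     # normalized forwarding addresses
    external: bool    # True if any target is outside the internal domains

def _normalize(address):
    # Audit values may look like "smtp:user@domain" or a bare address.
    a = address.strip().lower()
    return a[5:] if a.startswith("smtp:") else a

def find_forwarding(records, internal_domains):
    """Return one Finding per audit record that sets a forwarding target."""
    findings = []
    for rec in records:
        if rec.get("OfficeWorkload") != "Exchange" or rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in json.loads(rec.get("Parameters", "[]"))}
        targets = [_normalize(params[k]) for k in FORWARDING_PARAMETERS if params.get(k)]
        if not targets:
            continue  # rule change without any forwarding, e.g. a move-to-folder rule
        op = rec["Operation"]
        mailbox = params.get("Mailbox") or (params.get("Identity") if op == "Set-Mailbox" else None) or rec.get("UserId", "")
        rule = "<mailbox setting>" if op == "Set-Mailbox" else params.get("Name") or params.get("Identity", "")
        external = any(t.rsplit("@", 1)[-1] not in internal_domains for t in targets)
        findings.append(Finding(mailbox, op, rule, targets, external))
    return findings

def format_alert(findings):
    """Plain-text body for the admin notification (step 3 of the question)."""
    lines = [f"{len(findings)} forwarding change(s) detected:"]
    for f in findings:
        flag = "EXTERNAL" if f.external else "internal"
        lines.append(f"- {f.mailbox}: {f.operation} rule '{f.rule}' -> {', '.join(f.targets)} [{flag}]")
    return "\n".join(lines)

# Constructed sample records in the shape of OfficeActivity rows (Parameters is a JSON string).
SAMPLE_RECORDS = [
    {"OfficeWorkload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": json.dumps([{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "billing@example.com"}])},
    {"OfficeWorkload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "bob@example.com"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}])},
    {"OfficeWorkload": "Exchange", "Operation": "New-InboxRule", "UserId": "carol@example.com",
     "Parameters": json.dumps([{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Archive"}])},
    {"OfficeWorkload": "SharePoint", "Operation": "FileAccessed", "UserId": "dave@example.com", "Parameters": "[]"},
]

if __name__ == "__main__":
    print(format_alert(find_forwarding(SAMPLE_RECORDS, {"example.com"})))
```

The same filter (Operation in the set above, Parameters containing one of the forwarding parameter names) is what a Sentinel analytics rule over OfficeActivity would express, with the mailbox and rule name from each Finding giving an administrator what they need for the removal step.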