[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939)

* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created

* Update non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

etc/non-ecs-schema.json

@@ -46,10 +46,7 @@
     "powershell.file.script_block_text": "text"
   },
   "filebeat-*": {
-    "o365.audit.NewValue": "keyword",
-    "o365audit.Parameters.ForwardTo": "keyword",
-    "o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
-    "o365audit.Parameters.RedirectTo": "keyword"
+    "o365.audit.NewValue": "keyword"
   },
   "logs-endpoint.events.*": {
     "process.Ext.token.integrity_level_name": "keyword",

rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/04/25"
 integration = "o365"
 
 [rule]
@@ -43,9 +43,9 @@ query = '''
 event.dataset:o365.audit and event.provider:Exchange and
 event.category:web and event.action:"New-InboxRule" and
     (
-        o365audit.Parameters.ForwardTo:* or
-        o365audit.Parameters.ForwardAsAttachmentTo:* or
-        o365audit.Parameters.RedirectTo:*
+        o365.audit.Parameters.ForwardTo:* or
+        o365.audit.Parameters.ForwardAsAttachmentTo:* or
+        o365.audit.Parameters.RedirectTo:*
     ) 
     and event.outcome:success
 '''