From f050b0ce0c8b3b0135c74efa78f9ea1d636a7693 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Wed, 27 Apr 2022 09:09:25 -0300
Subject: [PATCH] [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939)

* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created
* Update non-ecs-schema.json

Co-authored-by: Justin Ibarra
---
 etc/non-ecs-schema.json | 5 +----
 .../o365/collection_microsoft_365_new_inbox_rule.toml | 8 ++++----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index a3173e65b..daf6dcdd5 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -46,10 +46,7 @@
 "powershell.file.script_block_text": "text"
 },
 "filebeat-*": {
- "o365.audit.NewValue": "keyword",
- "o365audit.Parameters.ForwardTo": "keyword",
- "o365audit.Parameters.ForwardAsAttachmentTo": "keyword",
- "o365audit.Parameters.RedirectTo": "keyword"
+ "o365.audit.NewValue": "keyword"
 },
 "logs-endpoint.events.*": {
 "process.Ext.token.integrity_level_name": "keyword",
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 230ea7384..077a538ff 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/04/25"
 integration = "o365"
 
 [rule]
@@ -43,9 +43,9 @@
 query = '''
 event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-InboxRule" and
 (
- o365audit.Parameters.ForwardTo:* or
- o365audit.Parameters.ForwardAsAttachmentTo:* or
- o365audit.Parameters.RedirectTo:*
+ o365.audit.Parameters.ForwardTo:* or
+ o365.audit.Parameters.ForwardAsAttachmentTo:* or
+ o365.audit.Parameters.RedirectTo:*
 )
 and event.outcome:success
 '''
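Review bot: Dropping the three `o365audit.Parameters.*` entries from the `filebeat-*` non-ECS schema only stays safe if the schema the rule validator loads for the o365 integration actually declares the renamed paths (`o365.audit.Parameters.ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`, or a flattened `o365.audit.Parameters`); nothing in this hunk shows that, and the fact that `o365.audit.NewValue` still has to be listed here suggests the integration schema is not complete. If those keys are not covered, the rule's query will fail field validation, so the PR should state where they are defined, or keep them here under the corrected `o365.audit.` prefix, e.g. `"o365.audit.Parameters.ForwardTo": "keyword",`. The surrounding `filebeat-*` object continues outside this hunk.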
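Review bot: The corrected query still keys on `event.action:"New-InboxRule"` alone, so forwarding added to an already existing rule via `Set-InboxRule`, which carries the same `ForwardTo` / `ForwardAsAttachmentTo` / `RedirectTo` parameters, is not detected; consider `event.action:("New-InboxRule" or "Set-InboxRule")` and say in the rule description which cmdlets are covered (mailbox-level forwarding set through `Set-Mailbox` is a separate control and should be named as out of scope). If the previous `o365audit.*` paths never matched ingested events, which the removal of those names from the non-ECS schema in the first hunk hints at, this rule was effectively silent before the fix, and a one-line note in the description would stop analysts reading earlier "no hits" as evidence of no forwarding rules. The `[rule]` table this `query` belongs to starts before the hunk.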