A common action after a mailbox is compromised is to forward inbound mail somewhere else to intercept future communications. Surface that data in Roar and allow for rules/change detections.
We have queued up development work to add message rule data to the data print and then to create Actionable Alert and Change Detection rules from it. For reference, this is the Microsoft API endpoint that we are looking at using and an example of the data that will be available to us: https://docs.microsoft.com/en-us/graph/api/mailfolder-list-messagerules?view=graph-rest-1.0&tabs=http
Thanks for taking the time to give us this feedback!