Roar Enhancement Ideas

Submit and upvote ideas to make Roar better! You get 10 votes so vote wisely!
To learn more about our Ideas Portal, check out our FAQs.
To schedule a feedback session with a member of the Liongard Research Team, click here.

Office 365 Inspector - Add forwarding rules/addresses to data print

A common action after a mailbox is compromised is to forward inbound mail somewhere else to intercept future communications. Surface that data in Roar and allow for rules/change detections.

  • Matt Miller
  • Jun 1 2019
  • Shipped
  • Attach files
  • Stephen Moody commented
    5 Nov, 2019 12:16am

    Nice! This is a good start. We'd want to be able to specifically flag rules with email forwarding set to an email address outside the org/not associated with their 365 tenant.

    Unfortunately it doesn't appear the Graph API yet allows for interaction with the "global" forwarding setting which is at least as important to us. That info is retrievable with partner powershell so hopefully it will be added to Graph soon.

    (Vote here: https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/38033548-graph-api-to-list-the-mail-forwarding-details-for)

  • Stephen Moody commented
    29 Oct, 2019 11:31pm

    Just chiming in to agree that this tied to an  alert when a new forward is created would be extremely useful for breach incident awareness.

  • Seth Morgan commented
    22 Oct, 2019 09:27pm

    This, plus Transport Rule monitoring, would definitely improve response time to address security breaches as well as speed up  the process of cleaning up malicious changes to the environment.

  • Steve King commented
    20 Aug, 2019 01:35pm

    Yes! This is a clear candidate for an alert category as well.