Skip to content

[pull] dev from KelvinTegelaar:dev#1070

Merged
pull[bot] merged 8 commits into
bmsimp:devfrom
KelvinTegelaar:dev
Jul 6, 2026
Merged

[pull] dev from KelvinTegelaar:dev#1070
pull[bot] merged 8 commits into
bmsimp:devfrom
KelvinTegelaar:dev

Conversation

@pull

@pull pull Bot commented Jul 6, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

kris6673 and others added 8 commits July 2, 2026 21:08
The BEC report only listed inbox rules that still exist on the
mailbox, so rules an attacker created, used and then deleted were
invisible. Add a user-scoped audit log search for rule create,
change and remove events over the last 7 days, expose it as
InboxRuleChanges, and flag surviving rules as RecentlyChanged.

Also harden the run: audit log search failures and timeouts were
killing the entire BEC run, so wrap the search in try/catch and
degrade to partial results with a warning instead. Drop the unused
high-volume MailboxLogin/UserLoggedIn operations from the
tenant-wide search (nothing downstream consumed them) and log
Get-InboxRule failures properly instead of a broken Write-Host.
# Conflicts:
#	Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/BEC/Push-BECRun.ps1
## Problem

The BEC investigation only lists inbox rules that **still exist** on the
mailbox (`Get-InboxRule`). Attackers commonly create a rule, use it, and
then delete it to cover their tracks — those rules were completely
invisible in the report.

Separately, when the unified audit log search failed or timed out, the
exception killed the **entire** BEC run instead of producing a partial
report.

## Changes

- **New `InboxRuleChanges` field**: a user-scoped
`Search-UnifiedAuditLog` for `New-InboxRule`, `Set-InboxRule`,
`Remove-InboxRule` and `UpdateInboxRules` events over the last 7 days,
so created/changed/deleted rules show up even if they no longer exist.
- **`RecentlyChanged` flag on existing rules**: rules returned by
`Get-InboxRule` are flagged when their name matches a 7-day audit event.
(Inbox rules carry no timestamps, so name-matching is the best available
signal; Outlook-client `UpdateInboxRules` events carry no rule name and
stay unflagged.)
- **Resilience**: the tenant-wide audit search is wrapped in try/catch —
on failure it logs a warning and degrades to partial results instead of
failing the whole run. `Get-InboxRule` failures now log via
`Write-LogMessage` (the old `Write-Host` string concat was broken).
- **Trimmed the tenant-wide search**: dropped
`MailboxLogin`/`UserLoggedIn` operations — nothing downstream consumed
them (`$PermissionsLog` filters to permission ops only) and sign-in
events are high-volume, bloating the search.
- Error-path result now includes `ExtractedAt` so the frontend gets a
timestamp even on failure.

## Companion PR

Frontend PR (displays `InboxRuleChanges` + `RecentlyChanged` in the BEC
page and PDF report): KelvinTegelaar/CIPP#6281

This PR is safe to merge on its own — it only adds fields to the BEC
result.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
…moval on offboarding (#2129)

- Fixes KelvinTegelaar/CIPP#6280
- Remove users from mail-enabled security groups during license removal
on offboarding
@pull pull Bot locked and limited conversation to collaborators Jul 6, 2026
@pull pull Bot added the ⤵️ pull label Jul 6, 2026
@pull pull Bot merged commit 10c73eb into bmsimp:dev Jul 6, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants