vikas891/UnderstandingRuleLogic

## UnderstandingRuleLogic
//Test Rule Logic 1
ObjectType = "process"
AND SrcProcParentName = "w3wp.exe"
AND SrcProcName In Contains Anycase  ( "cmd.exe" , "powershell.exe" )
AND TgtProcName in Contains Anycase  ( "ipconfig.exe" , "quser.exe" )

//Test Rule Logic 2
OfficeActivity
| where OfficeWorkload == “Exchange” and Operation == “Set-Mailbox”and Parameters has “DeliverToMailboxAndForward”
| extend Email = tostring(parse_json(Parameters)[1].Value)
| project TimeGenerated, OfficeWorkload, UserId, OfficeObjectId, Email
	//Test Rule Logic 1
	ObjectType = "process"
	AND SrcProcParentName = "w3wp.exe"
	AND SrcProcName In Contains Anycase ( "cmd.exe" , "powershell.exe" )
	AND TgtProcName in Contains Anycase ( "ipconfig.exe" , "quser.exe" )

	//Test Rule Logic 2
	OfficeActivity
	\| where OfficeWorkload == “Exchange” and Operation == “Set-Mailbox”and Parameters has “DeliverToMailboxAndForward”
	\| extend Email = tostring(parse_json(Parameters)[1].Value)
	\| project TimeGenerated, OfficeWorkload, UserId, OfficeObjectId, Email