Inbox rule alert
I have created a query that finds inbox rules created on non-managed devices; could I get some feedback on it? I want to reset the user's MFA session if this happens, as it's probably a compromised user.
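// Detection: a new Exchange inbox rule that hides or deletes mail, created from a
// session whose sign-in came from a device Entra ID did not report as managed.
// Such rules are a common persistence/concealment step after account compromise,
// so a match is treated as a likely compromised user.
//
// Lookback is shared by both tables. For a scheduled analytics rule it should match
// the rule's query period; 1130d looks like a backfill/testing value — TODO confirm.
let lookback = ago(1130d);
// Sign-ins from devices reported as NOT managed. The filter lives here, before the
// join, so only the sign-in side is constrained and the intent is explicit.
let unmanagedSignIns =
    SigninLogs
    | where TimeGenerated > lookback
    // NOTE(review): only OfficeHome sign-ins are considered; rules created through
    // other Exchange clients will not be matched — confirm this is intended.
    | where AppDisplayName == "OfficeHome"
    | extend isManaged_ = tostring(DeviceDetail.isManaged)
    | extend isCompliant_ = tostring(DeviceDetail.isCompliant)
    // Case-insensitive compare; an empty value (isManaged not reported) is NOT
    // treated as unmanaged, same as the original behaviour.
    | where isManaged_ =~ "false"
    | project SessionId, SignInTime = TimeGenerated, UserPrincipalName, AppDisplayName,
        IPAddress, Location, DeviceDetail, ConditionalAccessStatus, RiskLevelDuringSignIn,
        ClientAppUsed, ResourceDisplayName, isManaged_, isCompliant_;
OfficeActivity
| where TimeGenerated > lookback
| where OfficeWorkload =~ "Exchange"
| where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded")
// Rule actions/targets typically used to conceal mail from the mailbox owner.
| where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage" or Parameters has "RSS"
| extend AADSessionId = tostring(parse_json(tostring(AppAccessContext)).AADSessionId)
// Events without a session id can never be correlated; drop them explicitly instead
// of letting the join discard them silently.
| where isnotempty(AADSessionId)
// The original leftouter join followed by a filter on a right-side column was
// effectively an inner join; make that explicit.
| join kind=inner (unmanagedSignIns) on $left.AADSessionId == $right.SessionId
// Only a sign-in that happened before the rule was created can explain it.
| where SignInTime <= TimeGenerated
// A session usually has many sign-in rows; keep the latest qualifying one per rule
// event so one inbox rule produces one alert instead of a row per sign-in.
| summarize arg_max(SignInTime, *) by TimeGenerated, UserId, Parameters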