LoFP / short rule names may trigger false positives. adjust the entropy and length thresholds as needed.

`o365_management_activity` Workload=Exchange Operation="New-InboxRule" 
| stats values(Name) as Name, values(MarkAsRead) as MarkAsRead, values(MoveToFolder) as MoveToFolder by _time Id user 
| lookup ut_shannon_lookup word as Name 
| eval entropy_score=if(ut_shannon<=2, 1, 0) 
| eval len_score=if(len(Name)<=3, 1,0) 
| eval read_score=if(MarkAsRead="True", 1, 0) 
| eval folder_score=if(match(MoveToFolder, "^(RSS
|Conversation History
|Archive)"), 1, 0) 
| eval suspicious_score=entropy_score+len_score+read_score+folder_score 
| where suspicious_score>2 
| `o365_bec_email_hiding_rule_created_filter`