Exchange Servers and Associated Security Alerts

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	84026aa0-7020-45d0-9f85-d526e43de2ab
Tactics	InitialAccess
Techniques	T1190
Required Connectors	AzureMonitor(IIS), MicrosoftDefenderAdvancedThreatProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
SecurityAlert	✓	✗	?
W3CIISLog	✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectoryIdentityProtection	Microsoft Entra ID Protection
AzureAdvancedThreatProtection	Microsoft Defender for Identity
AzureSecurityCenter	Microsoft Defender for Cloud
ESI-Opt5ExchangeIISLogs	Microsoft Exchange Security - Exchange On-Premises
IoT	IoTOTThreatMonitoringwithDefenderforIoT
MicrosoftCloudAppSecurity	Microsoft Defender for Cloud Apps
MicrosoftDefenderAdvancedThreatProtection	MicrosoftDefenderForEndpoint
MicrosoftDefenderForCloudTenantBased	Microsoft Defender for Cloud
OfficeATP	Microsoft Defender for Office 365
OfficeIRM	MicrosoftPurviewInsiderRiskManagement

Solutions: IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID Protection, Microsoft Exchange Security - Exchange On-Premises, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries