Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity:success (app-activity) ↳microsoft-exchange-str-app-activity-success-isaweblog ↳microsoft-exchange-kv-app-activity-appactivity ↳microsoft-o365-cef-app-file-success-modifiedproperties app-login:success (app-login) ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server app-login:fail (failed-app-login) ↳microsoft-exchange-kv-app-login-fail-imap4	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Data Access	app-activity:success (app-activity) ↳microsoft-exchange-str-app-activity-success-isaweblog ↳microsoft-exchange-kv-app-activity-appactivity ↳microsoft-o365-cef-app-file-success-modifiedproperties app-login:success (app-login) ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server app-login:fail (failed-app-login) ↳microsoft-exchange-kv-app-login-fail-imap4	T1078 - Valid Accounts	20 Rules 11 Models
Data Leak	app-activity:success (app-activity) ↳microsoft-exchange-str-app-activity-success-isaweblog ↳microsoft-exchange-kv-app-activity-appactivity ↳microsoft-o365-cef-app-file-success-modifiedproperties email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating email-send:fail (dlp-email-alert-out-failed) ↳microsoft-x-csv-email-send-failed ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-json-email-send-originating ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1114 - Email Collection T1114.003 - Email Collection: Email Forwarding Rule	37 Rules 16 Models
Malware	app-login:success (app-login) ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server email-receive:success (dlp-email-alert-in) ↳microsoft-x-kv-email-receive-success-smtp ↳microsoft-x-csv-email-receive-success-incoming ↳microsoft-exchange-kv-email-receive-success-redirect ↳microsoft-exchange-kv-email-receive-success-send ↳microsoft-exchange-json-email-receive-incoming ↳microsoft-exchange-kv-email-receive-success-smtp ↳microsoft-x-csv-email-deliver ↳microsoft-exchange-kv-email-receive-deliver ↳microsoft-exchange-cef-email-receive-incoming ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-receive-incoming ↳microsoft-exchange-str-email-receive-success-inbound ↳microsoft-exchange-str-email-success-internal ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating	T1078 - Valid Accounts T1190 - Exploit Public Fasing Application	2 Rules
Phishing	email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	1 Rules 1 Models
Privilege Abuse	app-activity:success (app-activity) ↳microsoft-exchange-str-app-activity-success-isaweblog ↳microsoft-exchange-kv-app-activity-appactivity ↳microsoft-o365-cef-app-file-success-modifiedproperties app-activity:fail (app-activity-failed) ↳microsoft-exchange-kv-app-activity-appactivity app-login:success (app-login) ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server email-receive:success (dlp-email-alert-in) ↳microsoft-x-kv-email-receive-success-smtp ↳microsoft-x-csv-email-receive-success-incoming ↳microsoft-exchange-kv-email-receive-success-redirect ↳microsoft-exchange-kv-email-receive-success-send ↳microsoft-exchange-json-email-receive-incoming ↳microsoft-exchange-kv-email-receive-success-smtp ↳microsoft-x-csv-email-deliver ↳microsoft-exchange-kv-email-receive-deliver ↳microsoft-exchange-cef-email-receive-incoming ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-receive-incoming ↳microsoft-exchange-str-email-receive-success-inbound ↳microsoft-exchange-str-email-success-internal ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating email-receive:fail (dlp-email-alert-in-failed) ↳microsoft-x-csv-email-receive-failed ↳microsoft-x-csv-email-deliver ↳microsoft-exchange-kv-email-receive-deliver ↳microsoft-exchange-cef-email-receive-incoming ↳microsoft-exchange-json-email-receive-incoming ↳microsoft-exchange-kv-email-receive-incoming ↳microsoft-x-csv-email-send-failed ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating email-send:fail (dlp-email-alert-out-failed) ↳microsoft-x-csv-email-send-failed ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-json-email-send-originating ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed app-login:fail (failed-app-login) ↳microsoft-exchange-kv-app-login-fail-imap4	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	6 Rules 2 Models
Privileged Activity	app-activity:success (app-activity) ↳microsoft-exchange-str-app-activity-success-isaweblog ↳microsoft-exchange-kv-app-activity-appactivity ↳microsoft-o365-cef-app-file-success-modifiedproperties app-activity:fail (app-activity-failed) ↳microsoft-exchange-kv-app-activity-appactivity app-login:success (app-login) ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server email-receive:success (dlp-email-alert-in) ↳microsoft-x-kv-email-receive-success-smtp ↳microsoft-x-csv-email-receive-success-incoming ↳microsoft-exchange-kv-email-receive-success-redirect ↳microsoft-exchange-kv-email-receive-success-send ↳microsoft-exchange-json-email-receive-incoming ↳microsoft-exchange-kv-email-receive-success-smtp ↳microsoft-x-csv-email-deliver ↳microsoft-exchange-kv-email-receive-deliver ↳microsoft-exchange-cef-email-receive-incoming ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-receive-incoming ↳microsoft-exchange-str-email-receive-success-inbound ↳microsoft-exchange-str-email-success-internal ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating email-receive:fail (dlp-email-alert-in-failed) ↳microsoft-x-csv-email-receive-failed ↳microsoft-x-csv-email-deliver ↳microsoft-exchange-kv-email-receive-deliver ↳microsoft-exchange-cef-email-receive-incoming ↳microsoft-exchange-json-email-receive-incoming ↳microsoft-exchange-kv-email-receive-incoming ↳microsoft-x-csv-email-send-failed ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating email-send:fail (dlp-email-alert-out-failed) ↳microsoft-x-csv-email-send-failed ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-json-email-send-originating ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed app-login:fail (failed-app-login) ↳microsoft-exchange-kv-app-login-fail-imap4	T1078 - Valid Accounts	2 Rules 1 Models
Workforce Protection	email-send:success (dlp-email-alert-out) ↳microsoft-x-csv-email-send-success-mailboxrule ↳microsoft-exchange-str-email-send-success-outbound ↳microsoft-x-kv-email-send-success-catrs ↳microsoft-x-csv-email-send-success-routing ↳microsoft-x-csv-email-received ↳microsoft-exchange-cef-email-send-originating ↳microsoft-exchange-csv-email-send-receive-delivered ↳microsoft-exchange-csv-email-receive-success-deliver ↳microsoft-exchange-csv-email-send-receive-expanded ↳microsoft-exchange-json-email-success-5290 ↳microsoft-exchange-kv-email-send-success-send ↳microsoft-exchange-kv-email-send-originating ↳microsoft-exchange-kv-email-send-originating-1 ↳microsoft-exchange-kv-email-send-fail-sendfailed-1 ↳microsoft-exchange-kv-email-send-success-deliver ↳microsoft-exchange-str-email-success-internal ↳microsoft-exchange-csv-email-send-success-receive ↳microsoft-exchange-json-email-send-originating	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 1 Models

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_microsoft_microsoft_exchange.md

2_ds_microsoft_microsoft_exchange.md

Files

2_ds_microsoft_microsoft_exchange.md

Latest commit

History

2_ds_microsoft_microsoft_exchange.md

File metadata and controls