Vendor: Microsoft

November 7, 2023 · View on GitHub

Product: Exchange

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
138631199
Use-CaseEvent Types/ParsersMITRE ATT&CK® TTPContent
Abnormal Authentication & Accessapp-activity
s-owa-activity
cef-exchange-app-activity
outlook-exchange-app-activity-8
outlook-exchange-app-activity-9
outlook-exchange-app-activity-10
cef-exchange-app-activity-4
outlook-exchange-app-activity-2
cef-exchange-app-activity-3
outlook-exchange-app-activity-3
cef-exchange-app-activity-2
cef-exchange-app-activity-1
outlook-exchange-app-activity-1
outlook-exchange-app-activity-6
cef-exchange-app-activity-7
outlook-exchange-app-activity-7
cef-exchange-app-activity-6
outlook-exchange-app-activity-4
s-exchange-app-activity
cef-exchange-app-activity-5
outlook-exchange-app-activity-5

app-login
exchange-app-login-1
exchange-app-login

failed-app-login
exchange-failed-app-login
T1078 - Valid Accounts
T1133 - External Remote Services
  • 15 Rules
  • 4 Models
Account Manipulationapp-activity
s-owa-activity
cef-exchange-app-activity
outlook-exchange-app-activity-8
outlook-exchange-app-activity-9
outlook-exchange-app-activity-10
cef-exchange-app-activity-4
outlook-exchange-app-activity-2
cef-exchange-app-activity-3
outlook-exchange-app-activity-3
cef-exchange-app-activity-2
cef-exchange-app-activity-1
outlook-exchange-app-activity-1
outlook-exchange-app-activity-6
cef-exchange-app-activity-7
outlook-exchange-app-activity-7
cef-exchange-app-activity-6
outlook-exchange-app-activity-4
s-exchange-app-activity
cef-exchange-app-activity-5
outlook-exchange-app-activity-5
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Data Exfiltrationdlp-alert
exchange-dlp-alert
exchange-dlp-alert-1
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

External Remote Services

Valid Accounts

Account Manipulation

Account Manipulation: Exchange Email Delegate Permissions

Valid Accounts

Valid Accounts

Email Collection

Email Collection: Email Forwarding Rule

Proxy: Multi-hop Proxy

Application Layer Protocol

Proxy

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Automated Exfiltration