2_ds_microsoft_microsoft_exchange.md

April 15, 2026

Columns: Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content. Each use case below lists its activity types with the parsers that feed them, the MITRE ATT&CK® TTPs it maps to, and the content (rules and models) that ships for it.

Use-Case: Compromised Credentials

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

authentication-successful
microsoft-exchange-kv-app-authentication-success-exserver

security-alert
microsoft-exchange-csv-alert-trigger-dsnbadmail

MITRE ATT&CK TTP:
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application

Content:
  • 65 Rules
  • 33 Models

Use-Case: Data Access

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

MITRE ATT&CK TTP:
T1078 - Valid Accounts

Content:
  • 19 Rules
  • 11 Models

Use-Case: Data Leak

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

dlp-email-alert-out-failed
microsoft-x-csv-email-failed
microsoft-x-csv-email-send-failed
microsoft-x-csv-email-received
microsoft-exchange-json-email-send-originating

MITRE ATT&CK TTP:
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1114 - Email Collection
T1114.003 - Email Collection: Email Forwarding Rule

Content:
  • 37 Rules
  • 16 Models

Use-Case: Lateral Movement

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

authentication-successful
microsoft-exchange-kv-app-authentication-success-exserver

security-alert
microsoft-exchange-csv-alert-trigger-dsnbadmail

MITRE ATT&CK TTP:
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy

Content:
  • 3 Rules

Use-Case: Malware

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

authentication-successful
microsoft-exchange-kv-app-authentication-success-exserver

dlp-email-alert-in
microsoft-exchange-csv-email-receive-smtpreceive
microsoft-exchange-csv-email-receive-agentreceive
microsoft-exchange-csv-email-receive-smtphareceive
microsoft-x-kv-email-receive-success-smtp
microsoft-x-csv-email-receive-success-incoming
microsoft-x-csv-email-resolved
microsoft-exchange-json-email-receive-incoming
microsoft-x-csv-email-deliver
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-exchange-str-email-receive-success-inbound
microsoft-exchange-str-email-success-internal
microsoft-x-csv-email-received

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

security-alert
microsoft-exchange-csv-alert-trigger-dsnbadmail

MITRE ATT&CK TTP:
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
TA0002 - Execution

Content:
  • 6 Rules
  • 2 Models

Use-Case: Phishing

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

MITRE ATT&CK TTP:
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Content:
  • 1 Rule
  • 1 Model

Use-Case: Privilege Abuse

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

dlp-email-alert-in
microsoft-exchange-csv-email-receive-smtpreceive
microsoft-exchange-csv-email-receive-agentreceive
microsoft-exchange-csv-email-receive-smtphareceive
microsoft-x-kv-email-receive-success-smtp
microsoft-x-csv-email-receive-success-incoming
microsoft-x-csv-email-resolved
microsoft-exchange-json-email-receive-incoming
microsoft-x-csv-email-deliver
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-exchange-str-email-receive-success-inbound
microsoft-exchange-str-email-success-internal
microsoft-x-csv-email-received

dlp-email-alert-in-failed
microsoft-x-csv-email-failed
microsoft-x-csv-email-receive-failed
microsoft-x-csv-email-deliver
microsoft-exchange-json-email-receive-incoming
microsoft-x-csv-email-send-failed
microsoft-x-csv-email-received

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

dlp-email-alert-out-failed
microsoft-x-csv-email-failed
microsoft-x-csv-email-send-failed
microsoft-x-csv-email-received
microsoft-exchange-json-email-send-originating

MITRE ATT&CK TTP:
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions

Content:
  • 6 Rules
  • 2 Models

Use-Case: Privilege Escalation

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

MITRE ATT&CK TTP:
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions

Content:
  • 3 Rules
  • 1 Model

Use-Case: Privileged Activity

app-activity
microsoft-exchange-json-email-receive-incoming
microsoft-exchange-csv-app-notification-hadiscard
microsoft-exchange-csv-app-notification-agentresubmit
microsoft-exchange-csv-app-notification-agentdefer
microsoft-exchange-csv-app-notification-agentinfo
microsoft-exchange-csv-app-notification-routingexpand
microsoft-exchange-csv-app-notification-routingtransfer
microsoft-exchange-csv-app-notification-processmeetingmessage
microsoft-exchange-csv-app-notification-success-smtpfail
microsoft-exchange-csv-app-notification-routingdrop
microsoft-exchange-csv-app-notification-dsn
microsoft-exchange-csv-app-notification-routing
microsoft-exchange-csv-app-notification-routingduplicateredirect
microsoft-exchange-csv-app-notification-transfer
microsoft-exchange-csv-app-notification-success-storedriver
microsoft-exchange-csv-app-notification-redirecting
microsoft-exchange-csv-app-notification-smtpharedirect
microsoft-exchange-csv-app-notification-success-safetynetresubmit
microsoft-exchange-csv-app-notification-smtpharedirectfail
microsoft-exchange-csv-app-notification-smtpdefer
microsoft-exchange-csv-app-notification-success-queuetransfer
microsoft-exchange-csv-app-notification-success-routingsuppressed
microsoft-exchange-csv-app-notification-success-queueresubmit
microsoft-exchange-str-app-activity-success-isaweblog
microsoft-o365-cef-app-file-success-modifiedproperties
microsoft-o365-sk4-app-activity-success-softdelete
microsoft-exchange-sk4-app-activity-success-harddelete
microsoft-o365-cef-app-file-success-modifiedproperties

app-login
microsoft-exchange-csv-app-authentication-success-server
microsoft-exchange-kv-app-login-success-serverexchange

dlp-email-alert-in
microsoft-exchange-csv-email-receive-smtpreceive
microsoft-exchange-csv-email-receive-agentreceive
microsoft-exchange-csv-email-receive-smtphareceive
microsoft-x-kv-email-receive-success-smtp
microsoft-x-csv-email-receive-success-incoming
microsoft-x-csv-email-resolved
microsoft-exchange-json-email-receive-incoming
microsoft-x-csv-email-deliver
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-exchange-str-email-receive-success-inbound
microsoft-exchange-str-email-success-internal
microsoft-x-csv-email-received

dlp-email-alert-in-failed
microsoft-x-csv-email-failed
microsoft-x-csv-email-receive-failed
microsoft-x-csv-email-deliver
microsoft-exchange-json-email-receive-incoming
microsoft-x-csv-email-send-failed
microsoft-x-csv-email-received

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

dlp-email-alert-out-failed
microsoft-x-csv-email-failed
microsoft-x-csv-email-send-failed
microsoft-x-csv-email-received
microsoft-exchange-json-email-send-originating

security-alert
microsoft-exchange-csv-alert-trigger-dsnbadmail

MITRE ATT&CK TTP:
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts

Content:
  • 3 Rules
  • 1 Model

Use-Case: Workforce Protection

dlp-email-alert-out
microsoft-exchange-csv-email-send-receive-delivered
microsoft-exchange-csv-email-receive-success-deliver
microsoft-exchange-csv-email-send-receive-expanded
microsoft-x-csv-email-send-success-mailboxrule
microsoft-exchange-str-email-send-success-outbound
microsoft-x-kv-email-send-success-catrs
microsoft-x-csv-email-send-success-routing
microsoft-x-csv-email-resolved
microsoft-x-csv-email-received
microsoft-exchange-csv-email-send-success-smtpsend
microsoft-exchange-str-email-success-internal
microsoft-exchange-json-email-send-originating

MITRE ATT&CK TTP:
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Content:
  • 4 Rules
  • 1 Model
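
Most of the csv parser names in the table are built from two columns of the Exchange Server message tracking log: `source` (the transport component, e.g. SMTP, STOREDRIVER, ROUTING, MAILBOXRULE, DSN) and `event-id` (what it did, e.g. RECEIVE, DELIVER, TRANSFER, SEND, BADMAIL), so `...-smtpreceive` is SMTP/RECEIVE and `...-alert-trigger-dsnbadmail` is DSN/BADMAIL; the json parsers' `receive-incoming` / `send-originating` suffixes come from the `directionality` column. The following is an added example, not code from this page or from any vendor's parser library: it reads message tracking log rows using the `#Fields:` header, maps each row to one of the activity types above, and pulls out Inbox-rule forwards to external domains, which is the observable the Data Leak use case's T1114.003 mapping keys on. The `(source, event-id)` mapping table, the `INTERNAL_DOMAINS` set and the sample rows are assumptions constructed for this example.

```python
"""Parse Exchange Server message tracking log rows and map each one to the
activity types used on this page.

Added example, not from this page or any vendor's parsers.  Input is the
message tracking log (MSGTRK*.LOG): '#' comment lines, a '#Fields:' line
naming the CSV columns, then one row per transport event with 'source'
(component) and 'event-id' (what it did).  The mapping tables,
INTERNAL_DOMAINS and SAMPLE_LOG below are constructed assumptions.
"""
import csv
from collections import Counter

# Constructed sample: a real-shaped '#Fields:' header and seven hand-written rows.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.2507.006
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data,transport-traffic-type,log-id,schema-version
2026-04-15T08:01:02.123Z,203.0.113.10,mx.example.net,10.0.0.5,EX01,08DC1,Default Frontend EX01,SMTP,RECEIVE,101,<a1@example.net>,n1,alice@corp.example,To,4096,1,,,Invoice,bob@example.net,bob@example.net,,Incoming,,203.0.113.10,10.0.0.5,,Email,,15.01.2507.006
2026-04-15T08:01:02.500Z,10.0.0.5,EX01,10.0.0.5,EX01,,,ROUTING,TRANSFER,101,<a1@example.net>,n1,alice@corp.example,,4096,1,,,Invoice,bob@example.net,bob@example.net,,Incoming,,,,,Email,,15.01.2507.006
2026-04-15T08:01:03.000Z,,,10.0.0.5,EX01,,,STOREDRIVER,DELIVER,101,<a1@example.net>,n1,alice@corp.example,,4096,1,,,Invoice,bob@example.net,bob@example.net,,Incoming,,,,,Email,,15.01.2507.006
2026-04-15T08:01:04.000Z,,,10.0.0.5,EX01,,,MAILBOXRULE,SEND,102,<a2@corp.example>,n2,drop@attacker.example,,4096,1,alice@corp.example,,FW: Invoice,alice@corp.example,alice@corp.example,,Originating,,,,,Email,,15.01.2507.006
2026-04-15T08:01:05.000Z,10.0.0.5,EX01,198.51.100.7,mx.attacker.example,,Outbound to Internet,SMTP,SEND,102,<a2@corp.example>,n2,drop@attacker.example,250 2.6.0 Queued mail for delivery,4096,1,,,FW: Invoice,alice@corp.example,alice@corp.example,,Originating,,,,,Email,,15.01.2507.006
2026-04-15T08:02:00.000Z,,,10.0.0.5,EX01,,,DSN,BADMAIL,103,<a3@corp.example>,n3,postmaster@corp.example,,1024,1,,,Undeliverable: hello,,<>,,Undefined,,,,,Email,,15.01.2507.006
2026-04-15T08:03:00.000Z,10.0.0.5,EX01,192.0.2.9,mx.partner.example,,Outbound to Internet,SMTP,FAIL,104,<a4@corp.example>,n4,carol@partner.example,550 5.1.1 User unknown,2048,1,,,Report,alice@corp.example,alice@corp.example,,Originating,,,,,Email,,15.01.2507.006
"""


def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' line.

    The column list is taken from the header rather than hard-coded, so a log
    from another Exchange build with extra or reordered columns still parses.
    csv.reader handles subjects that are quoted because they contain commas."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = next(csv.reader([line]))
        values += [""] * (len(fields) - len(values))  # pad short rows
        rows.append(dict(zip(fields, values)))
    return rows


# (source, event-id) pairs whose parser names above make the mapping unambiguous.
EXACT_ACTIVITY = {
    ("SMTP", "RECEIVE"): "dlp-email-alert-in",         # ...-email-receive-smtpreceive
    ("SMTP", "HARECEIVE"): "dlp-email-alert-in",       # ...-email-receive-smtphareceive
    ("STOREDRIVER", "DELIVER"): "dlp-email-alert-in",  # ...-email-receive-success-deliver
    ("SMTP", "SEND"): "dlp-email-alert-out",           # ...-email-send-success-smtpsend
    ("MAILBOXRULE", "SEND"): "dlp-email-alert-out",    # ...-email-send-success-mailboxrule
    ("DSN", "BADMAIL"): "security-alert",              # ...-alert-trigger-dsnbadmail
}
# Transport-pipeline notifications the table files under app-activity (any source).
NOTIFICATION_EVENTS = {
    "AGENTINFO", "DEFER", "RESUBMIT", "EXPAND", "TRANSFER", "DROP", "SUPPRESSED",
    "REDIRECT", "DUPLICATEREDIRECT", "HAREDIRECT", "HAREDIRECTFAIL", "HADISCARD",
    "DSN", "PROCESSMEETINGMESSAGE",
}


def classify(row):
    """Map a parsed row to an activity type from the table, or None if unmapped."""
    source, event = row.get("source", "").upper(), row.get("event-id", "").upper()
    if (source, event) in EXACT_ACTIVITY:
        return EXACT_ACTIVITY[(source, event)]
    if event in NOTIFICATION_EVENTS:
        return "app-activity"
    if event == "FAIL":
        # The table lists the same FAIL parsers under both *-in-failed and
        # *-out-failed; splitting on directionality is this example's choice.
        out = row.get("directionality", "") == "Originating"
        return "dlp-email-alert-out-failed" if out else "dlp-email-alert-in-failed"
    return None


def summarize(text):
    """Count rows per activity type, dropping rows no parser above would claim."""
    return dict(Counter(filter(None, (classify(r) for r in parse_tracking_log(text)))))


INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains


def external_forwards(rows):
    """(sender, recipient) pairs where an Inbox rule (source MAILBOXRULE) sent
    mail outside INTERNAL_DOMAINS: the check behind the T1114.003 mapping."""
    hits = []
    for r in rows:
        if r.get("source", "").upper() != "MAILBOXRULE":
            continue
        rcpt = r.get("recipient-address", "")
        domain = rcpt.rpartition("@")[2].lower()
        if domain and domain not in INTERNAL_DOMAINS:
            hits.append((r.get("sender-address", ""), rcpt))
    return hits


if __name__ == "__main__":
    parsed = parse_tracking_log(SAMPLE_LOG)
    for name, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name:28s} {n}")
    for sender, rcpt in external_forwards(parsed):
        print(f"inbox rule forward {sender} -> {rcpt}")
```

Reading the column names from `#Fields:` rather than hard-coding positions is the check a practitioner wants here: Exchange builds differ in trailing columns, and a fixed-index parser silently shifts `source` and `event-id` onto the wrong fields, which is exactly what the security-alert and forwarding checks depend on. Treat `MAILBOXRULE`/`SEND` to a non-internal domain as a lead, not a verdict: legitimate auto-forwards exist, so the detection should be tuned against the organisation's known forwarding destinations.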