2_ds_microsoft_microsoft_iis.md

April 15, 2026 · View on GitHub

Use-CaseActivity Types/ParsersMITRE ATT&CK® TTPContent
Cryptominingweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 1 Rules
Data Exfiltrationweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Data Leakweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 6 Rules
  • 2 Models
Lateral Movementweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
  • 9 Rules
Malwareweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204 - User Execution
T1204.001 - T1204.001
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 25 Rules
  • 7 Models
Phishingweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1189 - Drive-by Compromise
T1204 - User Execution
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1598 - T1598
T1598.003 - T1598.003
  • 3 Rules
Privilege Abuseweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 1 Rules
Privileged Activityweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
  • 2 Rules
Ransomwareweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443

web-activity-denied
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Workforce Protectionweb-activity-allowed
microsoft-iis-str-http-session-webactivity
microsoft-iis-cef-http-session-internetinformationserver
microsoft-iis-xml-http-session-6200
microsoft-exchange-kv-app-login-success-401
microsoft-iis-str-http-session-optionsoab
microsoft-iis-str-http-session-headapi
microsoft-iis-str-http-session-putoab
microsoft-iis-str-http-session-getstatus
microsoft-iis-str-http-session-getews-1
microsoft-iis-str-http-session-headecp
microsoft-iis-str-http-session-putrpc
microsoft-iis-str-http-session-getecp
microsoft-iis-str-http-session-headautodiscover
microsoft-iis-str-http-session-deleteapi
microsoft-iis-str-http-session-postecp
microsoft-iis-str-http-session-getapi
microsoft-iis-str-http-session-postautodiscover-1
microsoft-iis-str-http-session-patchapi
microsoft-iis-str-http-session-postapi
microsoft-iis-str-http-session-postmicrosoftserver
microsoft-iis-str-http-session-optionsapi
microsoft-iis-str-http-session-getmicrosoftserver
microsoft-iis-str-http-session-postsignin
microsoft-iis-str-http-session-optionsecp
microsoft-iis-str-http-session-headrpc
microsoft-iis-str-http-session-getsignin
microsoft-iis-str-http-session-getowa
microsoft-iis-str-http-session-putecp
microsoft-iis-str-http-session-deleteoab
microsoft-iis-str-http-session-patchrpc
microsoft-iis-str-http-session-headsignin
microsoft-iis-str-http-session-postowa
microsoft-iis-str-http-session-getews
microsoft-iis-str-http-session-putapi
microsoft-iis-str-http-session-headoab
microsoft-iis-str-http-session-optionsowa
microsoft-iis-str-http-session-getautodiscover
microsoft-iis-str-http-session-postews
microsoft-iis-str-http-session-headmapi
microsoft-iis-str-http-session-putmapi
microsoft-iis-str-http-session-getoab
microsoft-iis-str-http-session-headews
microsoft-iis-str-http-session-postoab
microsoft-iis-str-http-session-getautodiscover-1
microsoft-iis-str-http-session-headmicrosoftserver
microsoft-iis-str-http-session-headowa
microsoft-iis-str-http-session-putowa
microsoft-iis-str-http-session-optionsrpc
microsoft-iis-str-http-session-getrpc
microsoft-iis-str-http-session-postews-1
microsoft-iis-str-http-session-optionsmicrosoftserver
microsoft-iis-str-http-session-getmapi
microsoft-iis-str-http-session-putews
microsoft-iis-str-http-session-postautodiscover
microsoft-iis-str-http-session-patchoab
microsoft-iis-str-http-session-postmapi
microsoft-iis-str-http-session-postrpc
microsoft-iis-str-http-session-deleterpc
microsoft-iis-str-http-request-post80
microsoft-iis-str-http-request-headotherports
microsoft-iis-str-http-request-post443
microsoft-iis-str-http-request-get443
microsoft-iis-str-http-request-postotherports
microsoft-iis-str-http-request-get80
microsoft-iis-str-http-request-head80
microsoft-iis-str-http-request-getotherports
microsoft-iis-str-http-request-head443
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 4 Rules
  • 2 Models