Vendor: Microsoft Product: Microsoft Exchange Rules Models MITRE ATT&CK® TTPs Activity Types Parsers 229 91 27 13 13 Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content Abnormal Authentication & Access app-activity ↳microsoft-exchange-str-app-activity-success-isaweblog app-login ↳microsoft-exchange-kv-app-login-success-serverexchange ↳microsoft-exchange-csv-app-authentication-success-server audit-log-clear ↳microsoft-exchange-csv-app-notification-hadiscard ↳microsoft-exchange-csv-app-notification-agentresubmit ↳microsoft-exchange-csv-app-notification-agentdefer ↳microsoft-exchange-csv-app-notification-agentinfo ↳microsoft-exchange-csv-app-notification-routingexpand ↳microsoft-exchange-csv-app-notification-routingtransfer ↳microsoft-exchange-csv-app-notification-processmeetingmessage ↳microsoft-exchange-csv-app-notification-success-smtpfail ↳microsoft-exchange-csv-app-notification-routingdrop ↳microsoft-exchange-csv-app-notification-dsn ↳microsoft-exchange-csv-app-notification-routing ↳microsoft-exchange-csv-app-notification-routingduplicateredirect ↳microsoft-exchange-csv-app-notification-transfer ↳microsoft-exchange-csv-app-notification-success-storedriver ↳microsoft-exchange-csv-app-notification-redirecting ↳microsoft-exchange-csv-app-notification-smtpharedirect ↳microsoft-exchange-csv-app-notification-success-safetynetresubmit ↳microsoft-exchange-csv-app-notification-smtpharedirectfail ↳microsoft-exchange-csv-app-notification-smtpdefer ↳microsoft-exchange-csv-app-notification-success-queuetransfer ↳microsoft-exchange-csv-app-notification-success-routingsuppressed ↳microsoft-exchange-csv-app-notification-success-queueresubmit authentication-failed ↳microsoft-exchange-csv-email-send-success-smtpsend failed-app-login ↳microsoft-exchange-kv-app-login-success-401 ↳microsoft-exchange-kv-app-login-fail-imap4 nac-logon ↳microsoft-exchange-kv-app-activity-success-list web-activity-allowed ↳microsoft-exchange-csv-email-receive-smtpreceive ↳microsoft-exchange-csv-email-receive-agentreceive ↳microsoft-exchange-csv-email-receive-smtphareceive ↳microsoft-exchange-str-app-authentication-fail-auth ↳microsoft-exchange-kv-app-authentication-success-exserver T1021 - Remote ServicesT1071.001 - Application Layer Protocol: Web ProtocolsT1078 - Valid AccountsT1133 - External Remote Services 27 Rules13 Models Account Manipulation app-activity ↳microsoft-exchange-str-app-activity-success-isaweblog T1098.002 - Account Manipulation: Exchange Email Delegate Permissions 3 Rules1 Models Privilege Escalation app-activity ↳microsoft-exchange-str-app-activity-success-isaweblog T1098.002 - Account Manipulation: Exchange Email Delegate Permissions 3 Rules1 Models Next Page -->> MITRE ATT&CK® Framework for Enterprise Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact Phishing: Spearphishing LinkExternal Remote ServicesValid AccountsDrive-by CompromiseExploit Public Fasing ApplicationReplication Through Removable MediaPhishing User Execution External Remote ServicesValid AccountsAccount ManipulationAccount Manipulation: Exchange Email Delegate Permissions Valid AccountsExploitation for Privilege Escalation Impair DefensesIndicator Removal on Host: Clear Windows Event LogsObfuscated Files or Information: Indicator Removal from ToolsValid AccountsIndicator Removal on HostObfuscated Files or Information Remote ServicesReplication Through Removable MediaInternal Spearphishing Email CollectionEmail Collection: Email Forwarding Rule Web ServiceApplication Layer Protocol: Web ProtocolsDynamic ResolutionDynamic Resolution: Domain Generation AlgorithmsProxy: Multi-hop ProxyApplication Layer ProtocolProxy Exfiltration Over Alternative ProtocolExfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolExfiltration Over Physical Medium: Exfiltration over USBExfiltration Over C2 ChannelExfiltration Over Physical MediumExfiltration Over Web Service: Exfiltration to Cloud StorageExfiltration Over Web Service Resource Hijacking