Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Exchange Server Vulnerabilities Disclosed March 2021 IoC Match

Back
Idd804b39c-03a4-417c-a949-bdbf21fa3305
RulenameExchange Server Vulnerabilities Disclosed March 2021 IoC Match
DescriptionThis detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.

Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsAWSS3
AzureMonitor(IIS)
AzureMonitor(WireData)
CEF
CheckPoint
CiscoASA
CiscoUmbrellaDataConnector
Corelight
DNS
F5
Fortinet
GCPDNSDataConnector
InfobloxNIOS
MicrosoftSysmonForLinux
NXLogDnsLogs
PaloAltoNetworks
SecurityEvents
WindowsFirewall
WindowsForwardedEvents
Zscaler
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml
Version1.7.4
Arm templated804b39c-03a4-417c-a949-bdbf21fa3305.json
Deploy To Azure
let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
let file_paths = (iocs | where Type =~ "filepath" | project IoC);
let sha256s = (iocs | where Type =~ "sha256" | project IoC);
let ips = (iocs | where Type =~ "ip" | project IoC);
let domains = (iocs | where Type =~ "domainname" | project IoC);
let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
union isfuzzy=true
(SecurityEvent
| where EventID == 4663
| where ObjectName in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(WindowsEvent
| where EventID == 4663 and EventData has_any (file_paths)
| extend ObjectName = tostring(EventData.ObjectName) 
| where ObjectName in (file_paths)
| extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(imFileEvent
| where TargetFileName in (file_paths)
  or
  TargetFileSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
),
(DeviceFileEvents
| where FolderPath in (file_paths)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
(DeviceEvents
| where InitiatingProcessSHA256 in (sha256s)
| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
),
  (CommonSecurityLog
| where FileHash in (sha256s)
| extend timestamp = TimeGenerated
),
(Event // File iocs
//This query uses sysmon data depending on table name used this may need updating
| where Source == "Microsoft-Windows-Sysmon"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend Hashes = EventDetail.[16].["#text"]
| where isnotempty(Hashes)
| parse Hashes with * 'SHA256=' SHA256 ',' *
| where SHA256 in~ (sha256s)
| extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
),
(CommonSecurityLog
| where isnotempty(SourceIP) or isnotempty(DestinationIP)
| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
| extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
),
(Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 3
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.EventData.Data
| extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
),
(WireData
| where isnotempty(RemoteIP)
| where RemoteIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
),
(W3CIISLog
| where isnotempty(cIP)
| where cIP in (ips)
| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
),
(
WindowsFirewall
| where SourceIP in (ips) or DestinationIP in (ips)
| extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
),
(
  _Im_NetworkSession(srcipaddr_has_any_prefix=ips) 
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
  (
  _Im_NetworkSession(dstipaddr_has_any_prefix=ips) 
  | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
),
(_Im_Dns(domain_has_any=dyndomains)
| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
)
name: Exchange Server Vulnerabilities Disclosed March 2021 IoC Match
query: |
  let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)
  [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv"] with (format="csv", ignoreFirstRecord=True);
  let file_paths = (iocs | where Type =~ "filepath" | project IoC);
  let sha256s = (iocs | where Type =~ "sha256" | project IoC);
  let ips = (iocs | where Type =~ "ip" | project IoC);
  let domains = (iocs | where Type =~ "domainname" | project IoC);
  let dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));
  union isfuzzy=true
  (SecurityEvent
  | where EventID == 4663
  | where ObjectName in (file_paths)
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (WindowsEvent
  | where EventID == 4663 and EventData has_any (file_paths)
  | extend ObjectName = tostring(EventData.ObjectName) 
  | where ObjectName in (file_paths)
  | extend Account = strcat(tostring(EventData.SubjectDomainName), "\\", tostring(EventData.SubjectUserName))
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (imFileEvent
  | where TargetFileName in (file_paths)
    or
    TargetFileSHA256 in (sha256s)
  | extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname
  ),
  (DeviceFileEvents
  | where FolderPath in (file_paths)
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
  ),
  (DeviceEvents
  | where InitiatingProcessSHA256 in (sha256s)
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName
  ),
    (CommonSecurityLog
  | where FileHash in (sha256s)
  | extend timestamp = TimeGenerated
  ),
  (Event // File iocs
  //This query uses sysmon data depending on table name used this may need updating
  | where Source == "Microsoft-Windows-Sysmon"
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend Hashes = EventDetail.[16].["#text"]
  | where isnotempty(Hashes)
  | parse Hashes with * 'SHA256=' SHA256 ',' *
  | where SHA256 in~ (sha256s)
  | extend Type = strcat(Type, ": ", Source), Account = UserName, FileHash = Hashes
  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
  ),
  (CommonSecurityLog
  | where isnotempty(SourceIP) or isnotempty(DestinationIP)
  | where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))
  | extend IPMatch = case(SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "Message")
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch
  | extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "IP in Message Field")
  ),
  (Event
  | where Source == "Microsoft-Windows-Sysmon"
  | where EventID == 3
  | extend EvData = parse_xml(EventData)
  | extend EventDetail = EvData.DataItem.EventData.Data
  | extend SourceIP = EventDetail.[9].["#text"], DestinationIP = EventDetail.[14].["#text"]
  | where SourceIP in (ips) or DestinationIP in (ips)
  | extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")
  ),
  (WireData
  | where isnotempty(RemoteIP)
  | where RemoteIP in (ips)
  | extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer
  ),
  (W3CIISLog
  | where isnotempty(cIP)
  | where cIP in (ips)
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName
  ),
  (
  WindowsFirewall
  | where SourceIP in (ips) or DestinationIP in (ips)
  | extend IPMatch = case( SourceIP in (ips), "SourceIP", DestinationIP in (ips), "DestinationIP", "None")
  ),
  (
    _Im_NetworkSession(srcipaddr_has_any_prefix=ips) 
    | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
  ),
    (
    _Im_NetworkSession(dstipaddr_has_any_prefix=ips) 
    | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname
  ),
  (_Im_Dns(domain_has_any=dyndomains)
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc
  )  
metadata:
  source:
    kind: Community
  author:
    name: Pete Bryan
  categories:
    domains:
    - Security - Threat Protection
  support:
    tier: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml
queryFrequency: 1h
triggerThreshold: 0
requiredDataConnectors:
- datatypes:
  - AWSVPCFlow
  connectorId: AWSS3
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)
- dataTypes:
  - WireData
  connectorId: AzureMonitor(WireData)
- dataTypes:
  - CommonSecurityLog (CheckPoint)
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog (Cisco)
  connectorId: CiscoASA
- dataTypes:
  - CommonSecurityLog
  connectorId: CEF
- dataTypes:
  - CommonSecurityLog (F5)
  connectorId: F5
- dataTypes:
  - CommonSecurityLog (Fortinet)
  connectorId: Fortinet
- dataTypes:
  - CommonSecurityLog (PaloAlto)
  connectorId: PaloAltoNetworks
- dataTypes:
  - SecurityEvents
  connectorId: SecurityEvents
- dataTypes:
  - WindowsFirewall
  connectorId: WindowsFirewall
- dataTypes:
  - DnsEvents
  connectorId: DNS
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
- dataTypes:
  - Syslog
  connectorId: InfobloxNIOS
- dataTypes:
  - Syslog
  connectorId: MicrosoftSysmonForLinux
- dataTypes:
  - GCP_DNS_CL
  connectorId: GCPDNSDataConnector
- dataTypes:
  - WindowsEvent
  connectorId: WindowsForwardedEvents
- dataTypes:
  - NXLog_DNS_Server_CL
  connectorId: NXLogDnsLogs
- dataTypes:
  - Cisco_Umbrella_dns_CL
  connectorId: CiscoUmbrellaDataConnector
- dataTypes:
  - Corelight_CL
  connectorId: Corelight
version: 1.7.4
status: Available
queryPeriod: 1h
id: d804b39c-03a4-417c-a949-bdbf21fa3305
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
tags:
- Schema: ASIMDns
  SchemaVersion: 0.1.1
- Schema: ASIMFileEvent
  SchemaVersion: 0.1.0
relevantTechniques:
- T1190
severity: Medium
description: |
  'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.
  Ref: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/'  
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d804b39c-03a4-417c-a949-bdbf21fa3305')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Exchange Server Vulnerabilities Disclosed March 2021 IoC Match",
        "description": "'This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nlet dyndomains = todynamic(toscalar((domains | summarize make_set(IoC))));\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(WindowsEvent\n| where EventID == 4663 and EventData has_any (file_paths)\n| extend ObjectName = tostring(EventData.ObjectName) \n| where ObjectName in (file_paths)\n| extend Account = strcat(tostring(EventData.SubjectDomainName), \"\\\\\", tostring(EventData.SubjectUserName))\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n  or\n  TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n  (CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event // File iocs\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\n  _Im_NetworkSession(srcipaddr_has_any_prefix=ips) \n  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n  (\n  _Im_NetworkSession(dstipaddr_has_any_prefix=ips) \n  | extend IPCustomEntity = DstIpAddr, AccountCustomEntity= User, HostCustomEntity=Hostname\n),\n(_Im_Dns(domain_has_any=dyndomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          {
            "SchemaVersion": "0.1.1",
            "Schema": "ASIMDns"
          },
          {
            "SchemaVersion": "0.1.0",
            "Schema": "ASIMFileEvent"
          }
        ],
        "status": "Available",
        "templateVersion": "1.7.4",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Legacy IOC based Threat Protection/Analytic Rules/ExchangeServerVulnerabilitiesMarch2021IoCs.yaml"
      }
    }
  ]
}