Query in Log Parser for URI

Joe Guancial 1 Reputation point
2021-08-12T15:46:11.69+00:00

Hi everyone. I think I need to run a simple query? I don't know how to query for a URI in Log Parser. I have Log Parser, but I have never written a query. I only use the defaults, which work great.

I think I want to query the entire set of Exchange/IIS logs for the URI below. And I want to know: was this URI queried? How many times? When?

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"

The reason I want to do this is that there may have been a compromise in Exchange. This query would help us to discover if an attempt was made.

Here is a URL which explains the risk.

https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now/

Microsoft Sentinel

1 answer

  1. Boran Duzgun 1 Reputation point
    2021-09-08T17:14:41.71+00:00

    Hello,

    You may use the following query to get the result.

    C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip, cs-uri-stem, count(c-ip) as hits into c:\scripts\autojson.csv from \\server1\l$\LogFiles\W3SVC1\u_ex2109* where cs-uri-stem like '%autodiscover/autodiscover.json%' and cs-uri-query like '%mapi/nspi%' group by c-ip, cs-uri-stem order by hits desc" -i:w3c -o:csv

    Regards,
    Boran.

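For the three things the question asks (was the URI requested, how many times, and when), here is an added Python example that is not part of the question or the answer above. It reads IIS W3C log text, uses the #Fields header to name the columns, and reports hit counts and timestamps per client IP for requests whose cs-uri-stem contains autodiscover/autodiscover.json and whose cs-uri-query contains mapi/nspi. The log lines, field layout and IP addresses are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample IIS W3C log (not from any real server). The first two
# requests match the pattern asked about in the question; the rest do not.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 03:12:45 10.0.0.5 GET /autodiscover/autodiscover.json /mapi/nspi/ 443 - 198.51.100.7 python-requests/2.25 200
2021-08-10 03:13:01 10.0.0.5 POST /autodiscover/autodiscover.json /mapi/nspi/ 443 - 198.51.100.7 python-requests/2.25 401
2021-08-10 09:41:10 10.0.0.5 GET /owa/ - 443 - 203.0.113.20 Mozilla/5.0 200
2021-08-10 10:02:33 10.0.0.5 GET /autodiscover/autodiscover.json - 443 DOMAIN\\jdoe 203.0.113.21 Outlook/16.0 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    IIS can write a new #Fields line mid-file, so the header is re-read whenever seen."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign the columns
        yield dict(zip(fields, values))

def find_autodiscover_nspi(text):
    """Return (hits_per_ip, timestamps_per_ip) for requests matching the
    autodiscover.json stem plus a mapi/nspi query string."""
    hits = Counter()
    when = defaultdict(list)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if "autodiscover/autodiscover.json" in stem and "mapi/nspi" in query:
            hits[rec["c-ip"]] += 1
            when[rec["c-ip"]].append(f'{rec["date"]} {rec["time"]}')
    return hits, when

if __name__ == "__main__":
    counts, times = find_autodiscover_nspi(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} hit(s) at {', '.join(times[ip])}")
```

To run it against real logs, read the u_ex*.log files from the IIS log directory and pass their contents to find_autodiscover_nspi.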