Hi everyone. I think I need to run a simple query? I don't know 'how to' query for a URI in Log Parser. I have Log Parser but I have never written a query. I only use the defaults, which work great.
I think I want to query the entire set of logs in Exchange/IIS for the URI below. And I want to know: was this URI queried? How many times? When?
W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"
The reason I want to do this is that there may have been a compromise in Exchange. This query would help us to discover if an attempt was made.
Here is a URL which explains the risk.
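The same two conditions as the query in the post, applied directly to raw IIS W3C log text in Python rather than in Log Parser, and reporting whether the URI was requested, how many times, and when. This is an added example, not part of the original post; the sample log lines are constructed, and the case-insensitive match and percent-decoding of the query string are assumptions that go slightly beyond the posted query.

```python
from collections import Counter
from urllib.parse import unquote

STEM = "/autodiscover/autodiscover.json"   # cs-uri-stem from the query above
NEEDLE = "/mapi/nspi/"                     # substring sought in cs-uri-query

# Constructed sample in IIS W3C format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-10-01 08:15:02 GET /owa/ - 198.51.100.7 200
2022-10-01 09:41:37 GET /autodiscover/autodiscover.json a=/mapi/nspi/ 203.0.113.9 200
2022-10-01 09:50:00 POST /Autodiscover/Autodiscover.json a=%2Fmapi%2Fnspi%2F 203.0.113.9 302
2022-10-02 11:02:10 GET /autodiscover/autodiscover.json Protocol=ActiveSync 198.51.100.7 200
"""

def find_hits(lines):
    """Return (timestamp, client_ip, status) for each matching request."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change between files
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "").lower()
        query = unquote(row.get("cs-uri-query", "")).lower()  # also catch %2F forms
        if stem == STEM and NEEDLE in query:
            hits.append((f"{row.get('date', '?')} {row.get('time', '?')}",
                         row.get("c-ip", "?"), row.get("sc-status", "?")))
    return hits

def summarize(hits):
    """Answer: was it requested, how many times, and when (log times are UTC)."""
    stamps = sorted(ts for ts, _, _ in hits)
    return {"total": len(hits),
            "first": stamps[0] if stamps else None,
            "last": stamps[-1] if stamps else None,
            "per_day": dict(Counter(ts.split()[0] for ts in stamps))}

if __name__ == "__main__":
    # For real logs, pass an open log file to find_hits() instead of the sample.
    hits = find_hits(SAMPLE_LOG.splitlines())
    print(summarize(hits))
    for ts, ip, status in hits:
        print(ts, ip, status)
```

A request that reached the server only shows an attempt was made; the `sc-status` column and the surrounding entries from the same client IP are the next things to review.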