JoeGuancial-6646 asked BoranDuzgun-7526 answered

Query in Log Parser for URI

Hi everyone. I think I need to run a simple query? I don't know how to query for a URI in Log Parser. I have Log Parser but I have never written a query. I only use the defaults, which work great.

I think I want to query the entire set of logs in Exchange/IIS for the URI below. And I want to know: was this URI queried? How many times? When?

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "/mapi/nspi/"

The reason I want to do this is that there may have been a compromise in Exchange. This query would help us discover whether an attempt was made.

Here is a URL which explains the risk.

https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-servers-scanned-for-proxyshell-vulnerability-patch-now/

microsoft-sentinel

Hi @JoeGuancial-6646 ,

I read the link you provided and it advises administrators to use Azure Sentinel to check IIS logs. According to this, we can know that you need to use the Azure Sentinel tool. This tool belongs to Azure; it is not contained in IIS. Please forward this to the Azure community or add the Azure tag to get help from an Azure engineer.


I understand that within the article it is mentioned that Azure Sentinel tool is used but that does not negate the use of Log Parser to parse an IIS log. Are you indicating that no person could ever use Log Parser again because a person used Azure Sentinel, once in some article? That makes no sense. Certainly we could use Log Parser. The question is how to write the query. The purpose of the article is to show the audience a bigger picture perspective of what I am trying to achieve.


1 Answer

BoranDuzgun-7526 answered

Hello,

You may use the following query to get the result.

C:\Program Files (x86)\Log Parser 2.2>logparser "select c-ip,cs-uri-stem, count(c-ip) as hits from \\server1\l$\LogFiles\W3SVC1\u_ex2109* to c:\scripts\autojson.csv where cs-uri-stem like '%autodiscover/autodiscover.json%' and cs-uri-query like '%mapi/nspi%' group by c-ip,cs-uri-stem order by hits desc" -o:csv -i:w3c

Regards,
Boran.
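For readers who want to check the same thing on a box without Log Parser, here is an added example (not code from this thread, not part of Log Parser or Sentinel) that reproduces what the query above does in plain Python: it reads a W3C extended IIS log by its `#Fields:` directive, counts requests whose `cs-uri-stem` contains `/autodiscover/autodiscover.json` and whose `cs-uri-query` contains `/mapi/nspi/`, groups them by client IP like the Log Parser query, and also keeps the timestamps so the "how many times, when" part of the question is answered. The log lines, IP addresses and function names are constructed for the example; matching is done case-insensitively and after percent-decoding the URI fields, which the Log Parser `LIKE` query does not do for you, so confirm against your own data which behaviour you want.

```python
"""Count requests matching a URI stem/query pattern in W3C IIS logs.

Added example for this Q&A thread; the sample log below is constructed,
not taken from any real server.
"""
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import unquote

# Constructed sample in the W3C extended format IIS writes to u_ex*.log.
# Includes: an unrelated request, two hits from one client (one with
# different letter case), a normal Autodiscover XML call, one hit with a
# percent-encoded query, and one truncated line to show it is skipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-09-07 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-07 00:00:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2021-09-07 00:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @example.com/mapi/nspi/ 443 - 198.51.100.7 python-requests/2.26 200
2021-09-07 00:00:03 10.0.0.5 GET /AutoDiscover/AutoDiscover.json @example.com/MAPI/NSPI/ 443 - 198.51.100.7 python-requests/2.26 200
2021-09-07 00:00:04 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 203.0.113.9 Microsoft+Office/16.0 200
2021-09-07 00:00:05 10.0.0.5 POST /autodiscover/autodiscover.json @example.com%2Fmapi%2Fnspi%2F 443 - 203.0.113.9 curl/7.79 200
2021-09-07 00:00:06 10.0.0.5 GET
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the current #Fields names.

    Directive lines start with '#'. IIS never puts spaces inside a field
    (it writes '+' instead), so splitting on single spaces is safe. Lines
    whose token count does not match the header are skipped rather than
    misaligned into the wrong columns.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        yield dict(zip(fields, values))


def summarize(
    log_text: str,
    stem_fragment: str = "/autodiscover/autodiscover.json",
    query_fragment: str = "/mapi/nspi/",
) -> Tuple[List[Tuple[str, str, int]], List[str]]:
    """Return ([(c-ip, cs-uri-stem, hits)] sorted by hits desc, [timestamps]).

    Equivalent of the Log Parser query in the answer, plus the list of
    'date time' values of every matching request.
    """
    hits: Counter = Counter()
    when: List[str] = []
    stem_frag = stem_fragment.lower()
    query_frag = query_fragment.lower()
    for rec in parse_w3c(log_text.splitlines()):
        # Decode %XX escapes and lower-case so /AutoDiscover and %2F variants match.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        query = unquote(rec.get("cs-uri-query", "")).lower()
        if stem_frag in stem and query_frag in query:
            hits[(rec.get("c-ip", "-"), stem)] += 1
            when.append(f"{rec.get('date', '-')} {rec.get('time', '-')}")
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, stem, n) for (ip, stem), n in ordered], when


if __name__ == "__main__":
    rows, timestamps = summarize(SAMPLE_LOG)
    print("c-ip,cs-uri-stem,hits")
    for ip, stem, n in rows:
        print(f"{ip},{stem},{n}")
    print("matching requests at:", ", ".join(timestamps))
```

Point it at a real file with `summarize(open(path, encoding="utf-8").read())`, or loop over a directory of `u_ex*.log` files and merge the counters; the `#Fields:` line is re-read whenever it appears, so logs whose field set changed mid-month still parse correctly.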
