Merge pull request #2191 from Azure/pebryan/2021-4-22_OABVirtualDirectory_fix

AOB updated to handle missing items

Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml

@@ -24,15 +24,19 @@ query: |
   | extend EventData = parse_xml(EventData).EventData.Data
   | mv-expand bagexpansion = array EventData
   | evaluate bag_unpack(EventData)
-  | extend Key =tostring(['@Name']), Value = ['#text']
+  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
   | evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
   // Where changes relate to Exchange OAB
+  | extend ObjectClass = column_ifexists("ObjectClass", "")
   | where ObjectClass =~ "msExchOABVirtualDirectory"
   // Look for InternalHostName or ExternalHostName properties being changed
+  | extend AttributeLDAPDisplayName = column_ifexists("AttributeLDAPDisplayName", "")
   | where AttributeLDAPDisplayName in ("msExchExternalHostName", "msExchInternalHostName")
   // Look for suspected webshell activity
+  | extend AttributeValue = column_ifexists("AttributeValue", "")
   | where AttributeValue has "script"
   | project-rename LastSeen = TimeGenerated
+  | extend ObjectDN = column_ifexists("ObjectDN", "")
   | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
   | extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings: