PR comment

2021-08-30 10:24:33 -07:00 · 2021-08-30 10:24:33 -07:00 · ba2dc07d54
--- a/Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml
+++ b/Queries/W3CIISLog/SuspectedProxyTokenExploitation.yaml
@ -15,7 +15,7 @@ query: |
  W3CIISLog
  | where not(ipv4_is_private(cIP))
  | where csMethod =~ "POST"
-  | where csUriStem has "ecp"
+  | where csUriStem has "/ecp"
  | where isnotempty(csCookie) and csCookie has "SecurityToken"
  | where csUriQuery has "msExchEcpCanary"
  | extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP