Update ExchangeServerProxyLogonURI.yaml

Exclude local addresses, using the ipv4_is_private operator

Hunting Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml

@@ -15,7 +15,8 @@ tags:
 query: |
 
   W3CIISLog
-  | where not(ipv4_is_private(cIP))
+  //Exclude local addresses, using the ipv4_is_private operator
+  | where ipv4_is_private(cIP) == false and  cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
   | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
   | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
   | extend timestamp = TimeGenerated
@@ -27,4 +28,4 @@ entityMappings:
     - identifier: DestinationPort
       columnName: sPort
     - identifier: SourceAddress
-      columnName: cIP
+      columnName: cIP