
Summary
This analytic detects Exchange PowerShell abuse via Server-Side Request Forgery (SSRF) on on-premise Microsoft Exchange servers. It flags HTTP POST requests to `autodiscover.json` whose URI contains `PowerShell`, a request pattern that indicates an attempt to use an SSRF vulnerability to reach the backend PowerShell endpoint. Successful abuse gives an attacker the ability to execute arbitrary commands on the Exchange server, with consequences that include unauthorized access, privilege escalation, and persistence within the environment. The detection rule runs over Exchange server logs ingested into Splunk; monitoring this activity closely is essential for identifying such attempts before they result in significant damage.
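As an added illustration of the detection logic described above (example code, not the analytic's own Splunk search), the following Python reads constructed IIS W3C-style request lines from an assumed Exchange front end and flags POST requests to `autodiscover.json` whose URI contains `PowerShell`, matching case-insensitively so that mixed-case variants are not missed. The field order and all log lines are assumptions made for this example.

```python
from typing import Dict, Iterator, List

# Constructed sample lines in an assumed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# These are not real log data.
SAMPLE_LOGS = """\
2024-11-13 10:00:01 10.0.0.5 GET /owa/ - 200
2024-11-13 10:00:02 10.0.0.9 POST /autodiscover/autodiscover.json x=/PowerShell 200
2024-11-13 10:00:03 10.0.0.9 POST /Autodiscover/Autodiscover.json a=/powershell/ 401
2024-11-13 10:00:04 10.0.0.7 POST /autodiscover/autodiscover.json - 200
2024-11-13 10:00:05 10.0.0.7 GET /autodiscover/autodiscover.json x=/PowerShell 200
"""

FIELDS = ["date", "time", "c_ip", "method", "uri_stem", "uri_query", "status"]


def parse_iis(lines: str) -> Iterator[Dict[str, str]]:
    """Yield one record per well-formed log line; skip comments and malformed rows."""
    for line in lines.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))


def is_suspicious(rec: Dict[str, str]) -> bool:
    """POST to autodiscover.json with 'PowerShell' anywhere in the full URI."""
    query = "" if rec["uri_query"] == "-" else "?" + rec["uri_query"]
    full_uri = rec["uri_stem"] + query
    return (
        rec["method"].upper() == "POST"
        and rec["uri_stem"].lower().endswith("autodiscover.json")
        and "powershell" in full_uri.lower()
    )


def detect(lines: str) -> List[Dict[str, str]]:
    """Return every record that matches the SSRF-to-PowerShell pattern."""
    return [r for r in parse_iis(lines) if is_suspicious(r)]


def hits_by_source(lines: str) -> Dict[str, int]:
    """Count matching requests per client IP, useful for triage ordering."""
    counts: Dict[str, int] = {}
    for r in detect(lines):
        counts[r["c_ip"]] = counts.get(r["c_ip"], 0) + 1
    return counts
```

Note that a plain POST to `autodiscover.json` without `PowerShell` in the URI, and a GET that does contain it, are both deliberately left unflagged, mirroring the rule's stated scope.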
Categories
- On-Premise
- Infrastructure
- Endpoint
Data Sources
- Web Credential
- Application Log
- Network Traffic
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-13