Removing dupes

2021-03-15 09:54:45 -07:00 · 2021-03-15 09:54:45 -07:00 · 76319e27fa
--- a/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml
+++ b/Detections/SecurityEvent/HAFNIUMSuspiciousIMServiceError.yaml
@ -1,28 +0,0 @@
-id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
-name: HAFNIUM Suspicious UM Service Error
-description: |
-  'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 
-  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
-severity: Low
-requiredDataConnectors: []
-queryFrequency: 1d
-queryPeriod: 1d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1190
-query: |
-  Event
-  | where EventLog =~ "Application"
-  | where Source startswith "MSExchange"
-  | where EventLevelName =~ "error"
-  | where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service"
-  | where RenderedDescription !contains "System.OutOfMemoryException"
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
-entityMappings:
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
--- a/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml
+++ b/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yaml
@ -1,44 +0,0 @@
-id: 23005e87-2d3a-482b-b03d-edbebd1ae151
-name: HAFNIUM Suspicious Exchange Request
-description: |
-  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
-  The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
-  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
-severity: Medium
-requiredDataConnectors:
-  - connectorId: AzureMonitor(IIS)
-    dataTypes:
-      - W3CIISLog
-queryFrequency: 1d
-queryPeriod: 14d
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1190
-query: |
-  let exchange_servers = (
-  W3CIISLog
-  | where TimeGenerated > ago(14d)
-  | where sSiteName =~ "Exchange Back End"
-  | summarize by Computer);
-  W3CIISLog
-  | where TimeGenerated > ago(1d)
-  | where Computer in (exchange_servers)
-  | where csUriQuery startswith "t="
-  | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
-  | extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP
-entityMappings:
-  - entityType: Account
-    fieldMappings:
-      - identifier: FullName
-        columnName: AccountCustomEntity
-  - entityType: Host
-    fieldMappings:
-      - identifier: FullName
-        columnName: HostCustomEntity
-  - entityType: IP
-    fieldMappings:
-      - identifier: Address
-        columnName: IPCustomEntity