Merge pull request #1350 from panther-labs/release

Prepare for 3.63.0
panther-labs · Sep 10, 2024 · 7adc688 · 7adc688
2 parents 428e614 + 0147335
commit 7adc688
Show file tree

Hide file tree

Showing 45 changed files with 308 additions and 119 deletions.
diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml
@@ -25,7 +25,7 @@ jobs:
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
  with:
  python-version: "3.11"
 

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -22,7 +22,7 @@ jobs:
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
  with:
  python-version: "3.11"
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,7 +29,7 @@ jobs:
  aws-region: ${{ secrets.AWS_REGION }}
  role-session-name: panther-analysis-release
  - name: Install Python
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
  with:
  python-version: "3.11"
  - name: Create new panther-analysis release

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -23,7 +23,7 @@ jobs:
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
  with:
  python-version: "3.11"
 

diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
@@ -27,7 +27,7 @@ jobs:
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
- uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f #v5.1.1
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
  with:
  python-version: "3.11"
 

diff --git a/data_models/gcp_data_model.py b/data_models/gcp_data_model.py
@@ -112,3 +112,10 @@ def get_verb(event):
  if deep_get(event, "protoPayload", "serviceName", default="") != "k8s.io":
  return ""
  return deep_get(event, "protoPayload", "methodName", default="").split(".")[-1]
+
+
+def get_actor_user(event):
+ authentication_info = deep_get(event, "protoPayload", "authenticationInfo", default={})
+ if principal_email := authentication_info.get("principalEmail"):
+ return principal_email
+ return authentication_info.get("principalSubject", "<UNKNOWN ACTOR USER>")
diff --git a/data_models/gcp_data_model.yml b/data_models/gcp_data_model.yml
@@ -7,7 +7,7 @@ Filename: gcp_data_model.py
 Enabled: true
 Mappings:
  - Name: actor_user
- Path: $.protoPayload.authenticationInfo.principalEmail
+ Method: get_actor_user
  - Name: assigned_admin_role
  Method: get_iam_roles
  - Name: event_type
@@ -35,7 +35,7 @@ Mappings:
  - Name: sourceIPs
  Method: get_source_ips
  - Name: username
- Path: $.protoPayload.authenticationInfo.principalEmail
+ Method: get_actor_user
  - Name: userAgent
  Path: $.protoPayload.requestMetadata.callerSuppliedUserAgent
  - Name: verb

diff --git a/packs/asana.yml b/packs/asana.yml
@@ -20,4 +20,7 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ # Data Model
+ - Standard.Asana.Audit
 DisplayName: "Panther Asana Pack"
diff --git a/packs/atlassian.yml b/packs/atlassian.yml
@@ -9,4 +9,7 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ # Data Model
+ - Standard.Atlassian.Audit
 DisplayName: "Panther Atlassian Pack"
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -173,11 +173,17 @@ PackDefinition:
  - AWS.CloudTrail.UserAccessKeyAuth
  - AWS.CloudTrail.LoginProfileCreatedOrModified
  - AWS.Console.Login
-
+ # Queries
+ - AWS Authentication from CrowdStrike Unmanaged Device
+ - Query.CloudTrail.Password.Spraying
+ - Query.VPC.DNS.Tunneling
+ - VPC Flow Port Scanning
  # AWS DataModels
  - Standard.AWS.ALB
  - Standard.AWS.CloudTrail
+ - Standard.Amazon.EKS.Audit
  - Standard.AWS.S3ServerAccess
+ - Standard.AWS.VPCDns
  - Standard.AWS.VPCFlow
  - Standard.OCSF.NetworkActivity
  - Standard.OCSF.DnsActivity

diff --git a/packs/azure_signin.yml b/packs/azure_signin.yml
@@ -13,4 +13,7 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ # Data Models
+ - Standard.Azure.Audit.SignIn
 DisplayName: "Panther Azure.Audit SignIn Pack"
diff --git a/packs/box.yml b/packs/box.yml
@@ -18,4 +18,7 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ # Data Models
+ - Standard.Box.Event
 DisplayName: "Panther Box Pack"
diff --git a/packs/cisco_umbrella_dns.yml b/packs/cisco_umbrella_dns.yml
@@ -4,5 +4,6 @@ Description: Group of all Cisco Umbrella detections
 PackDefinition:
  IDs:
  - CiscoUmbrella.DNS.Blocked
- # Globals used in these detections
+ # Data Model
+ - Standard.CiscoUmbrella.DNS
 DisplayName: "Panther Cisco Umbrella Pack"
diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml
@@ -14,3 +14,6 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ # Data Models
+ - Standard.Cloudflare.Firewall
+ - Standard.Cloudflare.HttpReq
diff --git a/packs/credential_security.yml b/packs/credential_security.yml
@@ -5,10 +5,16 @@ DisplayName: "Panther Credential Security Pack"
 PackDefinition:
  IDs:
  # Data Models
+ - Standard.Asana.Audit
  - Standard.Atlassian.Audit
+ - Standard.AWS.CloudTrail
+ - Standard.Crowdstrike.FDR
  - Standard.Github.Audit
  - Standard.Okta.SystemLog
+ - Standard.OneLogin.Events
+ - Standard.Slack.AuditLogs
  - Standard.Zendesk.AuditLog
+ - Standard.Zoom.Operation
  # Global Helpers
  - global_filter_auth0
  - global_filter_github

diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml
@@ -24,5 +24,7 @@ PackDefinition:
  - panther_config_defaults
  - panther_config_overrides
  # Data models
+ - Standard.AWS.VPCDns
+ - Standard.CiscoUmbrella.DNS
  - Standard.Crowdstrike.FDR
 DisplayName: "Panther Crowdstrike Pack"
diff --git a/packs/crowdstrike_event_streams.yml b/packs/crowdstrike_event_streams.yml
@@ -5,6 +5,9 @@ PackDefinition:
  IDs:
  - crowdstrike_event_streams_helpers
  - panther_base_helpers
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 
  - Crowdstrike.AdminRoleAssigned
  - Crowdstrike.AllowlistRemoved

diff --git a/packs/github.yml b/packs/github.yml
@@ -12,6 +12,7 @@ PackDefinition:
  - GitHub.Org.IpAllowlist
  - GitHub.Org.Moderators.Add
  - GitHub.Org.Modified
+ - Github.Repo.Archived
  - Github.Repo.CollaboratorChange
  - Github.Repo.Created
  #- GitHub.Repo.HookModified

diff --git a/packs/gsuite_reports.yml b/packs/gsuite_reports.yml
@@ -39,4 +39,9 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ - panther_lookuptable_helpers
+ # Queries
+ - GSuite Many Docs Deleted Query
+ - GSuite Many Docs Downloaded Query
 DisplayName: "Panther GSuite Pack"
diff --git a/packs/kubernetes.yml b/packs/kubernetes.yml
@@ -20,3 +20,19 @@ PackDefinition:
  - Kubernetes.ServiceTypeNodePortDeployed
  - Kubernetes.UnauthenticatedAPIRequest
  - Kubernetes.UnauthorizedPodExecution
+ # Queries
+ - IOC Activity in K8 Control Plane
+ - Kubernetes Cron Job Created or Modified
+ - Kubernetes Pod Created in Pre-Configured or Default Name Spaces
+ - Kubernetes Service with Type Node Port Deployed
+ - New Admission Controller Created
+ - New DaemonSet Deployed to Kubernetes
+ - Pod Created or Modified Using the Host IPC Namespace
+ - Pod Created or Modified Using the Host PID Namespace
+ - Pod Created with Overly Permissive Linux Capabilities
+ - Pod attached to the Node Host Network
+ - Pod creation or modification to a Host Path Volume Mount
+ - Privileged Pod Created
+ - Secret Enumeration by a User
+ - Unauthenticated Kubernetes API Request
+ - Unauthorized Kubernetes Pod Execution
diff --git a/packs/multisource_correlations.yml b/packs/multisource_correlations.yml
@@ -16,4 +16,16 @@ PackDefinition:
  - Okta.Login.Success
  - Push.Security.Authorized.IdP.Login
  - Okta.Login.Without.Push.Marker
- - Push.Security.Phishing.Attack
+ - Push.Security.Phishing.Attack
+
+ # Data Models
+ - Standard.Okta.SystemLog
+ - Standard.Github.Audit
+ - Standard.AWS.CloudTrail
+
+ # Global Helpers
+ - panther_base_helpers
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
+ - panther_event_type_helpers
diff --git a/packs/notion.yml b/packs/notion.yml
@@ -18,13 +18,16 @@ PackDefinition:
  - Notion.SharingSettingsUpdated
  - Notion.TeamspaceOwnerAdded
  # Globals used in these detections
- - panther_base_helpers
- - panther_oss_helpers
- - panther_notion_helpers
  - global_filter_notion
+ - panther_base_helpers
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ - panther_ipinfo_helpers
+ - panther_lookuptable_helpers
+ - panther_notion_helpers
+ - panther_oss_helpers
  # Data Model
  - Standard.Notion.AuditLogs
 DisplayName: "Panther Notion Pack"
diff --git a/packs/okta.yml b/packs/okta.yml
@@ -35,6 +35,8 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ # Queries
+ - Okta Login From CrowdStrike Unmanaged Device
  # Data Model
  - Standard.Okta.SystemLog
 DisplayName: "Panther Okta Pack"
diff --git a/packs/onelogin.yml b/packs/onelogin.yml
@@ -20,4 +20,7 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ # Data Model
+ - Standard.OneLogin.Events
 DisplayName: "Panther OneLogin Pack"
diff --git a/packs/onepassword.yml b/packs/onepassword.yml
@@ -15,3 +15,5 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ # Queries
+ - 1Password Login From CrowdStrike Unmanaged Device Query
diff --git a/packs/slack.yml b/packs/slack.yml
@@ -32,3 +32,5 @@ PackDefinition:
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ # Data Model
+ - Standard.Slack.AuditLogs
diff --git a/packs/snowflake.yml b/packs/snowflake.yml
@@ -13,6 +13,7 @@ PackDefinition:
  - Query.Snowflake.BruteForceByIp
  - Query.Snowflake.BruteForceByUsername
  - Query.Snowflake.ClientIp
+ - Query.Snowflake.ConfigurationDrift
  - Query.Snowflake.CopyIntoStage
  - Query.Snowflake.External.Shares
  - Query.Snowflake.FileDownloaded

diff --git a/packs/standard_ruleset.yml b/packs/standard_ruleset.yml
@@ -27,6 +27,12 @@ PackDefinition:
  - Standard.NewAWSAccountCreated
  - Standard.NewUserAccountCreated
  # Global Helpers
+ - panther_base_helpers
+ - panther_default
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
  - panther_event_type_helpers
+ - panther_ipinfo_helpers
+ - panther_lookuptable_helpers
  - panther_oss_helpers
- - panther_default
diff --git a/packs/wiz.yml b/packs/wiz.yml
@@ -5,3 +5,7 @@ DisplayName: "Panther Wiz Pack"
 PackDefinition:
  IDs:
  - Wiz.Alert.Passthrough
+ - panther_base_helpers
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/zoom.yml b/packs/zoom.yml
@@ -16,8 +16,9 @@ PackDefinition:
  - Standard.Zoom.Operation
  # Globals used in these detections
  - panther_base_helpers
- - panther_oss_helpers
- - panther_zoom_helpers
  - panther_config
  - panther_config_defaults
  - panther_config_overrides
+ - panther_event_type_helpers
+ - panther_oss_helpers
+ - panther_zoom_helpers
diff --git a/rules/aws_cloudtrail_rules/aws_saml_activity.py b/rules/aws_cloudtrail_rules/aws_saml_activity.py
@@ -9,6 +9,9 @@ def rule(event):
  ":assumed-role/AWSServiceRoleForSSO/AWS-SSO"
  ):
  return False
+ # Don't alert on errors such as EntityAlreadyExistsException and NoSuchEntity
+ if event.get("errorCode"):
+ return False
  return (
  event.get("eventSource") == "iam.amazonaws.com" and event.get("eventName") in SAML_ACTIONS
  )

diff --git a/rules/gcp_audit_rules/gcp_iam_service_accounts_get_access_token_privilege_escalation.py b/rules/gcp_audit_rules/gcp_iam_service_accounts_get_access_token_privilege_escalation.py
@@ -17,9 +17,7 @@ def rule(event):
 
 
 def title(event):
- actor = deep_get(
- event, "protoPayload", "authenticationInfo", "principalEmail", default="<ACTOR_NOT_FOUND>"
- )
+ actor = event.udm("actor_user")
  operation = deep_get(event, "protoPayload", "methodName", default="<OPERATION_NOT_FOUND>")
  project_id = deep_get(event, "resource", "labels", "project_id", default="<PROJECT_NOT_FOUND>")