Prep for 1 2 8 (#392)

* Move test rules to internal repo * Missing sublevel function * Indent error in Yaml
panther-labs · Mar 23, 2022 · 9474ba9 · 9474ba9
1 parent c335a7d
commit 9474ba9
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 146 deletions.
diff --git a/global_helpers/panther_greynoise_helpers.py b/global_helpers/panther_greynoise_helpers.py
@@ -189,6 +189,9 @@ def __init__(self, event):
  self.riot = deep_get(event, "p_enrichment", "greynoise_riot_advanced")
  self.sublevel = "advanced"
 
+ def subscription_level(self):
+ return self.sublevel
+
  def ip_address(self, match_field) -> str:
  return deep_get(self.riot, match_field, "provider", "ip")
 

diff --git a/greynoise_test_rules/greynoise_noise_test.py b/greynoise_test_rules/greynoise_noise_test.py
diff --git a/greynoise_test_rules/greynoise_noise_test.yml b/greynoise_test_rules/greynoise_noise_test.yml
diff --git a/okta_queries/okta_session_id_audit.yml b/okta_queries/okta_session_id_audit.yml
@@ -19,7 +19,8 @@ AthenaQuery: >
  WHERE p_occurs_since('7 days')
  -- Uncomment the line below and replace 'sessionId' with the sessionId you are investigating
  -- and authenticationContext:externalSessionId = 'sessionId'
- SnowflakeQuery: >
+ ORDER BY event_time DESC
+SnowflakeQuery: >
  SELECT 
  p_event_time as event_time,
  actor:alternateId as actor_email,
@@ -35,6 +36,7 @@ AthenaQuery: >
  WHERE p_occurs_since('7 days')
  -- Uncomment the line below and replace 'sessionId' with the sessionId you are investigating
  -- and authenticationContext:externalSessionId = 'sessionId'
+ ORDER BY event_time DESC
 Schedule:
  RateMinutes: 43200
  TimeoutMinutes: 1