Skip to content

Commit

Permalink
Add Unpacked Items to Packs (#1361)
Browse files Browse the repository at this point in the history
Co-authored-by: Ariel Ropek <[email protected]>
  • Loading branch information
ben-githubs and arielkr256 authored Sep 30, 2024
1 parent 79a1ff9 commit 9aafee1
Show file tree
Hide file tree
Showing 16 changed files with 52 additions and 5 deletions.
1 change: 1 addition & 0 deletions packs/auth0.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ PackID: PantherManaged.Auth0
Description: Group of all Auth0 detections
PackDefinition:
IDs:
- Auth0.CIC.Credential.Stuffing
- Auth0.Custom.Role.Created
- Auth0.Integration.Installed
- Auth0.MFA.Factor.Setting.Enabled
Expand Down
5 changes: 5 additions & 0 deletions packs/aws.yml
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ PackDefinition:
- AWS.PasswordPolicy.ComplexityGuidelines
- AWS.PasswordPolicy.PasswordAgeLimit
- AWS.PasswordPolicy.PasswordReuse
- AWS.Potentially.Stolen.Service.Role.Scheduled
- AWS.Suspicious.SAML.Activity
- AWS.User.Login.Profile.Modified
# General Policies and Rules
Expand Down Expand Up @@ -165,14 +166,18 @@ PackDefinition:
# Correlation Rules
- AWS.Potentially.Stolen.Service.Role
- AWS.Privilege.Escalation.Via.User.Compromise
- AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
- AWS.User.Takeover.Via.Password.Reset
# Signal Rules
- Role.Assumed.by.AWS.Service
- Role.Assumed.by.User
- AWS.CloudTrail.UserAccessKeyAuth
- AWS.CloudTrail.LoginProfileCreatedOrModified
- AWS.Console.Login
- Retrieve.SSO.access.token
- Sign-in.with.AWS.CLI.prompt
# Queries
- AWS Potentially Stolen Service Role
- Query.CloudTrail.Password.Spraying
- Query.VPC.DNS.Tunneling
- VPC Flow Port Scanning
Expand Down
1 change: 0 additions & 1 deletion packs/gcp_audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,6 @@ PackDefinition:
- GCP.iam.roles.update.Privilege.Escalation
- GCP.iam.serviceAccountKeys.create
- GCP.Inbound.SSO.Profile.Created
- GCP.K8s.New.Daemonset.Deployed
- GCP.Log.Bucket.Or.Sink.Deleted
- GCP.Logging.Settings.Modified
- GCP.Logging.Sink.Modified
Expand Down
22 changes: 22 additions & 0 deletions packs/gcp_k8.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
AnalysisType: pack
PackID: PantherManaged.GCP.K8
DisplayName: "Panther GCP Kubernetes Pack"
Description: Group of all Google Cloud Platform (GCP) K8 detections
PackDefinition:
IDs:
# DataModel
- Standard.GCP.AuditLog
# Rules
- GCP.K8s.New.Daemonset.Deployed
- GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
- GCP.K8S.Privileged.Pod.Created
- GCP.K8S.Service.Type.NodePort.Deployed
- GCP.K8s.IOC.Activity
- GCP.K8s.Pod.Attached.To.Node.Host.Network
- GCP.K8s.Pod.Using.Host.PID.Namespace
# Globals
- gcp_base_helpers
- panther_base_helpers
- panther_config
- panther_config_defaults
- panther_config_overrides
1 change: 0 additions & 1 deletion packs/github.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ PackDefinition:
- Github.Repo.Archived
- Github.Repo.CollaboratorChange
- Github.Repo.Created
#- GitHub.Repo.HookModified
- GitHub.Repo.InitialAccess
- Github.Repo.VisibilityChange
- Github.Repo.VulnerabilityDismissed
Expand Down
5 changes: 4 additions & 1 deletion packs/multisource_correlations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ PackDefinition:
- Secret.Exposed.and.not.Quarantined
- GitHub.Secret.Scanning.Alert.Created
- AWS.CloudTrail.IAMCompromisedKeyQuarantine
- global_filter_github
- Okta.SSO.to.AWS
- AWS.Console.Sign-In
- AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta

# Okta + Push Security
- Okta.Login.Without.Push
Expand All @@ -24,6 +26,7 @@ PackDefinition:
- Standard.AWS.CloudTrail

# Global Helpers
- global_filter_github
- panther_base_helpers
- panther_config
- panther_config_defaults
Expand Down
4 changes: 4 additions & 0 deletions packs/snowflake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ PackDefinition:
- Query.Snowflake.External.Shares
- Query.Snowflake.FileDownloaded
- Query.Snowflake.KeyUserPasswordLogin
- Query.Snowflake.MFALogin
- Query.Snowflake.Multiple.Logins.Followed.By.Success
- Query.Snowflake.PublicRoleGrant
- Query.Snowflake.SuspectedUserAccess
- Query.Snowflake.TempStageCreated
- Query.Snowflake.UserCreated
Expand All @@ -34,7 +36,9 @@ PackDefinition:
- Snowflake.External.Shares
- Snowflake.FileDownloaded
- Snowflake.KeyUserPasswordLogin
- Snowflake.LoginWithoutMFA
- Snowflake.Multiple.Failed.Logins.Followed.By.Success
- Snowflake.PublicRoleGrant
- Snowflake.TempStageCreated
- Snowflake.User.Access
- Snowflake.UserCreated
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,5 @@ RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- AWS Authentication from CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
Original file line number Diff line number Diff line change
Expand Up @@ -162,3 +162,5 @@ RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- Okta Login From CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,5 @@ RuleID: "OnePassword.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- 1Password Login From CrowdStrike Unmanaged Device Query
Tags:
- Multi-Table Query
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Deletes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Deletes"
Threshold: 1
ScheduledQueries:
- Dropbox Many Deletes
Tags:
- Configuration Required
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Downloads.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Downloads"
Threshold: 1
ScheduledQueries:
- Dropbox Many Downloads
Tags:
- Configuration Required
5 changes: 3 additions & 2 deletions rules/github_rules/github_repo_hook_modified.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,20 @@
AnalysisType: rule
Filename: github_repo_hook_modified.py
RuleID: "GitHub.Repo.HookModified"
DisplayName: "GitHub Web Hook Modified"
DisplayName: "DEPRECATED - GitHub Web Hook Modified"
Enabled: false
LogTypes:
- GitHub.Audit
Tags:
- GitHub
- Exfiltration:Automated Exfiltration
- Deprecated
Reports:
MITRE ATT&CK:
- TA0010:T1020
Reference: https://docs.github.com/en/webhooks/about-webhooks
Severity: Info
Description: Detects when a web hook is added, modified, or deleted in an org repository.
Description: Deprecated. See GitHub.Webhook.Modified instead.
Tests:
- Name: GitHub - Webhook Created
ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Reports:
MITRE ATT&CK:
- TA0001:T1195
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Reports:
MITRE ATT&CK:
- TA0001:T1195
Expand Down
1 change: 1 addition & 0 deletions templates/example_scheduled_rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ ScheduledQueries:
- My Query Name
Tags:
- Tag
- No Pack
Severity: Medium
Description: >
An optional Description
Expand Down

0 comments on commit 9aafee1

Please sign in to comment.