
Threat-274 OCSF data model, CloudTrail #1238

Draft
wants to merge 33 commits into
base: develop
from

Commits on Apr 11, 2024

  1. Deprecate GreyNoise detections (#1205)

    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    melenevskyi and arielkr256 authored Apr 11, 2024
    8b4be20

Commits on Apr 15, 2024

  1. fix - Notion Login From New Location - NoneType error (#1206)

    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    akozlovets098 authored Apr 15, 2024
    319fd15

Commits on Apr 16, 2024

  1. remove codeowners (#1208)

    le4ker authored Apr 16, 2024
    3fde677

Commits on Apr 23, 2024

  1. fix - GCP rules - AttributeError (#1210)

    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    akozlovets098 authored Apr 23, 2024
    9239b29
  2. MITRE ATT&CK Mappings for MS Rules (#1209)

    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    ben-githubs and arielkr256 authored Apr 23, 2024
    f1180d4
  3. traildiscover enrichment with managed schema (#1177)

    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    4 people authored Apr 23, 2024
    6eeb515
  4. Update PAT to 0.46.0 (#1216)

    Evan Gibler authored Apr 23, 2024
    e2e9b4f

Commits on May 7, 2024

  1. cd042d2
  2. Update Action versions; use SHAs (#1231)

    * Update Action versions; use SHAs
    
    * Add dependabot.yml to keep Actions updated
    
    * Update PAT to 0.49.0
    Evan Gibler authored May 7, 2024
    5e5f196

Commits on May 8, 2024

  1. migrates the gcp_storage_hmac_keys_create rule to (#1233)

    python from sdyaml
    arielkr256 authored May 8, 2024
    0f28285
  2. 83e6d74

Commits on May 13, 2024

  1. consistency nit fixes (#1235)

    * consistency nit fixes
    
    * - somethings -> some things
    kjihso authored May 13, 2024
    575cf47

Commits on May 14, 2024

  1. AppOmni Alert passthrough (#1211)

    * alert passthrough
    
    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * linting
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * add file/host state to msft graph alert context (#1220)
    
    * fix timestamps (#1219)
    
    * Update PAT to 0.46.1 (#1222)
    
    * pack for traildiscover LUT (#1221)
    
    * use event.deep_get and remove InlineFilters
    
    * add pack
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Nick Hakmiller <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    10 people authored May 14, 2024
    c8b6ad9

Commits on May 15, 2024

  1. Merge remote-tracking branch 'origin/release' into release

    # Conflicts:
    #	.github/CODEOWNERS
    #	Pipfile
    #	Pipfile.lock
    akozlovets098 committed May 15, 2024
    1cb6695

Commits on May 21, 2024

  1. Push Security rules (#1207)

    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * Push Security rules
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * add file/host state to msft graph alert context (#1220)
    
    * fix timestamps (#1219)
    
    * Update PAT to 0.46.1 (#1222)
    
    * pack for traildiscover LUT (#1221)
    
    * pack, fmt lint, event.deep_get
    
    * pack update
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Nick Hakmiller <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    10 people authored May 21, 2024
    8012f11
  2. 1252a70
  3. Push logtype update (#1240)

    * created pack and updated event.deep_get
    
    * update logtype
    arielkr256 authored May 21, 2024
    63db6ce

Commits on May 22, 2024

  1. Remove Node/NPM/Prettier (#1241)

    * Remove Node/NPM/Prettier
    
    Signed-off-by: egibs <[email protected]>
    
    * Update README; add removal notes
    
    Signed-off-by: egibs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    egibs authored May 22, 2024
    442849c

Commits on May 27, 2024

  1. 309c401

Commits on May 29, 2024

  1. Small Workflow tweaks (#1243)

    Signed-off-by: egibs <[email protected]>
    egibs authored May 29, 2024
    c8b23bd
  2. Use harden-runner Action for all Workflows (#1244)

    * Use harden-runner Action for all Workflows
    
    Signed-off-by: egibs <[email protected]>
    
    * Run Docker Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * Add blocking policy for docker.yml
    
    Signed-off-by: egibs <[email protected]>
    
    * Add permissions to Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * More permissions
    
    Signed-off-by: egibs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    egibs authored May 29, 2024
    dc7070c

Commits on May 30, 2024

  1. Threat 319 Replace geoinfo_from_ip with new version (#1242)

    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * THREAT-319 Replace geoinfo_from_ip with new version
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    8 people authored May 30, 2024
    736c250
  2. cec5c8c
  3. ca6f7de

Commits on Jun 3, 2024

  1. Merge branch 'main' into release

    Signed-off-by: egibs <[email protected]>
    egibs committed Jun 3, 2024
    7eed675
  2. Update panther-core to 0.10.1 via PAT (#1249)

    Signed-off-by: egibs <[email protected]>
    egibs authored Jun 3, 2024
    12ff27b

Commits on Jun 4, 2024

  1. c331931
  2. 88becd1
  3. 63439fc
  4. 40e9e64
  5. 1ddcd0e
  6. Tweak Snowflake queries (#1250)

    * Tweak Snowflake queries
    
    Signed-off-by: egibs <[email protected]>
    
    * Remove configuration drift query from Pack
    
    Signed-off-by: egibs <[email protected]>
    
    * Threat Hunting queries are okay
    
    Signed-off-by: egibs <[email protected]>
    
    * Fix comment Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * 12 hours -> 1 day
    
    Signed-off-by: egibs <[email protected]>
    
    * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    egibs and arielkr256 authored Jun 4, 2024
    aa5ae8b
  7. a854c16