Prepare for v3.55.0 #1269

Closed
wants to merge 36 commits into from

Commits on May 7, 2024

  1. cd042d2
  2. Update Action versions; use SHAs (#1231)

    * Update Action versions; use SHAs
    
    * Add dependabot.yml to keep Actions updated
    
    * Update PAT to 0.49.0
    Evan Gibler authored May 7, 2024
    5e5f196

Commits on May 8, 2024

  1. migrates the gcp_storage_hmac_keys_create rule to python from sdyaml (#1233)

    arielkr256 authored May 8, 2024
    0f28285
  2. 83e6d74

Commits on May 13, 2024

  1. consistency nit fixes (#1235)

    * consistency nit fixes
    
    * - somethings -> some things
    kjihso authored May 13, 2024
    575cf47

Commits on May 14, 2024

  1. AppOmni Alert passthrough (#1211)

    * alert passthrough
    
    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * linting
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * add file/host state to msft graph alert context (#1220)
    
    * fix timestamps (#1219)
    
    * Update PAT to 0.46.1 (#1222)
    
    * pack for traildiscover LUT (#1221)
    
    * use event.deep_get and remove InlineFilters
    
    * add pack
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Nick Hakmiller <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    10 people authored May 14, 2024
    c8b6ad9

Commits on May 21, 2024

  1. Push Security rules (#1207)

    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * Push Security rules
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * add file/host state to msft graph alert context (#1220)
    
    * fix timestamps (#1219)
    
    * Update PAT to 0.46.1 (#1222)
    
    * pack for traildiscover LUT (#1221)
    
    * pack, fmt lint, event.deep_get
    
    * pack update
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Nick Hakmiller <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    10 people authored May 21, 2024
    8012f11
  2. 1252a70
  3. Push logtype update (#1240)

    * created pack and updated event.deep_get
    
    * update logtype
    arielkr256 authored May 21, 2024
    63db6ce

Commits on May 22, 2024

  1. Remove Node/NPM/Prettier (#1241)

    * Remove Node/NPM/Prettier
    
    Signed-off-by: egibs <[email protected]>
    
    * Update README; add removal notes
    
    Signed-off-by: egibs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    egibs authored May 22, 2024
    442849c

Commits on May 29, 2024

  1. Small Workflow tweaks (#1243)

    Signed-off-by: egibs <[email protected]>
    egibs authored May 29, 2024
    c8b23bd
  2. Use harden-runner Action for all Workflows (#1244)

    * Use harden-runner Action for all Workflows
    
    Signed-off-by: egibs <[email protected]>
    
    * Run Docker Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * Add blocking policy for docker.yml
    
    Signed-off-by: egibs <[email protected]>
    
    * Add permissions to Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * More permissions
    
    Signed-off-by: egibs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    egibs authored May 29, 2024
    dc7070c

Commits on May 30, 2024

  1. Threat 319 Replace geoinfo_from_ip with new version (#1242)

    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * THREAT-319 Replace geoinfo_from_ip with new version
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    8 people authored May 30, 2024
    736c250
  2. cec5c8c
  3. ca6f7de

Commits on Jun 3, 2024

  1. Merge branch 'main' into release

    Signed-off-by: egibs <[email protected]>
    egibs committed Jun 3, 2024
    7eed675
  2. Update panther-core to 0.10.1 via PAT (#1249)

    Signed-off-by: egibs <[email protected]>
    egibs authored Jun 3, 2024
    12ff27b

Commits on Jun 4, 2024

  1. Tweak Snowflake queries (#1250)

    * Tweak Snowflake queries
    
    Signed-off-by: egibs <[email protected]>
    
    * Remove configuration drift query from Pack
    
    Signed-off-by: egibs <[email protected]>
    
    * Threat Hunting queries are okay
    
    Signed-off-by: egibs <[email protected]>
    
    * Fix comment Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * 12 hours -> 1 day
    
    Signed-off-by: egibs <[email protected]>
    
    * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    egibs and arielkr256 authored Jun 4, 2024
    aa5ae8b

Commits on Jun 7, 2024

  1. Fixed typo in README.md (#1253)

    fixed 'unintall' typo to 'npm uninstall prettier'
    JPhenglavong authored Jun 7, 2024
    d700925

Commits on Jun 10, 2024

  1. build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

    Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@f086349...17d0e2b)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 10, 2024
    9156338
  2. 2f8c64f
  3. OCSF data model, VPC/DNS (#1214)

    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * THREAT-278 OCSF data model, VPC
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    7 people authored Jun 10, 2024
    41e0c46
  4. fix: consider deny rules for ssh network acl policy (#1236)

    * fix: consider deny rules for ssh network acl policy
    
    * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
    
    * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    skeggse and arielkr256 authored Jun 10, 2024
    2b80d94
  5. AWS Honeypot Detections threat-306 (#1252)

    * AWS Honeypot Detections threat-306
    
    AWS Security Finding rules on decoy AWS resources:
    https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * reformatted and linted
    
    * removed unused methods
    
    * fixed trailing lines
    
    * add decoy rules as a pack
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    JPhenglavong and arielkr256 authored Jun 10, 2024
    1772ca0
  6. Update aws_console_login_without_mfa.py (#1237)

    * Update aws_console_login_without_mfa.py
    
    is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"
    
    * Update aws_console_login_without_mfa.py
    
    Casted str to account for NoneType
    
    * Update new_user_account_logging.py
    
    Added an alternative string in the case udm user is empty
    
    * Update new_user_account_logging.yml
    
    add mock test
    
    * Standard user creation fixes (#1256)
    
    * Prepare for `3.53.0` (#1232)
    
    * Replace panther_analysis_tool import with updated import (#1230)
    
    * Update Action versions; use SHAs (#1231)
    
    * Update Action versions; use SHAs
    
    * Add dependabot.yml to keep Actions updated
    
    * Update PAT to 0.49.0
    
    * auth0-cic-credential-stuffing rule and query (#1246)
    
    * Add saved queries for ongoing Snowflake threats (#1248)
    
    * Add saved queries for ongoing Snowflake threats
    
    * Add limits
    
    Signed-off-by: egibs <[email protected]>
    
    * snowflake pack
    
    * Add scheduled queries and rules
    
    Signed-off-by: egibs <[email protected]>
    
    * pack update
    
    * ruleID fix
    
    * make fmt
    
    Signed-off-by: egibs <[email protected]>
    
    * Fix merge conflicts
    
    Signed-off-by: egibs <[email protected]>
    
    * Turn off by default
    
    Signed-off-by: egibs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * Update panther-core to 0.10.1 via PAT (#1249)
    
    Signed-off-by: egibs <[email protected]>
    
    * Tweak Snowflake queries (#1250)
    
    * Tweak Snowflake queries
    
    Signed-off-by: egibs <[email protected]>
    
    * Remove configuration drift query from Pack
    
    Signed-off-by: egibs <[email protected]>
    
    * Threat Hunting queries are okay
    
    Signed-off-by: egibs <[email protected]>
    
    * Fix comment Workflow
    
    Signed-off-by: egibs <[email protected]>
    
    * 12 hours -> 1 day
    
    Signed-off-by: egibs <[email protected]>
    
    * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * Fixed typo in README.md (#1253)
    
    fixed 'unintall' typo to 'npm uninstall prettier'
    
    * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)
    
    Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
    - [Release notes](https://github.com/step-security/harden-runner/releases)
    - [Commits](step-security/harden-runner@f086349...17d0e2b)
    
    ---
    updated-dependencies:
    - dependency-name: step-security/harden-runner
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    
    * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)
    
    * OCSF data model, VPC/DNS (#1214)
    
    * Deprecate GreyNoise detections (#1205)
    
    * Deprecate GreyNoise detections
    
    * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
    
    * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
    
    * Update cloudflare_httpreq_bot_high_volume_greynoise.yml
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * fix - Notion Login From New Location - NoneType error (#1206)
    
    * fix - Notion Login From New Location - NoneType error
    
    * fix - Notion Login From New Location - NoneType error - linter fix
    
    * remove codeowners (#1208)
    
    * fix - GCP rules - AttributeError (#1210)
    
    * fix - GCP rules - AttributeError
    
    * fix - GCP rules - AttributeError - linter fix
    
    * MITRE ATT&CK Mappings for MS Rules (#1209)
    
    * added MITRE mappings for microsoft rules
    
    * fixed formatting on some helper files
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * traildiscover enrichment with managed schema (#1177)
    
    * traildiscover enrichment with managed schema
    
    * Add npm install in dockerfile (#1172)
    
    * add npm install in dockerfile
    
    * Remove Python optimizations; add prettier to PATH
    
    ---------
    
    Co-authored-by: egibs <[email protected]>
    
    * schema name: TrailDiscover.CloudTrail
    
    * Fix Dockerfile; add Workflow to test image
    
    * updated data set
    
    * Add MongoDB.2FA.Disabled rule (#1190)
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * lint and fmt
    
    * fmt
    
    * add OCSF selector
    
    * additional OCSF mappings
    
    * Fix Pipfile
    
    * Rebase changes
    
    ---------
    
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    
    * Update PAT to 0.46.0 (#1216)
    
    * THREAT-278 OCSF data model, VPC
    
    ---------
    
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    
    * fix: consider deny rules for ssh network acl policy (#1236)
    
    * fix: consider deny rules for ssh network acl policy
    
    * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
    
    * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    * AWS Honeypot Detections threat-306 (#1252)
    
    * AWS Honeypot Detections threat-306
    
    AWS Security Finding rules on decoy AWS resources:
    https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * Update decoy_secret_accessed.py
    
    * Update decoy_s3_accessed.py
    
    * Update decoy_iam_assumed.py
    
    * Update decoy_dynamodb_accessed.py
    
    * Update decoy_systems_manager_parameter_accessed.py
    
    * reformatted and linted
    
    * removed unused methods
    
    * fixed trailing lines
    
    * add decoy rules as a pack
    
    ---------
    
    Co-authored-by: Ariel Ropek <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: BJ Maldonado <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Eli Skeggs <[email protected]>
    
    ---------
    
    Signed-off-by: egibs <[email protected]>
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: Evan Gibler <[email protected]>
    Co-authored-by: Ariel Ropek <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: BJ Maldonado <[email protected]>
    Co-authored-by: akozlovets098 <[email protected]>
    Co-authored-by: Oleh Melenevskyi <[email protected]>
    Co-authored-by: Panos Sakkos <[email protected]>
    Co-authored-by: ben-githubs <[email protected]>
    Co-authored-by: egibs <[email protected]>
    Co-authored-by: Eli Skeggs <[email protected]>
    13 people authored Jun 10, 2024
    a15c5e6

Commits on Jun 12, 2024

  1. Update PAT to 0.50.0 (#1259)

    Signed-off-by: egibs <[email protected]>
    egibs authored Jun 12, 2024
    3fa12da
  2. schema rename (#1258)

    arielkr256 authored Jun 12, 2024
    69ad583

Commits on Jun 13, 2024

  1. build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#1263)

    Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@a5ac7e5...692973e)
    
    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jun 13, 2024
    73cdbde
  2. Update PAT to 0.50.1 (#1261)

    Signed-off-by: egibs <[email protected]>
    egibs authored Jun 13, 2024
    1aaef4e
  3. improve error handling for dynamic functions (#1262)

    * improve error handling for dynamic functions
    
    * remove unused import
    
    * additional fixes
    
    * more fixes
    arielkr256 authored Jun 13, 2024
    327008e

Commits on Jun 17, 2024

  1. update vscode schema to honor correlation rules (#1264)

    Co-authored-by: Ariel Ropek <[email protected]>
    nskobov and arielkr256 authored Jun 17, 2024
    bcf9088

Commits on Jun 18, 2024

  1. fbdd0c4
  2. update snowflake queries with p_occurs_since (#1265)

    * update snowflake queries with p_occurs_since
    
    * a few more fixes
    
    * typo
    arielkr256 authored Jun 18, 2024
    33335ca
  3. 7ff3c9f

Commits on Jun 24, 2024

  1. 1f1a05e
  2. Remove unnecessary pipenv step (#1270)

    Signed-off-by: egibs <[email protected]>
    egibs authored Jun 24, 2024
    bc59473