Prepare for v3.55.0 #1271

Merged
merged 36 commits into from
Jun 27, 2024
Conversation

ben-githubs
Contributor

Background

Move PRs for 3.55.0 into main

Changes

  • All the commits below

Testing

  • N/A

Evan Gibler and others added 30 commits May 7, 2024 08:43
* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0
* consistency nit fixes

* - somethings -> some things
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <[email protected]>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <[email protected]>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <[email protected]>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <[email protected]>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Oleh Melenevskyi <[email protected]>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: akozlovets098 <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Nick Hakmiller <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <[email protected]>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <[email protected]>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <[email protected]>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Oleh Melenevskyi <[email protected]>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: akozlovets098 <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Nick Hakmiller <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
* created pack and updated event.deep_get

* update logtype
* Remove Node/NPM/Prettier

Signed-off-by: egibs <[email protected]>

* Update README; add removal notes

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
* Use harden-runner Action for all Workflows

Signed-off-by: egibs <[email protected]>

* Run Docker Workflow

Signed-off-by: egibs <[email protected]>

* Add blocking policy for docker.yml

Signed-off-by: egibs <[email protected]>

* Add permissions to Workflow

Signed-off-by: egibs <[email protected]>

* More permissions

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
* Tweak Snowflake queries

Signed-off-by: egibs <[email protected]>

* Remove configuration drift query from Pack

Signed-off-by: egibs <[email protected]>

* Threat Hunting queries are okay

Signed-off-by: egibs <[email protected]>

* Fix comment Workflow

Signed-off-by: egibs <[email protected]>

* 12 hours -> 1 day

Signed-off-by: egibs <[email protected]>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
fixed 'unintall' typo to 'npm uninstall prettier'

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <[email protected]>
* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <[email protected]>
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Cast to str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)


* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <[email protected]>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <[email protected]>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <[email protected]>

* Fix merge conflicts

Signed-off-by: egibs <[email protected]>

* Turn off by default

Signed-off-by: egibs <[email protected]>

---------

Signed-off-by: egibs <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <[email protected]>

* Tweak Snowflake queries (#1250)


* Fixed typo in README.md (#1253)


* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)


* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)


* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>

* fix: consider deny rules for ssh network acl policy (#1236)


* AWS Honeypot Detections threat-306 (#1252)


---------

Signed-off-by: egibs <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <[email protected]>
Co-authored-by: akozlovets098 <[email protected]>
Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Eli Skeggs <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@a5ac7e5...692973e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* improve error handling for dynamic functions

* remove unused import

* additional fixes

* more fixes
@ben-githubs ben-githubs requested a review from a team as a code owner June 27, 2024 15:11

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@ben-githubs ben-githubs merged commit 575dc62 into main Jun 27, 2024
12 checks passed