add missing pack items (#1345)

Co-authored-by: Ariel Ropek <[email protected]>
panther-labs · Sep 10, 2024 · 0147335 · 0147335
1 parent dfa4abf
commit 0147335
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 1 deletion.
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -173,7 +173,11 @@ PackDefinition:
     - AWS.CloudTrail.UserAccessKeyAuth
     - AWS.CloudTrail.LoginProfileCreatedOrModified
     - AWS.Console.Login
-
+    # Queries
+    - AWS Authentication from CrowdStrike Unmanaged Device
+    - Query.CloudTrail.Password.Spraying
+    - Query.VPC.DNS.Tunneling
+    - VPC Flow Port Scanning
     # AWS DataModels
     - Standard.AWS.ALB
     - Standard.AWS.CloudTrail

diff --git a/packs/github.yml b/packs/github.yml
@@ -12,6 +12,7 @@ PackDefinition:
     - GitHub.Org.IpAllowlist
     - GitHub.Org.Moderators.Add
     - GitHub.Org.Modified
+    - Github.Repo.Archived
     - Github.Repo.CollaboratorChange
     - Github.Repo.Created
     #- GitHub.Repo.HookModified

diff --git a/packs/gsuite_reports.yml b/packs/gsuite_reports.yml
@@ -41,4 +41,7 @@ PackDefinition:
     - panther_config_overrides
     - panther_event_type_helpers
     - panther_lookuptable_helpers
+    # Queries
+    - GSuite Many Docs Deleted Query
+    - GSuite Many Docs Downloaded Query
 DisplayName: "Panther GSuite Pack"
diff --git a/packs/kubernetes.yml b/packs/kubernetes.yml
@@ -20,3 +20,19 @@ PackDefinition:
     - Kubernetes.ServiceTypeNodePortDeployed
     - Kubernetes.UnauthenticatedAPIRequest
     - Kubernetes.UnauthorizedPodExecution
+    # Queries
+    - IOC Activity in K8 Control Plane
+    - Kubernetes Cron Job Created or Modified
+    - Kubernetes Pod Created in Pre-Configured or Default Name Spaces
+    - Kubernetes Service with Type Node Port Deployed
+    - New Admission Controller Created
+    - New DaemonSet Deployed to Kubernetes
+    - Pod Created or Modified Using the Host IPC Namespace
+    - Pod Created or Modified Using the Host PID Namespace
+    - Pod Created with Overly Permissive Linux Capabilities
+    - Pod attached to the Node Host Network
+    - Pod creation or modification to a Host Path Volume Mount
+    - Privileged Pod Created
+    - Secret Enumeration by a User
+    - Unauthenticated Kubernetes API Request
+    - Unauthorized Kubernetes Pod Execution
diff --git a/packs/okta.yml b/packs/okta.yml
@@ -35,6 +35,8 @@ PackDefinition:
     - panther_config
     - panther_config_defaults
     - panther_config_overrides
+    # Queries
+    - Okta Login From CrowdStrike Unmanaged Device
     # Data Model
     - Standard.Okta.SystemLog
 DisplayName: "Panther Okta Pack"
diff --git a/packs/onepassword.yml b/packs/onepassword.yml
@@ -15,3 +15,5 @@ PackDefinition:
     - panther_config
     - panther_config_defaults
     - panther_config_overrides
+    # Queries
+    - 1Password Login From CrowdStrike Unmanaged Device Query
diff --git a/packs/snowflake.yml b/packs/snowflake.yml
@@ -13,6 +13,7 @@ PackDefinition:
     - Query.Snowflake.BruteForceByIp
     - Query.Snowflake.BruteForceByUsername
     - Query.Snowflake.ClientIp
+    - Query.Snowflake.ConfigurationDrift
     - Query.Snowflake.CopyIntoStage
     - Query.Snowflake.External.Shares
     - Query.Snowflake.FileDownloaded