misc pack management
ben-githubs committed Sep 23, 2024
1 parent 4f54068 commit 29d4e1e
Showing 12 changed files with 27 additions and 1 deletion.
1 change: 1 addition & 0 deletions packs/auth0.yml
@@ -3,6 +3,7 @@ PackID: PantherManaged.Auth0
Description: Group of all Auth0 detections
PackDefinition:
IDs:
- Auth0.CIC.Credential.Stuffing
- Auth0.Custom.Role.Created
- Auth0.Integration.Installed
- Auth0.MFA.Factor.Setting.Enabled
5 changes: 5 additions & 0 deletions packs/aws.yml
@@ -73,6 +73,7 @@ PackDefinition:
- AWS.PasswordPolicy.ComplexityGuidelines
- AWS.PasswordPolicy.PasswordAgeLimit
- AWS.PasswordPolicy.PasswordReuse
- AWS.Potentially.Stolen.Service.Role.Scheduled
- AWS.Suspicious.SAML.Activity
- AWS.User.Login.Profile.Modified
# General Policies and Rules
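Review bot: if `AWS.Potentially.Stolen.Service.Role.Scheduled` is the line added here, it sits among the password-policy rules while its siblings, the `AWS.Potentially.Stolen.Service.Role` correlation rule and the `AWS Potentially Stolen Service Role` query, live in their own sections further down the file; a short comment above this ID saying it is the scheduled-rule variant of that correlation rule would make the three related entries easier to keep in sync.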
@@ -165,14 +166,18 @@ PackDefinition:
# Correlation Rules
- AWS.Potentially.Stolen.Service.Role
- AWS.Privilege.Escalation.Via.User.Compromise
- AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
- AWS.User.Takeover.Via.Password.Reset
# Signal Rules
- Role.Assumed.by.AWS.Service
- Role.Assumed.by.User
- AWS.CloudTrail.UserAccessKeyAuth
- AWS.CloudTrail.LoginProfileCreatedOrModified
- AWS.Console.Login
- Retrieve.SSO.access.token
- Sign-in.with.AWS.CLI.prompt
# Queries
- AWS Potentially Stolen Service Role
- Query.CloudTrail.Password.Spraying
- Query.VPC.DNS.Tunneling
- VPC Flow Port Scanning
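Review bot: the signal rule IDs in this hunk are inconsistently named: `Retrieve.SSO.access.token` and `Sign-in.with.AWS.CLI.prompt` use mixed case and no `AWS.` prefix, unlike `AWS.CloudTrail.UserAccessKeyAuth` and `AWS.Console.Login` beside them, and the Queries block mixes dotted IDs (`Query.CloudTrail.Password.Spraying`) with space-separated names (`AWS Potentially Stolen Service Role`). If these are existing IDs that cannot be renamed that is fine, but a correlation rule such as `AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP` only fires when the signal rules it sequences are uploaded with it, so please confirm that every signal this pack's correlation rules reference is listed under Signal Rules and that each scheduled rule's query is listed under Queries.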
5 changes: 4 additions & 1 deletion packs/multisource_correlations.yml
@@ -8,7 +8,9 @@ PackDefinition:
- Secret.Exposed.and.not.Quarantined
- GitHub.Secret.Scanning.Alert.Created
- AWS.CloudTrail.IAMCompromisedKeyQuarantine
- global_filter_github
- Okta.SSO.to.AWS
- AWS.Console.Sign-In
- AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta

# Okta + Push Security
- Okta.Login.Without.Push
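Review bot: `AWS.Console.Sign-In` here and `AWS.Console.Login` in packs/aws.yml read like two signal rules for the same CloudTrail event; confirm they are distinct rules rather than an old and a new ID for one rule, otherwise `AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta` may be sequencing a signal that the AWS pack no longer ships. Moving `global_filter_github` out of the GitHub correlation group is right, since it is a helper rather than a detection.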
@@ -24,6 +26,7 @@ PackDefinition:
- Standard.AWS.CloudTrail

# Global Helpers
- global_filter_github
- panther_base_helpers
- panther_config
- panther_config_defaults
4 changes: 4 additions & 0 deletions packs/snowflake.yml
@@ -18,7 +18,9 @@ PackDefinition:
- Query.Snowflake.External.Shares
- Query.Snowflake.FileDownloaded
- Query.Snowflake.KeyUserPasswordLogin
- Query.Snowflake.MFALogin
- Query.Snowflake.Multiple.Logins.Followed.By.Success
- Query.Snowflake.PublicRoleGrant
- Query.Snowflake.SuspectedUserAccess
- Query.Snowflake.TempStageCreated
- Query.Snowflake.UserCreated
@@ -34,7 +36,9 @@ PackDefinition:
- Snowflake.External.Shares
- Snowflake.FileDownloaded
- Snowflake.KeyUserPasswordLogin
- Snowflake.LoginWithoutMFA
- Snowflake.Multiple.Failed.Logins.Followed.By.Success
- Snowflake.PublicRoleGrant
- Snowflake.TempStageCreated
- Snowflake.User.Access
- Snowflake.UserCreated
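Review bot: the names of the new query/rule pairs do not line up: `Query.Snowflake.Multiple.Logins.Followed.By.Success` in the first hunk drops the word "Failed" that its rule `Snowflake.Multiple.Failed.Logins.Followed.By.Success` carries, and `Query.Snowflake.MFALogin` pairs with `Snowflake.LoginWithoutMFA`. Pack IDs have to match the QueryName and RuleID in the referenced files exactly, so please verify each entry against its file, and consider aligning the names so the pairing is obvious to whoever maintains this pack next.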
@@ -44,3 +44,5 @@ RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- AWS Authentication from CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
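Review bot: `Multi-Table Query` is added as a Tags entry on this rule and on the Okta and 1Password rules below, but nothing in the commit says what the tag signals (presumably that the scheduled query joins CrowdStrike data with a second log source and so needs both onboarded); a comment in the rule file, or a README line defining the tags this commit introduces (`Multi-Table Query`, `Configuration Required`, `No Pack`), would help whoever maintains the packs.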
@@ -162,3 +162,5 @@ RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- Okta Login From CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
@@ -49,3 +49,5 @@ RuleID: "OnePassword.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- 1Password Login From CrowdStrike Unmanaged Device Query
Tags:
- Multi-Table Query
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Deletes.yml
@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Deletes"
Threshold: 1
ScheduledQueries:
- Dropbox Many Deletes
Tags:
- Configuration Required
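Review bot: `Configuration Required` on `Dropbox.Many.Deletes` (and on `Dropbox.Many.Downloads` in the next hunk) tells the reader that something must be set before the rule is useful but not what; the hunk only shows `Threshold: 1` and the query name, so please add a line to the rule's Description naming the setting that needs tuning (presumably the per-user count in the scheduled query) so the tag is actionable.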
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Downloads.yml
@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Downloads"
Threshold: 1
ScheduledQueries:
- Dropbox Many Downloads
Tags:
- Configuration Required
@@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Reports:
MITRE ATT&CK:
- TA0001:T1195
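Review bot: these two GitLab rules are tagged `CVE-2023-7028` and now also `No Pack`, so detections for a named vulnerability are being left out of the GitLab pack. If that is deliberate (for instance because another rule covers the same behaviour or a specific log type is required), record the reason in the Description or in a comment next to the tag; the same applies to the identical hunk below.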
@@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Reports:
MITRE ATT&CK:
- TA0001:T1195
1 change: 1 addition & 0 deletions templates/example_scheduled_rule.yml
@@ -7,6 +7,7 @@ ScheduledQueries:
- My Query Name
Tags:
- Tag
- No Pack
Severity: Medium
Description: >
An optional Description
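Review bot: adding `- No Pack` to `templates/example_scheduled_rule.yml` means every scheduled rule created from the template starts out excluded from packs; since `- Tag` above it is clearly a placeholder, a comment such as `# remove No Pack once the rule is added to a pack` would stop the tag from being copied into new rules unintentionally.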