Merge branch 'main' into fix/ben/panther_audit_dynamic_params

queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml

@@ -15,7 +15,7 @@ Query: |-
                  WHERE
                  verb IN ('create', 'update')
                  AND objectRef:resource = 'pods'
-                 AND ARRAY_INTERSECTION(REQUEST_OBJECT:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
+                 AND ARRAY_INTERSECTION(requestObject:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
                  AND requestObject:spec:containers[0]:securityContext is not null
                  AND p_occurs_since('30 minutes')
                  --insert allow-list for pods that are expected to have privileged linux capabilities, for example a observability agent

queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml

@@ -14,7 +14,7 @@ Query: >
                  WHERE
                  verb IN ('create', 'update', 'patch')
                  AND objectRef:resource = 'pods'
-                 AND request_object:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')                  
+                 AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')                  
                  AND p_occurs_since('30 minutes')
                  --insert allow-list for expected workloads that require a sensitive mount
                  LIMIT 10

queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml

@@ -7,21 +7,21 @@ Description: >
   This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
 Query: >
                  SELECT *,
-                        OBJECT_REF:name as service,
-                        OBJECT_REF:namespace as namespace,
-                        OBJECT_REF:resource as resource_type,                        
+                        objectRef:name as service,
+                        objectRef:namespace as namespace,
+                        objectRef:resource as resource_type,                        
                         COALESCE(impersonated_user, USER:username) as src_user,
-                        USER_AGENT,
-                        RESPONSE_OBJECT:spec:externalTrafficPolicy as external_traffic_policy,
-                        RESPONSE_OBJECT:spec:internalTrafficPolicy as internal_traffic_policy,
-                        RESPONSE_OBJECT:spec:clusterIP as cluster_ip_address,
+                        userAgent,
+                        responseObject:spec:externalTrafficPolicy as external_traffic_policy,
+                        responseObject:spec:internalTrafficPolicy as internal_traffic_policy,
+                        responseObject:spec:clusterIP as cluster_ip_address,
                         VALUE:port as port, --port where traffic gets forwarded to in the pod 
                         VALUE:protocol as protocol, --protocol the service uses
                         VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes 
-                        REQUEST_OBJECT:spec:type as type,
-                        IFF(REQUEST_OBJECT:spec:status:loadBalancer is null, 'No LB Present', 
-                        REQUEST_OBJECT:spec:status:loadBalancer) as load_balancer,
-                        RESPONSE_STATUS:code as response_status
+                        requestObject:spec:type as type,
+                        IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present', 
+                        requestObject:spec:status:loadBalancer) as load_balancer,
+                        responseStatus:code as response_status
                         FROM panther_logs.public.kubernetes_control_plane, lateral flatten(response_object:spec:ports)
                         WHERE
                         objectRef:resource = 'services'

rules/asana_rules/asana_service_account_created.yml

@@ -4,6 +4,7 @@ DisplayName: "Asana Service Account Created"
 Enabled: true
 Filename: asana_service_account_created.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://help.asana.com/hc/en-us/articles/14217496838427-Service-Accounts
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/asana_rules/asana_team_privacy_public.yml

@@ -3,6 +3,7 @@ Description: An Asana team's privacy setting was changed to public to the organi
 DisplayName: "Asana Team Privacy Public"
 Enabled: true
 Filename: asana_team_privacy_public.py
+Reference: https://help.asana.com/hc/en-us/articles/14211433439387-Team-permissions
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_default_session_duration_never.yml

@@ -3,6 +3,7 @@ Description: 'An Asana workspace''s default session duration (how often users ne
 DisplayName: "Asana Workspace Default Session Duration Never"
 Enabled: true
 Filename: asana_workspace_default_session_duration_never.py
+Reference: https://help.asana.com/hc/en-us/articles/14218320495899-Manage-Session-Duration
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_email_domain_added.yml

@@ -3,6 +3,7 @@ Description: 'A new email domain has been added to an Asana workspace. Reviewer
 DisplayName: "Asana Workspace Email Domain Added"
 Enabled: true
 Filename: asana_workspace_email_domain_added.py
+Reference: https://help.asana.com/hc/en-us/articles/15901227439515-Email-domain-management-for-Asana-organizations
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml

@@ -3,6 +3,7 @@ Description: 'An Asana Workspace Form Link is a unique URL that allows you to cr
 DisplayName: "Asana Workspace Form Link Auth Requirement Disabled"
 Enabled: true
 Filename: asana_workspace_form_link_auth_requirement_disabled.py
+Reference: https://help.asana.com/hc/en-us/articles/14111697664923-Forms-access-permissions#:~:text=SSO%2C%20SAML%2C%20or-,no%20authentication%20method,-).%20If%20no%20authentication
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml

@@ -3,6 +3,7 @@ Description: Typically inviting guests to Asana is permitted by few users. Enabl
 DisplayName: "Asana Workspace Guest Invite Permissions Anyone"
 Enabled: true
 Filename: asana_workspace_guest_invite_permissions_anyone.py
+Reference: https://help.asana.com/hc/en-us/articles/14109494654875-Admin-console#:~:text=Google%20SSO%20password.-,Guest%20invite%20controls,-Super%20admins%20of
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_new_admin.yml

@@ -1,8 +1,9 @@
 AnalysisType: rule
-Description:  Asana Workspace New Admin
+Description:  Admin role was granted to the user who previously did not have admin permissions
 DisplayName: Asana Workspace New Admin
 Enabled: true
 Filename: asana_workspace_new_admin.py
+Reference: https://help.asana.com/hc/en-us/articles/14141552580635-Admin-and-super-admin-roles-in-Asana
 Severity: High
 Tests:
     - ExpectedResult: False

rules/asana_rules/asana_workspace_org_export.yml

@@ -4,6 +4,7 @@ DisplayName: Asana Workspace Org Export
 Enabled: true
 Filename: asana_workspace_org_export.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://help.asana.com/hc/en-us/articles/14139896860955-Privacy-and-security#:~:text=like%20to%20see.-,Full%20export%20of%20an%20organization,-Available%20on%20Asana
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/asana_rules/asana_workspace_password_requirements_simple.yml

@@ -4,6 +4,7 @@ DisplayName: "Asana Workspace Password Requirements Simple"
 Enabled: true
 Filename: asana_workspace_password_requirements_simple.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://help.asana.com/hc/en-us/articles/14075208738587-Authentication-and-access-management-options-for-paid-plans
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: Asana Workspace Require App Approvals Disabled
 Enabled: true
 Filename: asana_workspace_require_app_approvals_disabled.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://help.asana.com/hc/en-us/articles/14109494654875-Admin-console#:~:text=used%20by%20default-,Require%20app%20approval,-Admins%20manage%20a
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/asana_rules/asana_workspace_saml_optional.yml

@@ -4,6 +4,7 @@ DisplayName: "Asana Workspace SAML Optional"
 Enabled: true
 Filename: asana_workspace_saml_optional.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://help.asana.com/hc/en-us/articles/14075208738587-Premium-Business-and-Enterprise-authentication#gl-saml:~:text=to%20your%20organization.-,SAML,-If%20your%20company
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/auth0_rules/auth0_custom_role_created.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 Custom Role Created"
 Enabled: true
 Filename: auth0_custom_role_created.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant if a user created a role without proper authorization.
+Reference: https://auth0.com/docs/manage-users/access-control/configure-core-rbac/roles/create-roles
 Severity: High
 Tests:
   - ExpectedResult: false

rules/auth0_rules/auth0_integration_installed.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 Integration Installed"
 Enabled: true
 Filename: auth0_integration_installed.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://auth0.com/blog/actions-integrations-are-now-ga/
 Severity: Info
 Tests:
   - ExpectedResult: true

rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 mfa factor enabled"
 Enabled: true
 Filename: auth0_mfa_factor_setting_enabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors
 Severity: Info
 Tests:
   - ExpectedResult: true

rules/auth0_rules/auth0_mfa_policy_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Policy Disabled"
 Enabled: true
 Filename: auth0_mfa_policy_disabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=prompted%20for%20MFA.-,Never,-%3A%20MFA%20is%20not
 Severity: High
 Tests:
     - ExpectedResult: false

rules/auth0_rules/auth0_mfa_policy_enabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Policy Enabled"
 Enabled: true
 Filename: auth0_mfa_policy_enabled.py
 Runbook: Assess if this was done by the user for a valid business reason and was expected. This alert indicates a setting change that aligns with best security practices, follow-up may be unnecessary.
+Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=In%20the-,Define%20policies,-section%2C%20select%20a
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Risk Assessment Disabled"
 Enabled: true
 Filename: auth0_mfa_risk_assessment_disabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=Always%20policy%2C%20the-,MFA%20Risk%20Assessors,-section%20appears.%20By
 Severity: High
 Tests:
     - ExpectedResult: false

rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 MFA Risk Assessment Enabled"
 Enabled: true
 Filename: auth0_mfa_risk_assessment_enabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant when enabling this setting as it's in the best security interest for your organization's security posture.
+Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=Always%20policy%2C%20the-,MFA%20Risk%20Assessors,-section%20appears.%20By
 Severity: Info
 Tests:
     - ExpectedResult: false

rules/auth0_rules/auth0_post_login_action_flow.yml

@@ -4,6 +4,7 @@ DisplayName: "Auth0 Post Login Action Flow Updated"
 Enabled: true
 Filename: auth0_post_login_action_flow.py
 Runbook: Assess if this was done by the user for a valid business reason. Be sure to replace any steps that were removed without authorization. 
+Reference: https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow/api-object
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/auth0_rules/auth0_user_invitation_created.yml

@@ -2,6 +2,7 @@ AnalysisType: rule
 DisplayName: "Auth0 User Invitation Created"
 Enabled: true
 Filename: auth0_user_invitation_created.py
+Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members
 Severity: Info
 Tests:
     - ExpectedResult: true

rules/auth0_rules/auth0_user_joined_tenant.yml

@@ -4,6 +4,7 @@ Description: User accepted invitation from Auth0 member to join an Auth0 tenant.
 Enabled: true
 Filename: auth0_user_joined_tenant.py
 RuleID: Auth0.User.Joined.Tenant
+Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can
 Severity: Info
 LogTypes:
     - Auth0.Events

rules/azure_signin_rules/azure_failed_signins.py

@@ -1,9 +1,5 @@
 from global_filter_azuresignin import filter_include_event
-from panther_azuresignin_helpers import (
-    actor_user,
-    azure_signin_alert_context,
-    is_sign_in_event,
-)
+from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event
 from panther_base_helpers import deep_get
 
 

rules/azure_signin_rules/azure_legacyauth.py

@@ -2,11 +2,7 @@
 from unittest.mock import MagicMock
 
 from global_filter_azuresignin import filter_include_event
-from panther_azuresignin_helpers import (
-    actor_user,
-    azure_signin_alert_context,
-    is_sign_in_event,
-)
+from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event
 from panther_base_helpers import deep_get
 
 LEGACY_AUTH_USERAGENTS = ["BAV2ROPC", "CBAInPROD"]  # CBAInPROD is reported to be IMAP

rules/azure_signin_rules/azure_risklevel_passthrough.py

@@ -1,9 +1,5 @@
 from global_filter_azuresignin import filter_include_event
-from panther_azuresignin_helpers import (
-    actor_user,
-    azure_signin_alert_context,
-    is_sign_in_event,
-)
+from panther_azuresignin_helpers import actor_user, azure_signin_alert_context, is_sign_in_event
 from panther_base_helpers import deep_get
 
 PASSTHROUGH_SEVERITIES = {"low", "medium", "high"}

rules/crowdstrike_rules/crowdstrike_detection_passthrough.py

@@ -1,7 +1,4 @@
-from panther_base_helpers import (
-    crowdstrike_detection_alert_context,
-    get_crowdstrike_field,
-)
+from panther_base_helpers import crowdstrike_detection_alert_context, get_crowdstrike_field
 
 
 def rule(event):

rules/crowdstrike_rules/crowdstrike_dns_request.py

@@ -1,7 +1,4 @@
-from panther_base_helpers import (
-    filter_crowdstrike_fdr_event_type,
-    get_crowdstrike_field,
-)
+from panther_base_helpers import filter_crowdstrike_fdr_event_type, get_crowdstrike_field
 
 # baddomain.com is present for testing purposes. Add domains you wish to be alerted on to this list
 DENYLIST = ["baddomain.com"]

rules/duo_rules/duo_admin_create_admin.py

@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):

rules/duo_rules/duo_admin_new_admin_api_app_integration.py

@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):

rules/duo_rules/duo_admin_sso_saml_requirement_disabled.py

@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):

rules/duo_rules/duo_admin_user_mfa_bypass_enabled.py

@@ -1,7 +1,4 @@
-from panther_duo_helpers import (
-    deserialize_administrator_log_event_description,
-    duo_alert_context,
-)
+from panther_duo_helpers import deserialize_administrator_log_event_description, duo_alert_context
 
 
 def rule(event):

rules/gsuite_reports_rules/gsuite_drive_external_share.py

@@ -1,11 +1,6 @@
 import datetime
 
-from panther_base_helpers import (
-    PantherUnexpectedAlert,
-    deep_get,
-    pattern_match,
-    pattern_match_list,
-)
+from panther_base_helpers import PantherUnexpectedAlert, deep_get, pattern_match, pattern_match_list
 
 COMPANY_DOMAIN = "your-company-name.com"
 EXCEPTION_PATTERNS = {

rules/onelogin_rules/onelogin_active_login_activity.py

@@ -1,11 +1,7 @@
 from datetime import timedelta
 
 from panther_base_helpers import is_ip_in_network
-from panther_detection_helpers.caching import (
-    add_to_string_set,
-    get_string_set,
-    put_string_set,
-)
+from panther_detection_helpers.caching import add_to_string_set, get_string_set, put_string_set
 
 THRESH = 2
 THRESH_TTL = timedelta(hours=12).total_seconds()

rules/onelogin_rules/onelogin_high_risk_login.py

@@ -1,10 +1,6 @@
 from datetime import timedelta
 
-from panther_detection_helpers.caching import (
-    get_counter,
-    increment_counter,
-    reset_counter,
-)
+from panther_detection_helpers.caching import get_counter, increment_counter, reset_counter
 
 THRESH_TTL = timedelta(minutes=10).total_seconds()
 

rules/tailscale_rules/tailscale_https_disabled.py

@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):

rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.py

@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):

rules/tailscale_rules/tailscale_magicdns_disabled.py

@@ -1,9 +1,6 @@
 from global_filter_tailscale import filter_include_event
 from panther_base_helpers import deep_get
-from panther_tailscale_helpers import (
-    is_tailscale_admin_console_event,
-    tailscale_alert_context,
-)
+from panther_tailscale_helpers import is_tailscale_admin_console_event, tailscale_alert_context
 
 
 def rule(event):

test_scenarios/send_data.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env -S python3
+
 import argparse
 import gzip
 import json