Merge branch 'main' into Add-references-to-rules-standard

rules/netskope_rules/netskope_admin_logged_out.yml

@@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: An admin was logged out because of successive login failures.  This could indicate brute force activity against this account.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
     - Name: True positive
       ExpectedResult: true

rules/netskope_rules/netskope_admin_user_change.yml

@@ -27,6 +27,7 @@ Tags:
 Reports:
   MITRE ATT&CK: 
     - TA0004:T1098
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
 Severity: High
 DynamicSeverities:
   - ChangeTo: Critical

rules/netskope_rules/netskope_many_deletes.yml

@@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time.
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: A user deleted a large number of objects in a short period of time.  Validate that this activity is expected and authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
     - Name: True positive
       ExpectedResult: true

rules/netskope_rules/netskope_personnel_action.yml

@@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Action taken by Netskope Personnel.  Validate that this action was authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1
 Tests:
     - Name: True positive
       ExpectedResult: true

rules/netskope_rules/netskope_unauthorized_api_calls.yml

@@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: An account is making many unauthorized API calls.  This could indicate brute force activity, or expired service account credentials.
+Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/
 Tests:
     - Name: True positive
       ExpectedResult: true

rules/notion_rules/notion_account_changed_after_login.yml

@@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine.
+Reference: https://www.notion.so/help/account-settings
 Tests:
     - # This unit test is to make sure the logic for handling login events successfully results in
       #   caching the login info. The outputted title/alert_context are not important.

rules/notion_rules/notion_login_from_blocked_ip.yml

@@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note:
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked.
+Reference: https://www.notion.so/help/allowlist-ip

rules/notion_rules/notion_login_from_new_location.yml

@@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location.
 DedupPeriodMinutes: 60
 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine.
+Reference: https://ipinfo.io/products/ip-geolocation-api
 Tests:
     - Name: Login from normal location
       ExpectedResult: false

rules/notion_rules/notion_many_pages_deleted.yml

@@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_many_pages_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs.
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/export-your-content
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_page_accessible_to_api.yml

@@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions

rules/notion_rules/notion_page_accessible_to_guests.yml

@@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions
 Tests:
   - Name: Guest Role Added
     ExpectedResult: true

rules/notion_rules/notion_page_shared_to_web.yml

@@ -14,3 +14,4 @@ Description: A Notion User published a page to the web.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/public-pages-and-web-publishing

rules/notion_rules/notion_page_view_impossible_travel.yml

@@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account compromise. Review activity of this user.
+Reference: https://raxis.com/blog/simultaneous-sessions/
 Tests:
   - Name: Normal Page View
     ExpectedResult: False

rules/notion_rules/notion_scim_token_generated.yml

@@ -14,6 +14,7 @@ Severity: Medium
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/provision-users-and-groups-with-scim
 Tests:
     - ExpectedResult: false
       Log:

rules/notion_rules/notion_workspace_audit_log_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/audit-log#export-your-audit-log
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_workspace_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace
 Tests:
     - Name: Workspace Exported
       ExpectedResult: true

rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml

@@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook:  Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices.
+Reference: https://www.notion.so/help/saml-sso-configuration
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_workspace_settings_public_homepage_added.yml

@@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: A Notion page was made public. Check with the author to determine why this page was made public.
+Reference: https://www.notion.so/help/public-pages-and-web-publishing
 Tests:
   - Name: Public page added
     ExpectedResult: true

rules/okta_rules/okta_app_unauthorized_access_attempt.yml

@@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt"
 Enabled: true
 Filename: okta_app_unauthorized_access_attempt.py
 Severity: Low
+Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US
 Tests:
     - ExpectedResult: true
       Log:

rules/okta_rules/okta_geo_improbable_access.yml

@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user has subsequent logins from two geographic locations that are very far apart
 Runbook: Reach out to the user if needed to validate the activity, then lock the account
+Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts
 SummaryAttributes:
   - eventType
   - severity

rules/okta_rules/okta_group_admin_role_assigned.yml

@@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group
 DisplayName: "Okta Group Admin Role Assigned"
 Enabled: true
 Filename: okta_group_admin_role_assigned.py
+Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes
 Severity: High
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_account_locked.yml

@@ -3,6 +3,7 @@ Description: An Okta user has locked their account.
 DisplayName: "Okta User Account Locked"
 Enabled: true
 Filename: okta_user_account_locked.py
+Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_mfa_factor_suspend.yml

@@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user.
 DisplayName: "Okta User MFA Factor Suspend"
 Enabled: true
 Filename: okta_user_mfa_factor_suspend.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm
 Severity: High
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_mfa_reset.yml

@@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset"
 RuleID: "Okta.User.MFA.Reset.Single"
 Enabled: true
 Filename: okta_user_mfa_reset.py
+Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US
 Severity: Info
 Tests:
     - 

rules/okta_rules/okta_user_mfa_reset_all.yml

@@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.'
 DisplayName: "Okta User MFA Reset All"
 Enabled: true
 Filename: okta_user_mfa_reset_all.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/onelogin_rules/onelogin_admin_role_assigned.yml

@@ -7,6 +7,7 @@ LogTypes:
   - OneLogin.Events
 Tags:
   - Identity & Access Management
+Reference: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391
 Severity: Low
 SummaryAttributes:
   - account_id

rules/onelogin_rules/onelogin_unusual_login.yml

@@ -9,6 +9,7 @@ LogTypes:
   - OneLogin.Events
 Tags:
   - Identity & Access Management
+Reference: https://actzero.ai/resources/blog/a-smarter-way-to-detect-suspicious-cloud-logins
 Severity: Medium
 Description: Deprecated. Please see Standard.UnusualLogin instead.
 SummaryAttributes:

rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml

@@ -6,6 +6,7 @@ DisplayName: "BETA - Sensitive 1Password Item Accessed"
 Enabled: false
 LogTypes:
    - OnePassword.ItemUsage
+Reference: https://support.1password.com/1password-com-items/
 Severity: Low
 Description: Alerts when a user defined list of sensitive items in 1Password is accessed
 SummaryAttributes:

rules/onepassword_rules/onepassword_sensitive_item_access.yml

@@ -6,6 +6,7 @@ DisplayName: "Configuration Required - Sensitive 1Password Item Accessed"
 Enabled: false
 LogTypes:
    - OnePassword.ItemUsage
+Reference: https://support.1password.com/1password-com-items/
 Severity: Low
 Description: Alerts when a user defined list of sensitive items in 1Password is accessed
 SummaryAttributes:

rules/osquery_rules/osquery_mac_enable_auto_update.yml

@@ -21,6 +21,7 @@ Description: >
   Verifies that MacOS has automatic software updates enabled.
 Runbook: >
   Enable the auto updates on the host.
+Reference: https://support.apple.com/en-gb/guide/mac-help/mchlpx1065/mac
 SummaryAttributes:
   - name
   - action

rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml

@@ -17,6 +17,7 @@ Severity: Medium
 Description: >
   Monitor for chrome extensions that could lead to a credential compromise.
 Runbook: Uninstall the unwanted extension
+Reference: https://securelist.com/threat-in-your-browser-extensions/107181/
 SummaryAttributes:
   - action
   - hostIdentifier

rules/osquery_rules/osquery_ossec.yml

@@ -17,6 +17,7 @@ Description: >
   Checks if any results are returned for the Osquery OSSEC Rootkit pack.
 Runbook: >
   Verify the presence of the rootkit and re-image the machine.
+Reference: https://panther.com/blog/osquery-log-analysis/
 SummaryAttributes:
   - name
   - hostIdentifier

rules/osquery_rules/osquery_outdated.py

@@ -1,6 +1,6 @@
 from panther_base_helpers import deep_get
 
-LATEST_VERSION = "4.2.0"
+LATEST_VERSION = "5.10.2"
 
 
 def rule(event):

rules/osquery_rules/osquery_outdated.yml

@@ -9,8 +9,9 @@ Tags:
   - Osquery
   - Compliance
 Severity: Info
-Description: Keep track of osquery versions, current is 4.1.2.
+Description: Keep track of osquery versions, current is 5.10.2.
 Runbook: Update the osquery agent.
+Reference: https://www.osquery.io/downloads/official/5.10.2
 SummaryAttributes:
   - name
   - hostIdentifier
@@ -74,7 +75,7 @@ Tests:
               "system_time": "12472",
               "user_time": "31800",
               "uuid": "37821E12-CC8A-5AA3-A90C-FAB28A5BF8F9",
-              "version": "4.2.0",
+              "version": "5.10.2",
               "watcher": "92"
           },
           "counter": "255",

rules/osquery_rules/osquery_outdated_macos.yml

@@ -12,6 +12,7 @@ Severity: Low
 Description: >
   Check that all laptops on the corporate environment are on a version of MacOS supported by IT.
 Runbook: Update the MacOs version
+Reference: https://support.apple.com/en-eg/HT201260
 SummaryAttributes:
   - name
   - hostIdentifier

rules/osquery_rules/osquery_ssh_listener.yml

@@ -16,6 +16,7 @@ Description: >
   Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment.
 Runbook: >
   Terminate the SSH daemon, investigate for signs of compromise.
+Reference: https://medium.com/uptycs/osquery-what-it-is-how-it-works-and-how-to-use-it-ce4e81e60dfc
 SummaryAttributes:
   - action
   - hostIdentifier

rules/panther_audit_rules/panther_detection_deleted.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0005:T1562
 Description: Detection content has been removed from Panther.
 Runbook: Ensure this change was approved and appropriate.
+Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/panther_audit_rules/panther_saml_modified.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0005:T1562
 Description: An Admin has modified Panther's SAML configuration.
 Runbook: Ensure this change was approved and appropriate.
+Reference: https://docs.panther.com/system-configuration/saml
 SummaryAttributes:
   - p_any_ip_addresses
   - p_any_usernames

rules/panther_audit_rules/panther_sensitive_role_created.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0003:T1098
 Description: A Panther user role has been created that contains admin level permissions.
 Runbook: Contact the creator of this role to ensure its creation was appropriate.
+Reference: https://docs.panther.com/system-configuration/rbac
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/panther_audit_rules/panther_user_modified.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0003:T1098
 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user.
 Runbook: Validate that this user modification was intentional.
+Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/salesforce_rules/salesforce_admin_login_as_user.yml

@@ -4,6 +4,7 @@ DisplayName: "Salesforce Admin Login As User"
 Enabled: true
 Filename: salesforce_admin_login_as_user.py
 Runbook: 'Please do an indicator search on USER_ID to find which user was assumed. '
+Reference: https://help.salesforce.com/s/articleView?id=sf.logging_in_as_another_user.htm&type=5
 Severity: Info
 Tests:
     - ExpectedResult: false

rules/sentinelone_rules/sentinelone_alert_passthrough.yml

@@ -3,6 +3,7 @@ Description: SentinelOne Alert Passthrough
 DisplayName: "SentinelOne Alert Passthrough"
 Enabled: true
 Filename: sentinelone_alert_passthrough.py
+Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/
 Severity: High
 Tests:
     - ExpectedResult: true

rules/sentinelone_rules/sentinelone_threats.yml

@@ -3,6 +3,7 @@ Description: 'Passthrough SentinelOne Threats '
 DisplayName: "SentinelOne Threats"
 Enabled: true
 Filename: sentinelone_threats.py
+Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/
 Severity: High
 Tests:
     - ExpectedResult: true

rules/snyk_rules/snyk_misc_settings.yml

@@ -8,6 +8,7 @@ LogTypes:
   - Snyk.OrgAudit
 Tags:
   - Snyk
+Reference: https://docs.snyk.io/snyk-admin/manage-settings
 Severity: Low
 Description: >
   Detects when Snyk settings that lack a clear security impact are changed

rules/snyk_rules/snyk_org_settings.yml

@@ -8,6 +8,7 @@ LogTypes:
   - Snyk.OrgAudit
 Tags:
   - Snyk
+Reference: https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings
 Severity: Medium
 Description: >
   Detects when Snyk Organization settings, like Integrations and Webhooks, are changed

rules/snyk_rules/snyk_project_settings.yml

@@ -8,6 +8,7 @@ LogTypes:
   - Snyk.OrgAudit
 Tags:
   - Snyk
+Reference: https://docs.snyk.io/snyk-admin/introduction-to-snyk-projects/view-and-edit-project-settings
 Severity: Medium
 Description: >
   Detects when Snyk Project settings are changed

rules/tailscale_rules/tailscale_https_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Tailscale HTTPS Disabled"
 Enabled: true
 Filename: tailscale_https_disabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://tailscale.com/kb/1153/enabling-https/#disable-https
 Severity: High
 Tests:
     - ExpectedResult: true

rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Tailscale Machine Approval Requirements Disabled"
 Enabled: true
 Filename: tailscale_machine_approval_requirements_disabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
+Reference: https://tailscale.com/kb/1099/device-approval/
 Severity: High
 Tests:
     - ExpectedResult: true