diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml index 993033c96..b0e6cf9c2 100644 --- a/rules/netskope_rules/netskope_admin_logged_out.yml +++ b/rules/netskope_rules/netskope_admin_logged_out.yml @@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures. DedupPeriodMinutes: 60 Threshold: 1 Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/ Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml index f98513b87..abc84d284 100644 --- a/rules/netskope_rules/netskope_admin_user_change.yml +++ b/rules/netskope_rules/netskope_admin_user_change.yml @@ -27,6 +27,7 @@ Tags: Reports: MITRE ATT&CK: - TA0004:T1098 +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/ Severity: High DynamicSeverities: - ChangeTo: Critical diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml index 6663338eb..c89c54fe6 100644 --- a/rules/netskope_rules/netskope_many_deletes.yml +++ b/rules/netskope_rules/netskope_many_deletes.yml @@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time. DedupPeriodMinutes: 60 Threshold: 10 Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/ Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml index 53fb387a0..cd3b2f389 100644 
--- a/rules/netskope_rules/netskope_personnel_action.yml +++ b/rules/netskope_rules/netskope_personnel_action.yml @@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Action taken by Netskope Personnel. Validate that this action was authorized. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1 Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml index 6fe10496f..74758ed4f 100644 --- a/rules/netskope_rules/netskope_unauthorized_api_calls.yml +++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml @@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per DedupPeriodMinutes: 60 Threshold: 10 Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials. +Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/ Tests: - Name: True positive ExpectedResult: true diff --git a/rules/notion_rules/notion_account_changed_after_login.yml b/rules/notion_rules/notion_account_changed_after_login.yml index c3f6d1609..59cf99205 100644 --- a/rules/notion_rules/notion_account_changed_after_login.yml +++ b/rules/notion_rules/notion_account_changed_after_login.yml @@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine. +Reference: https://www.notion.so/help/account-settings Tests: - # This unit test is to make sure the logic for handling login events successfully results in # caching the login info. The outputted title/alert_context are not important. 
diff --git a/rules/notion_rules/notion_login_from_blocked_ip.yml b/rules/notion_rules/notion_login_from_blocked_ip.yml index b32b63256..af4e2134b 100644 --- a/rules/notion_rules/notion_login_from_blocked_ip.yml +++ b/rules/notion_rules/notion_login_from_blocked_ip.yml @@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note: DedupPeriodMinutes: 60 Threshold: 1 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked. +Reference: https://www.notion.so/help/allowlist-ip diff --git a/rules/notion_rules/notion_login_from_new_location.yml b/rules/notion_rules/notion_login_from_new_location.yml index d3461b477..8cf3202d4 100644 --- a/rules/notion_rules/notion_login_from_new_location.yml +++ b/rules/notion_rules/notion_login_from_new_location.yml @@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location. DedupPeriodMinutes: 60 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine. +Reference: https://ipinfo.io/products/ip-geolocation-api Tests: - Name: Login from normal location ExpectedResult: false diff --git a/rules/notion_rules/notion_many_pages_deleted.yml b/rules/notion_rules/notion_many_pages_deleted.yml index ef5ba1205..81257217b 100644 --- a/rules/notion_rules/notion_many_pages_deleted.yml +++ b/rules/notion_rules/notion_many_pages_deleted.yml @@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/duplicate-delete-and-restore-content Tests: - Name: Other Event ExpectedResult: false 
diff --git a/rules/notion_rules/notion_many_pages_exported.yml b/rules/notion_rules/notion_many_pages_exported.yml index fb5f13740..010245809 100644 --- a/rules/notion_rules/notion_many_pages_exported.yml +++ b/rules/notion_rules/notion_many_pages_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs. Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/export-your-content Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_page_accessible_to_api.yml b/rules/notion_rules/notion_page_accessible_to_api.yml index 288174f6e..4f8ba6c0c 100644 --- a/rules/notion_rules/notion_page_accessible_to_api.yml +++ b/rules/notion_rules/notion_page_accessible_to_api.yml @@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions diff --git a/rules/notion_rules/notion_page_accessible_to_guests.yml b/rules/notion_rules/notion_page_accessible_to_guests.yml index ec3ef9fdf..53db176be 100644 --- a/rules/notion_rules/notion_page_accessible_to_guests.yml +++ b/rules/notion_rules/notion_page_accessible_to_guests.yml @@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions Tests: - Name: Guest Role Added ExpectedResult: true 
diff --git a/rules/notion_rules/notion_page_shared_to_web.yml b/rules/notion_rules/notion_page_shared_to_web.yml index 620d59920..777237005 100644 --- a/rules/notion_rules/notion_page_shared_to_web.yml +++ b/rules/notion_rules/notion_page_shared_to_web.yml @@ -14,3 +14,4 @@ Description: A Notion User published a page to the web. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/public-pages-and-web-publishing diff --git a/rules/notion_rules/notion_page_view_impossible_travel.yml b/rules/notion_rules/notion_page_view_impossible_travel.yml index f7ecce6d3..3d9f98fe3 100644 --- a/rules/notion_rules/notion_page_view_impossible_travel.yml +++ b/rules/notion_rules/notion_page_view_impossible_travel.yml @@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account compromise. Review activity of this user. +Reference: https://raxis.com/blog/simultaneous-sessions/ Tests: - Name: Normal Page View ExpectedResult: False diff --git a/rules/notion_rules/notion_scim_token_generated.yml b/rules/notion_rules/notion_scim_token_generated.yml index b30115211..e13e18c44 100644 --- a/rules/notion_rules/notion_scim_token_generated.yml +++ b/rules/notion_rules/notion_scim_token_generated.yml @@ -14,6 +14,7 @@ Severity: Medium DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/provision-users-and-groups-with-scim Tests: - ExpectedResult: false Log: diff --git a/rules/notion_rules/notion_workspace_audit_log_exported.yml b/rules/notion_rules/notion_workspace_audit_log_exported.yml index f18a3a767..6c80f8550 100644 --- a/rules/notion_rules/notion_workspace_audit_log_exported.yml +++ b/rules/notion_rules/notion_workspace_audit_log_exported.yml 
@@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/audit-log#export-your-audit-log Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_workspace_exported.yml b/rules/notion_rules/notion_workspace_exported.yml index 2232647de..c40f7ec5c 100644 --- a/rules/notion_rules/notion_workspace_exported.yml +++ b/rules/notion_rules/notion_workspace_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace Tests: - Name: Workspace Exported ExpectedResult: true diff --git a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml index 199009e77..a81cbe9c0 100644 --- a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml +++ b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f DedupPeriodMinutes: 60 Threshold: 1 Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices. +Reference: https://www.notion.so/help/saml-sso-configuration Tests: - Name: Other Event ExpectedResult: false 
diff --git a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml index 221c8ca0b..0147311d7 100644 --- a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml +++ b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: A Notion page was made public. Check with the author to determine why this page was made public. +Reference: https://www.notion.so/help/public-pages-and-web-publishing Tests: - Name: Public page added ExpectedResult: true diff --git a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml index 3d6cfeb11..ff18e8a81 100644 --- a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml +++ b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml @@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt" Enabled: true Filename: okta_app_unauthorized_access_attempt.py Severity: Low +Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US Tests: - ExpectedResult: true Log: diff --git a/rules/okta_rules/okta_geo_improbable_access.yml b/rules/okta_rules/okta_geo_improbable_access.yml index 20e9d65b9..6eb4d46ea 100644 --- a/rules/okta_rules/okta_geo_improbable_access.yml +++ b/rules/okta_rules/okta_geo_improbable_access.yml @@ -15,6 +15,7 @@ Reports: Severity: High Description: A user has subsequent logins from two geographic locations that are very far apart Runbook: Reach out to the user if needed to validate the activity, then lock the account +Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts SummaryAttributes: - eventType - severity 
diff --git a/rules/okta_rules/okta_group_admin_role_assigned.yml b/rules/okta_rules/okta_group_admin_role_assigned.yml index 4f6a8dcb9..def8bcd08 100644 --- a/rules/okta_rules/okta_group_admin_role_assigned.yml +++ b/rules/okta_rules/okta_group_admin_role_assigned.yml @@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group DisplayName: "Okta Group Admin Role Assigned" Enabled: true Filename: okta_group_admin_role_assigned.py +Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_account_locked.yml b/rules/okta_rules/okta_user_account_locked.yml index 97a4a074d..c7dbf6303 100644 --- a/rules/okta_rules/okta_user_account_locked.yml +++ b/rules/okta_rules/okta_user_account_locked.yml @@ -3,6 +3,7 @@ Description: An Okta user has locked their account. DisplayName: "Okta User Account Locked" Enabled: true Filename: okta_user_account_locked.py +Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US Severity: Low Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_factor_suspend.yml b/rules/okta_rules/okta_user_mfa_factor_suspend.yml index 45d60f71b..7364a4231 100644 --- a/rules/okta_rules/okta_user_mfa_factor_suspend.yml +++ b/rules/okta_rules/okta_user_mfa_factor_suspend.yml @@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user. DisplayName: "Okta User MFA Factor Suspend" Enabled: true Filename: okta_user_mfa_factor_suspend.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_reset.yml b/rules/okta_rules/okta_user_mfa_reset.yml index d21c22df7..4bd2ee8c0 100644 
--- a/rules/okta_rules/okta_user_mfa_reset.yml +++ b/rules/okta_rules/okta_user_mfa_reset.yml @@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset" RuleID: "Okta.User.MFA.Reset.Single" Enabled: true Filename: okta_user_mfa_reset.py +Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US Severity: Info Tests: - diff --git a/rules/okta_rules/okta_user_mfa_reset_all.yml b/rules/okta_rules/okta_user_mfa_reset_all.yml index c8826818a..f2a44444c 100644 --- a/rules/okta_rules/okta_user_mfa_reset_all.yml +++ b/rules/okta_rules/okta_user_mfa_reset_all.yml @@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.' DisplayName: "Okta User MFA Reset All" Enabled: true Filename: okta_user_mfa_reset_all.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All Severity: Low Tests: - ExpectedResult: true diff --git a/rules/onelogin_rules/onelogin_admin_role_assigned.yml b/rules/onelogin_rules/onelogin_admin_role_assigned.yml index cac026bee..d8bcaef05 100644 --- a/rules/onelogin_rules/onelogin_admin_role_assigned.yml +++ b/rules/onelogin_rules/onelogin_admin_role_assigned.yml @@ -7,6 +7,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391 Severity: Low SummaryAttributes: - account_id diff --git a/rules/onelogin_rules/onelogin_unusual_login.yml b/rules/onelogin_rules/onelogin_unusual_login.yml index 1e982554d..d614e0344 100644 --- a/rules/onelogin_rules/onelogin_unusual_login.yml +++ b/rules/onelogin_rules/onelogin_unusual_login.yml 
@@ -9,6 +9,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://actzero.ai/resources/blog/a-smarter-way-to-detect-suspicious-cloud-logins Severity: Medium Description: Deprecated. Please see Standard.UnusualLogin instead. SummaryAttributes: diff --git a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml index f1a0ca2fd..9dbed6ae1 100644 --- a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "BETA - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: diff --git a/rules/onepassword_rules/onepassword_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_sensitive_item_access.yml index 8e5ab5bd3..22a937473 100644 --- a/rules/onepassword_rules/onepassword_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "Configuration Required - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: diff --git a/rules/osquery_rules/osquery_mac_enable_auto_update.yml b/rules/osquery_rules/osquery_mac_enable_auto_update.yml index 7360f78fe..6039f11ca 100644 --- a/rules/osquery_rules/osquery_mac_enable_auto_update.yml +++ b/rules/osquery_rules/osquery_mac_enable_auto_update.yml 
@@ -21,6 +21,7 @@ Description: > Verifies that MacOS has automatic software updates enabled. Runbook: > Enable the auto updates on the host. +Reference: https://support.apple.com/en-gb/guide/mac-help/mchlpx1065/mac SummaryAttributes: - name - action diff --git a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml index 1e7c2180b..e3012725f 100644 --- a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml +++ b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml @@ -17,6 +17,7 @@ Severity: Medium Description: > Monitor for chrome extensions that could lead to a credential compromise. Runbook: Uninstall the unwanted extension +Reference: https://securelist.com/threat-in-your-browser-extensions/107181/ SummaryAttributes: - action - hostIdentifier diff --git a/rules/osquery_rules/osquery_ossec.yml b/rules/osquery_rules/osquery_ossec.yml index 93c53f3f9..3ef6ad2ab 100644 --- a/rules/osquery_rules/osquery_ossec.yml +++ b/rules/osquery_rules/osquery_ossec.yml @@ -17,6 +17,7 @@ Description: > Checks if any results are returned for the Osquery OSSEC Rootkit pack. Runbook: > Verify the presence of the rootkit and re-image the machine. +Reference: https://panther.com/blog/osquery-log-analysis/ SummaryAttributes: - name - hostIdentifier diff --git a/rules/osquery_rules/osquery_outdated.py b/rules/osquery_rules/osquery_outdated.py index cb190758c..7e9005acf 100644 --- a/rules/osquery_rules/osquery_outdated.py +++ b/rules/osquery_rules/osquery_outdated.py @@ -1,6 +1,6 @@ from panther_base_helpers import deep_get -LATEST_VERSION = "4.2.0" +LATEST_VERSION = "5.10.2" def rule(event): diff --git a/rules/osquery_rules/osquery_outdated.yml b/rules/osquery_rules/osquery_outdated.yml index b276f2f11..6c0af5fa1 100644 --- a/rules/osquery_rules/osquery_outdated.yml +++ b/rules/osquery_rules/osquery_outdated.yml 
@@ -9,8 +9,9 @@ Tags: - Osquery - Compliance Severity: Info -Description: Keep track of osquery versions, current is 4.1.2. +Description: Keep track of osquery versions, current is 5.10.2. Runbook: Update the osquery agent. +Reference: https://www.osquery.io/downloads/official/5.10.2 SummaryAttributes: - name - hostIdentifier @@ -74,7 +75,7 @@ Tests: "system_time": "12472", "user_time": "31800", "uuid": "37821E12-CC8A-5AA3-A90C-FAB28A5BF8F9", - "version": "4.2.0", + "version": "5.10.2", "watcher": "92" }, "counter": "255", diff --git a/rules/osquery_rules/osquery_outdated_macos.yml b/rules/osquery_rules/osquery_outdated_macos.yml index 32490ce9c..2e51f2f6a 100644 --- a/rules/osquery_rules/osquery_outdated_macos.yml +++ b/rules/osquery_rules/osquery_outdated_macos.yml @@ -12,6 +12,7 @@ Severity: Low Description: > Check that all laptops on the corporate environment are on a version of MacOS supported by IT. Runbook: Update the MacOs version +Reference: https://support.apple.com/en-eg/HT201260 SummaryAttributes: - name - hostIdentifier diff --git a/rules/osquery_rules/osquery_ssh_listener.yml b/rules/osquery_rules/osquery_ssh_listener.yml index 880b70ed1..765a8ca8f 100644 --- a/rules/osquery_rules/osquery_ssh_listener.yml +++ b/rules/osquery_rules/osquery_ssh_listener.yml @@ -16,6 +16,7 @@ Description: > Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment. Runbook: > Terminate the SSH daemon, investigate for signs of compromise. +Reference: https://medium.com/uptycs/osquery-what-it-is-how-it-works-and-how-to-use-it-ce4e81e60dfc SummaryAttributes: - action - hostIdentifier diff --git a/rules/panther_audit_rules/panther_detection_deleted.yml b/rules/panther_audit_rules/panther_detection_deleted.yml index 5938d2a7b..d8fcba243 100644 --- a/rules/panther_audit_rules/panther_detection_deleted.yml +++ b/rules/panther_audit_rules/panther_detection_deleted.yml 
@@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: Detection content has been removed from Panther. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_saml_modified.yml b/rules/panther_audit_rules/panther_saml_modified.yml index cf73682ba..daaa7b943 100644 --- a/rules/panther_audit_rules/panther_saml_modified.yml +++ b/rules/panther_audit_rules/panther_saml_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: An Admin has modified Panther's SAML configuration. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/saml SummaryAttributes: - p_any_ip_addresses - p_any_usernames diff --git a/rules/panther_audit_rules/panther_sensitive_role_created.yml b/rules/panther_audit_rules/panther_sensitive_role_created.yml index 93e5ac17b..36ec77ca6 100644 --- a/rules/panther_audit_rules/panther_sensitive_role_created.yml +++ b/rules/panther_audit_rules/panther_sensitive_role_created.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user role has been created that contains admin level permissions. Runbook: Contact the creator of this role to ensure its creation was appropriate. +Reference: https://docs.panther.com/system-configuration/rbac SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_user_modified.yml b/rules/panther_audit_rules/panther_user_modified.yml index ca28a4a69..95280e28c 100644 --- a/rules/panther_audit_rules/panther_user_modified.yml +++ b/rules/panther_audit_rules/panther_user_modified.yml 
@@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user. Runbook: Validate that this user modification was intentional. +Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/salesforce_rules/salesforce_admin_login_as_user.yml b/rules/salesforce_rules/salesforce_admin_login_as_user.yml index 5c55e71ae..8421ec35c 100644 --- a/rules/salesforce_rules/salesforce_admin_login_as_user.yml +++ b/rules/salesforce_rules/salesforce_admin_login_as_user.yml @@ -4,6 +4,7 @@ DisplayName: "Salesforce Admin Login As User" Enabled: true Filename: salesforce_admin_login_as_user.py Runbook: 'Please do an indicator search on USER_ID to find which user was assumed. ' +Reference: https://help.salesforce.com/s/articleView?id=sf.logging_in_as_another_user.htm&type=5 Severity: Info Tests: - ExpectedResult: false diff --git a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml index 935d220fe..5e16edc36 100644 --- a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml +++ b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml @@ -3,6 +3,7 @@ Description: SentinelOne Alert Passthrough DisplayName: "SentinelOne Alert Passthrough" Enabled: true Filename: sentinelone_alert_passthrough.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true diff --git a/rules/sentinelone_rules/sentinelone_threats.yml b/rules/sentinelone_rules/sentinelone_threats.yml index b22c72f3c..f861b3cf8 100644 --- a/rules/sentinelone_rules/sentinelone_threats.yml +++ b/rules/sentinelone_rules/sentinelone_threats.yml 
@@ -3,6 +3,7 @@ Description: 'Passthrough SentinelOne Threats ' DisplayName: "SentinelOne Threats" Enabled: true Filename: sentinelone_threats.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true diff --git a/rules/snyk_rules/snyk_misc_settings.yml b/rules/snyk_rules/snyk_misc_settings.yml index b6b4df89a..4d7c41974 100644 --- a/rules/snyk_rules/snyk_misc_settings.yml +++ b/rules/snyk_rules/snyk_misc_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings Severity: Low Description: > Detects when Snyk settings that lack a clear security impact are changed diff --git a/rules/snyk_rules/snyk_org_settings.yml b/rules/snyk_rules/snyk_org_settings.yml index 3716d8c5c..18dae4e54 100644 --- a/rules/snyk_rules/snyk_org_settings.yml +++ b/rules/snyk_rules/snyk_org_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings Severity: Medium Description: > Detects when Snyk Organization settings, like Integrations and Webhooks, are changed diff --git a/rules/snyk_rules/snyk_project_settings.yml b/rules/snyk_rules/snyk_project_settings.yml index a0d294745..9d52d8289 100644 --- a/rules/snyk_rules/snyk_project_settings.yml +++ b/rules/snyk_rules/snyk_project_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/introduction-to-snyk-projects/view-and-edit-project-settings Severity: Medium Description: > Detects when Snyk Project settings are changed diff --git a/rules/tailscale_rules/tailscale_https_disabled.yml b/rules/tailscale_rules/tailscale_https_disabled.yml index 15dd0a239..8f786c969 100644 --- a/rules/tailscale_rules/tailscale_https_disabled.yml +++ b/rules/tailscale_rules/tailscale_https_disabled.yml 
@@ -4,6 +4,7 @@ DisplayName: "Tailscale HTTPS Disabled" Enabled: true Filename: tailscale_https_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1153/enabling-https/#disable-https Severity: High Tests: - ExpectedResult: true diff --git a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml index 268e95db4..fe7a3e8a5 100644 --- a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml +++ b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Machine Approval Requirements Disabled" Enabled: true Filename: tailscale_machine_approval_requirements_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1099/device-approval/ Severity: High Tests: - ExpectedResult: true diff --git a/rules/tailscale_rules/tailscale_magicdns_disabled.yml b/rules/tailscale_rules/tailscale_magicdns_disabled.yml index 513da6419..c84f88818 100644 --- a/rules/tailscale_rules/tailscale_magicdns_disabled.yml +++ b/rules/tailscale_rules/tailscale_magicdns_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Magic DNS Disabled" Enabled: true Filename: tailscale_magicdns_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1081/magicdns/ Severity: High Tests: - ExpectedResult: true 
diff --git a/rules/tines_rules/tines_actions_disabled_changes.yml b/rules/tines_rules/tines_actions_disabled_changes.yml index 0b311afc2..f5e0fbc6d 100644 --- a/rules/tines_rules/tines_actions_disabled_changes.yml +++ b/rules/tines_rules/tines_actions_disabled_changes.yml @@ -7,6 +7,7 @@ LogTypes: - Tines.Audit Tags: - Tines +Reference: https://www.tines.com/university/tines-basics/architecture-of-an-action Severity: Medium Description: > Detections when Tines Actions are set to Disabled Change diff --git a/rules/tines_rules/tines_custom_ca.yml b/rules/tines_rules/tines_custom_ca.yml index b61097e4f..645d2b85f 100644 --- a/rules/tines_rules/tines_custom_ca.yml +++ b/rules/tines_rules/tines_custom_ca.yml @@ -8,6 +8,7 @@ LogTypes: Tags: - Tines - IAM - Credential Security +Reference: https://www.tines.com/docs/admin/custom-certificate-authority Severity: High Description: > Detects when Tines Custom CertificateAuthority settings are changed diff --git a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml index 1b1282def..4c5cbd566 100644 --- a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml +++ b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "Currently enqueued or retrying jobs were cleared" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/self-hosting/job-management DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_global_resource_destruction.yml b/rules/tines_rules/tines_global_resource_destruction.yml index 6e50d9be7..4b16a7a22 100644 --- a/rules/tines_rules/tines_global_resource_destruction.yml +++ b/rules/tines_rules/tines_global_resource_destruction.yml 
@@ -15,6 +15,7 @@ Tags: Severity: Low Description: "A Tines user has destroyed a global resource." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/resources DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_sso_settings.yml b/rules/tines_rules/tines_sso_settings.yml index af54cc371..841ef9c6a 100644 --- a/rules/tines_rules/tines_sso_settings.yml +++ b/rules/tines_rules/tines_sso_settings.yml @@ -11,6 +11,7 @@ Tags: Severity: High Description: > Detects when Tines SSO settings are changed +Reference: https://www.tines.com/docs/admin/single-sign-on DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes: diff --git a/rules/tines_rules/tines_story_items_destruction.yml b/rules/tines_rules/tines_story_items_destruction.yml index d4021b6b2..df94d9a30 100644 --- a/rules/tines_rules/tines_story_items_destruction.yml +++ b/rules/tines_rules/tines_story_items_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Info Description: "A user has destroyed a story item" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_story_jobs_clearance.yml b/rules/tines_rules/tines_story_jobs_clearance.yml index b812abe4b..8310aca46 100644 --- a/rules/tines_rules/tines_story_jobs_clearance.yml +++ b/rules/tines_rules/tines_story_jobs_clearance.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A Tines User has cleared story jobs." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: 
diff --git a/rules/tines_rules/tines_team_destruction.yml b/rules/tines_rules/tines_team_destruction.yml index 85375c64f..329da0272 100644 --- a/rules/tines_rules/tines_team_destruction.yml +++ b/rules/tines_rules/tines_team_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A user has destroyed a team" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/admin/teams DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_tenant_authtoken.yml b/rules/tines_rules/tines_tenant_authtoken.yml index ff366f3d2..33bb4fd94 100644 --- a/rules/tines_rules/tines_tenant_authtoken.yml +++ b/rules/tines_rules/tines_tenant_authtoken.yml @@ -11,6 +11,7 @@ Tags: Severity: Medium Description: > Detects when Tines Tenant API Keys are added +Reference: https://www.tines.com/api/authentication DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes:
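Review bot: The position of the new `Reference:` key is inconsistent across the patch, starting with the `netskope_admin_logged_out.yml` hunk, where it lands between `Runbook:` and `Tests:`; the okta, onelogin, onepassword and snyk hunks put it immediately before `Severity:`, and the tines hunks put it after `Runbook:` but before `DedupPeriodMinutes:`. Pick one location (next to `Description:`/`Runbook:` would read most naturally, since all three are analyst-facing text) and apply it to every file so a reader scanning rule YAML knows where to look.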
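Review bot: In the `netskope_unauthorized_api_calls.yml` hunk, the Reference points at the Netskope Private Access REST API page (`.../netskope-private-access/private-access-rest-apis/`), while the Description and Runbook describe unauthorized API calls that "could indicate brute force activity, or expired service account credentials", which is a tenant-wide audit-log signal rather than an NPA-specific one. Unless the rule only covers NPA calls, link the same audit-log page the sibling netskope hunks use, or a page on Netskope REST API tokens, so the reference actually explains the event the analyst is looking at.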
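Review bot: In the `notion_login_from_new_location.yml` hunk, the context line `Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.` carries a comment copied from `notion_many_pages_deleted.yml`; this rule has nothing to do with page deletions, so the comment is misleading and should be removed or reworded while this block is being edited. Separately, the new Reference is the ipinfo.io product page rather than Notion documentation; if the detection depends on an ipinfo geolocation enrichment, say so in the Description or Runbook, otherwise the link will read as unrelated to an analyst triaging the alert.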
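Review bot: In the `notion_page_view_impossible_travel.yml` hunk, the test context line uses `ExpectedResult: False` with a capital F, whereas every other test in this patch uses lowercase `false`; YAML 1.1 parsers accept both, but the inconsistency invites a lint failure later, so lowercase it here. The Reference is a third-party pentest vendor blog on simultaneous sessions; that is fine as background, but consider adding a Runbook step that tells the analyst which two locations and timestamps to compare, since the Description ("viewed a page from 2 locations simultaneously") is the only guidance given.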
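Review bot: In the `notion_workspace_settings_public_homepage_added.yml` hunk, the context line `Description: A Notion page was set to public in your worksace.` has a typo: "worksace" should be "workspace". Since this hunk already touches the block, fix it in the same change.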
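Review bot: In the `okta_group_admin_role_assigned.yml` hunk, the Reference URL ends in a `#:~:text=Log%20in%20to%20the%20Admin,...` scroll-to-text fragment. Text fragments are browser-specific, percent-encoded and silently stop matching as soon as the target article is reworded, so strip everything from `#:~:text=` onward and link the article itself.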
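Review bot: In the `okta_user_mfa_reset_all.yml` hunk, the Reference URL carries the same kind of `#:~:text=...` scroll-to-text fragment as the group-admin-role hunk; drop the fragment and link `https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm` directly so the link stays valid when the page wording changes.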
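Review bot: In the `onelogin_unusual_login.yml` hunk, the context line `Description: Deprecated. Please see Standard.UnusualLogin instead.` says this rule is deprecated, so attaching a third-party blog post as its Reference adds maintenance surface for a rule nobody should be enabling. Either point the Reference at the replacement rule (`Standard.UnusualLogin`) or leave the deprecated file untouched.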
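Review bot: In the `osquery_outdated.py` and `osquery_outdated.yml` hunks, the "latest" version string is now pinned in three places: `LATEST_VERSION = "5.10.2"` in the Python, `Description: Keep track of osquery versions, current is 5.10.2.` in the YAML, and the Reference URL `https://www.osquery.io/downloads/official/5.10.2`. The removed lines show these had already drifted apart (the Python said `4.2.0` while the Description said `4.1.2`), and a versioned download URL will go stale on the next bump. Suggest keeping the number only in `LATEST_VERSION`, wording the Description without a literal version, and linking the unversioned downloads page. For the test hunk, the only visible fixture change sets `"version": "5.10.2"` to match the new constant; confirm a fixture with an older version still exists so the rule's true branch remains covered.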
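Review bot: In the `osquery_outdated_macos.yml` hunk, the Apple support Reference uses the `en-eg` locale path (`https://support.apple.com/en-eg/HT201260`), while the `osquery_mac_enable_auto_update.yml` hunk uses `en-gb`. Use one locale for all Apple links (or `en-us`, which is what the rest of the repository's English-language references assume) so the links are consistent and do not look like copy-paste from a personal browser session.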
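Review bot: In the `tines_actions_disabled_changes.yml` hunk, the context line `Description: > Detections when Tines Actions are set to Disabled Change` is ungrammatical and does not match the verb form used by the neighbouring tines rules ("Detects when ..."). Since this hunk already edits the block, change it to "Detects when Tines Actions are set to Disabled" (or whatever the rule actually matches) in the same commit.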