Updated packs
melenevskyi committed Dec 13, 2023
1 parent ff81fc6 commit 5df05d1
Showing 14 changed files with 36 additions and 1 deletion.
1 change: 1 addition & 0 deletions packs/asana.yml
Expand Up @@ -13,6 +13,7 @@ PackDefinition:
- Asana.Workspace.Require.App.Approvals.Disabled
- Asana.Workspace.Password.Requirements.Simple
- Asana.Workspace.Org.Export
- Asana.Workspace.New.Admin
# Globals used in these detections
- panther_asana_helpers
- panther_base_helpers
1 change: 1 addition & 0 deletions packs/atlassian.yml
Expand Up @@ -4,6 +4,7 @@ Description: Group of all Atlassian detections
PackDefinition:
IDs:
- Atlassian.User.LoggedInAsUser
- Confluence.0DayIPs
# Globals used in these detections
- panther_base_helpers
DisplayName: "Panther Atlassian Pack"
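Review bot: Confluence.0DayIPs, added here to the Atlassian pack, is also added to packs/panther.yml in this same commit, so the same detection ships in two packs and will be enabled twice for anyone who turns on both. Pick one home for it (the Atlassian pack is the natural fit given the rule's prefix) and drop the other entry, or add a comment explaining why it must appear in both.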
2 changes: 2 additions & 0 deletions packs/box.yml
Expand Up @@ -12,6 +12,8 @@ PackDefinition:
- Box.Untrusted.Device
- Box.Large.Number.Downloads
- Box.Large.Number.Permission.Updates
- Box.Item.Shared.Externally
- Box.Event.Triggered.Externally
# Globals used in these detections
- panther_base_helpers
- panther_box_helpers
2 changes: 2 additions & 0 deletions packs/cisco_umbrella_dns.yml
Expand Up @@ -4,5 +4,7 @@ Description: Group of all Cisco Umbrella detections
PackDefinition:
IDs:
- CiscoUmbrella.DNS.Blocked
- CiscoUmbrella.DNS.FuzzyMatching
- CiscoUmbrella.DNS.Suspicious
# Globals used in these detections
DisplayName: "Panther Cisco Umbrella Pack"
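Review bot: the `# Globals used in these detections` comment at the end of the IDs list still has nothing beneath it after CiscoUmbrella.DNS.FuzzyMatching and CiscoUmbrella.DNS.Suspicious are added above it, whereas every other pack in this commit lists its helper globals under that comment. If either new rule imports a helper (for example panther_base_helpers), it needs to be listed here so the pack ships it; if neither does, remove the empty comment so the file does not look incomplete.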
4 changes: 4 additions & 0 deletions packs/crowdstrike.yml
Expand Up @@ -19,6 +19,10 @@ PackDefinition:
- Crowdstrike.Macos.Add.Trusted.Cert
- Crowdstrike.Macos.Plutil.Usage
- Crowdstrike.Macos.Osascript.Administrator
- Crowdstrike.DNS.Request
- OnePassword.Login.From.CrowdStrike.Unmanaged.Device
- Okta.Login.From.CrowdStrike.Unmanaged.Device
- AWS.Authentication.From.CrowdStrike.Unmanaged.Device
# Globals used in these detections
- panther_base_helpers
# Data models
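Review bot: the three new `*.From.CrowdStrike.Unmanaged.Device` IDs are, by their names, cross-source rules that correlate Okta, 1Password and AWS authentication events with CrowdStrike device data rather than CrowdStrike telemetry alone, and two of them (Okta.Login.From.CrowdStrike.Unmanaged.Device and OnePassword.Login.From.CrowdStrike.Unmanaged.Device) are also added to packs/okta.yml and packs/onepassword.yml in this commit. Decide on one home per rule, or document why each belongs in two packs; note also that AWS.Authentication.From.CrowdStrike.Unmanaged.Device is listed only here, so a deployment that does not enable the CrowdStrike pack will never receive it, which is inconsistent with how its two siblings are handled.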
2 changes: 2 additions & 0 deletions packs/dropbox.yml
Expand Up @@ -9,6 +9,8 @@ PackDefinition:
- Dropbox.Ownership.Transfer
- Dropbox.User.Disabled.2FA
- Dropbox.Admin.sign.in.as.Session
- Dropbox.Many.Deletes
- Dropbox.Many.Downloads
# Globals used in these detections
- panther_base_helpers
- panther_config
1 change: 1 addition & 0 deletions packs/github.yml
Expand Up @@ -23,6 +23,7 @@ PackDefinition:
- Github.Organization.App.Integration.Installed
- Github.Public.Repository.Created
- Github.Repository.Transfer
- GitHub.Action.Failed
# Data model
- Standard.Github.Audit
# Globals
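Review bot: GitHub.Action.Failed uses the `GitHub.` prefix while every other ID in this list uses `Github.` (Github.Repository.Transfer, Github.Public.Repository.Created, Standard.Github.Audit). A pack entry has to match the rule's RuleID exactly, so confirm the new rule really is named `GitHub.Action.Failed`; if it is, consider renaming it to match the pack's existing casing so the list stays greppable and consistent.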
8 changes: 8 additions & 0 deletions packs/gravitational_teleport.yml
Expand Up @@ -8,6 +8,14 @@ PackDefinition:
- Teleport.NetworkScanning
- Teleport.ScheduledJobs
- Teleport.SuspiciousCommands
- Teleport.SAMLLoginWithoutCompanyDomain
- Teleport.LocalUserLoginWithoutMFA
- Teleport.CompanyDomainLoginWithoutSAML
- Teleport.LongLivedCerts
- Teleport.LockCreated
- Teleport.RoleCreated
- Teleport.SAMLCreated
- Teleport.RootLogin
# Globals used in these detections
- panther_base_helpers
DisplayName: "Panther Teleport Pack"
1 change: 1 addition & 0 deletions packs/notion.yml
Expand Up @@ -15,6 +15,7 @@ PackDefinition:
- Notion.Workspace.Exported
- Notion.Workspace.SCIM.Token.Generated
- Notion.Workspace.Public.Page.Added
- Notion.LoginFromBlockedIP
# Globals used in these detections
- panther_base_helpers
- panther_oss_helpers
6 changes: 5 additions & 1 deletion packs/okta.yml
Expand Up @@ -6,7 +6,6 @@ PackDefinition:
- Okta.AdminRoleAssigned
- Okta.APIKeyCreated
- Okta.APIKeyRevoked
# - Okta.GeographicallyImprobableAccess DEPRECATED
- Okta.Support.Access
- Okta.Global.MFA.Disabled
- Okta.ThreatInsight.Security.Threat.Detected
Expand All @@ -25,6 +24,11 @@ PackDefinition:
- Okta.Org2org.Creation.Modification
- Okta.Password.Extraction.via.SCIM
- Okta.Phishing.Attempt.Blocked.FastPass
- Okta.User.MFA.Reset.Single
- Okta.PasswordAccess
- Okta.Login.From.CrowdStrike.Unmanaged.Device
- Okta.PotentiallyStolenSession
- Okta.Support.Reset
# Globals used in these detections
- panther_base_helpers
- panther_oss_helpers
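Review bot: Okta.Login.From.CrowdStrike.Unmanaged.Device is added here and to packs/crowdstrike.yml in the same commit, so it will be enabled twice when both packs are on; choose a single pack for it. Separately, Okta.Support.Reset is added while Okta.Support.Access already sits higher in the list; a one-line comment distinguishing the two would save the next reader from having to open both rules to tell them apart.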
3 changes: 3 additions & 0 deletions packs/onepassword.yml
Expand Up @@ -8,6 +8,9 @@ PackDefinition:
- Standard.OnePassword.SignInAttempt
# 1Password Specific Rules
- OnePassword.Unusual.Client
- OnePassword.Lut.Sensitive.Item
- OnePassword.Sensitive.Item
- OnePassword.Login.From.CrowdStrike.Unmanaged.Device
# Supporting Global Helpers
- panther_base_helpers
- panther_event_type_helpers
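Review bot: OnePassword.Lut.Sensitive.Item and OnePassword.Sensitive.Item are two near-identical IDs added side by side with nothing to say how they differ. If `Lut` marks a lookup-table-backed variant of the same detection, add a comment saying so and which one a deployment is expected to enable; if one supersedes the other, only the current one belongs in the pack. OnePassword.Login.From.CrowdStrike.Unmanaged.Device is also added to packs/crowdstrike.yml in this commit, so the same single-home question applies to it.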
1 change: 1 addition & 0 deletions packs/osquery.yml
Expand Up @@ -14,6 +14,7 @@ PackDefinition:
- Osquery.UnsupportedMacOS
- Osquery.SSHListener
- Osquery.SuspiciousCron
- Osquery.Linux.LoginFromNonOffice
# Globals used in these detections
- panther_base_helpers
DisplayName: "Panther OSQuery Pack"
4 changes: 4 additions & 0 deletions packs/panther.yml
Expand Up @@ -7,6 +7,10 @@ PackDefinition:
- Panther.SAML.Modified
- Panther.Sensitive.Role
- Panther.User.Modified
- IOC.SunburstFQDNIOCs
- IOC.SunburstSHA256IOCs
- Confluence.0DayIPs
- IOC.Log4jExploit
# Data Model
- Standard.Panther.Audit
# Helpers
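Review bot: the four new IDs (IOC.SunburstFQDNIOCs, IOC.SunburstSHA256IOCs, Confluence.0DayIPs, IOC.Log4jExploit) are indicator-match rules over third-party log data, while every existing ID in this pack (Panther.SAML.Modified, Panther.Sensitive.Role, Panther.User.Modified, Standard.Panther.Audit) covers Panther's own audit log. Bundling them here means anyone enabling the Panther audit pack silently picks up IOC rules they did not ask for, and Confluence.0DayIPs is already listed in packs/atlassian.yml in this same commit. A dedicated IOC pack, or at minimum a comment above these four entries explaining the placement, would be cleaner.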
1 change: 1 addition & 0 deletions packs/tines.yml
Expand Up @@ -12,6 +12,7 @@ PackDefinition:
- Tines.Story.Jobs.Clearance
- Tines.Team.Destruction
- Tines.Tenant.AuthToken
- Tines.Actions.DisabledChanges
# Globals
- global_filter_tines
- panther_base_helpers

0 comments on commit 5df05d1
