diff --git a/.bandit b/.bandit new file mode 100644 index 000000000..a1be52009 --- /dev/null +++ b/.bandit @@ -0,0 +1,2 @@ +[bandit] +skips = B101 diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml index 48041213c..88d152870 100644 --- a/.github/workflows/sync-from-upstream.yml +++ b/.github/workflows/sync-from-upstream.yml @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@v4 with: ref: 'sync_upstream_${{steps.set_upstream.outputs.latest-release}}' + token: ${{ secrets.GITHUB_TOKEN }} # Sync this branch with upstream - name: Sync upstream changes into PR branch id: sync diff --git a/.pylintrc b/.pylintrc new file mode 100644 index 000000000..a7425ed1c --- /dev/null +++ b/.pylintrc @@ -0,0 +1,15 @@ +[MAIN] +disable= + missing-docstring, + duplicate-code, + import-error, + fixme, + consider-iterating-dictionary, + global-variable-not-assigned, + broad-exception-raised + +load-plugins= + pylint.extensions.mccabe, + pylint_print + +max-line-length=100 diff --git a/.vscode/example_settings.json b/.vscode/example_settings.json index fb7c816b0..0b3f98e3c 100644 --- a/.vscode/example_settings.json +++ b/.vscode/example_settings.json @@ -1,8 +1,18 @@ { "python.defaultInterpreterPath": "XXX_pipenv_py_output_XXX", "yaml.schemas": { - "https://panther-community-us-east-1.s3.amazonaws.com/latest/logschema/schema.json": [ "schemas/*.yml", "schemas/*.yaml", "schemas/**/*yaml", "schemas/**/*.yaml"], - ".vscode/rule_jsonschema.json": [ "rules/*.yml", "rules/*.yaml", "rules/**/*.yaml", "rules/**/*.yml"] + "https://panther-community-us-east-1.s3.amazonaws.com/latest/logschema/schema.json": [ + "schemas/*.yml", + "schemas/*.yaml", + "schemas/**/*yaml", + "schemas/**/*.yaml" + ], + ".vscode/rule_jsonschema.json": [ + "rules/*.yml", + "rules/*.yaml", + "rules/**/*.yaml", + "rules/**/*.yml" + ] }, "python.analysis.extraPaths": [ "global_helpers" 
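Review bot: The new `.bandit` file carries `skips = B101` without the justification the Makefile line it replaces had (`# allow assert statements in tests`), so the next reader sees a blanket skip of the assert-used check with no rationale. The ini format accepts full-line `#` comments, so add one above the key: `# B101 (assert_used): asserts are the test idiom in this repo, not input validation`. Keep it on its own line rather than inline, since an inline `#` may be kept as part of the value by the ini parser.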
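Review bot: `token: ${{ secrets.GITHUB_TOKEN }}` is already what actions/checkout uses by default, so unless the job previously overrode it this line does not change behaviour; record the intent in a comment so nobody assumes a PAT was swapped out, e.g. `token: ${{ secrets.GITHUB_TOKEN }}  # default token, made explicit; checkout persists it for the push in the sync step`. Pushes and pull requests made with GITHUB_TOKEN do not trigger other workflows, so if the sync PR's CI is expected to run, a GitHub App token or PAT is needed instead. The job's `permissions:` block is outside the hunk; confirm it grants `contents: write` (and `pull-requests: write` if the PR is opened here) rather than relying on a workflow-wide write default.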
@@ -11,10 +21,21 @@ "**/__pycache": true, "**/*pyc": true }, - //"python.analysis.logLevel": "Trace", - //"files.autoSave": "afterDelay", - //"makefile.extensionOutputFolder": "./.vscode", "files.associations": { "panther_analysis_tool": "python" - } -} \ No newline at end of file + }, + "[python]": { + "editor.defaultFormatter": "ms-python.black-formatter", + "editor.formatOnSave": true, + "editor.codeActionsOnSave": { + "source.organizeImports": true + }, + }, + // Add pylint.lintOnChange to your User (not Workspace) settings + // Cmd+Shift+P -> Preferences: Open Settings (JSON) + "pylint.lintOnChange": true, + "bandit.args": [ + "-r", + "." + ] +} diff --git a/Makefile b/Makefile index 2edc7ff73..0c7068c3f 100644 --- a/Makefile +++ b/Makefile @@ -35,11 +35,8 @@ global-helpers-unit-test: lint: lint-pylint lint-fmt lint-pylint: - pipenv run bandit -r $(dirs) --skip B101 # allow assert statements in tests - pipenv run pylint $(dirs) \ - --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned,broad-exception-raised \ - --load-plugins=pylint.extensions.mccabe,pylint_print \ - --max-line-length=100 + pipenv run bandit -r $(dirs) + pipenv run pylint $(dirs) lint-fmt: @echo Checking python file formatting with the black code style checker diff --git a/README.md b/README.md index 8b96a6457..8d0bbd72b 100644 --- a/README.md +++ b/README.md 
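Review bot: Dropping `--skip B101` from the bandit line relies on the new root `.bandit` file being discovered, but bandit locates `.bandit` ini files by walking the scan targets; if `$(dirs)` (defined outside the hunk) lists subdirectories rather than the repository root, the root file is never read and every test `assert` now fails `make lint-pylint`. Passing the file explicitly removes the ambiguity: `pipenv run bandit -r $(dirs) --ini .bandit`. The pylint half is fine, since `.pylintrc` is resolved from the working directory.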
@@ -119,7 +119,10 @@ If you are comfortable using the Visual Studio Code IDE, the `make vscode-config In addition to this command, you will need to install these vscode add-ons: 1. [Python](https://marketplace.visualstudio.com/items?itemName=ms-python.python) -2. [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml) +2. [Black Formatter](https://marketplace.visualstudio.com/items?itemName=ms-python.black-formatter) +3. [Pylint](https://marketplace.visualstudio.com/items?itemName=ms-python.pylint) +4 [Bandit](https://marketplace.visualstudio.com/items?itemName=nwgh.bandit) +5. [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml) You will also need Visual Studio's [code](https://code.visualstudio.com/docs/setup/mac#_launching-from-the-command-line) configured to open Visual Studio from your CLI. @@ -130,6 +133,10 @@ You will also need Visual Studio's [code](https://code.visualstudio.com/docs/set 1. Creates two debugging targets, which will give you single-button push support for running `panther_analysis_tool test` through the debugger. 1. Installs JSONSchema support for your custom panther-analysis schemas in the `schemas/` directory. This brings IDE hints about which fields are necessary for schemas/custom-schema.yml files. 1. Installs JSONSchema support for panther-analysis rules in the `rules/` directory. This brings IDE hints about which fields are necessary for rules/my-rule.yml files. +1. Configures `Black` and `isort` settings for auto-formatting on save (thus reducing the need to run `make fmt` on all files) +1. Configures `pylint` settings for linting when changes are made + - Ensure that `"pylint.lintOnChange": true` is present in the User-level VSCode settings (`Cmd+Shift+P` -> `Preferences: Open Settings (JSON)`) +1. Configures `Bandit` settings for linting when files are opened ```shell user@computer:panther-analysis: make vscode-config 
diff --git a/data_models/github_data_model.py b/data_models/github_data_model.py index e381fe74c..b6f337089 100644 --- a/data_models/github_data_model.py +++ b/data_models/github_data_model.py @@ -1,14 +1,20 @@ import panther_event_type_helpers as event_type +ADMIN_EVENTS = { + "business.add_admin", + "business.invite_admin", + "team.promote_maintainer", +} -def get_admin_role(_): - # github doesn't record the admin role in the event - return "" + +def get_admin_role(event): + action = event.get("action", "") + return action if action in ADMIN_EVENTS else "" def get_event_type(event): - if event.get("action") == "team.promote_maintainer": + if event.get("action", "") in ADMIN_EVENTS: return event_type.ADMIN_ROLE_ASSIGNED - if event.get("action") == "org.disable_two_factor_requirement": + if event.get("action", "") == "org.disable_two_factor_requirement": return event_type.MFA_DISABLED return None diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py index 90a209e1f..10a978550 100644 --- a/global_helpers/panther_iocs.py +++ b/global_helpers/panther_iocs.py 
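Review bot: `get_admin_role` now returns the audit `action` string (e.g. `business.add_admin`) as the "role", so the shared admin-assigned rule will render an event name where other data models presumably return a role name; the old `# github doesn't record the admin role in the event` comment was the only place that was documented, so keep an equivalent on the new function: `# GitHub audit events carry no role field; the admin action name stands in for the role`. ADMIN_EVENTS covers enterprise admin add/invite and team maintainer promotion, but organisation-owner promotions are not among them — to my knowledge those appear as `org.update_member` with a permission field, which is not visible here, so verify against the GitHub.Audit schema before extending the set. The `""` default in `event.get("action", "")` is redundant with the `in`/`==` checks (a missing key already compares false) but harmless.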
@@ -90,77 +90,262 @@ "${::-j", # example: ${${::-j}${::-n}di:${::-l}d${::-a}p://example.com:1234/callback} } +# Sources: +# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/network/zeek/zeek_dns_mining_pools.yml +# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml +# - https://github.com/SigmaHQ/sigma/blob/392500131d75634d8db43b2a2de9ddeb8c9f59dc/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml CRYPTO_MINING_DOMAINS = { - "monerohash.com", - "do-dear.com", - "xmrminerpro.com", - "secumine.net", - "xmrpool.com", - "minexmr.org", - "hashanywhere.com", - "xmrget.com", - "mininglottery.eu", - "minergate.com", - "moriaxmr.com", - "multipooler.com", - "moneropools.com", - "xmrpool.eu", - "coolmining.club", - "minexmr.com", - "xmrpool.net", - "crypto-pool.fr", - "xmr.pt", - "miner.rocks", - "walpool.com", - "herominers.com", - "gntl.co.uk", - "semipool.com", - "coinfoundry.org", - "cryptoknight.cc", - "fairhash.org", - "baikalmine.com", - "tubepool.xyz", - "fairpool.xyz", + "1gh.com", + "abcxyz.stream", + "alimabi.cn", + "ap.luckpool.net", "asiapool.io", + "backup-pool.com", + "baikalmine.com", + "bcn.pool.minergate.com", + "bcn.vip.pool.minergate.com", + "bohemianpool.com", + "ca.minexmr.com", + "ca.monero.herominers.com", + "cbd.monerpool.org", + "cbdv2.monerpool.org", + "coinfoundry.org", "coinpoolit.webhop.me", - "nanopool.org", - "moneropool.com", - "miner.center", - "prohash.net", - "poolto.be", + "coolmining.club", + "cryptmonero.com", + "crypto-pool.fr", + "crypto-pool.info", + "crypto-pools.org", "cryptoescrow.eu", - "monerominers.net", + "cryptoknight.cc", + "cryptonight-hub.miningpoolhub.com", + "cryptonight.net", + "cryptonotepool.org.uk", "cryptonotepool.org", - "extrmepool.org", - "webcoin.me", - "kippo.eu", - "hashinvest.ws", - "monero.farm", - "supportxmr.com", - "linux-repository-updates.com", - "1gh.com", 
+ "d1pool.ddns.net", + "d5pool.us", + "daili01.monerpool.org", + "de.minexmr.com", + "dl.nbminer.com", + "do-dear.com", + "donate.graef.in", + "donate.ssl.xmrig.com", + "donate.v2.xmrig.com", + "donate.xmrig.com", + "donate2.graef.in", + "drill.moneroworld.com", "dwarfpool.com", + "emercoin.com", + "emercoin.net", + "emergate.net", + "ethereumpool.co", + "eu.luckpool.net", + "eu.minerpool.pw", + "extremehash.com", + "extremepool.org", + "extrmepool.org", + "fairhash.org", + "fairpool.cloud", + "fairpool.xyz", + "fcn-xmr.pool.minergate.com", + "fee.xmrig.com", + "fr.minexmr.com", + "freeyy.me", + "gntl.co.uk", "hash-to-coins.com", - "hashvault.pro", - "pool-proxy.com", + "hashanywhere.com", "hashfor.cash", - "fairpool.cloud", + "hashinvest.net", + "hashinvest.ws", + "hashvault.pro", + "hellominer.com", + "herominers.com", + "huadong1-aeon.ppxxmr.com", + "iwanttoearn.money", + "jw-js1.ppxxmr.com", + "kippo.eu", + "koto-pool.work", + "lhr.nbminer.com", + "lhr3.nbminer.com", + "linux-repository-updates.com", + "linux.monerpool.org", "litecoinpool.org", + "lokiturtle.herominers.com", + "luckpool.net", + "masari.miner.rocks", + "mine.c3pool.com", + "mine.moneropool.com", + "mine.ppxxmr.com", + "mine.zpool.ca", + "mine1.ppxxmr.com", + "minemonero.gq", + "miner.center", + "miner.ppxxmr.com", + "miner.rocks", + "minercircle.com", + "minergate.com", + "minerpool.pw", + "minerrocks.com", + "miners.pro", + "minerxmr.ru", "mineshaft.ml", - "abcxyz.stream", - "moneropool.ru", - "cryptonotepool.org.uk", - "extremepool.org", - "extremehash.com", - "hashinvest.net", - "unipool.pro", - "crypto-pools.org", + "minexmr.cn", + "minexmr.com", + "minexmr.org", + "mining-help.ru", + "mininglottery.eu", + "miningpoolhub.com", + "mixpools.org", + "moner.monerpool.org", + "moner1min.monerpool.org", + "monero-master.crypto-pool.fr", + "monero.crypto-pool.fr", + "monero.farm", + "monero.hashvault.pro", + "monero.herominers.com", + "monero.lindon-pool.win", + "monero.miners.pro", "monero.net", - 
"backup-pool.com", + "monero.riefly.id", + "monero.us.to", + "monerocean.stream", + "monerogb.com", + "monerohash.com", + "monerominers.net", + "moneroocean.stream", + "moneropool.com", + "moneropool.nl", + "moneropool.ru", + "moneropools.com", + "monerorx.com", + "monerpool.org", "mooo.com", - "freeyy.me", - "cryptonight.net", + "moriaxmr.com", + "mro.pool.minergate.com", + "multipool.us", + "multipooler.com", + "myxmr.pw", + "na.luckpool.net", + "nanopool.org", + "nbminer.com", + "node3.luckpool.net", + "noobxmr.com", + "pangolinminer.comgandalph3000.com", + "pool-proxy.com", + "pool.4i7i.com", + "pool.armornetwork.org", + "pool.cortins.tk", + "pool.gntl.co.uk", + "pool.hashvault.pro", + "pool.minergate.com", + "pool.minexmr.com", + "pool.monero.hashvault.pro", + "pool.ppxxmr.com", + "pool.somec.cc", + "pool.support", + "pool.supportxmr.com", + "pool.usa-138.com", + "pool.xmr.pt", + "pool.xmrfast.com", + "pool2.armornetwork.org", + "poolchange.ppxxmr.com", + "pooldd.com", + "poolmining.org", + "poolto.be", + "ppxvip1.ppxxmr.com", + "ppxxmr.com", + "prohash.net", + "r.twotouchauthentication.online", + "randomx.xmrig.com", + "ratchetmining.com", + "secumine.net", + "seed.emercoin.com", + "seed.emercoin.net", + "seed.emergate.net", + "seed1.joulecoin.org", + "seed2.joulecoin.org", + "seed3.joulecoin.org", + "seed4.joulecoin.org", + "seed5.joulecoin.org", + "seed6.joulecoin.org", + "seed7.joulecoin.org", + "seed8.joulecoin.org", + "semipool.com", + "sg.minexmr.com", + "sheepman.mine.bz", "shscrypto.net", + "siamining.com", + "sumokoin.minerrocks.com", + "supportxmr.com", + "suprnova.cc", + "teracycle.net", + "trtl.cnpool.cc", + "trtl.pool.mine2gether.com", + "tubepool.xyz", + "turtle.miner.rocks", + "unipool.pro", + "us-west.minexmr.com", + "usxmrpool.com", + "viaxmr.com", + "walpool.com", + "webcoin.me", + "webservicepag.webhop.net", + "xiazai.monerpool.org", + "xiazai1.monerpool.org", + "xmc.pool.minergate.com", + "xmo.pool.minergate.com", + 
"xmr-asia1.nanopool.org", + "xmr-au1.nanopool.org", + "xmr-eu1.nanopool.org", + "xmr-eu2.nanopool.org", + "xmr-jp1.nanopool.org", + "xmr-us-east1.nanopool.org", + "xmr-us-west1.nanopool.org", + "xmr-us.suprnova.cc", + "xmr-usa.dwarfpool.com", + "xmr.2miners.com", + "xmr.5b6b7b.ru", + "xmr.alimabi.cn", + "xmr.bohemianpool.com", + "xmr.crypto-pool.fr", + "xmr.crypto-pool.info", + "xmr.f2pool.com", + "xmr.hashcity.org", + "xmr.hex7e4.ru", + "xmr.ip28.net", + "xmr.monerpool.org", + "xmr.mypool.online", + "xmr.nanopool.org", + "xmr.pool.gntl.co.uk", + "xmr.pool.minergate.com", + "xmr.poolto.be", + "xmr.ppxxmr.com", + "xmr.prohash.net", + "xmr.pt", + "xmr.simka.pw", + "xmr.somec.cc", + "xmr.suprnova.cc", + "xmr.usa-138.com", + "xmr.vip.pool.minergate.com", + "xmr1min.monerpool.org", + "xmrf.520fjh.org", + "xmrf.fjhan.club", + "xmrfast.com", + "xmrget.com", + "xmrigcc.graef.in", + "xmrminer.cc", + "xmrminerpro.com", + "xmrpool.com", + "xmrpool.de", + "xmrpool.eu", + "xmrpool.me", + "xmrpool.net", + "xmrpool.xyz", + "xx11m.monerpool.org", + "xx11mv2.monerpool.org", + "xxx.hex7e4.ru", + "zarabotaibitok.ru", + "zer0day.ru", } diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml index 3807f3781..488b7f00d 100644 --- a/packs/gcp_audit.yml +++ b/packs/gcp_audit.yml 
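Review bot: `pangolinminer.comgandalph3000.com` looks like two entries fused together (`pangolinminer.com` and `gandalph3000.com`); as written it can never match a real query name, so split it and check the cited Sigma rules for which of the two were intended. Several new entries are specific hosts under parents already present as bare domains (e.g. `xmr.nanopool.org` under `nanopool.org`, `pool.hashvault.pro` under `hashvault.pro`), which is harmless if consumers do suffix matching but means the set is not deduplicated. The set also keeps bare dynamic-DNS parents such as `mooo.com` (pre-existing), which under suffix matching flag every host of that provider; a one-line comment stating the matching semantics consumers rely on, e.g. `# consumers match exact names and parent suffixes; keep entries to registrable domains or specific pool hosts`, would help whoever extends this next.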
@@ -8,16 +8,26 @@ PackDefinition: - GCP.BigQuery.Large.Scan - GCP.Cloud.Storage.Buckets.Modified.Or.Deleted - GCP.Destructive.Queries + - GCP.DNS.Zone.Modified.or.Deleted + - GCP.Firewall.Rule.Created + - GCP.Firewall.Rule.Deleted + - GCP.Firewall.Rule.Modified - GCP.GCS.IAMChanges - GCP.GCS.Public + - GCP.IAM.AdminRoleAssigned - GCP.IAM.CorporateEmail - GCP.IAM.CustomRoleChanges - GCP.IAM.OrgFolderIAMChanges - GCP.Inbound.SSO.Profile.Created + - GCP.K8s.ExecIntoPod + - GCP.Log.Bucket.Or.Sink.Deleted - GCP.Logging.Settings.Modified + - GCP.Logging.Sink.Modified - GCP.Permissions.Granted.to.Create.or.Manage.Service.Account.Key + - GCP.Service.Account.Access.Denied - GCP.Service.Account.or.Keys.Created - GCP.SQL.ConfigChanges + - GCP.UnusedRegions - GCP.User.Added.to.IAP.Protected.Service - GCP.VPC.Flow.Logs.Disabled - GCP.Workforce.Pool.Created.or.Updated diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 000000000..e4cea09ff --- /dev/null +++ b/pyproject.toml @@ -0,0 +1,8 @@ +[tool.black] +line-length = 100 +target-version = ['py39'] +include = '\.pyi?$' + +[tool.isort] +line_length = 100 +profile = "black" diff --git a/queries/kubernetes_queries/kubernetes_admission_controller_created.yml b/queries/kubernetes_queries/kubernetes_admission_controller_created.yml index 7e4946fd1..398f1a668 100644 --- a/queries/kubernetes_queries/kubernetes_admission_controller_created.yml +++ b/queries/kubernetes_queries/kubernetes_admission_controller_created.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.NewAdmissionControllerCreated" DisplayName: "New Admission Controller Created" Description: > diff --git a/queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml b/queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml index 95b279ade..28a2f117b 100644 
--- a/queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml +++ b/queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: New Admission Controller Created -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified.yml b/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified.yml index ba75e0c13..3f0015747 100644 --- a/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified.yml +++ b/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.CronJobCreatedOrModified" DisplayName: "Kubernetes Cron Job Created or Modified" Description: > diff --git a/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml b/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml index d0a23dd3c..6d3c9b36c 100644 --- a/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml +++ b/queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Kubernetes Cron Job Created or Modified -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_ioc_activity.yml b/queries/kubernetes_queries/kubernetes_ioc_activity.yml index d5471218a..c3d37fc26 100644 --- a/queries/kubernetes_queries/kubernetes_ioc_activity.yml +++ b/queries/kubernetes_queries/kubernetes_ioc_activity.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.IOCActivity" DisplayName: "IOC Activity in K8 Control Plane" Description: 
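Review bot: Flipping `Enabled: true` to `false` turns this scheduled query — and, across the rest of the diff, every Kubernetes scheduled query — off by default, so a deployment that updates from this repository silently loses those detections and nothing in the hunk records why. If the intent is that these are opt-in until Kubernetes audit logs are onboarded, say so where an operator will read it, e.g. append to Description: `Disabled by default; enable once Kubernetes audit logs are onboarded.` The paired scheduled_rule file keeps its own Enabled value outside this hunk, so confirm it is not left enabled against a query that never runs.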
> diff --git a/queries/kubernetes_queries/kubernetes_new_daemonset_deployed.yml b/queries/kubernetes_queries/kubernetes_new_daemonset_deployed.yml index 057390c17..8f8d0c4da 100644 --- a/queries/kubernetes_queries/kubernetes_new_daemonset_deployed.yml +++ b/queries/kubernetes_queries/kubernetes_new_daemonset_deployed.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.DaemonSetDeployed" DisplayName: "New DaemonSet Deployed to Kubernetes" Description: > diff --git a/queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml b/queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml index fe409ff9e..ccf6f22c0 100644 --- a/queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml +++ b/queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: New DaemonSet Deployed to Kubernetes -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities.yml b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities.yml index d53de0865..f0e981f18 100644 --- a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities.yml +++ b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.OverlyPermissivePod" DisplayName: "Pod Created with Overly Permissive Linux Capabilities" Description: > diff --git a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml index 6a1e4f30e..8e6d296bc 100644 --- a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml 
+++ b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Pod Created with Overly Permissive Linux Capabilities -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network.yml b/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network.yml index 9ed2f32ce..78d57ac00 100644 --- a/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network.yml +++ b/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PodAttachedHostNetwork" DisplayName: "Pod attached to the Node Host Network" Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml b/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml index e03372f2d..798555526 100644 --- a/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml +++ b/queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Pod attached to the Node Host Network -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount.yml b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount.yml index fbc2df798..0f9d7b69f 100644 --- a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount.yml +++ b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount.yml 
@@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PodHostPathVolumeMount" DisplayName: "Pod creation or modification to a Host Path Volume Mount" Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml index 92f6ad239..675b5530a 100644 --- a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml +++ b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Pod creation or modification to a Host Path Volume Mount -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_in_default_name_space.yml b/queries/kubernetes_queries/kubernetes_pod_in_default_name_space.yml index 3bd808baa..3e7fc8d71 100644 --- a/queries/kubernetes_queries/kubernetes_pod_in_default_name_space.yml +++ b/queries/kubernetes_queries/kubernetes_pod_in_default_name_space.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PodCreatedDefaultNameSpace" DisplayName: "Kubernetes Pod Created in Pre-Configured or Default Name Spaces" Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml b/queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml index 634bbe594..4a3014e5c 100644 --- a/queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml +++ b/queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Kubernetes Pod Created in Pre-Configured or Default Name Spaces -Enabled: true +Enabled: false Tags: - Optional Description: 
> diff --git a/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace.yml b/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace.yml index 52836f40b..b6a9bf5d5 100644 --- a/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace.yml +++ b/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PodUsingIPCNamespace" DisplayName: "Pod Created or Modified Using the Host IPC Namespace" Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml b/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml index 2802c03ba..eba4ad142 100644 --- a/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml +++ b/queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Pod Created or Modified Using the Host IPC Namespace -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace.yml b/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace.yml index 429c38309..7e2a948a8 100644 --- a/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace.yml +++ b/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PodUsingHostPIDNamespace" DisplayName: "Pod Created or Modified Using the Host PID Namespace" Description: > diff --git a/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml b/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml index a975729f2..1622bf82d 100644 
--- a/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml +++ b/queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Pod Created or Modified Using the Host PID Namespace -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_privileged_pod_created.yml b/queries/kubernetes_queries/kubernetes_privileged_pod_created.yml index ac64239ed..de1943a6f 100644 --- a/queries/kubernetes_queries/kubernetes_privileged_pod_created.yml +++ b/queries/kubernetes_queries/kubernetes_privileged_pod_created.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.PrivilegedPodCreated" DisplayName: "Privileged Pod Created" Description: > diff --git a/queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml b/queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml index bc6329689..e8810ecdc 100644 --- a/queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml +++ b/queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Privileged Pod Created -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_secret_enumeration.yml b/queries/kubernetes_queries/kubernetes_secret_enumeration.yml index 1e8ca913f..3a06bbd83 100644 --- a/queries/kubernetes_queries/kubernetes_secret_enumeration.yml +++ b/queries/kubernetes_queries/kubernetes_secret_enumeration.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.SecretEnumeration" DisplayName: "Secret Enumeration by a User" Description: 
> diff --git a/queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml b/queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml index 2f83a1da0..f1adc0920 100644 --- a/queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml +++ b/queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Secret Enumeration by a User -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed.yml b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed.yml index 86b7a301f..72074b1dc 100644 --- a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed.yml +++ b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.ServiceTypeNodePortDeployed" DisplayName: "Kubernetes Service with Type Node Port Deployed" Description: > diff --git a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml index 709bfe141..405eda796 100644 --- a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml +++ b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Kubernetes Service with Type Node Port Deployed -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_unauthenticated_api_request.yml b/queries/kubernetes_queries/kubernetes_unauthenticated_api_request.yml index 75cb8ac5b..deaed9089 100644 --- a/queries/kubernetes_queries/kubernetes_unauthenticated_api_request.yml +++ b/queries/kubernetes_queries/kubernetes_unauthenticated_api_request.yml 
@@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.UnauthenticatedAPIRequest" DisplayName: "Unauthenticated Kubernetes API Request" Description: > diff --git a/queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml b/queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml index 13221c0da..cc4b32903 100644 --- a/queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml +++ b/queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Unauthenticated Kubernetes API Request -Enabled: true +Enabled: false Tags: - Optional Description: > diff --git a/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution.yml b/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution.yml index c3ab45871..f35ebd779 100644 --- a/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution.yml +++ b/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution.yml @@ -1,5 +1,5 @@ AnalysisType: scheduled_rule -Filename: scheduled_rule_default.py +Filename: scheduled_rule_default_k8s.py RuleID: "Kubernetes.UnauthorizedPodExecution" DisplayName: "Unauthorized Kubernetes Pod Execution" Description: > diff --git a/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml b/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml index ba89119cb..fa18beab8 100644 --- a/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml +++ b/queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml @@ -1,6 +1,6 @@ AnalysisType: scheduled_query QueryName: Unauthorized Kubernetes Pod Execution -Enabled: true +Enabled: false Tags: - Optional Description: 
> diff --git a/queries/kubernetes_queries/scheduled_rule_default.py b/queries/kubernetes_queries/scheduled_rule_default_k8s.py similarity index 100% rename from queries/kubernetes_queries/scheduled_rule_default.py rename to queries/kubernetes_queries/scheduled_rule_default_k8s.py diff --git a/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml b/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml index 5217f0c5a..1d9c9ce51 100644 --- a/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml +++ b/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml @@ -134,6 +134,48 @@ Tests: version: "1.100000" vpc_id: vpc-abc123 Name: Crypto Query Subdomain Trailing Period + - ExpectedResult: true + Log: + account_id: "0123456789" + answers: + - Class: IN + Rdata: 1.2.3.4 + Type: A + query_class: IN + query_name: webservicepag.webhop.net + query_timestamp: "2022-06-25 00:27:53" + query_type: A + rcode: NOERROR + region: us-west-2 + srcaddr: 5.6.7.8 + srcids: + instance: i-0abc234 + srcport: "8888" + transport: UDP + version: "1.100000" + vpc_id: vpc-abc123 + Name: Checking Against Subdomain IOC + - ExpectedResult: true + Log: + account_id: "0123456789" + answers: + - Class: IN + Rdata: 1.2.3.4 + Type: A + query_class: IN + query_name: webservicepag.webhop.net. + query_timestamp: "2022-06-25 00:27:53" + query_type: A + rcode: NOERROR + region: us-west-2 + srcaddr: 5.6.7.8 + srcids: + instance: i-0abc234 + srcport: "8888" + transport: UDP + version: "1.100000" + vpc_id: vpc-abc123 + Name: Checking Against Subdomain IOC Trailing Period DedupPeriodMinutes: 60 LogTypes: - AWS.VPCDns diff --git a/rules/gravitational_teleport_rules/teleport_long_lived_certs.py b/rules/gravitational_teleport_rules/teleport_long_lived_certs.py index 7056c4482..2c26b0678 100644 --- a/rules/gravitational_teleport_rules/teleport_long_lived_certs.py +++ b/rules/gravitational_teleport_rules/teleport_long_lived_certs.py 
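Review bot: The two new tests pin that a query for `webservicepag.webhop.net` (a full entry in CRYPTO_MINING_DOMAINS) matches with and without the trailing dot, but there is no negative case showing that an unrelated host under the same parent is not flagged; since the IOC set also holds bare dynamic-DNS parents, a sibling test with `query_name: other.webhop.net` and `ExpectedResult: false` would pin the matching semantics the rule relies on. The rule body that performs the comparison is not in this diff, so I cannot tell whether it matches exact names or suffixes — which is exactly why the negative test is worth having.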
@@ -1,4 +1,4 @@ -from datetime import timedelta, datetime +from datetime import datetime, timedelta from typing import Dict, Tuple from panther_base_helpers import ( diff --git a/rules/standard_rules/admin_assigned.yml b/rules/standard_rules/admin_assigned.yml index c68aea2e4..a1f954efa 100644 --- a/rules/standard_rules/admin_assigned.yml +++ b/rules/standard_rules/admin_assigned.yml @@ -166,6 +166,33 @@ Tests: "p_log_type": "GitHub.Audit", "user": "bob" } + - Name: Github - Admin Added + ExpectedResult: true + Log: + { + "actor": "cat", + "action": "business.add_admin", + "p_log_type": "GitHub.Audit", + "user": "bob" + } + - Name: Github - Admin Invited + ExpectedResult: true + Log: + { + "actor": "cat", + "action": "business.invite_admin", + "p_log_type": "GitHub.Audit", + "user": "bob" + } + - Name: Github - Unknown Admin Role + ExpectedResult: false + Log: + { + "actor": "cat", + "action": "unknown.admin_role", + "p_log_type": "GitHub.Audit", + "user": "bob" + } - Name: Zendesk - Admin Role Downgraded ExpectedResult: false