Merge branch 'main' into jof/public/dmz-multiple-tags

rules/duo_rules/duo_admin_bypass_code_created.yml

@@ -4,6 +4,7 @@ DisplayName: "Duo Admin Bypass Code Created"
 Enabled: true
 Filename: duo_admin_bypass_code_created.py
 Runbook: Confirm this was authorized and necessary behavior.
+Reference: https://duo.com/docs/administration-users#generating-a-bypass-code
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_create_admin.yml

@@ -3,6 +3,7 @@ Description: 'A new Duo Administrator was created. '
 DisplayName: "Duo Admin Create Admin"
 Enabled: true
 Filename: duo_admin_create_admin.py
+Reference: https://duo.com/docs/administration-admins#add-an-administrator
 Severity: High
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_mfa_restrictions_updated.yml

@@ -3,6 +3,7 @@ Description: Detects changes to allowed MFA factors administrators can use to lo
 DisplayName: "Duo Admin MFA Restrictions Updated"
 Enabled: true
 Filename: duo_admin_mfa_restrictions_updated.py
+Reference: https://duo.com/docs/essentials-overview
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_new_admin_api_app_integration.yml

@@ -3,6 +3,7 @@ Description: Identifies creation of new Admin API integrations for Duo.
 DisplayName: "Duo Admin New Admin API App Integration"
 Enabled: true
 Filename: duo_admin_new_admin_api_app_integration.py
+Reference: https://duo.com/docs/adminapi#overview
 Severity: High
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_policy_updated.yml

@@ -3,6 +3,7 @@ Description: A Duo Administrator updated a Policy, which governs how users authe
 DisplayName: "Duo Admin Policy Updated"
 Enabled: true
 Filename: duo_admin_policy_updated.py
+Reference: https://duo.com/docs/policy#authenticators-policy-settings
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml

@@ -3,6 +3,7 @@ Description: Detects when SAML Authentication for Administrators is marked as Di
 DisplayName: "Duo Admin SSO SAML Requirement Disabled"
 Enabled: true
 Filename: duo_admin_sso_saml_requirement_disabled.py
+Reference: https://duo.com/docs/sso#saml:~:text=Modify%20Authentication%20Sources
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml

@@ -3,6 +3,7 @@ Description: An Administrator enabled a user to authenticate without MFA.
 DisplayName: "Duo Admin User MFA Bypass Enabled"
 Enabled: true
 Filename: duo_admin_user_mfa_bypass_enabled.py
+Reference: https://duo.com/docs/policy#authentication-policy
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml

@@ -3,6 +3,7 @@ Description: An access attempt violating VPC service controls (such as Perimeter
 DisplayName: "GCP Access Attempts Violating VPC Service Controls"
 Enabled: true
 Filename: gcp_access_attempts_violating_vpc_service_controls.py
+Reference: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_bigquery_large_scan.yml

@@ -3,6 +3,7 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB).
 DisplayName: "GCP BigQuery Large Scan"
 Enabled: true
 Filename: gcp_bigquery_large_scan.py
+Reference: https://cloud.google.com/bigquery/docs/running-queries
 Severity: Info
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml

@@ -3,6 +3,7 @@ Description: Detects GCP cloud storage bucket updates and deletes.
 DisplayName: "GCP Cloud Storage Buckets Modified Or Deleted"
 Enabled: true
 Filename: gcp_cloud_storage_buckets_modified_or_deleted.py
+Reference: https://cloud.google.com/storage/docs/buckets
 Severity: Low
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_destructive_queries.yml

@@ -1,8 +1,9 @@
 AnalysisType: rule
 Description: Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate.
-DisplayName: "'GCP Destructive Queries '"
+DisplayName: "GCP Destructive Queries"
 Enabled: true
 Filename: gcp_destructive_queries.py
+Reference: https://cloud.google.com/bigquery/docs/managing-tables
 Severity: Info
 Tests:
     - ExpectedResult: true

rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml

@@ -4,6 +4,7 @@ DisplayName: "GCP DNS Zone Modified or Deleted"
 Enabled: true
 Filename: gcp_dns_zone_modified_or_deleted.py
 Runbook: Verify that this modification or deletion was expected. These operations are high-impact events and can result in downtimes or total outages.
+Reference: https://cloud.google.com/dns/docs/zones
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/gcp_audit_rules/gcp_gcs_iam_changes.yml

@@ -19,6 +19,7 @@ Severity: Low
 Description: >
   Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/iam-permissions
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_gcs_public.yml

@@ -16,6 +16,7 @@ Reports:
 Severity: High
 Description: Adversaries may access data objects from improperly secured cloud storage.
 Runbook: Validate the GCS bucket change was safe.
+Reference: https://cloud.google.com/storage/docs/access-control/making-data-public
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml

@@ -13,8 +13,9 @@ Reports:
   MITRE ATT&CK:
     - TA0004:T1078
 Severity: Medium
-Description: Attaching an audit role manually could be a sign of privilege escalation
+Description: Attaching an admin role manually could be a sign of privilege escalation
 Runbook: Verify with the user who attached the role or add to a allowlist
+Reference: https://cloud.google.com/looker/docs/admin-panel-users-roles
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_iam_corp_email.yml

@@ -18,6 +18,7 @@ Reports:
 Severity: Low
 Description: A Gmail account is being used instead of a corporate email
 Runbook: Remove the user
+Reference: https://cloud.google.com/iam/docs/service-account-overview
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml

@@ -18,6 +18,7 @@ Reports:
 Severity: Info
 Description: A custom role has been created, deleted, or updated.
 Runbook: No action needed, informational
+Reference: https://cloud.google.com/iam/docs/creating-custom-roles
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml

@@ -24,6 +24,7 @@ Runbook: >
   Direct them to make the change in Terraform to avoid automated rollback.
   Grep for google_org and google_folder in terraform repos for places to 
   put your new policy bindings. 
+Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_logging_settings_modified.yml

@@ -3,6 +3,7 @@ Description: Detects any changes made to logging settings
 DisplayName: "GCP Logging Settings Modified"
 Enabled: true
 Filename: gcp_logging_settings_modified.py
+Reference: https://cloud.google.com/logging/docs/default-settings
 Severity: Low
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml

@@ -3,6 +3,7 @@ Description: Permissions granted to impersonate a service account. This includes
 DisplayName: GCP Permissions Granted to Create or Manage Service Account Key
 Enabled: true
 Filename: gcp_permissions_granted_to_create_or_manage_service_account_key.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml

@@ -3,6 +3,7 @@ Description: Detects when a service account or key is created manually by a user
 DisplayName: "GCP Service Account or Keys Created "
 Enabled: true
 Filename: gcp_service_account_or_keys_created.py
+Reference: https://cloud.google.com/iam/docs/keys-create-delete
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/gcp_audit_rules/gcp_sql_config_changes.yml

@@ -14,8 +14,9 @@ Reports:
     - 2.11
 Severity: Low
 Description: >
-  Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server.
+  Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.
 Runbook: Validate the Sql Instance configuration change was safe
+Reference: https://cloud.google.com/sql/docs/mysql/instance-settings
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_unused_regions.yml

@@ -18,6 +18,7 @@ Severity: Medium
 Description: >
   Adversaries may create cloud instances in unused geographic service regions in order to evade detection.
 Runbook: Validate the user making the request and the resource created.
+Reference: https://cloud.google.com/docs/geography-and-regions
 SummaryAttributes:
   - severity
   - p_any_ip_addresses

rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml

@@ -4,6 +4,7 @@ DisplayName: "GCP User Added to IAP Protected Service"
 Enabled: true
 Filename: gcp_user_added_to_iap_protected_service.py
 Runbook: 'Note: GCP logs all bindings everytime this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added. '
+Reference: https://cloud.google.com/iap/docs/managing-access
 Severity: Low
 Tests:
     - ExpectedResult: false

rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml

@@ -3,6 +3,7 @@ Description: VPC flow logs were disabled for a subnet.
 DisplayName: "GCP VPC Flow Logs Disabled"
 Enabled: true
 Filename: gcp_vpc_flow_logs_disabled.py
+Reference: https://cloud.google.com/vpc/docs/using-flow-logs
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml

@@ -3,6 +3,7 @@ Description: GCP Access Attempts Violating IAP Access Controls
 DisplayName: "GCP Access Attempts Violating IAP Access Controls"
 Enabled: true
 Filename: gcp_access_attempts_violating_iap_access_controls.py
+Reference: https://cloud.google.com/iap/docs/concepts-overview
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml

@@ -14,6 +14,7 @@ Description: >
   Alerts when users exec into pod. Possible to specify specific projects and allowed users.
 Runbook: >
   Investigate the user and determine why. Advise that it is discouraged practice. Create ticket if appropriate. 
+Reference: https://cloud.google.com/migrate/containers/docs/troubleshooting/executing-shell-commands
 Tests:
   -
     Name: Allowed User

rules/github_rules/github_action_failed.yml

@@ -13,6 +13,7 @@ Description: A monitored github action has failed.
 Runbook: >
   Inspect the action failure link and take appropriate response.
   There are no general plans of response for this activity.
+Reference: https://docs.github.com/en/actions/creating-actions/setting-exit-codes-for-actions#about-exit-codes
 Tests:
   -
     Name: GitHub - Branch Protection Disabled

rules/github_rules/github_advanced_security_change.yml

@@ -13,6 +13,7 @@ Reports:
 Severity: Low
 Description: The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled.
 Runbook: Confirm with GitHub administrators and re-enable the tools as applicable. 
+Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts
 Tests:
   -
     Name: Secret Scanning Disabled on a Repo

rules/github_rules/github_branch_policy_override.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: High
 Description: Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
 Runbook: Verify that the GitHub admin performed this activity and validate its use.
+Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
 Tests:
   -
     Name: GitHub - Branch Protection Policy Override

rules/github_rules/github_branch_protection_disabled.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: High
 Description: Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
 Runbook: Verify that branch protection should be disabled on the repository and re-enable as necessary.
+Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
 Tests:
   -
     Name: GitHub - Branch Protection Disabled

rules/github_rules/github_org_auth_modified.yml

@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to GitHub org authentication changes.
 Runbook: Verify that the GitHub admin performed this activity and validate its use.
+Reference: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github
 Tests:
   -
     Name: GitHub - Authentication Method Changed

rules/github_rules/github_org_ip_allowlist.yml

@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to a GitHub Org IP Allow List
 Runbook: Verify that the change was authorized and appropriate.
+Reference: https://docs.github.com/en/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app
 Tests:
   -
     Name: GitHub - IP Allow list modified

rules/github_rules/github_org_moderators_add.yml

@@ -10,6 +10,7 @@ Tags:
   - Initial Access:Supply Chain Compromise
 Severity: Medium
 Description: Detects when a user is added to a GitHub org's list of moderators.
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-moderators-in-your-organization
 Tests:
   -
     Name: GitHub - Org Moderator Added

rules/github_rules/github_org_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/managing-membership-in-your-organization
 Severity: Info
 Description: Detects when a user is added or removed from a GitHub Org.
 Tests:

rules/github_rules/github_public_repository_created.yml

@@ -4,6 +4,7 @@ DisplayName: "Github Public Repository Created"
 Enabled: true
 Filename: github_public_repository_created.py
 Runbook: Confirm this github repository was intended to be created as 'public' versus 'private'.
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Medium
 Tags:
     - Github Repository

rules/github_rules/github_repo_collaborator_change.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: Medium
 Description: Detects when a repository collaborator is added or removed.
 Runbook: Determine if the new collaborator is authorized to access the repository. 
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Tests:
   -
     Name: GitHub - Collaborator Added

rules/github_rules/github_repo_created.yml

@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Info
 Description: Detects when a repository is created.
 Tests:

rules/github_rules/github_repo_hook_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1020
+Reference: https://docs.github.com/en/webhooks/about-webhooks
 Severity: Info
 Description: Detects when a web hook is added, modified, or deleted in an org repository. 
 Tests:

rules/github_rules/github_repo_initial_access.yml

@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Severity: Info
 Description: Detects when a user initially accesses a private organization repository.
 Tests:

rules/github_rules/github_repo_visibility_change.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1567
+Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility
 Severity: High
 Description: Detects when an organization repository visibility changes.
 Tests:

rules/github_rules/github_secret_scanning_alert_created.yml

@@ -13,6 +13,7 @@ Reports:
 Severity: Medium
 Description: GitHub detected a secret and created a secret scanning alert.
 Runbook: Review the secret to determine if it needs to be revoked or the alert suppressed. 
+Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Tests:
   -
     Name: secret_scanning_alert.create-true

rules/github_rules/github_team_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/organizing-members-into-teams
 Severity: Info
 Description: Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.
 Tests:

rules/github_rules/github_user_access_key_created.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1078
+Reference: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
 Severity: Info
 Description: Detects when a GitHub user access key is created.
 Tests:

rules/github_rules/github_user_role_updated.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1098
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization
 Severity: High
 Description: Detects when a GitHub user role is upgraded to an admin or downgraded to a member
 Tests:

rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml

@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Admin Custom Role"
 Enabled: true
 Filename: google_workspace_admin_custom_role.py
 Runbook: Please review this activity with the administrator and ensure this behavior was authorized.
+Reference: https://support.google.com/a/answer/2406043?hl=en#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin
 Severity: Medium
 Tags:
     - admin

rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml

@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Advanced Protection Program"
 Enabled: true
 Filename: google_workspace_advanced_protection_program.py
 Runbook: Confirm the changes made were authorized for your organization.
+Reference: https://support.google.com/a/answer/9378686?hl=en
 Severity: Medium
 Tests:
     - ExpectedResult: false

rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml

@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace Allowlist"
 Enabled: true
 Filename: google_workspace_apps_marketplace_allowlist.py
 Runbook: Confirm with the acting user that this change was authorized.
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
     - ExpectedResult: false