Merge branch 'release' into THREAT-370/remove-deprecate-rules

correlation_rules/aws_user_takeover_via_password_reset.yml

@@ -17,7 +17,7 @@ Detection:
           From: Password Reset
           To: Login
           Match:
-            - On: sourceIPAddress
+            - On: p_alert_context.ip_and_username
       Schedule:
         RateMinutes: 60
         TimeoutMinutes: 10
@@ -28,34 +28,53 @@ Tests:
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [5]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:02:01Z"
+    - Name: Password Reset, Then Login From different user
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Password Reset
+          Matches:
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
+        - ID: Login
+          Matches:
+            p_alert_context.ip_and_username:
+              "1.1.1.1bob":
+                - "2024-06-01T10:02:01Z"
     - Name: Password Reset, Then Login From Different IPs
       ExpectedResult: false
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '2.2.2.2': [5]
+            p_alert_context.ip_and_username:
+              "2.2.2.2alice":
+                - "2024-06-01T10:02:01Z"
     - Name: Password Reset Without Login
       ExpectedResult: false
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
     - Name: Login Without Password Reset
       ExpectedResult: false
       RuleOutputs:
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [5]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"

packs/auth0.yml

@@ -3,6 +3,7 @@ PackID: PantherManaged.Auth0
 Description: Group of all Auth0 detections
 PackDefinition:
   IDs:
+    - Auth0.CIC.Credential.Stuffing
     - Auth0.Custom.Role.Created
     - Auth0.Integration.Installed
     - Auth0.MFA.Factor.Setting.Enabled

packs/aws.yml

@@ -73,6 +73,7 @@ PackDefinition:
     - AWS.PasswordPolicy.ComplexityGuidelines
     - AWS.PasswordPolicy.PasswordAgeLimit
     - AWS.PasswordPolicy.PasswordReuse
+    - AWS.Potentially.Stolen.Service.Role.Scheduled
     - AWS.Suspicious.SAML.Activity
     - AWS.User.Login.Profile.Modified
     # General Policies and Rules
@@ -164,14 +165,18 @@ PackDefinition:
     - VPCFlow.Port.Scanning
     # Correlation Rules
     - AWS.Privilege.Escalation.Via.User.Compromise
+    - AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
     - AWS.User.Takeover.Via.Password.Reset
     # Signal Rules
     - Role.Assumed.by.AWS.Service
     - Role.Assumed.by.User
     - AWS.CloudTrail.UserAccessKeyAuth
     - AWS.CloudTrail.LoginProfileCreatedOrModified
     - AWS.Console.Login
+    - Retrieve.SSO.access.token
+    - Sign-in.with.AWS.CLI.prompt
     # Queries
+    - AWS Potentially Stolen Service Role
     - Query.CloudTrail.Password.Spraying
     - Query.VPC.DNS.Tunneling
     - VPC Flow Port Scanning

packs/gcp_audit.yml

@@ -27,7 +27,6 @@ PackDefinition:
     - GCP.iam.roles.update.Privilege.Escalation
     - GCP.iam.serviceAccountKeys.create
     - GCP.Inbound.SSO.Profile.Created
-    - GCP.K8s.New.Daemonset.Deployed
     - GCP.Log.Bucket.Or.Sink.Deleted
     - GCP.Logging.Settings.Modified
     - GCP.Logging.Sink.Modified

packs/gcp_k8.yml

@@ -0,0 +1,22 @@
+AnalysisType: pack
+PackID: PantherManaged.GCP.K8
+DisplayName: "Panther GCP Kubernetes Pack"
+Description: Group of all Google Cloud Platform (GCP) K8 detections
+PackDefinition:
+  IDs:
+    # DataModel
+    - Standard.GCP.AuditLog
+    # Rules
+    - GCP.K8s.New.Daemonset.Deployed
+    - GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
+    - GCP.K8S.Privileged.Pod.Created
+    - GCP.K8S.Service.Type.NodePort.Deployed
+    - GCP.K8s.IOC.Activity
+    - GCP.K8s.Pod.Attached.To.Node.Host.Network
+    - GCP.K8s.Pod.Using.Host.PID.Namespace
+    # Globals
+    - gcp_base_helpers
+    - panther_base_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides

packs/github.yml

@@ -15,7 +15,6 @@ PackDefinition:
     - Github.Repo.Archived
     - Github.Repo.CollaboratorChange
     - Github.Repo.Created
-    #- GitHub.Repo.HookModified
     - GitHub.Repo.InitialAccess
     - Github.Repo.VisibilityChange
     - Github.Repo.VulnerabilityDismissed

packs/multisource_correlations.yml

@@ -8,7 +8,9 @@ PackDefinition:
     - Secret.Exposed.and.not.Quarantined
     - GitHub.Secret.Scanning.Alert.Created
     - AWS.CloudTrail.IAMCompromisedKeyQuarantine
-    - global_filter_github
+    - Okta.SSO.to.AWS
+    - AWS.Console.Sign-In
+    - AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta
 
   # Okta + Push Security
     - Okta.Login.Without.Push
@@ -24,6 +26,7 @@ PackDefinition:
     - Standard.AWS.CloudTrail
 
   # Global Helpers
+    - global_filter_github
     - panther_base_helpers
     - panther_config
     - panther_config_defaults

packs/snowflake.yml

@@ -18,7 +18,9 @@ PackDefinition:
     - Query.Snowflake.External.Shares
     - Query.Snowflake.FileDownloaded
     - Query.Snowflake.KeyUserPasswordLogin
+    - Query.Snowflake.MFALogin
     - Query.Snowflake.Multiple.Logins.Followed.By.Success
+    - Query.Snowflake.PublicRoleGrant
     - Query.Snowflake.SuspectedUserAccess
     - Query.Snowflake.TempStageCreated
     - Query.Snowflake.UserCreated
@@ -34,7 +36,9 @@ PackDefinition:
     - Snowflake.External.Shares
     - Snowflake.FileDownloaded
     - Snowflake.KeyUserPasswordLogin
+    - Snowflake.LoginWithoutMFA
     - Snowflake.Multiple.Failed.Logins.Followed.By.Success
+    - Snowflake.PublicRoleGrant
     - Snowflake.TempStageCreated
     - Snowflake.User.Access
     - Snowflake.UserCreated

queries/aws_queries/cloudtrail_password_spraying_query.yml

@@ -3,10 +3,10 @@ QueryName: "Query.CloudTrail.Password.Spraying"
 Enabled: false
 Description: >
   Detect password spraying in cloudtrail logs
-AthenaQuery: >
+AthenaQuery: |
   /* athena query not supported */
   SELECT count(1)
-SnowflakeQuery: >
+SnowflakeQuery: |
   SELECT
     -- this information will be in the alert events
     awsRegion as region,

queries/aws_queries/ec2_crud_activity_by_role_query.yml

@@ -3,10 +3,10 @@ QueryName: "Query.EC2.CRUD.Activity.Role"
 Enabled: false
 Description: >
   This query searches for CRUD activity in EC2 by role arn. Activities from a role outside typical deployment processes may warrant investigation.
-AthenaQuery: >
+AthenaQuery: |
   /* athena query not supported */
   SELECT count(1)
-SnowflakeQuery: >
+SnowflakeQuery: |
   SELECT
     count(*) as num_logs,
     recipientAccountId,

queries/aws_queries/ec2_crud_activity_by_useragent_query.yml

@@ -3,10 +3,10 @@ QueryName: "Query.EC2.CRUD.Activity.Useragent"
 Enabled: false
 Description: >
   This query searches for CRUD activity in EC2 by userAgent. A low count or previously unseen useragent may indicate that the action was not performed by an automated process.
-AthenaQuery: >
+AthenaQuery: |
   /* athena query not supported */
   SELECT count(1)
-SnowflakeQuery: >
+SnowflakeQuery: |
   SELECT
     count(*) as num_logs,
     recipientAccountId,

queries/aws_queries/vpc_dns_tunneling_query.yml

@@ -3,10 +3,10 @@ QueryName: "Query.VPC.DNS.Tunneling"
 Enabled: false
 Description: >
   Detect activity similar to DNS tunneling traffic in AWS VPC Logs
-AthenaQuery: >
+AthenaQuery: |
   /* athena query not supported */
   SELECT count(1)
-SnowflakeQuery: >
+SnowflakeQuery: |
   SELECT
     account_id,
     region,

queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml

@@ -44,3 +44,5 @@ RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
   - AWS Authentication from CrowdStrike Unmanaged Device
+Tags:
+  - Multi-Table Query

queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device.yml

@@ -162,3 +162,5 @@ RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
   - Okta Login From CrowdStrike Unmanaged Device
+Tags:
+  - Multi-Table Query

queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml

@@ -49,3 +49,5 @@ RuleID: "OnePassword.Login.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
   - 1Password Login From CrowdStrike Unmanaged Device Query
+Tags:
+  - Multi-Table Query

queries/dropbox_queries/Dropbox_Many_Deletes.yml

@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Deletes"
 Threshold: 1
 ScheduledQueries:
   - Dropbox Many Deletes
+Tags:
+  - Configuration Required

queries/dropbox_queries/Dropbox_Many_Downloads.yml

@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Downloads"
 Threshold: 1
 ScheduledQueries:
   - Dropbox Many Downloads
+Tags:
+  - Configuration Required

queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for a new admission controller being created in the cluster. Admission controllers allows an attack to intercept all API requests made within a cluster, allowing for enumeration of resources and common actions. This can be a very powerful tool to understand where to pivot to next.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitor for any modifications or creations of a cron job. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_ioc_activity_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.
-Query: >
+Query: |
   SELECT *,
          VALUE as SRC_IP,
          THIS as IP_ADDRESS,

queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for a new DaemonSet deployed to a kubernetes cluster. A daemonset is a workload that guarantees the presence of exactly one instance of a specific pod on every node in the cluster. This can be a very powerful tool for establishing peristence.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitor for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all deployed computer on that particular node and communicate with other compute on the network namespace. Attackers can use this to capture secrets passed in arguments or connections.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any pod created in pre-configured or default namespaces. Only Cluster Admins should be creating pods in the kube-system namespace, and it is best practice not to run any cluster critical infrastructure here. The kube-public namespace is intended to be readable by unauthenticated users. The default namespace is shipped with the cluster and it is best practice not to deploy production workloads here. These namespaces may be used to evade defenses or hide attacker infrastructure.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any pod creation or modification using the host IPC Namespace. Deploying pods in the Host IPC Namespace, breaks isolation between the pod and the underlying host meaning the pod has direct access to the same IPC objects and communications channels as the host system.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host’s processes. This can offer a powerful escape hatch to the underlying host.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for a privileged pod is created either by default or with permissions to run as root. These particular pods have full access to the hosts namespace and devices, ability to exploit the kernel, have dangerous linux capabilities, and can be a powerful launching point for further attacks.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
-Query: >
+Query: |
   SELECT *,
          objectRef:name as service,
          objectRef:namespace as namespace,

queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any unauthenticated kubernetes api request. Unauthenticated Requests are performed by the anonymous user and have unfederated access to the cluster.
-Query: >
+Query: |
   SELECT *,
          IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
          IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,

queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml

@@ -5,7 +5,7 @@ Tags:
   - Optional
 Description: >
   This detection monitors for any pod execution in a kubernetes cluster. Pod execution should never be done in a production cluster, and can indicate a user performing unauthorized actions.
-Query: >
+Query: |
   SELECT *,
          split(split(impersonatedUser:username,'remote-')[1],'-')[0] as src_user,
          SPLIT(requestURI,'exec?')[1] as command_executed,