From 21ec5cc241114fa2b145e0a0b5563f44bfbe851d Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:02:14 +0200 Subject: [PATCH 01/13] Add references to rules (netskope_rules) (#1021) --- rules/netskope_rules/netskope_admin_logged_out.yml | 1 + rules/netskope_rules/netskope_admin_user_change.yml | 1 + rules/netskope_rules/netskope_many_deletes.yml | 1 + rules/netskope_rules/netskope_personnel_action.yml | 1 + rules/netskope_rules/netskope_unauthorized_api_calls.yml | 1 + 5 files changed, 5 insertions(+) diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml index 993033c96..b0e6cf9c2 100644 --- a/rules/netskope_rules/netskope_admin_logged_out.yml +++ b/rules/netskope_rules/netskope_admin_logged_out.yml @@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures. DedupPeriodMinutes: 60 Threshold: 1 Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/ Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml index f98513b87..abc84d284 100644 --- a/rules/netskope_rules/netskope_admin_user_change.yml +++ b/rules/netskope_rules/netskope_admin_user_change.yml @@ -27,6 +27,7 @@ Tags: Reports: MITRE ATT&CK: - TA0004:T1098 +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/ Severity: High DynamicSeverities: - ChangeTo: Critical diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml index 6663338eb..c89c54fe6 100644 --- a/rules/netskope_rules/netskope_many_deletes.yml +++ b/rules/netskope_rules/netskope_many_deletes.yml 
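Review bot: The new `Reference:` key is placed inconsistently across the netskope hunks above: in netskope_admin_logged_out.yml it follows `Runbook:`, while in netskope_admin_user_change.yml it is inserted between the `Reports:` block and `Severity:`. Pick one position (after `Runbook:` matches the rest of this series) so the rule files stay uniform and later diffs of these specs stay small.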
@@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time. DedupPeriodMinutes: 60 Threshold: 10 Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/ Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml index 53fb387a0..cd3b2f389 100644 --- a/rules/netskope_rules/netskope_personnel_action.yml +++ b/rules/netskope_rules/netskope_personnel_action.yml @@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Action taken by Netskope Personnel. Validate that this action was authorized. +Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1 Tests: - Name: True positive ExpectedResult: true diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml index 6fe10496f..74758ed4f 100644 --- a/rules/netskope_rules/netskope_unauthorized_api_calls.yml +++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml @@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per DedupPeriodMinutes: 60 Threshold: 10 Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials. +Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/ Tests: - Name: True positive ExpectedResult: true From fb621313ca1412cab6f2a5ef031886bc0e8b4f62 Mon Sep 17 00:00:00 2001 
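Review bot: In the netskope_unauthorized_api_calls.yml hunk the reference points at the Netskope Private Access REST API page, while the rule's `Description:` and `Runbook:` describe unauthorized API calls by an account in general (brute force or expired service account credentials). Consider linking the REST API / token documentation for the tenant API or the audit log page used by the other netskope rules, so the reference explains the event the rule actually fires on.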
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:04:41 +0200 Subject: [PATCH 02/13] Add references to rules (notion_rules) (#1022) --- rules/notion_rules/notion_account_changed_after_login.yml | 1 + rules/notion_rules/notion_login_from_blocked_ip.yml | 1 + rules/notion_rules/notion_login_from_new_location.yml | 1 + rules/notion_rules/notion_many_pages_deleted.yml | 1 + rules/notion_rules/notion_many_pages_exported.yml | 1 + rules/notion_rules/notion_page_accessible_to_api.yml | 1 + rules/notion_rules/notion_page_accessible_to_guests.yml | 1 + rules/notion_rules/notion_page_shared_to_web.yml | 1 + rules/notion_rules/notion_page_view_impossible_travel.yml | 1 + rules/notion_rules/notion_scim_token_generated.yml | 1 + rules/notion_rules/notion_workspace_audit_log_exported.yml | 1 + rules/notion_rules/notion_workspace_exported.yml | 1 + ...notion_workspace_settings_enforce_saml_sso_config_updated.yml | 1 + .../notion_workspace_settings_public_homepage_added.yml | 1 + 14 files changed, 14 insertions(+) diff --git a/rules/notion_rules/notion_account_changed_after_login.yml b/rules/notion_rules/notion_account_changed_after_login.yml index c3f6d1609..59cf99205 100644 --- a/rules/notion_rules/notion_account_changed_after_login.yml +++ b/rules/notion_rules/notion_account_changed_after_login.yml @@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine. +Reference: https://www.notion.so/help/account-settings Tests: - # This unit test is to make sure the logic for handling login events successfully results in # caching the login info. The outputted title/alert_context are not important. diff --git a/rules/notion_rules/notion_login_from_blocked_ip.yml b/rules/notion_rules/notion_login_from_blocked_ip.yml index b32b63256..af4e2134b 100644 
--- a/rules/notion_rules/notion_login_from_blocked_ip.yml +++ b/rules/notion_rules/notion_login_from_blocked_ip.yml @@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note: DedupPeriodMinutes: 60 Threshold: 1 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked. +Reference: https://www.notion.so/help/allowlist-ip diff --git a/rules/notion_rules/notion_login_from_new_location.yml b/rules/notion_rules/notion_login_from_new_location.yml index d3461b477..8cf3202d4 100644 --- a/rules/notion_rules/notion_login_from_new_location.yml +++ b/rules/notion_rules/notion_login_from_new_location.yml @@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location. DedupPeriodMinutes: 60 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine. +Reference: https://ipinfo.io/products/ip-geolocation-api Tests: - Name: Login from normal location ExpectedResult: false diff --git a/rules/notion_rules/notion_many_pages_deleted.yml b/rules/notion_rules/notion_many_pages_deleted.yml index ef5ba1205..81257217b 100644 --- a/rules/notion_rules/notion_many_pages_deleted.yml +++ b/rules/notion_rules/notion_many_pages_deleted.yml @@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs. Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/duplicate-delete-and-restore-content Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_many_pages_exported.yml b/rules/notion_rules/notion_many_pages_exported.yml index fb5f13740..010245809 100644 
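Review bot: In the notion_login_from_new_location.yml hunk the reference is a vendor product page (ipinfo.io) rather than documentation of the Notion login event the rule consumes; a product page is weak provenance for a detection and is likely to change. While touching this file, the context line `Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.` carries a comment copied from the pages-deleted rule that does not apply to a login rule and should be corrected or dropped.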
--- a/rules/notion_rules/notion_many_pages_exported.yml +++ b/rules/notion_rules/notion_many_pages_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages. DedupPeriodMinutes: 60 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs. Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/export-your-content Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_page_accessible_to_api.yml b/rules/notion_rules/notion_page_accessible_to_api.yml index 288174f6e..4f8ba6c0c 100644 --- a/rules/notion_rules/notion_page_accessible_to_api.yml +++ b/rules/notion_rules/notion_page_accessible_to_api.yml @@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions diff --git a/rules/notion_rules/notion_page_accessible_to_guests.yml b/rules/notion_rules/notion_page_accessible_to_guests.yml index ec3ef9fdf..53db176be 100644 --- a/rules/notion_rules/notion_page_accessible_to_guests.yml +++ b/rules/notion_rules/notion_page_accessible_to_guests.yml @@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/sharing-and-permissions Tests: - Name: Guest Role Added ExpectedResult: true diff --git a/rules/notion_rules/notion_page_shared_to_web.yml b/rules/notion_rules/notion_page_shared_to_web.yml index 620d59920..777237005 100644 --- a/rules/notion_rules/notion_page_shared_to_web.yml +++ b/rules/notion_rules/notion_page_shared_to_web.yml 
@@ -14,3 +14,4 @@ Description: A Notion User published a page to the web. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Potential information exposure - review the shared page and rectify if needed. +Reference: https://www.notion.so/help/public-pages-and-web-publishing diff --git a/rules/notion_rules/notion_page_view_impossible_travel.yml b/rules/notion_rules/notion_page_view_impossible_travel.yml index f7ecce6d3..3d9f98fe3 100644 --- a/rules/notion_rules/notion_page_view_impossible_travel.yml +++ b/rules/notion_rules/notion_page_view_impossible_travel.yml @@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible account compromise. Review activity of this user. +Reference: https://raxis.com/blog/simultaneous-sessions/ Tests: - Name: Normal Page View ExpectedResult: False diff --git a/rules/notion_rules/notion_scim_token_generated.yml b/rules/notion_rules/notion_scim_token_generated.yml index b30115211..e13e18c44 100644 --- a/rules/notion_rules/notion_scim_token_generated.yml +++ b/rules/notion_rules/notion_scim_token_generated.yml @@ -14,6 +14,7 @@ Severity: Medium DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/provision-users-and-groups-with-scim Tests: - ExpectedResult: false Log: diff --git a/rules/notion_rules/notion_workspace_audit_log_exported.yml b/rules/notion_rules/notion_workspace_audit_log_exported.yml index f18a3a767..6c80f8550 100644 --- a/rules/notion_rules/notion_workspace_audit_log_exported.yml +++ b/rules/notion_rules/notion_workspace_audit_log_exported.yml 
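Review bot: In the notion_page_view_impossible_travel.yml hunk the reference is a third-party blog post (raxis.com) rather than Notion's own audit log documentation; blog links rot and the other notion rules in this series all cite notion.so help pages. Suggest citing the Notion audit log page (the same `https://www.notion.so/help/audit-log` already used in the audit-log-exported hunk) and, if the blog adds value, keeping it as a secondary note in `Runbook:`.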
@@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/audit-log#export-your-audit-log Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_workspace_exported.yml b/rules/notion_rules/notion_workspace_exported.yml index 2232647de..c40f7ec5c 100644 --- a/rules/notion_rules/notion_workspace_exported.yml +++ b/rules/notion_rules/notion_workspace_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace Tests: - Name: Workspace Exported ExpectedResult: true diff --git a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml index 199009e77..a81cbe9c0 100644 --- a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml +++ b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f DedupPeriodMinutes: 60 Threshold: 1 Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices. +Reference: https://www.notion.so/help/saml-sso-configuration Tests: - Name: Other Event ExpectedResult: false 
diff --git a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml index 221c8ca0b..0147311d7 100644 --- a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml +++ b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: A Notion page was made public. Check with the author to determine why this page was made public. +Reference: https://www.notion.so/help/public-pages-and-web-publishing Tests: - Name: Public page added ExpectedResult: true From c393954a12ccded847476f2c744c0ea8d64f8010 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:07:29 +0200 Subject: [PATCH 03/13] Add references to rules (onelogin_rules) (#1024) --- rules/onelogin_rules/onelogin_admin_role_assigned.yml | 1 + rules/onelogin_rules/onelogin_unusual_login.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/onelogin_rules/onelogin_admin_role_assigned.yml b/rules/onelogin_rules/onelogin_admin_role_assigned.yml index cac026bee..d8bcaef05 100644 --- a/rules/onelogin_rules/onelogin_admin_role_assigned.yml +++ b/rules/onelogin_rules/onelogin_admin_role_assigned.yml @@ -7,6 +7,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391 Severity: Low SummaryAttributes: - account_id diff --git a/rules/onelogin_rules/onelogin_unusual_login.yml b/rules/onelogin_rules/onelogin_unusual_login.yml index 1e982554d..d614e0344 100644 --- a/rules/onelogin_rules/onelogin_unusual_login.yml +++ b/rules/onelogin_rules/onelogin_unusual_login.yml 
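Review bot: In the notion_workspace_settings_public_homepage_added.yml hunk the context line `Description: A Notion page was set to public in your worksace.` has a typo ("worksace" should be "workspace"); since this file is being edited anyway, fix it in the same change so the alert text shown to analysts is correct.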
@@ -9,6 +9,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://actzero.ai/resources/blog/a-smarter-way-to-detect-suspicious-cloud-logins Severity: Medium Description: Deprecated. Please see Standard.UnusualLogin instead. SummaryAttributes: From 4c9102eb675797560cb0ff6e4e2cf7ae0770ad0e Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:09:57 +0200 Subject: [PATCH 04/13] Add references to rules (onepassword_rules) (#1025) --- .../onepassword_rules/onepassword_lut_sensitive_item_access.yml | 1 + rules/onepassword_rules/onepassword_sensitive_item_access.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml index f1a0ca2fd..9dbed6ae1 100644 --- a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "BETA - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: diff --git a/rules/onepassword_rules/onepassword_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_sensitive_item_access.yml index 8e5ab5bd3..22a937473 100644 --- a/rules/onepassword_rules/onepassword_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "Configuration Required - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: 
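Review bot: The onelogin_unusual_login.yml hunk adds a third-party blog reference (actzero.ai) to a rule whose `Description:` reads "Deprecated. Please see Standard.UnusualLogin instead." Adding references to a deprecated rule gives little value; either point the reference at Standard.UnusualLogin's documentation or leave this file out of the series so readers are not steered toward content that is no longer maintained.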
From 323e365d4cd83073c9c837aa6ef34a2c1de4058b Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:12:23 +0200 Subject: [PATCH 05/13] Add references to rules (panther_audit_rules) (#1027) --- rules/panther_audit_rules/panther_detection_deleted.yml | 1 + rules/panther_audit_rules/panther_saml_modified.yml | 1 + rules/panther_audit_rules/panther_sensitive_role_created.yml | 1 + rules/panther_audit_rules/panther_user_modified.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/rules/panther_audit_rules/panther_detection_deleted.yml b/rules/panther_audit_rules/panther_detection_deleted.yml index 5938d2a7b..d8fcba243 100644 --- a/rules/panther_audit_rules/panther_detection_deleted.yml +++ b/rules/panther_audit_rules/panther_detection_deleted.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: Detection content has been removed from Panther. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_saml_modified.yml b/rules/panther_audit_rules/panther_saml_modified.yml index cf73682ba..daaa7b943 100644 --- a/rules/panther_audit_rules/panther_saml_modified.yml +++ b/rules/panther_audit_rules/panther_saml_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: An Admin has modified Panther's SAML configuration. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/saml SummaryAttributes: - p_any_ip_addresses - p_any_usernames diff --git a/rules/panther_audit_rules/panther_sensitive_role_created.yml b/rules/panther_audit_rules/panther_sensitive_role_created.yml index 93e5ac17b..36ec77ca6 100644 --- a/rules/panther_audit_rules/panther_sensitive_role_created.yml 
+++ b/rules/panther_audit_rules/panther_sensitive_role_created.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user role has been created that contains admin level permissions. Runbook: Contact the creator of this role to ensure its creation was appropriate. +Reference: https://docs.panther.com/system-configuration/rbac SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_user_modified.yml b/rules/panther_audit_rules/panther_user_modified.yml index ca28a4a69..95280e28c 100644 --- a/rules/panther_audit_rules/panther_user_modified.yml +++ b/rules/panther_audit_rules/panther_user_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user. Runbook: Validate that this user modification was intentional. +Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management SummaryAttributes: - p_any_ip_addresses Tests: From a6d7e1c36189e2a8dc0244c358966c07e5762efc Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:14:48 +0200 Subject: [PATCH 06/13] Add references to rules (salesforce_rules) (#1028) --- rules/salesforce_rules/salesforce_admin_login_as_user.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/salesforce_rules/salesforce_admin_login_as_user.yml b/rules/salesforce_rules/salesforce_admin_login_as_user.yml index 5c55e71ae..8421ec35c 100644 --- a/rules/salesforce_rules/salesforce_admin_login_as_user.yml +++ b/rules/salesforce_rules/salesforce_admin_login_as_user.yml 
@@ -4,6 +4,7 @@ DisplayName: "Salesforce Admin Login As User" Enabled: true Filename: salesforce_admin_login_as_user.py Runbook: 'Please do an indicator search on USER_ID to find which user was assumed. ' +Reference: https://help.salesforce.com/s/articleView?id=sf.logging_in_as_another_user.htm&type=5 Severity: Info Tests: - ExpectedResult: false From 71c5df9988d798ce87daa60cad250f894d3de0b5 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:17:16 +0200 Subject: [PATCH 07/13] Add references to rules (sentinelone_rules) (#1029) --- rules/sentinelone_rules/sentinelone_alert_passthrough.yml | 1 + rules/sentinelone_rules/sentinelone_threats.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml index 935d220fe..5e16edc36 100644 --- a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml +++ b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml @@ -3,6 +3,7 @@ Description: SentinelOne Alert Passthrough DisplayName: "SentinelOne Alert Passthrough" Enabled: true Filename: sentinelone_alert_passthrough.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true diff --git a/rules/sentinelone_rules/sentinelone_threats.yml b/rules/sentinelone_rules/sentinelone_threats.yml index b22c72f3c..f861b3cf8 100644 --- a/rules/sentinelone_rules/sentinelone_threats.yml +++ b/rules/sentinelone_rules/sentinelone_threats.yml @@ -3,6 +3,7 @@ Description: 'Passthrough SentinelOne Threats ' DisplayName: "SentinelOne Threats" Enabled: true Filename: sentinelone_threats.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true From 92dfc5f65acd7e9e6a4c755902e310da84ceea51 Mon Sep 17 00:00:00 2001 
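Review bot: Both sentinelone hunks (sentinelone_alert_passthrough.yml and sentinelone_threats.yml) cite the same marketing "feature spotlight" blog post; for a passthrough rule the more useful reference is SentinelOne's documentation of the threat/alert log schema these rules forward, which tells an analyst what the fields in the alert mean. Suggest swapping the blog link for the product documentation, or at least citing it only once via `Runbook:` on the passthrough rule.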
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:19:34 +0200 Subject: [PATCH 08/13] Add references to rules (snyk_rules) (#1030) --- rules/snyk_rules/snyk_misc_settings.yml | 1 + rules/snyk_rules/snyk_org_settings.yml | 1 + rules/snyk_rules/snyk_project_settings.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/rules/snyk_rules/snyk_misc_settings.yml b/rules/snyk_rules/snyk_misc_settings.yml index b6b4df89a..4d7c41974 100644 --- a/rules/snyk_rules/snyk_misc_settings.yml +++ b/rules/snyk_rules/snyk_misc_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings Severity: Low Description: > Detects when Snyk settings that lack a clear security impact are changed diff --git a/rules/snyk_rules/snyk_org_settings.yml b/rules/snyk_rules/snyk_org_settings.yml index 3716d8c5c..18dae4e54 100644 --- a/rules/snyk_rules/snyk_org_settings.yml +++ b/rules/snyk_rules/snyk_org_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings Severity: Medium Description: > Detects when Snyk Organization settings, like Integrations and Webhooks, are changed diff --git a/rules/snyk_rules/snyk_project_settings.yml b/rules/snyk_rules/snyk_project_settings.yml index a0d294745..9d52d8289 100644 --- a/rules/snyk_rules/snyk_project_settings.yml +++ b/rules/snyk_rules/snyk_project_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/introduction-to-snyk-projects/view-and-edit-project-settings Severity: Medium Description: > Detects when Snyk Project settings are changed From 14d9912533437bc3675488b0bf2a76bc8219a16c Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:22:17 +0200 Subject: [PATCH 09/13] Add references to rules (tailscale_rules) (#1032) --- rules/tailscale_rules/tailscale_https_disabled.yml | 1 + .../tailscale_machine_approval_requirements_disabled.yml | 1 + rules/tailscale_rules/tailscale_magicdns_disabled.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/rules/tailscale_rules/tailscale_https_disabled.yml b/rules/tailscale_rules/tailscale_https_disabled.yml index 15dd0a239..8f786c969 100644 --- a/rules/tailscale_rules/tailscale_https_disabled.yml +++ b/rules/tailscale_rules/tailscale_https_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale HTTPS Disabled" Enabled: true Filename: tailscale_https_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1153/enabling-https/#disable-https Severity: High Tests: - ExpectedResult: true diff --git a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml index 268e95db4..fe7a3e8a5 100644 --- a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml +++ b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Machine Approval Requirements Disabled" Enabled: true Filename: tailscale_machine_approval_requirements_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1099/device-approval/ Severity: High Tests: - ExpectedResult: true 
diff --git a/rules/tailscale_rules/tailscale_magicdns_disabled.yml b/rules/tailscale_rules/tailscale_magicdns_disabled.yml index 513da6419..c84f88818 100644 --- a/rules/tailscale_rules/tailscale_magicdns_disabled.yml +++ b/rules/tailscale_rules/tailscale_magicdns_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Magic DNS Disabled" Enabled: true Filename: tailscale_magicdns_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1081/magicdns/ Severity: High Tests: - ExpectedResult: true From 1643a029fc6623b058c84d3b535aab827ac18aac Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:24:40 +0200 Subject: [PATCH 10/13] Add references to rules (tines_rules) (#1033) --- rules/tines_rules/tines_actions_disabled_changes.yml | 1 + rules/tines_rules/tines_custom_ca.yml | 1 + rules/tines_rules/tines_enqueued_retrying_job_deletion.yml | 1 + rules/tines_rules/tines_global_resource_destruction.yml | 1 + rules/tines_rules/tines_sso_settings.yml | 1 + rules/tines_rules/tines_story_items_destruction.yml | 1 + rules/tines_rules/tines_story_jobs_clearance.yml | 1 + rules/tines_rules/tines_team_destruction.yml | 1 + rules/tines_rules/tines_tenant_authtoken.yml | 1 + 9 files changed, 9 insertions(+) diff --git a/rules/tines_rules/tines_actions_disabled_changes.yml b/rules/tines_rules/tines_actions_disabled_changes.yml index 0b311afc2..f5e0fbc6d 100644 --- a/rules/tines_rules/tines_actions_disabled_changes.yml +++ b/rules/tines_rules/tines_actions_disabled_changes.yml @@ -7,6 +7,7 @@ LogTypes: - Tines.Audit Tags: - Tines +Reference: https://www.tines.com/university/tines-basics/architecture-of-an-action Severity: Medium Description: > Detections when Tines Actions are set to Disabled Change 
diff --git a/rules/tines_rules/tines_custom_ca.yml b/rules/tines_rules/tines_custom_ca.yml index b61097e4f..645d2b85f 100644 --- a/rules/tines_rules/tines_custom_ca.yml +++ b/rules/tines_rules/tines_custom_ca.yml @@ -8,6 +8,7 @@ LogTypes: Tags: - Tines - IAM - Credential Security +Reference: https://www.tines.com/docs/admin/custom-certificate-authority Severity: High Description: > Detects when Tines Custom CertificateAuthority settings are changed diff --git a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml index 1b1282def..4c5cbd566 100644 --- a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml +++ b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "Currently enqueued or retrying jobs were cleared" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/self-hosting/job-management DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_global_resource_destruction.yml b/rules/tines_rules/tines_global_resource_destruction.yml index 6e50d9be7..4b16a7a22 100644 --- a/rules/tines_rules/tines_global_resource_destruction.yml +++ b/rules/tines_rules/tines_global_resource_destruction.yml @@ -15,6 +15,7 @@ Tags: Severity: Low Description: "A Tines user has destroyed a global resource." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/resources DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_sso_settings.yml b/rules/tines_rules/tines_sso_settings.yml index af54cc371..841ef9c6a 100644 --- a/rules/tines_rules/tines_sso_settings.yml +++ b/rules/tines_rules/tines_sso_settings.yml 
@@ -11,6 +11,7 @@ Tags: Severity: High Description: > Detects when Tines SSO settings are changed +Reference: https://www.tines.com/docs/admin/single-sign-on DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes: diff --git a/rules/tines_rules/tines_story_items_destruction.yml b/rules/tines_rules/tines_story_items_destruction.yml index d4021b6b2..df94d9a30 100644 --- a/rules/tines_rules/tines_story_items_destruction.yml +++ b/rules/tines_rules/tines_story_items_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Info Description: "A user has destroyed a story item" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_story_jobs_clearance.yml b/rules/tines_rules/tines_story_jobs_clearance.yml index b812abe4b..8310aca46 100644 --- a/rules/tines_rules/tines_story_jobs_clearance.yml +++ b/rules/tines_rules/tines_story_jobs_clearance.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A Tines User has cleared story jobs." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_team_destruction.yml b/rules/tines_rules/tines_team_destruction.yml index 85375c64f..329da0272 100644 --- a/rules/tines_rules/tines_team_destruction.yml +++ b/rules/tines_rules/tines_team_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A user has destroyed a team" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/admin/teams DedupPeriodMinutes: 60 Threshold: 1 Tests: 
diff --git a/rules/tines_rules/tines_tenant_authtoken.yml b/rules/tines_rules/tines_tenant_authtoken.yml index ff366f3d2..33bb4fd94 100644 --- a/rules/tines_rules/tines_tenant_authtoken.yml +++ b/rules/tines_rules/tines_tenant_authtoken.yml @@ -11,6 +11,7 @@ Tags: Severity: Medium Description: > Detects when Tines Tenant API Keys are added +Reference: https://www.tines.com/api/authentication DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes: From 550c7aca50be9efb50dcc567777b64287319f54b Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:05:41 +0200 Subject: [PATCH 11/13] Add references to rules (okta_rules) (#1023) * Add references to rules (okta_rules) * Add references to rules (okta_rules) --------- Co-authored-by: Evan Gibler --- rules/okta_rules/okta_app_unauthorized_access_attempt.yml | 1 + rules/okta_rules/okta_geo_improbable_access.yml | 1 + rules/okta_rules/okta_group_admin_role_assigned.yml | 1 + rules/okta_rules/okta_user_account_locked.yml | 1 + rules/okta_rules/okta_user_mfa_factor_suspend.yml | 1 + rules/okta_rules/okta_user_mfa_reset.yml | 1 + rules/okta_rules/okta_user_mfa_reset_all.yml | 1 + 7 files changed, 7 insertions(+) diff --git a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml index 3d6cfeb11..ff18e8a81 100644 --- a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml +++ b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml @@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt" Enabled: true Filename: okta_app_unauthorized_access_attempt.py Severity: Low +Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US Tests: - ExpectedResult: true Log: diff --git a/rules/okta_rules/okta_geo_improbable_access.yml b/rules/okta_rules/okta_geo_improbable_access.yml index 20e9d65b9..6eb4d46ea 100644 
--- a/rules/okta_rules/okta_geo_improbable_access.yml +++ b/rules/okta_rules/okta_geo_improbable_access.yml @@ -15,6 +15,7 @@ Reports: Severity: High Description: A user has subsequent logins from two geographic locations that are very far apart Runbook: Reach out to the user if needed to validate the activity, then lock the account +Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts SummaryAttributes: - eventType - severity diff --git a/rules/okta_rules/okta_group_admin_role_assigned.yml b/rules/okta_rules/okta_group_admin_role_assigned.yml index 4f6a8dcb9..def8bcd08 100644 --- a/rules/okta_rules/okta_group_admin_role_assigned.yml +++ b/rules/okta_rules/okta_group_admin_role_assigned.yml @@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group DisplayName: "Okta Group Admin Role Assigned" Enabled: true Filename: okta_group_admin_role_assigned.py +Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_account_locked.yml b/rules/okta_rules/okta_user_account_locked.yml index 97a4a074d..c7dbf6303 100644 --- a/rules/okta_rules/okta_user_account_locked.yml +++ b/rules/okta_rules/okta_user_account_locked.yml @@ -3,6 +3,7 @@ Description: An Okta user has locked their account. DisplayName: "Okta User Account Locked" Enabled: true Filename: okta_user_account_locked.py +Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US Severity: Low Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_factor_suspend.yml b/rules/okta_rules/okta_user_mfa_factor_suspend.yml index 45d60f71b..7364a4231 100644 --- a/rules/okta_rules/okta_user_mfa_factor_suspend.yml 
+++ b/rules/okta_rules/okta_user_mfa_factor_suspend.yml @@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user. DisplayName: "Okta User MFA Factor Suspend" Enabled: true Filename: okta_user_mfa_factor_suspend.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_reset.yml b/rules/okta_rules/okta_user_mfa_reset.yml index d21c22df7..4bd2ee8c0 100644 --- a/rules/okta_rules/okta_user_mfa_reset.yml +++ b/rules/okta_rules/okta_user_mfa_reset.yml @@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset" RuleID: "Okta.User.MFA.Reset.Single" Enabled: true Filename: okta_user_mfa_reset.py +Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US Severity: Info Tests: - diff --git a/rules/okta_rules/okta_user_mfa_reset_all.yml b/rules/okta_rules/okta_user_mfa_reset_all.yml index c8826818a..f2a44444c 100644 --- a/rules/okta_rules/okta_user_mfa_reset_all.yml +++ b/rules/okta_rules/okta_user_mfa_reset_all.yml @@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.' DisplayName: "Okta User MFA Reset All" Enabled: true Filename: okta_user_mfa_reset_all.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All Severity: Low Tests: - ExpectedResult: true From 1692899f6d268c405ca73ac41bb13454020485a4 Mon Sep 17 00:00:00 2001 
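Review bot: `Reference:` lands in a different slot in each okta file: after Severity in okta_app_unauthorized_access_attempt, before Severity in okta_group_admin_role_assigned and okta_user_account_locked, after Runbook in okta_geo_improbable_access. Pick one position (directly after Runbook/Description reads most naturally) and apply it consistently so the key is easy to find when scanning rule files.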
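Review bot: The okta_group_admin_role_assigned and okta_user_mfa_reset_all hunks embed browser scroll-to-text fragments (`#:~:text=...`) in the Reference URLs. These are not stable anchors: only some browsers honour them and they stop matching as soon as the page wording changes, and they make the YAML lines very long. Trim each URL to the page itself, e.g. `Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm`, and the same for the How-to-assign-Administrator-roles-to-groups link.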
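Review bot: The okta_geo_improbable_access hunk cites a third-party vendor blog (blinkops.com) as the sole reference for a Severity: High rule. A first-party Okta document describing the sign-in events the rule consumes, or a write-up of the impossible-travel logic itself, would be a more durable reference; keep the blog as a secondary link only if it adds remediation guidance the first-party page lacks.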
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:07:34 +0200 Subject: [PATCH 12/13] Add references to rules (osquery_rules) (#1026) * Add references to rules (osquery_rules) * Add references to rules (osquery_rules) --------- Co-authored-by: Evan Gibler --- rules/osquery_rules/osquery_mac_enable_auto_update.yml | 1 + .../osquery_rules/osquery_mac_unwanted_chrome_extensions.yml | 1 + rules/osquery_rules/osquery_ossec.yml | 1 + rules/osquery_rules/osquery_outdated.py | 2 +- rules/osquery_rules/osquery_outdated.yml | 5 +++-- rules/osquery_rules/osquery_outdated_macos.yml | 1 + rules/osquery_rules/osquery_ssh_listener.yml | 1 + 7 files changed, 9 insertions(+), 3 deletions(-) diff --git a/rules/osquery_rules/osquery_mac_enable_auto_update.yml b/rules/osquery_rules/osquery_mac_enable_auto_update.yml index 7360f78fe..6039f11ca 100644 --- a/rules/osquery_rules/osquery_mac_enable_auto_update.yml +++ b/rules/osquery_rules/osquery_mac_enable_auto_update.yml @@ -21,6 +21,7 @@ Description: > Verifies that MacOS has automatic software updates enabled. Runbook: > Enable the auto updates on the host. +Reference: https://support.apple.com/en-gb/guide/mac-help/mchlpx1065/mac SummaryAttributes: - name - action diff --git a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml index 1e7c2180b..e3012725f 100644 --- a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml +++ b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml @@ -17,6 +17,7 @@ Severity: Medium Description: > Monitor for chrome extensions that could lead to a credential compromise. Runbook: Uninstall the unwanted extension +Reference: https://securelist.com/threat-in-your-browser-extensions/107181/ SummaryAttributes: - action - hostIdentifier diff --git a/rules/osquery_rules/osquery_ossec.yml b/rules/osquery_rules/osquery_ossec.yml index 93c53f3f9..3ef6ad2ab 100644 
--- a/rules/osquery_rules/osquery_ossec.yml +++ b/rules/osquery_rules/osquery_ossec.yml @@ -17,6 +17,7 @@ Description: > Checks if any results are returned for the Osquery OSSEC Rootkit pack. Runbook: > Verify the presence of the rootkit and re-image the machine. +Reference: https://panther.com/blog/osquery-log-analysis/ SummaryAttributes: - name - hostIdentifier diff --git a/rules/osquery_rules/osquery_outdated.py b/rules/osquery_rules/osquery_outdated.py index cb190758c..7e9005acf 100644 --- a/rules/osquery_rules/osquery_outdated.py +++ b/rules/osquery_rules/osquery_outdated.py @@ -1,6 +1,6 @@ from panther_base_helpers import deep_get -LATEST_VERSION = "4.2.0" +LATEST_VERSION = "5.10.2" def rule(event): diff --git a/rules/osquery_rules/osquery_outdated.yml b/rules/osquery_rules/osquery_outdated.yml index b276f2f11..6c0af5fa1 100644 --- a/rules/osquery_rules/osquery_outdated.yml +++ b/rules/osquery_rules/osquery_outdated.yml @@ -9,8 +9,9 @@ Tags: - Osquery - Compliance Severity: Info -Description: Keep track of osquery versions, current is 4.1.2. +Description: Keep track of osquery versions, current is 5.10.2. Runbook: Update the osquery agent. +Reference: https://www.osquery.io/downloads/official/5.10.2 SummaryAttributes: - name - hostIdentifier @@ -74,7 +75,7 @@ Tests: "system_time": "12472", "user_time": "31800", "uuid": "37821E12-CC8A-5AA3-A90C-FAB28A5BF8F9", - "version": "4.2.0", + "version": "5.10.2", "watcher": "92" }, "counter": "255", diff --git a/rules/osquery_rules/osquery_outdated_macos.yml b/rules/osquery_rules/osquery_outdated_macos.yml index 32490ce9c..2e51f2f6a 100644 --- a/rules/osquery_rules/osquery_outdated_macos.yml +++ b/rules/osquery_rules/osquery_outdated_macos.yml @@ -12,6 +12,7 @@ Severity: Low Description: > Check that all laptops on the corporate environment are on a version of MacOS supported by IT. Runbook: Update the MacOs version +Reference: https://support.apple.com/en-eg/HT201260 SummaryAttributes: - name - hostIdentifier 
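Review bot: The osquery_outdated change now carries the pinned version in three places: `LATEST_VERSION = "5.10.2"` in osquery_outdated.py, the Description text "current is 5.10.2", and the version-specific download URL https://www.osquery.io/downloads/official/5.10.2. The next bump has to touch all three or they drift, which had already happened before this patch (the .py said 4.2.0 while the Description said 4.1.2). Keep the version only in the .py with a comment listing what else must be updated, or point Reference at the generic osquery downloads page so the URL does not go stale with each release.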
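Review bot: In the `@@ -74,7 +75,7 @@ Tests:` hunk the test event's `"version"` is bumped from "4.2.0" to "5.10.2" in lockstep with LATEST_VERSION, but the test's ExpectedResult is outside the hunk; please confirm it still matches the intent that a host already on the latest version does not fire the rule, and consider adding a second test event with an older version so the positive case is covered as well.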
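Review bot: The osquery_outdated_macos hunk links the locale-specific https://support.apple.com/en-eg/HT201260 while the osquery_mac_enable_auto_update hunk uses an en-gb URL; Apple support pages resolve to the reader's locale when the locale segment is omitted, so drop it from both (or at least use the same locale) to avoid sending readers to a regional page chosen by whoever added the link.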
diff --git a/rules/osquery_rules/osquery_ssh_listener.yml b/rules/osquery_rules/osquery_ssh_listener.yml index 880b70ed1..765a8ca8f 100644 --- a/rules/osquery_rules/osquery_ssh_listener.yml +++ b/rules/osquery_rules/osquery_ssh_listener.yml @@ -16,6 +16,7 @@ Description: > Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment. Runbook: > Terminate the SSH daemon, investigate for signs of compromise. +Reference: https://medium.com/uptycs/osquery-what-it-is-how-it-works-and-how-to-use-it-ce4e81e60dfc SummaryAttributes: - action - hostIdentifier From ac00a3c1975ade4be6ab21a4feadd841b89b6183 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:09:24 +0200 Subject: [PATCH 13/13] Add references to rules (standard_rules) (#1031) * Add references to rules (standard_rules) * Add references to rules (standard_rules) --------- Co-authored-by: Evan Gibler --- rules/standard_rules/admin_assigned.yml | 3 ++- rules/standard_rules/brute_force_by_ip.yml | 1 + rules/standard_rules/impossible_travel_login.yml | 1 + rules/standard_rules/malicious_sso_dns_lookup.yml | 1 + rules/standard_rules/mfa_disabled.yml | 1 + rules/standard_rules/standard_dns_base64.yml | 1 + rules/standard_rules/unusual_login_deprecated.yml | 1 + 7 files changed, 8 insertions(+), 1 deletion(-) diff --git a/rules/standard_rules/admin_assigned.yml b/rules/standard_rules/admin_assigned.yml index a1f954efa..ab6f1b58d 100644 --- a/rules/standard_rules/admin_assigned.yml +++ b/rules/standard_rules/admin_assigned.yml 
@@ -18,8 +18,9 @@ Severity: Medium Reports: MITRE ATT&CK: - TA0004:T1078 -Description: Attaching an audit role manually could be a sign of privilege escalation +Description: Assigning an admin role manually could be a sign of privilege escalation Runbook: Verify with the user who attached the role or add to a allowlist +Reference: https://medium.com/@gokulelango1040/privilege-escalation-attacks-28a9ef226abb SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/brute_force_by_ip.yml b/rules/standard_rules/brute_force_by_ip.yml index 79e32f277..74eed9ed7 100644 --- a/rules/standard_rules/brute_force_by_ip.yml +++ b/rules/standard_rules/brute_force_by_ip.yml @@ -23,6 +23,7 @@ Reports: - TA0006:T1110 Description: An actor user was denied login access more times than the configured threshold. Runbook: Analyze the IP they came from, and other actions taken before/after. Check if a user from this ip eventually authenticated successfully. +Reference: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml index 113f89663..1d7175827 100644 --- a/rules/standard_rules/impossible_travel_login.yml +++ b/rules/standard_rules/impossible_travel_login.yml @@ -21,6 +21,7 @@ Runbook: > If the user responds that the geolocation on the new location is incorrect, you can directly report the inaccuracy via https://ipinfo.io/corrections +Reference: https://expertinsights.com/insights/what-are-impossible-travel-logins/#:~:text=An%20impossible%20travel%20login%20is,of%20the%20logins%20is%20fraudulent SummaryAttributes: - p_any_usernames - p_any_ip_addresses diff --git a/rules/standard_rules/malicious_sso_dns_lookup.yml b/rules/standard_rules/malicious_sso_dns_lookup.yml index 3320ffd90..a9f88593c 100644 --- a/rules/standard_rules/malicious_sso_dns_lookup.yml 
+++ b/rules/standard_rules/malicious_sso_dns_lookup.yml @@ -19,6 +19,7 @@ Reports: - TA0001:T1566 Description: The rule looks for DNS requests to sites potentially posing as SSO domains. Runbook: Verify if the destination domain is owned by your organization. +Reference: https://www.cloudns.net/wiki/article/254/#:~:text=A%20DNS%20query%20(also%20known,associated%20with%20a%20domain%20name SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/mfa_disabled.yml b/rules/standard_rules/mfa_disabled.yml index 21e8d3c81..b71485cda 100644 --- a/rules/standard_rules/mfa_disabled.yml +++ b/rules/standard_rules/mfa_disabled.yml @@ -15,6 +15,7 @@ Tags: Reports: MITRE ATT&CK: - TA0005:T1556 +Reference: https://en.wikipedia.org/wiki/Multi-factor_authentication Severity: High Description: Detects when Multi-Factor Authentication (MFA) is disabled SummaryAttributes: diff --git a/rules/standard_rules/standard_dns_base64.yml b/rules/standard_rules/standard_dns_base64.yml index 21f585d1e..5bcbb7f44 100644 --- a/rules/standard_rules/standard_dns_base64.yml +++ b/rules/standard_rules/standard_dns_base64.yml @@ -4,6 +4,7 @@ Description: Detects DNS queries with Base64 encoded subdomains, which could ind RuleID: "Standard.DNSBase64" Enabled: false Filename: standard_dns_base64.py +Reference: https://zofixer.com/what-is-base64-disclosure-vulnerability/ Severity: Medium DedupPeriodMinutes: 60 Threshold: 1 diff --git a/rules/standard_rules/unusual_login_deprecated.yml b/rules/standard_rules/unusual_login_deprecated.yml index dfd2f3eaf..ce7088b55 100644 --- a/rules/standard_rules/unusual_login_deprecated.yml +++ b/rules/standard_rules/unusual_login_deprecated.yml 
@@ -29,6 +29,7 @@ Runbook: > Reach out to the user to ensure the login was legitimate. Be sure to use a means outside the one the unusual login originated from, if one is available. CC an individual that works with the user for visibility, usually the user’s manager if they’re available. The second user is not expected to respond, unless they find the response unusual or the location unexpected. To reduce noise, geolocation history length can be configured in the rule body to increase the number of allowed locations per user. +Reference: https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis/ SummaryAttributes: - p_any_ip_addresses Tests:
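Review bot: In the admin_assigned.yml hunk the Description now says "Assigning an admin role", but the unchanged Runbook context line still reads "Verify with the user who attached the role or add to a allowlist", which is now inconsistent with the new wording and has a grammar slip ("a allowlist"); update it to "Verify with the user who assigned the role, or add them to an allowlist". Also, Reports already maps this rule to TA0004:T1078, so the ATT&CK technique page is a more authoritative reference than a personal Medium post on privilege escalation.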
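Review bot: The impossible_travel_login and malicious_sso_dns_lookup hunks paste `#:~:text=` scroll-to-text fragments into the Reference URLs (the cloudns.net fragment even contains an unbalanced parenthesis). These are browser hints, not stable anchors, and they make the lines hard to read; keep only the page URL, e.g. `Reference: https://www.cloudns.net/wiki/article/254/`.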
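Review bot: The standard_dns_base64 hunk references an article about "Base64 disclosure" vulnerabilities, which is a different topic from what the rule detects (Base64-encoded subdomains in DNS queries, i.e. data encoded into DNS names). Pick a reference that actually describes encoding data into DNS queries, otherwise the link misleads the analyst who follows it while triaging the alert.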