Fixing rules that were failing validation (#1041)
* Fixed rules

* Removed deleted rule from pack

* Reverted changes

* Remove tailscale selectors

* Fixed riot basic
kostaspap authored Dec 14, 2023
1 parent 12019bc commit aea6bb2
Showing 13 changed files with 0 additions and 205 deletions.
10 changes: 0 additions & 10 deletions lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
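Review bot: the commit message never says why the whole Tailscale.Network entry is dropped from this LogTypeMap instead of being fixed, and the only thing that distinguishes the removed selectors from the surviving `$.content.userOriginIP` and `request_ip` selectors is the `[]` array-path syntax (`$.event.virtualTraffic[].srcIp` and friends). If that syntax is what failed validation, record it in the message or in a YAML comment at this spot; after this hunk Tailscale network logs are no longer enriched by this table, and whoever re-adds the block later will otherwise hit the same failure without knowing why.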
10 changes: 0 additions & 10 deletions lookup_tables/greynoise/advanced/riot_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/greynoise/basic/noise_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/greynoise/basic/riot_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
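Review bot: the squashed message lists "Fixed riot basic" as a separate step from "Remove tailscale selectors", but this riot_basic.yml hunk is identical to the selector removal in the other lookup tables and nothing else in the file is touched. If riot_basic needed an extra fix that was later undone (the message also carries "Reverted changes"), drop that bullet from the final message so the history does not claim a change the diff does not contain.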
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_asn.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_asn_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
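Review bot: this ipinfo_asn_datalake.yml hunk is byte-for-byte the same as the ipinfo_asn.yml hunk above, and the same 10-line deletion at the same offset (`@@ -422,16 +422,6 @@`) recurs in every lookup table in this commit, datalake and non-datalake variants alike. The LogTypeMap is evidently shared content maintained by hand in eleven files; consider a test that asserts the LogTypeMap block is identical across the lookup-table YAMLs, so the next selector fix is caught when it is applied to only some of them.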
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_location.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
10 changes: 0 additions & 10 deletions lookup_tables/tor/tor_exit_nodes.yml
@@ -422,16 +422,6 @@ LogTypeMap:
- LogType: Sysdig.Audit
Selectors:
- "$.content.userOriginIP"
- LogType: Tailscale.Network
Selectors:
- "$.event.virtualTraffic[].srcIp"
- "$.event.virtualTraffic[].dstIp"
- "$.event.subnetTraffic[].srcIp"
- "$.event.subnetTraffic[].dstIp"
- "$.event.exitTraffic[].srcIp"
- "$.event.exitTraffic[].dstIp"
- "$.event.physicalTraffic[].srcIp"
- "$.event.physicalTraffic[].dstIp"
- LogType: Tines.Audit
Selectors:
- "request_ip"
1 change: 0 additions & 1 deletion packs/netskope.yml
@@ -4,7 +4,6 @@ Description: Group of all Netskope detections
PackDefinition:
IDs:
- Netskope.AdminLoggedOutLoginFailures
- Netskope.AdminUserChange
- Netskope.ManyDeletes
- Netskope.NetskopePersonnelActivity
- Netskope.UnauthorizedAPICalls
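Review bot: dropping `Netskope.AdminUserChange` from `PackDefinition.IDs` is the right companion to deleting rules/netskope_rules/netskope_admin_user_change.yml, but this pack is the only reference updated in the commit; grep the repository for the rule ID (other packs, tests, docs) before merging, and since the description still reads "Group of all Netskope detections", note in the commit message that the pack now ships one fewer detection.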
94 changes: 0 additions & 94 deletions rules/netskope_rules/netskope_admin_user_change.yml

This file was deleted.
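Review bot: the 94 deleted lines of netskope_admin_user_change.yml are not shown here, and the message ("Fixed rules", "Removed deleted rule from pack") does not say which validation check the rule failed or why deleting it, rather than correcting it, was the remedy. State the failing check and whether admin-user-change events are still covered by another Netskope rule; as written this is a silent loss of detection coverage that a reader of the history cannot distinguish from an intentional retirement.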
