Merge pull request #1305 from panther-labs/release

Releasing performance improvements

correlation_rules/aws_potentially_compromised_service_role.yml

@@ -22,9 +22,9 @@ Detection:
         Match:
           - On: requestParameters.roleArn
     Schedule:
-      RateMinutes: 60
-      TimeoutMinutes: 15
-    LookbackWindowMinutes: 1440
+      RateMinutes: 685
+      TimeoutMinutes: 20
+    LookbackWindowMinutes: 720
 Tests:
     - Name: Role Assumed By Service, Followed By Role Assumed By User
       ExpectedResult: true

correlation_rules/aws_privilege_escalation_via_user_compromise.yml

@@ -19,9 +19,9 @@ Detection:
           Match:
             - On: p_alert_context.ip_accessKeyId
       Schedule:
-        RateMinutes: 15
-        TimeoutMinutes: 5
-      LookbackWindowMinutes: 60
+        RateMinutes: 60
+        TimeoutMinutes: 10
+      LookbackWindowMinutes: 90
 Tests:
     - Name: Access Key Created and Used from Same IP
       ExpectedResult: true

correlation_rules/aws_user_takeover_via_password_reset.yml

@@ -19,9 +19,9 @@ Detection:
           Match:
             - On: sourceIPAddress
       Schedule:
-        RateMinutes: 15
-        TimeoutMinutes: 5
-      LookbackWindowMinutes: 60
+        RateMinutes: 60
+        TimeoutMinutes: 10
+      LookbackWindowMinutes: 90
 Tests:
     - Name: Password Reset, Then Login From Same IP
       ExpectedResult: true

correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml

@@ -18,10 +18,10 @@ Detection:
         To: RepoArchived
         Match:
           - On: p_alert_context.repo
-    LookbackWindowMinutes: 15
+    LookbackWindowMinutes: 90
     Schedule:
-      RateMinutes: 10
-      TimeoutMinutes: 5
+      RateMinutes: 60
+      TimeoutMinutes: 10
 Tests:
     - Name: Security Change on Repo, Followed By Same Repo Archived
       ExpectedResult: false

correlation_rules/okta_login_without_push.yml

@@ -25,9 +25,9 @@ Detection:
           - From: actor.alternateId
             To: new.email
     Schedule:
-      RateMinutes: 5
-      TimeoutMinutes: 3
-    LookbackWindowMinutes: 30
+      RateMinutes: 60
+      TimeoutMinutes: 10
+    LookbackWindowMinutes: 90
 Tests:
   - Name: Okta Login, Followed By Push Authorized Login
     ExpectedResult: false

correlation_rules/potential_compromised_okta_credentials.yml

@@ -24,9 +24,9 @@ Detection:
           - From: actor.alternateId
             To: new.employee.email
     Schedule:
-      RateMinutes: 5
-      TimeoutMinutes: 3
-    LookbackWindowMinutes: 30
+      RateMinutes: 60
+      TimeoutMinutes: 10
+    LookbackWindowMinutes: 90
 Tests:
   - Name: Login Without Marker, Followed By Phishing Detection
     ExpectedResult: true

correlation_rules/secret_exposed_and_not_quarantined.yml

@@ -22,9 +22,9 @@ Detection:
           From: SecretFound
           To: SecretNotQuarantined
       Schedule:
-        RateMinutes: 10
-        TimeoutMinutes: 3
-      LookbackWindowMinutes: 30
+        RateMinutes: 60
+        TimeoutMinutes: 10
+      LookbackWindowMinutes: 90
 Tests:
     - Name: Secret Found and Quarantied
       ExpectedResult: false

rules/slack_rules/slack_user_privilege_escalation.yml

@@ -50,6 +50,17 @@ Tests:
               },
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
           },
+        "entity":
+          {
+            "type": "user",
+            "user":
+              {
+                "email": "[email protected]",
+                "id": "W012J3FEWAU",
+                "name": "primary-owner",
+                "team": "T01234N56GB",
+              },
+          },
       }
   - Name: Permissions Assigned
     ExpectedResult: true
@@ -79,6 +90,17 @@ Tests:
               },
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
           },
+        "entity":
+          {
+            "type": "user",
+            "user":
+              {
+                "email": "[email protected]",
+                "id": "W012J3FEWAU",
+                "name": "primary-owner",
+                "team": "T01234N56GB",
+              },
+          },
       }
   - Name: Role Changed to Admin
     ExpectedResult: true
@@ -108,6 +130,17 @@ Tests:
               },
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
           },
+        "entity":
+          {
+            "type": "user",
+            "user":
+              {
+                "email": "[email protected]",
+                "id": "W012J3FEWAU",
+                "name": "primary-owner",
+                "team": "T01234N56GB",
+              },
+          },
       }
   - Name: Role Changed to Owner
     ExpectedResult: true
@@ -137,6 +170,17 @@ Tests:
               },
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
           },
+        "entity":
+          {
+            "type": "user",
+            "user":
+              {
+                "email": "[email protected]",
+                "id": "W012J3FEWAU",
+                "name": "primary-owner",
+                "team": "T01234N56GB",
+              },
+          },
       }
   - Name: User Logout
     ExpectedResult: false