Skip to content

Commit

Permalink
Merge branch 'main' into Add-references-to-rules-osquery
Browse files Browse the repository at this point in the history
  • Loading branch information
Evan Gibler authored Dec 12, 2023
2 parents 16b1824 + 550c7ac commit c80bbf0
Show file tree
Hide file tree
Showing 52 changed files with 52 additions and 0 deletions.
1 change: 1 addition & 0 deletions rules/netskope_rules/netskope_admin_logged_out.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account.
Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
Tests:
- Name: True positive
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/netskope_rules/netskope_admin_user_change.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ Tags:
Reports:
MITRE ATT&CK:
- TA0004:T1098
Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
Severity: High
DynamicSeverities:
- ChangeTo: Critical
Expand Down
1 change: 1 addition & 0 deletions rules/netskope_rules/netskope_many_deletes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time.
DedupPeriodMinutes: 60
Threshold: 10
Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized.
Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
Tests:
- Name: True positive
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/netskope_rules/netskope_personnel_action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Action taken by Netskope Personnel. Validate that this action was authorized.
Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1
Tests:
- Name: True positive
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/netskope_rules/netskope_unauthorized_api_calls.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per
DedupPeriodMinutes: 60
Threshold: 10
Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials.
Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/
Tests:
- Name: True positive
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_account_changed_after_login.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine.
Reference: https://www.notion.so/help/account-settings
Tests:
- # This unit test is to make sure the logic for handling login events successfully results in
# caching the login info. The outputted title/alert_context are not important.
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_login_from_blocked_ip.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note:
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked.
Reference: https://www.notion.so/help/allowlist-ip
1 change: 1 addition & 0 deletions rules/notion_rules/notion_login_from_new_location.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location.
DedupPeriodMinutes: 60
Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.
Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine.
Reference: https://ipinfo.io/products/ip-geolocation-api
Tests:
- Name: Login from normal location
ExpectedResult: false
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_many_pages_deleted.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages.
DedupPeriodMinutes: 60
Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
Tests:
- Name: Other Event
ExpectedResult: false
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_many_pages_exported.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages.
DedupPeriodMinutes: 60
Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs.
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/export-your-content
Tests:
- Name: Other Event
ExpectedResult: false
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_accessible_to_api.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/sharing-and-permissions
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_accessible_to_guests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/sharing-and-permissions
Tests:
- Name: Guest Role Added
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_shared_to_web.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ Description: A Notion User published a page to the web.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Potential information exposure - review the shared page and rectify if needed.
Reference: https://www.notion.so/help/public-pages-and-web-publishing
1 change: 1 addition & 0 deletions rules/notion_rules/notion_page_view_impossible_travel.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible account compromise. Review activity of this user.
Reference: https://raxis.com/blog/simultaneous-sessions/
Tests:
- Name: Normal Page View
ExpectedResult: False
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_scim_token_generated.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Severity: Medium
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/provision-users-and-groups-with-scim
Tests:
- ExpectedResult: false
Log:
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_workspace_audit_log_exported.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/audit-log#export-your-audit-log
Tests:
- Name: Other Event
ExpectedResult: false
Expand Down
1 change: 1 addition & 0 deletions rules/notion_rules/notion_workspace_exported.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace
Tests:
- Name: Workspace Exported
ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices.
Reference: https://www.notion.so/help/saml-sso-configuration
Tests:
- Name: Other Event
ExpectedResult: false
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: A Notion page was made public. Check with the author to determine why this page was made public.
Reference: https://www.notion.so/help/public-pages-and-web-publishing
Tests:
- Name: Public page added
ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_app_unauthorized_access_attempt.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt"
Enabled: true
Filename: okta_app_unauthorized_access_attempt.py
Severity: Low
Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US
Tests:
- ExpectedResult: true
Log:
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_geo_improbable_access.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Reports:
Severity: High
Description: A user has subsequent logins from two geographic locations that are very far apart
Runbook: Reach out to the user if needed to validate the activity, then lock the account
Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts
SummaryAttributes:
- eventType
- severity
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_group_admin_role_assigned.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group
DisplayName: "Okta Group Admin Role Assigned"
Enabled: true
Filename: okta_group_admin_role_assigned.py
Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_user_account_locked.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: An Okta user has locked their account.
DisplayName: "Okta User Account Locked"
Enabled: true
Filename: okta_user_account_locked.py
Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US
Severity: Low
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_user_mfa_factor_suspend.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user.
DisplayName: "Okta User MFA Factor Suspend"
Enabled: true
Filename: okta_user_mfa_factor_suspend.py
Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_user_mfa_reset.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset"
RuleID: "Okta.User.MFA.Reset.Single"
Enabled: true
Filename: okta_user_mfa_reset.py
Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US
Severity: Info
Tests:
-
Expand Down
1 change: 1 addition & 0 deletions rules/okta_rules/okta_user_mfa_reset_all.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.'
DisplayName: "Okta User MFA Reset All"
Enabled: true
Filename: okta_user_mfa_reset_all.py
Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All
Severity: Low
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/onelogin_rules/onelogin_admin_role_assigned.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ LogTypes:
- OneLogin.Events
Tags:
- Identity & Access Management
Reference: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391
Severity: Low
SummaryAttributes:
- account_id
Expand Down
1 change: 1 addition & 0 deletions rules/onelogin_rules/onelogin_unusual_login.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ LogTypes:
- OneLogin.Events
Tags:
- Identity & Access Management
Reference: https://actzero.ai/resources/blog/a-smarter-way-to-detect-suspicious-cloud-logins
Severity: Medium
Description: Deprecated. Please see Standard.UnusualLogin instead.
SummaryAttributes:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ DisplayName: "BETA - Sensitive 1Password Item Accessed"
Enabled: false
LogTypes:
- OnePassword.ItemUsage
Reference: https://support.1password.com/1password-com-items/
Severity: Low
Description: Alerts when a user defined list of sensitive items in 1Password is accessed
SummaryAttributes:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ DisplayName: "Configuration Required - Sensitive 1Password Item Accessed"
Enabled: false
LogTypes:
- OnePassword.ItemUsage
Reference: https://support.1password.com/1password-com-items/
Severity: Low
Description: Alerts when a user defined list of sensitive items in 1Password is accessed
SummaryAttributes:
Expand Down
1 change: 1 addition & 0 deletions rules/panther_audit_rules/panther_detection_deleted.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Reports:
- TA0005:T1562
Description: Detection content has been removed from Panther.
Runbook: Ensure this change was approved and appropriate.
Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs
SummaryAttributes:
- p_any_ip_addresses
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/panther_audit_rules/panther_saml_modified.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Reports:
- TA0005:T1562
Description: An Admin has modified Panther's SAML configuration.
Runbook: Ensure this change was approved and appropriate.
Reference: https://docs.panther.com/system-configuration/saml
SummaryAttributes:
- p_any_ip_addresses
- p_any_usernames
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Reports:
- TA0003:T1098
Description: A Panther user role has been created that contains admin level permissions.
Runbook: Contact the creator of this role to ensure its creation was appropriate.
Reference: https://docs.panther.com/system-configuration/rbac
SummaryAttributes:
- p_any_ip_addresses
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/panther_audit_rules/panther_user_modified.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Reports:
- TA0003:T1098
Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user.
Runbook: Validate that this user modification was intentional.
Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management
SummaryAttributes:
- p_any_ip_addresses
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/salesforce_rules/salesforce_admin_login_as_user.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Salesforce Admin Login As User"
Enabled: true
Filename: salesforce_admin_login_as_user.py
Runbook: 'Please do an indicator search on USER_ID to find which user was assumed. '
Reference: https://help.salesforce.com/s/articleView?id=sf.logging_in_as_another_user.htm&type=5
Severity: Info
Tests:
- ExpectedResult: false
Expand Down
1 change: 1 addition & 0 deletions rules/sentinelone_rules/sentinelone_alert_passthrough.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: SentinelOne Alert Passthrough
DisplayName: "SentinelOne Alert Passthrough"
Enabled: true
Filename: sentinelone_alert_passthrough.py
Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/sentinelone_rules/sentinelone_threats.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ Description: 'Passthrough SentinelOne Threats '
DisplayName: "SentinelOne Threats"
Enabled: true
Filename: sentinelone_threats.py
Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/snyk_rules/snyk_misc_settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
- Snyk.OrgAudit
Tags:
- Snyk
Reference: https://docs.snyk.io/snyk-admin/manage-settings
Severity: Low
Description: >
Detects when Snyk settings that lack a clear security impact are changed
Expand Down
1 change: 1 addition & 0 deletions rules/snyk_rules/snyk_org_settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
- Snyk.OrgAudit
Tags:
- Snyk
Reference: https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings
Severity: Medium
Description: >
Detects when Snyk Organization settings, like Integrations and Webhooks, are changed
Expand Down
1 change: 1 addition & 0 deletions rules/snyk_rules/snyk_project_settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
- Snyk.OrgAudit
Tags:
- Snyk
Reference: https://docs.snyk.io/snyk-admin/introduction-to-snyk-projects/view-and-edit-project-settings
Severity: Medium
Description: >
Detects when Snyk Project settings are changed
Expand Down
1 change: 1 addition & 0 deletions rules/tailscale_rules/tailscale_https_disabled.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Tailscale HTTPS Disabled"
Enabled: true
Filename: tailscale_https_disabled.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://tailscale.com/kb/1153/enabling-https/#disable-https
Severity: High
Tests:
- ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Tailscale Machine Approval Requirements Disabled"
Enabled: true
Filename: tailscale_machine_approval_requirements_disabled.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://tailscale.com/kb/1099/device-approval/
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/tailscale_rules/tailscale_magicdns_disabled.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ DisplayName: "Tailscale Magic DNS Disabled"
Enabled: true
Filename: tailscale_magicdns_disabled.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
Reference: https://tailscale.com/kb/1081/magicdns/
Severity: High
Tests:
- ExpectedResult: true
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_actions_disabled_changes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ LogTypes:
- Tines.Audit
Tags:
- Tines
Reference: https://www.tines.com/university/tines-basics/architecture-of-an-action
Severity: Medium
Description: >
Detections when Tines Actions are set to Disabled Change
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_custom_ca.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
Tags:
- Tines
- IAM - Credential Security
Reference: https://www.tines.com/docs/admin/custom-certificate-authority
Severity: High
Description: >
Detects when Tines Custom CertificateAuthority settings are changed
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_enqueued_retrying_job_deletion.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ Tags:
Severity: Low
Description: "Currently enqueued or retrying jobs were cleared"
Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons."
Reference: https://www.tines.com/docs/self-hosting/job-management
DedupPeriodMinutes: 60
Threshold: 1
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_global_resource_destruction.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ Tags:
Severity: Low
Description: "A Tines user has destroyed a global resource."
Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons."
Reference: https://www.tines.com/docs/resources
DedupPeriodMinutes: 60
Threshold: 1
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_sso_settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ Tags:
Severity: High
Description: >
Detects when Tines SSO settings are changed
Reference: https://www.tines.com/docs/admin/single-sign-on
DedupPeriodMinutes: 60
Threshold: 1
SummaryAttributes:
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_story_items_destruction.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ Tags:
Severity: Info
Description: "A user has destroyed a story item"
Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons."
Reference: https://www.tines.com/docs/stories
DedupPeriodMinutes: 60
Threshold: 1
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_story_jobs_clearance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ Tags:
Severity: Low
Description: "A Tines User has cleared story jobs."
Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons."
Reference: https://www.tines.com/docs/stories
DedupPeriodMinutes: 60
Threshold: 1
Tests:
Expand Down
1 change: 1 addition & 0 deletions rules/tines_rules/tines_team_destruction.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ Tags:
Severity: Low
Description: "A user has destroyed a team"
Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons."
Reference: https://www.tines.com/docs/admin/teams
DedupPeriodMinutes: 60
Threshold: 1
Tests:
Expand Down
Loading

0 comments on commit c80bbf0

Please sign in to comment.