Merge branch 'main' into release

panther-labs · Jul 23, 2024 · c952bf2 · c952bf2
2 parents 990bbe3 + 8ddde32
commit c952bf2
Show file tree

Hide file tree

Showing 10 changed files with 16 additions and 16 deletions.
diff --git a/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml b/correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml
@@ -23,7 +23,7 @@ Detection:
       LookbackWindowMinutes: 90
       Schedule:
         RateMinutes: 60
-        TimeoutMinutes: 1
+        TimeoutMinutes: 5
 Tests:
     - Name: Instance Stopped, Followed By Script Change
       ExpectedResult: true

diff --git a/correlation_rules/aws_potentially_compromised_service_role.yml b/correlation_rules/aws_potentially_compromised_service_role.yml
@@ -23,7 +23,7 @@ Detection:
           - On: requestParameters.roleArn
     Schedule:
       RateMinutes: 60
-      TimeoutMinutes: 2
+      TimeoutMinutes: 15
     LookbackWindowMinutes: 1440
 Tests:
     - Name: Role Assumed By Service, Followed By Role Assumed By User
@@ -61,4 +61,4 @@ Tests:
         - ID: Role Assumed by User
           Matches:
             requestParameters.roleArn:
-              FAKE_ROLE_ARN: [0]
+              FAKE_ROLE_ARN: [0]
diff --git a/correlation_rules/aws_privilege_escalation_via_user_compromise.yml b/correlation_rules/aws_privilege_escalation_via_user_compromise.yml
@@ -20,7 +20,7 @@ Detection:
             - On: p_alert_context.ip_accessKeyId
       Schedule:
         RateMinutes: 15
-        TimeoutMinutes: 2
+        TimeoutMinutes: 5
       LookbackWindowMinutes: 60
 Tests:
     - Name: Access Key Created and Used from Same IP
@@ -69,4 +69,4 @@ Tests:
         - ID: User Accessed
           Matches:
             p_alert_context.ip_accessKeyId:
-              1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
+              1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
diff --git a/correlation_rules/aws_user_takeover_via_password_reset.yml b/correlation_rules/aws_user_takeover_via_password_reset.yml
@@ -20,7 +20,7 @@ Detection:
             - On: sourceIPAddress
       Schedule:
         RateMinutes: 15
-        TimeoutMinutes: 2
+        TimeoutMinutes: 5
       LookbackWindowMinutes: 60
 Tests:
     - Name: Password Reset, Then Login From Same IP

diff --git a/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml b/correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml
@@ -26,7 +26,7 @@ Detection:
       LookbackWindowMinutes: 90
       Schedule:
         RateMinutes: 60 
-        TimeoutMinutes: 1
+        TimeoutMinutes: 5
 Tests:
     - Name: GCP Service Run, Followed By IAM Policy Change From Same IP
       ExpectedResult: true

diff --git a/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml b/correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml
@@ -21,7 +21,7 @@ Detection:
     LookbackWindowMinutes: 15
     Schedule:
       RateMinutes: 10
-      TimeoutMinutes: 1
+      TimeoutMinutes: 5
 Tests:
     - Name: Security Change on Repo, Followed By Same Repo Archived
       ExpectedResult: false
@@ -56,4 +56,4 @@ Tests:
           Matches:
             p_alert_context.repo:
               my-org/example-repo:
-                - "2024-06-01T10:00:00Z"
+                - "2024-06-01T10:00:00Z"
diff --git a/correlation_rules/okta_login_without_push.yml b/correlation_rules/okta_login_without_push.yml
@@ -26,7 +26,7 @@ Detection:
             To: new.email
     Schedule:
       RateMinutes: 5
-      TimeoutMinutes: 2
+      TimeoutMinutes: 3
     LookbackWindowMinutes: 30
 Tests:
   - Name: Okta Login, Followed By Push Authorized Login
@@ -62,4 +62,4 @@ Tests:
         Matches:
           new.email:
             [email protected]:
-              - 3
+              - 3
diff --git a/correlation_rules/potential_compromised_okta_credentials.yml b/correlation_rules/potential_compromised_okta_credentials.yml
@@ -25,7 +25,7 @@ Detection:
             To: new.employee.email
     Schedule:
       RateMinutes: 5
-      TimeoutMinutes: 1
+      TimeoutMinutes: 3
     LookbackWindowMinutes: 30
 Tests:
   - Name: Login Without Marker, Followed By Phishing Detection
@@ -61,4 +61,4 @@ Tests:
         Matches:
           actor.alternateId:
             [email protected]:
-              - 0
+              - 0
diff --git a/correlation_rules/secret_exposed_and_not_quarantined.yml b/correlation_rules/secret_exposed_and_not_quarantined.yml
@@ -23,7 +23,7 @@ Detection:
           To: SecretNotQuarantined
       Schedule:
         RateMinutes: 10
-        TimeoutMinutes: 2
+        TimeoutMinutes: 3
       LookbackWindowMinutes: 30
 Tests:
     - Name: Secret Found and Quarantied
@@ -43,4 +43,4 @@ Tests:
         - ID: SecretFound
           Matches:
             foo:
-              bar: [0]
+              bar: [0]
diff --git a/correlation_rules/snowflake_data_exfiltration.yml b/correlation_rules/snowflake_data_exfiltration.yml
@@ -29,7 +29,7 @@ Detection:
           - On: stage
     Schedule:
       RateMinutes: 720
-      TimeoutMinutes: 2
+      TimeoutMinutes: 15
     LookbackWindowMinutes: 1440
 Tests:
     - Name: Data Exfiltration