Skip to content

Commit

Permalink
Merge pull request #1321 from panther-labs/release
Browse files Browse the repository at this point in the history
Prepare for `v3.61.0`
  • Loading branch information
arielkr256 authored Aug 6, 2024
2 parents 100e543 + 9dd6a92 commit dca7bc6
Show file tree
Hide file tree
Showing 3 changed files with 64 additions and 10 deletions.
55 changes: 55 additions & 0 deletions correlation_rules/aws_potentially_compromised_service_role_cr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
AnalysisType: correlation_rule
RuleID: "AWS.Potentially.Stolen.Service.Role"
DisplayName: "DEPRECATED - AWS Potentially Stolen Service Role CR"
Enabled: false
Tags:
- AWS
- DEPRECATED
Severity: Info
Reports:
MITRE ATT&CK:
- T1528 # Steal Application Access Token
Description: A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.
Detection:
- Sequence:
- ID: Role Assumed by Service
RuleID: Role.Assumed.by.AWS.Service
- ID: Role Assumed by User
RuleID: Role.Assumed.by.User
Transitions:
- ID: Role Assumed by Service TO Role Assumed by User ON username
From: Role Assumed by Service
To: Role Assumed by User
Match:
- On: requestParameters.roleArn
Schedule:
RateMinutes: 1440
TimeoutMinutes: 20
LookbackWindowMinutes: 15
Tests:
- Name: Role Assumed By Service, Followed By Different Role Assumed By User
ExpectedResult: false
RuleOutputs:
- ID: Role Assumed by Service
Matches:
requestParameters.roleArn:
FAKE_ROLE_ARN:
- 0
- ID: Role Assumed by User
Matches:
requestParameters.roleArn:
OTHER_ROLE_ARN:
- 2
- Name: Role Assumed By Service, Followed By Role Assumed By User
ExpectedResult: true
RuleOutputs:
- ID: Role Assumed by Service
Matches:
requestParameters.roleArn:
FAKE_ROLE_ARN:
- 0
- ID: Role Assumed by User
Matches:
requestParameters.roleArn:
FAKE_ROLE_ARN:
- 2
Original file line number Diff line number Diff line change
Expand Up @@ -6,19 +6,18 @@ Severity: Critical
Description: Identifies when advances security change was made not to archive a repo. Eliminates false positives in the Advances Security Change Rule when the repo is archived.
Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts
Detection:
- Group:
- Sequence:
- ID: GHASChange
RuleID: GitHub.Advanced.Security.Change
- ID: RepoArchived
RuleID: Github.Repo.Archived
Absence: true
MatchCriteria:
field_name:
- GroupID: GHASChange
Match: p_alert_context.repo
- GroupID: RepoArchived
Match: p_alert_context.repo
EventEvaluationOrder: Chronological
Transitions:
- ID: GHASChange NOT FOLLOWED BY RepoArchived
From: RepoArchived
To: GHASChange
Match:
- On: p_alert_context.repo
LookbackWindowMinutes: 90
Schedule:
RateMinutes: 60
Expand All @@ -38,7 +37,7 @@ Tests:
my-org/example-repo:
- "2024-06-01T10:00:01Z"
- Name: Repo Archived followed by GHAS change on same repo
ExpectedResult: false
ExpectedResult: true
RuleOutputs:
- ID: RepoArchived
Matches:
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
AnalysisType: scheduled_rule
RuleID: "AWS.Potentially.Stolen.Service.Role"
RuleID: "AWS.Potentially.Stolen.Service.Role.Scheduled"
DisplayName: "AWS Potentially Stolen Service Role"
Enabled: true
Tags:
Expand Down

0 comments on commit dca7bc6

Please sign in to comment.