From e3d14a9d50ab9e60a18c6c861c33f890bbbc8b04 Mon Sep 17 00:00:00 2001
From: Oleh Melenevskyi
Date: Thu, 14 Dec 2023 11:10:23 +0200
Subject: [PATCH] Deprecated IOC rules

---
 packs/atlassian.yml | 1 -
 packs/panther.yml | 4 ----
 rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml | 1 +
 rules/panther_ioc_rules/log4j_exploit_iocs.yml | 1 +
 rules/panther_ioc_rules/sunburst_fqdn_iocs.yml | 1 +
 rules/panther_ioc_rules/sunburst_ip_iocs.yml | 1 +
 rules/panther_ioc_rules/sunburst_sha256_iocs.yml | 1 +
 7 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/packs/atlassian.yml b/packs/atlassian.yml
index 88857dcbc..944b942e0 100644
--- a/packs/atlassian.yml
+++ b/packs/atlassian.yml
@@ -4,7 +4,6 @@ Description: Group of all Atlassian detections
 PackDefinition:
   IDs:
     - Atlassian.User.LoggedInAsUser
-    - Confluence.0DayIPs
     # Globals used in these detections
     - panther_base_helpers
     - panther_config
diff --git a/packs/panther.yml b/packs/panther.yml
index 35c455982..a2801b129 100644
--- a/packs/panther.yml
+++ b/packs/panther.yml
@@ -7,10 +7,6 @@ PackDefinition:
     - Panther.SAML.Modified
     - Panther.Sensitive.Role
     - Panther.User.Modified
-    - IOC.SunburstFQDNIOCs
-    - IOC.SunburstSHA256IOCs
-    - Confluence.0DayIPs
-    - IOC.Log4jExploit
     # Data Model
     - Standard.Panther.Audit
     # Helpers
diff --git a/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
index 690ef7d69..a4a6eb9c5 100644
--- a/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
+++ b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
@@ -24,6 +24,7 @@ Tags:
   - Cloudflare
   - Nginx
   - Juniper
+  - Deprecated
 Severity: High
 Description: >
   Detects IP addresses observed exploiting the 0-Day CVE-2022-26134
diff --git a/rules/panther_ioc_rules/log4j_exploit_iocs.yml b/rules/panther_ioc_rules/log4j_exploit_iocs.yml
index b39c95e06..6450511f4 100644
--- a/rules/panther_ioc_rules/log4j_exploit_iocs.yml
+++ b/rules/panther_ioc_rules/log4j_exploit_iocs.yml
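Review bot: The pack hunks in packs/atlassian.yml and packs/panther.yml drop Confluence.0DayIPs, IOC.SunburstFQDNIOCs, IOC.SunburstSHA256IOCs and IOC.Log4jExploit from pack delivery, but the Sunburst IP rule that this same patch tags Deprecated in sunburst_ip_iocs.yml has no matching pack removal. If that rule's ID is listed in a pack not touched here, that pack keeps shipping a rule the commit marks as retired; a search of packs/ for its RuleID before merge would settle it. Removal from a pack also does not retire the rule for users who already installed it, so the commit message would benefit from one line saying why these IOC lists are being retired and what, if anything, replaces the coverage.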
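Review bot: In atlassian_confluence_ip_iocs.yml the added `- Deprecated` under Tags: is the only change, so the rule still runs at `Severity: High` against a static indicator list and nothing in the file tells an operator why it was retired; the same applies to the log4j_exploit_iocs.yml, sunburst_fqdn_iocs.yml, sunburst_ip_iocs.yml and sunburst_sha256_iocs.yml hunks. A lead sentence in the Description would carry that, e.g. `Description: >` followed by `  DEPRECATED - <reason and replacement>. Detects IP addresses observed exploiting the 0-Day CVE-2022-26134`. If these files carry an Enabled key (not visible in the hunk), setting it to false would also stop the deprecated rule from generating High alerts for users who already have it installed, which a tag alone does not do.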
@@ -24,6 +24,7 @@ Tags:
   - Web
   - Log4J
   - Execution:Exploitation for Client Execution
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0002:T1203
diff --git a/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml b/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
index dff59a9b4..a3b2fc58a 100644
--- a/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
+++ b/rules/panther_ioc__rules/sunburst_fqdn_iocs.yml
@@ -27,6 +27,7 @@ Tags:
   - OneLogin
   - Osquery
   - Initial Access:Trusted Relationship
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0001:T1199
diff --git a/rules/panther_ioc_rules/sunburst_ip_iocs.yml b/rules/panther_ioc_rules/sunburst_ip_iocs.yml
index 657137b96..8e8e95949 100644
--- a/rules/panther_ioc_rules/sunburst_ip_iocs.yml
+++ b/rules/panther_ioc_rules/sunburst_ip_iocs.yml
@@ -26,6 +26,7 @@ Tags:
   - SSH
   - OneLogin
   - Osquery
+  - Deprecated
 Severity: High
 Description: >
   Monitors for communication to known Sunburst Backdoor IPs. These IOCs indicate a potential breach and have been associated with a sophisticated nation-state actor.
diff --git a/rules/panther_ioc_rules/sunburst_sha256_iocs.yml b/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
index 4ea74b8e5..3698fb36e 100644
--- a/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
+++ b/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
@@ -25,6 +25,7 @@ Tags:
   - OneLogin
   - Osquery
   - Initial Access:Trusted Relationship
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0001:T1199