diff --git a/packs/asana.yml b/packs/asana.yml
index e22778505..6e1346baf 100644
--- a/packs/asana.yml
+++ b/packs/asana.yml
@@ -13,6 +13,7 @@ PackDefinition:
 - Asana.Workspace.Require.App.Approvals.Disabled
 - Asana.Workspace.Password.Requirements.Simple
 - Asana.Workspace.Org.Export
+ - Asana.Workspace.New.Admin
 # Globals used in these detections
 - panther_asana_helpers
 - panther_base_helpers
diff --git a/packs/box.yml b/packs/box.yml
index 2b0b593eb..6868d0e05 100644
--- a/packs/box.yml
+++ b/packs/box.yml
@@ -12,6 +12,8 @@ PackDefinition:
 - Box.Untrusted.Device
 - Box.Large.Number.Downloads
 - Box.Large.Number.Permission.Updates
+ - Box.Item.Shared.Externally
+ - Box.Event.Triggered.Externally
 # Globals used in these detections
 - panther_base_helpers
 - panther_box_helpers
diff --git a/packs/cisco_umbrella_dns.yml b/packs/cisco_umbrella_dns.yml
index 55cae731c..527f45088 100644
--- a/packs/cisco_umbrella_dns.yml
+++ b/packs/cisco_umbrella_dns.yml
@@ -4,5 +4,7 @@ Description: Group of all Cisco Umbrella detections
 PackDefinition:
 IDs:
 - CiscoUmbrella.DNS.Blocked
+ - CiscoUmbrella.DNS.FuzzyMatching
+ - CiscoUmbrella.DNS.Suspicious
 # Globals used in these detections
 DisplayName: "Panther Cisco Umbrella Pack"
diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml
index 273913382..5aa1ee6ce 100644
--- a/packs/crowdstrike.yml
+++ b/packs/crowdstrike.yml
@@ -19,6 +19,10 @@ PackDefinition:
 - Crowdstrike.Macos.Add.Trusted.Cert
 - Crowdstrike.Macos.Plutil.Usage
 - Crowdstrike.Macos.Osascript.Administrator
+ - Crowdstrike.DNS.Request
+ - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
+ - Okta.Login.From.CrowdStrike.Unmanaged.Device
+ - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/dropbox.yml b/packs/dropbox.yml
index 3ad8e3845..acd02b37a 100644
--- a/packs/dropbox.yml
+++ b/packs/dropbox.yml
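Review bot: The three `*.From.CrowdStrike.Unmanaged.Device` IDs added to packs/crowdstrike.yml correlate Okta, 1Password and AWS authentication events with CrowdStrike host data, so installing this pack on its own does not make them useful — each also needs the matching Okta, 1Password or AWS log source onboarded. A comment above them such as `# Cross-source detections: also require the matching Okta / 1Password / AWS log source` would make that dependency visible to whoever enables the pack. The Okta and OnePassword variants are also added to packs/okta.yml and packs/onepassword.yml in this same commit, while the AWS variant does not appear in any other pack in this diff — worth confirming it is reachable from an AWS pack too. If these rules import a helper beyond what is listed under `# Globals used in these detections`, that global should be added to the list as well.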
@@ -9,6 +9,8 @@ PackDefinition:
 - Dropbox.Ownership.Transfer
 - Dropbox.User.Disabled.2FA
 - Dropbox.Admin.sign.in.as.Session
+ - Dropbox.Many.Deletes
+ - Dropbox.Many.Downloads
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/github.yml b/packs/github.yml
index bb5de9948..137a18d56 100644
--- a/packs/github.yml
+++ b/packs/github.yml
@@ -23,6 +23,7 @@ PackDefinition:
 - Github.Organization.App.Integration.Installed
 - Github.Public.Repository.Created
 - Github.Repository.Transfer
+ - GitHub.Action.Failed
 # Data model
 - Standard.Github.Audit
 # Globals
diff --git a/packs/gravitational_teleport.yml b/packs/gravitational_teleport.yml
index e29f3403d..697408726 100644
--- a/packs/gravitational_teleport.yml
+++ b/packs/gravitational_teleport.yml
@@ -8,6 +8,14 @@ PackDefinition:
 - Teleport.NetworkScanning
 - Teleport.ScheduledJobs
 - Teleport.SuspiciousCommands
+ - Teleport.SAMLLoginWithoutCompanyDomain
+ - Teleport.LocalUserLoginWithoutMFA
+ - Teleport.CompanyDomainLoginWithoutSAML
+ - Teleport.LongLivedCerts
+ - Teleport.LockCreated
+ - Teleport.RoleCreated
+ - Teleport.SAMLCreated
+ - Teleport.RootLogin
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/notion.yml b/packs/notion.yml
index c50e9f5b6..4e47fa45a 100644
--- a/packs/notion.yml
+++ b/packs/notion.yml
@@ -15,6 +15,7 @@ PackDefinition:
 - Notion.Workspace.Exported
 - Notion.Workspace.SCIM.Token.Generated
 - Notion.Workspace.Public.Page.Added
+ - Notion.LoginFromBlockedIP
 # Globals used in these detections
 - panther_base_helpers
 - panther_oss_helpers
diff --git a/packs/okta.yml b/packs/okta.yml
index faf4469fb..1df658a97 100644
--- a/packs/okta.yml
+++ b/packs/okta.yml
@@ -6,7 +6,6 @@ PackDefinition:
 - Okta.AdminRoleAssigned
 - Okta.APIKeyCreated
 - Okta.APIKeyRevoked
- # - Okta.GeographicallyImprobableAccess DEPRECATED
 - Okta.Support.Access
 - Okta.Global.MFA.Disabled
 - Okta.ThreatInsight.Security.Threat.Detected
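Review bot: `GitHub.Action.Failed` is the only entry in packs/github.yml spelled with a capital H; every neighbouring ID uses the `Github.` prefix (`Github.Repository.Transfer`, `Standard.Github.Audit`). Pack entries have to match the rule's RuleID exactly, so the spelling is presumably taken from the rule file, but it is worth confirming that, and if the rule is new in this change, aligning its RuleID with the existing `Github.` convention before it ships rather than living with two spellings in one pack.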
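Review bot: Among the eight IDs added to packs/gravitational_teleport.yml, `Teleport.SAMLLoginWithoutCompanyDomain` and `Teleport.CompanyDomainLoginWithoutSAML` are named as if they depend on an organisation-specific company domain being configured; `panther_config` is already listed under `# Globals used in these detections`, which is presumably where that value lives, but nothing in the pack says so. A one-line comment beside those entries, e.g. `# The *CompanyDomain* rules need the organisation's domain configured in panther_config`, would stop users from enabling rules that cannot behave as intended until that value is set.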
@@ -25,6 +24,11 @@ PackDefinition:
 - Okta.Org2org.Creation.Modification
 - Okta.Password.Extraction.via.SCIM
 - Okta.Phishing.Attempt.Blocked.FastPass
+ - Okta.User.MFA.Reset.Single
+ - Okta.PasswordAccess
+ - Okta.Login.From.CrowdStrike.Unmanaged.Device
+ - Okta.PotentiallyStolenSession
+ - Okta.Support.Reset
 # Globals used in these detections
 - panther_base_helpers
 - panther_oss_helpers
diff --git a/packs/onepassword.yml b/packs/onepassword.yml
index 8ea7183df..2149c2075 100644
--- a/packs/onepassword.yml
+++ b/packs/onepassword.yml
@@ -8,6 +8,9 @@ PackDefinition:
 - Standard.OnePassword.SignInAttempt
 # 1Password Specific Rules
 - OnePassword.Unusual.Client
+ - OnePassword.Lut.Sensitive.Item
+ - OnePassword.Sensitive.Item
+ - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
 # Supporting Global Helpers
 - panther_base_helpers
 - panther_event_type_helpers
diff --git a/packs/osquery.yml b/packs/osquery.yml
index adac2b24d..32ab36f22 100644
--- a/packs/osquery.yml
+++ b/packs/osquery.yml
@@ -14,6 +14,7 @@ PackDefinition:
 - Osquery.UnsupportedMacOS
 - Osquery.SSHListener
 - Osquery.SuspiciousCron
+ - Osquery.Linux.LoginFromNonOffice
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/tines.yml b/packs/tines.yml
index bca8c6bda..59fb15934 100644
--- a/packs/tines.yml
+++ b/packs/tines.yml
@@ -12,6 +12,7 @@ PackDefinition:
 - Tines.Story.Jobs.Clearance
 - Tines.Team.Destruction
 - Tines.Tenant.AuthToken
+ - Tines.Actions.DisabledChanges
 # Globals
 - global_filter_tines
 - panther_base_helpers
diff --git a/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
index 690ef7d69..a4a6eb9c5 100644
--- a/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
+++ b/rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml
@@ -24,6 +24,7 @@ Tags:
 - Cloudflare
 - Nginx
 - Juniper
+ - Deprecated
 Severity: High
 Description: >
 Detects IP addresses observed exploiting the 0-Day CVE-2022-26134
diff --git a/rules/panther_ioc_rules/log4j_exploit_iocs.yml b/rules/panther_ioc_rules/log4j_exploit_iocs.yml
index b39c95e06..6450511f4 100644
--- a/rules/panther_ioc_rules/log4j_exploit_iocs.yml
+++ b/rules/panther_ioc_rules/log4j_exploit_iocs.yml
@@ -24,6 +24,7 @@ Tags:
 - Web
 - Log4J
 - Execution:Exploitation for Client Execution
+ - Deprecated
 Reports:
 MITRE ATT&CK:
 - TA0002:T1203
diff --git a/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml b/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
index dff59a9b4..a3b2fc58a 100644
--- a/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
+++ b/rules/panther_ioc_rules/sunburst_fqdn_iocs.yml
@@ -27,6 +27,7 @@ Tags:
 - OneLogin
 - Osquery
 - Initial Access:Trusted Relationship
+ - Deprecated
 Reports:
 MITRE ATT&CK:
 - TA0001:T1199
diff --git a/rules/panther_ioc_rules/sunburst_ip_iocs.yml b/rules/panther_ioc_rules/sunburst_ip_iocs.yml
index 657137b96..8e8e95949 100644
--- a/rules/panther_ioc_rules/sunburst_ip_iocs.yml
+++ b/rules/panther_ioc_rules/sunburst_ip_iocs.yml
@@ -26,6 +26,7 @@ Tags:
 - SSH
 - OneLogin
 - Osquery
+ - Deprecated
 Severity: High
 Description: >
 Monitors for communication to known Sunburst Backdoor IPs. These IOCs indicate a potential breach and have been associated with a sophisticated nation-state actor.
diff --git a/rules/panther_ioc_rules/sunburst_sha256_iocs.yml b/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
index 4ea74b8e5..3698fb36e 100644
--- a/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
+++ b/rules/panther_ioc_rules/sunburst_sha256_iocs.yml
@@ -25,6 +25,7 @@ Tags:
 - OneLogin
 - Osquery
 - Initial Access:Trusted Relationship
+ - Deprecated
 Reports:
 MITRE ATT&CK:
 - TA0001:T1199
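Review bot: Adding `Deprecated` to `Tags:` in rules/panther_ioc_rules/atlassian_confluence_ip_iocs.yml (and identically in log4j_exploit_iocs.yml, sunburst_fqdn_iocs.yml, sunburst_ip_iocs.yml and sunburst_sha256_iocs.yml) changes only metadata; nothing in these hunks stops the rules from evaluating or records what replaces them. If the intent is to retire these IOC rules, the rule header's `Enabled` setting (outside the hunk, if the file has one) should be set to `false` in the same change so that the tag and the runtime behaviour agree. Each rule's `Description` could also gain a sentence such as `Deprecated: these indicators are no longer maintained; see <replacement rule or removal date>.` so that anyone who still has the rule enabled understands why it is being phased out.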