panther-labs · egibs · Jan 16, 2024 · Dec 13, 2023 · Dec 14, 2023 · Jan 15, 2024
@@ -13,6 +13,7 @@ PackDefinition:
     - Asana.Workspace.Require.App.Approvals.Disabled
     - Asana.Workspace.Password.Requirements.Simple
     - Asana.Workspace.Org.Export
+    - Asana.Workspace.New.Admin
     # Globals used in these detections
     - panther_asana_helpers
     - panther_base_helpers

@@ -12,6 +12,8 @@ PackDefinition:
     - Box.Untrusted.Device
     - Box.Large.Number.Downloads
     - Box.Large.Number.Permission.Updates
+    - Box.Item.Shared.Externally
+    - Box.Event.Triggered.Externally
     # Globals used in these detections
     - panther_base_helpers
     - panther_box_helpers

@@ -4,5 +4,7 @@ Description: Group of all Cisco Umbrella detections
 PackDefinition:
   IDs:
     - CiscoUmbrella.DNS.Blocked
+    - CiscoUmbrella.DNS.FuzzyMatching
+    - CiscoUmbrella.DNS.Suspicious
     # Globals used in these detections
 DisplayName: "Panther Cisco Umbrella Pack"
@@ -19,6 +19,10 @@ PackDefinition:
     - Crowdstrike.Macos.Add.Trusted.Cert
     - Crowdstrike.Macos.Plutil.Usage
     - Crowdstrike.Macos.Osascript.Administrator
+    - Crowdstrike.DNS.Request
+    - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
+    - Okta.Login.From.CrowdStrike.Unmanaged.Device
+    - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -9,6 +9,8 @@ PackDefinition:
     - Dropbox.Ownership.Transfer
     - Dropbox.User.Disabled.2FA
     - Dropbox.Admin.sign.in.as.Session
+    - Dropbox.Many.Deletes
+    - Dropbox.Many.Downloads
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -23,6 +23,7 @@ PackDefinition:
     - Github.Organization.App.Integration.Installed
     - Github.Public.Repository.Created
     - Github.Repository.Transfer
+    - GitHub.Action.Failed
     # Data model
     - Standard.Github.Audit
     # Globals

@@ -8,6 +8,14 @@ PackDefinition:
     - Teleport.NetworkScanning
     - Teleport.ScheduledJobs
     - Teleport.SuspiciousCommands
+    - Teleport.SAMLLoginWithoutCompanyDomain
+    - Teleport.LocalUserLoginWithoutMFA
+    - Teleport.CompanyDomainLoginWithoutSAML
+    - Teleport.LongLivedCerts
+    - Teleport.LockCreated
+    - Teleport.RoleCreated
+    - Teleport.SAMLCreated
+    - Teleport.RootLogin
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -15,6 +15,7 @@ PackDefinition:
     - Notion.Workspace.Exported
     - Notion.Workspace.SCIM.Token.Generated
     - Notion.Workspace.Public.Page.Added
+    - Notion.LoginFromBlockedIP
     # Globals used in these detections
     - panther_base_helpers
     - panther_oss_helpers

@@ -6,7 +6,6 @@ PackDefinition:
     - Okta.AdminRoleAssigned
     - Okta.APIKeyCreated
     - Okta.APIKeyRevoked
-    # - Okta.GeographicallyImprobableAccess DEPRECATED
     - Okta.Support.Access
     - Okta.Global.MFA.Disabled
     - Okta.ThreatInsight.Security.Threat.Detected
@@ -25,6 +24,11 @@ PackDefinition:
     - Okta.Org2org.Creation.Modification
     - Okta.Password.Extraction.via.SCIM
     - Okta.Phishing.Attempt.Blocked.FastPass
+    - Okta.User.MFA.Reset.Single
+    - Okta.PasswordAccess
+    - Okta.Login.From.CrowdStrike.Unmanaged.Device
+    - Okta.PotentiallyStolenSession
+    - Okta.Support.Reset
     # Globals used in these detections
     - panther_base_helpers
     - panther_oss_helpers

@@ -8,6 +8,9 @@ PackDefinition:
     - Standard.OnePassword.SignInAttempt
     # 1Password Specific Rules
     - OnePassword.Unusual.Client
+    - OnePassword.Lut.Sensitive.Item
+    - OnePassword.Sensitive.Item
+    - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
     # Supporting Global Helpers
     - panther_base_helpers
     - panther_event_type_helpers

@@ -14,6 +14,7 @@ PackDefinition:
     - Osquery.UnsupportedMacOS
     - Osquery.SSHListener
     - Osquery.SuspiciousCron
+    - Osquery.Linux.LoginFromNonOffice
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -12,6 +12,7 @@ PackDefinition:
     - Tines.Story.Jobs.Clearance
     - Tines.Team.Destruction
     - Tines.Tenant.AuthToken
+    - Tines.Actions.DisabledChanges
     # Globals
     - global_filter_tines
     - panther_base_helpers

@@ -24,6 +24,7 @@ Tags:
   - Cloudflare
   - Nginx
   - Juniper
+  - Deprecated
 Severity: High
 Description: >
    Detects IP addresses observed exploiting the 0-Day CVE-2022-26134

@@ -24,6 +24,7 @@ Tags:
   - Web
   - Log4J
   - Execution:Exploitation for Client Execution
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0002:T1203

@@ -27,6 +27,7 @@ Tags:
   - OneLogin
   - Osquery
   - Initial Access:Trusted Relationship
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0001:T1199

@@ -26,6 +26,7 @@ Tags:
   - SSH
   - OneLogin
   - Osquery
+  - Deprecated
 Severity: High
 Description: >
   Monitors for communication to known Sunburst Backdoor IPs. These IOCs indicate a potential breach and have been associated with a sophisticated nation-state actor.

@@ -25,6 +25,7 @@ Tags:
   - OneLogin
   - Osquery
   - Initial Access:Trusted Relationship
+  - Deprecated
 Reports:
   MITRE ATT&CK:
     - TA0001:T1199