Prepare for v3.62.0

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.51"
+panther-analysis-tool = "~=0.52.1"
 panther-detection-helpers = "==0.4.0"
 
 [requires]

correlation_rules/aws_potentially_compromised_service_role_cr.yml

@@ -8,7 +8,7 @@ Tags:
 Severity: Info
 Reports:
   MITRE ATT&CK:
-    - T1528 # Steal Application Access Token
+    - TA0006:T1528 # Steal Application Access Token
 Description: A role was assumed by an AWS service, followed by a user within 24 hours.  This could indicate a stolen or compromised AWS service role.
 Detection:
   - Sequence:

correlation_rules/aws_privilege_escalation_via_user_compromise.yml

@@ -5,7 +5,7 @@ Enabled: true
 Severity: Medium
 Reports:
   MITRE ATT&CK:
-    - T1098.001 # Additional Cloud Credentials
+    - TA0004:T1098.001 # Additional Cloud Credentials
 Detection:
     - Sequence:
         - ID: User Backdoored

correlation_rules/aws_user_takeover_via_password_reset.yml

@@ -5,7 +5,7 @@ Enabled: true
 Severity: High
 Reports:
   MITRE ATT&CK:
-    - T1098.001 # Additional Cloud Credentials
+    - TA0004:T1098.001 # Additional Cloud Credentials
 Detection:
     - Sequence:
         - ID: Password Reset

correlation_rules/okta_login_without_push.yml

@@ -7,8 +7,8 @@ Tags:
   - Configuration Required
 Reports:
   MITRE ATT&CK:
-    - T1212 # Exploitation for Credential Access
-    - T1539 # Steal Web Session Cookie
+    - TA0006:T1212 # Exploitation for Credential Access
+    - TA0006:T1539 # Steal Web Session Cookie
 Severity: Critical
 Detection:
   - Sequence:

correlation_rules/potential_compromised_okta_credentials.yml

@@ -7,8 +7,8 @@ Tags:
   - Configuration Required
 Reports:
   MITRE ATT&CK:
-    - T1212 # Exploitation for Credential Access
-    - T1539 # Steal Web Session Cookie
+    - TA0006:T1212 # Exploitation for Credential Access
+    - TA0006:T1539 # Steal Web Session Cookie
 Severity: Critical
 Detection:
   - Sequence:

correlation_rules/secret_exposed_and_not_quarantined.yml

@@ -7,7 +7,7 @@ Tags:
 Severity: High
 Reports:
     MITRE ATT&CK:
-        - T1552.001
+        - TA0006:T1552.001
 Description: The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS.  When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.
 Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Detection:

global_helpers/crowdstrike_event_streams_helpers.py

@@ -2,6 +2,22 @@
 
 
 def cs_alert_context(event):
+    return audit_keys_dict(event)
+
+
+def audit_keys_dict(event):
     return key_value_list_to_dict(
         event.deep_get("event", "AuditKeyValues", default=[]), "Key", "ValueString"
     )
+
+
+def str_to_list(liststr: str) -> list[str]:
+    """Several crowdstrike values are returned as a list like "[x y z]". This function convetrs
+    such entries to Python list of strings, like: ["x", "y", "z"]."""
+    # Return empty list for empty string
+    if not liststr:
+        return []
+    # Validate
+    if liststr[0] != "[" or liststr[-1] != "]":
+        raise ValueError(f"Invalid list string: {liststr}")
+    return [x.strip() for x in liststr[1:-1].split(" ")]

global_helpers/panther_iocs.py

@@ -1,71 +1,5 @@
 # pylint: disable=line-too-long
 
-# 2022-06-02 Confluence 0-Day IOCs:
-# https://github.com/volexity/threat-intel/blob/main/2022/2022-06-02%20Active%20Exploitation%20Of%20Confluence%200-day/indicators/indicators.csv
-VOLEXITY_CONFLUENCE_IP_IOCS = {
-    "156.146.34.46",
-    "156.146.34.9",
-    "156.146.56.136",
-    "198.147.22.148",
-    "45.43.19.91",
-    "66.115.182.102",
-    "66.115.182.111",
-    "67.149.61.16",
-    "154.16.105.147",
-    "64.64.228.239",
-    "156.146.34.52",
-    "154.146.34.145",
-    "221.178.126.244",
-    "59.163.248.170",
-    "98.32.230.38",
-}
-
-# SUNBURST IOCs:
-# https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
-# Last accessed: 2021-11-17
-SUNBURST_FQDN_IOCS = {
-    "databasegalore.com",
-    "deftsecurity.com",
-    "freescanonline.com",
-    "highdatabase.com",
-    "incomeupdate.com",
-    "panhardware.com",
-    "thedoccloud.com",
-    "websitetheme.com",
-    "zupertech.com",
-    "6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
-    "7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com",
-    "gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com",
-    "ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com",
-    "k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com",
-    "mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com",
-}
-
-SUNBURST_IP_IOCS = {"0.0.0.1"}
-
-# https://github.com/mandiant/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv
-# Last accessed: 2021-11-17
-SUNBURST_SHA256_IOCS = {
-    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
-    "292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
-    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
-    "53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
-    "abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417",
-    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
-    "d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
-}
-
-# LOG4J IOCs:
-# IPs Pulled from the following sources, deduped and compiled here.
-# https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
-# https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv
-# https://raw.githubusercontent.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228/main/Threatview.io-log4j2-IOC-list
-# Created 12-13-21
-
-LOG4J_IP_IOCS = {
-    # The rule using this set has been deprecated and disabled by default
-    "0.0.0.1"
-}
 
 # Example sources:
 # - https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228

packs/crowdstrike_event_streams.yml

@@ -3,7 +3,17 @@ PackID: PantherManaged.CrowdstrikeEventStreams
 Description: Group of all Crowdstrike Event Stream detections
 PackDefinition:
   IDs:
+    - crowdstrike_event_streams_helpers
+    - panther_base_helpers
+
+    - Crowdstrike.AdminRoleAssigned
+    - Crowdstrike.AllowlistRemoved
     - Crowdstrike.API.Key.Created
     - Crowdstrike.API.Key.Deleted
-    - panther_base_helpers
-    - crowdstrike_event_streams_helpers
+    - Crowdstrike.EphemeralUserAccount
+    - Crowdstrike.IpAllowlistChanged
+    - Crowdstrike.NewAdminUserCreated
+    - Crowdstrike.NewUserCreated
+    - Crowdstrike.SingleIpAllowlisted
+    - Crowdstrike.UserDeleted
+    - Crowdstrike.UserPasswordChange

packs/github.yml

@@ -14,11 +14,12 @@ PackDefinition:
     - GitHub.Org.Modified
     - Github.Repo.CollaboratorChange
     - Github.Repo.Created
-    - GitHub.Repo.HookModified
+    #- GitHub.Repo.HookModified
     - GitHub.Repo.InitialAccess
     - Github.Repo.VisibilityChange
     - GitHub.Secret.Scanning.Alert.Created
     - GitHub.Team.Modified
+    - GitHub.Webhook.Modified
     - GitHub.User.AccessKeyCreated
     - GitHub.User.RoleUpdated
     - Github.Organization.App.Integration.Installed

queries/aws_queries/aws_potentially_compromised_service_role.yml

@@ -7,7 +7,7 @@ Tags:
 Severity: High
 Reports:
   MITRE ATT&CK:
-    - T1528 # Steal Application Access Token
+    - TA0006:T1528 # Steal Application Access Token
 Description: A role was assumed by an AWS service, followed by a user within 24 hours.  This could indicate a stolen or compromised AWS service role.
 Filename: scheduled_rule_default.py
 ScheduledQueries:

rules/auth0_rules/auth0_user_invitation_created.yml

@@ -4,6 +4,7 @@ Enabled: true
 Filename: auth0_user_invitation_created.py
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members
 Severity: Info
+CreateAlert: false
 Tests:
   - ExpectedResult: true
     Log:

rules/auth0_rules/auth0_user_joined_tenant.yml

@@ -6,6 +6,7 @@ Filename: auth0_user_joined_tenant.py
 RuleID: Auth0.User.Joined.Tenant
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can
 Severity: Info
+CreateAlert: false
 LogTypes:
   - Auth0.Events
 Tests:

rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml

@@ -8,6 +8,7 @@ Reports:
   MITRE ATT&CK:
     - TA0007:T1087
 Severity: Info
+CreateAlert: false
 Tests:
   - ExpectedResult: true
     Log:

rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.py

@@ -12,9 +12,9 @@ def rule(event):
         "DeleteTrafficMirrorFilterRule",
         "DeleteTrafficMirrorSession",
         "DeleteTrafficMirrorTarget",
-        "DescribeTrafficMirrorFilters",
-        "DescribeTrafficMirrorSessions",
-        "DescribeTrafficMirrorTargets",
+        # "DescribeTrafficMirrorFilters",
+        # "DescribeTrafficMirrorSessions",
+        # "DescribeTrafficMirrorTargets",
         "ModifyTrafficMirrorFilterNetworkServices",
         "ModifyTrafficMirrorFilterRule",
         "ModifyTrafficMirrorSession",
@@ -28,9 +28,6 @@ def rule(event):
 
 
 def title(event):
-    # (Optional) Return a string which will be shown as the alert title.
-    # If no 'dedup' function is defined, the return value of this method will
-    # act as deduplication string.
     return (
         f"{event.get('userIdentity',{}).get('arn','no-type')} ec2 activity found for "
         f"{event.get('eventName')} in account {event.get('recipientAccountId')} "
@@ -39,12 +36,8 @@ def title(event):
 
 
 def dedup(event):
-    #  (Optional) Return a string which will be used to deduplicate similar alerts.
-    # Dedupe based on user identity, to not include multiple events from the same identity.
     return f"{event.get('userIdentity',{}).get('arn','no-user-identity-provided')}"
 
 
 def alert_context(event):
-    #  (Optional) Return a dictionary with additional data to be included
-    #  in the alert sent to the SNS/SQS/Webhook destination
     return aws_rule_context(event)

rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.yml

@@ -10,6 +10,13 @@ Tags:
   - AWS
   - Cloudtrail
   - MITRE
+DedupPeriodMinutes: 1440
+LogTypes:
+  - AWS.CloudTrail
+RuleID: "AWS.EC2.Traffic.Mirroring"
+SummaryAttributes:
+  - userIdentity.type
+Threshold: 1
 Tests:
   - ExpectedResult: true
     Log:
@@ -341,7 +348,7 @@ Tests:
           webIdFederationData: {}
         type: AssumedRole
     Name: DeleteTrafficMirrorTarget
-  - ExpectedResult: true
+  - ExpectedResult: false
     Log:
       awsRegion: us-east-1
       eventCategory: Management
@@ -553,10 +560,3 @@ Tests:
             "type": "AssumedRole",
           },
       }
-DedupPeriodMinutes: 60
-LogTypes:
-  - AWS.CloudTrail
-RuleID: "AWS.EC2.Traffic.Mirroring"
-SummaryAttributes:
-  - userIdentity.type
-Threshold: 1

rules/aws_cloudtrail_rules/aws_ecr_crud.yml

@@ -14,7 +14,8 @@ Reports:
     - 3.12
   MITRE ATT&CK:
     - TA0005:T1525
-Severity: High
+Severity: Info
+CreateAlert: false
 Description: Unauthorized ECR Create, Read, Update, or Delete event occurred.
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
 Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html#security_iam_authentication

rules/aws_cloudtrail_rules/aws_ecr_events.yml

@@ -12,7 +12,8 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0005:T1535
-Severity: Medium
+Severity: Info
+CreateAlert: false
 Description: An ECR event occurred outside of an expected account or region
 Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html
 Reference: https://aws.amazon.com/blogs/containers/amazon-ecr-in-multi-account-and-multi-region-architectures/

rules/aws_cloudtrail_rules/aws_iam_group_read_only_events.yml

@@ -6,6 +6,7 @@ Filename: aws_iam_group_read_only_events.py
 Reference: https://attack.mitre.org/techniques/T1069/
 Runbook: Examine other activities done by this user to determine whether or not activity is suspicious.
 Severity: Info
+CreateAlert: false
 Tags:
   - AWS
   - Cloudtrail

rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

@@ -8,7 +8,8 @@ Reports:
   MITRE ATT&CK:
     - TA0009:T1530
 Runbook: Investigate all actions taken and validate that the ARN conducting the acitivty was not compromised
-Severity: High
+Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 SummaryAttributes:

rules/aws_cloudtrail_rules/aws_snapshot_made_public.py

@@ -3,6 +3,8 @@
 from panther_base_helpers import aws_rule_context, deep_get
 from panther_default import aws_cloudtrail_success
 
+IS_SINGLE_USER_SHARE = False  # Used to adjust severity
+
 
 def rule(event):
     if not aws_cloudtrail_success(event):
@@ -19,11 +21,20 @@ def rule(event):
             if not isinstance(item, (Mapping, dict)):
                 continue
             if item.get("userId") or item.get("group") == "all":
+                global IS_SINGLE_USER_SHARE  # pylint: disable=global-statement
+                IS_SINGLE_USER_SHARE = "userId" in item  # Used for dynamic severity
                 return True
         return False
 
     return False
 
 
+def severity(_):
+    # Set severity to INFO if only shared with a single user
+    if IS_SINGLE_USER_SHARE:
+        return "INFO"
+    return "DEFAULT"
+
+
 def alert_context(event):
     return aws_rule_context(event)