Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Unpacked Items to Packs #1361

Merged
merged 5 commits into from
Sep 30, 2024
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions packs/auth0.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ PackID: PantherManaged.Auth0
Description: Group of all Auth0 detections
PackDefinition:
IDs:
- Auth0.CIC.Credential.Stuffing
- Auth0.Custom.Role.Created
- Auth0.Integration.Installed
- Auth0.MFA.Factor.Setting.Enabled
Expand Down
5 changes: 5 additions & 0 deletions packs/aws.yml
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ PackDefinition:
- AWS.PasswordPolicy.ComplexityGuidelines
- AWS.PasswordPolicy.PasswordAgeLimit
- AWS.PasswordPolicy.PasswordReuse
- AWS.Potentially.Stolen.Service.Role.Scheduled
- AWS.Suspicious.SAML.Activity
- AWS.User.Login.Profile.Modified
# General Policies and Rules
Expand Down Expand Up @@ -165,14 +166,18 @@ PackDefinition:
# Correlation Rules
- AWS.Potentially.Stolen.Service.Role
- AWS.Privilege.Escalation.Via.User.Compromise
- AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
- AWS.User.Takeover.Via.Password.Reset
# Signal Rules
- Role.Assumed.by.AWS.Service
- Role.Assumed.by.User
- AWS.CloudTrail.UserAccessKeyAuth
- AWS.CloudTrail.LoginProfileCreatedOrModified
- AWS.Console.Login
- Retrieve.SSO.access.token
- Sign-in.with.AWS.CLI.prompt
# Queries
- AWS Potentially Stolen Service Role
- Query.CloudTrail.Password.Spraying
- Query.VPC.DNS.Tunneling
- VPC Flow Port Scanning
Expand Down
21 changes: 21 additions & 0 deletions packs/gcp_k8.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
AnalysisType: pack
PackID: PantherManaged.GCP.K8
DisplayName: "Panther GCP Kubernetes Pack"
Description: Group of all Google Cloud Platform (GCP) K8 detections
PackDefinition:
IDs:
# DataModel
- Standard.GCP.AuditLog
# Rules
ben-githubs marked this conversation as resolved.
Show resolved Hide resolved
- GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
- GCP.K8S.Privileged.Pod.Created
- GCP.K8S.Service.Type.NodePort.Deployed
- GCP.K8s.IOC.Activity
- GCP.K8s.Pod.Attached.To.Node.Host.Network
- GCP.K8s.Pod.Using.Host.PID.Namespace
# Globals
- gcp_base_helpers
- panther_base_helpers
- panther_config
- panther_config_defaults
- panther_config_overrides
1 change: 0 additions & 1 deletion packs/github.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ PackDefinition:
- Github.Repo.Archived
- Github.Repo.CollaboratorChange
- Github.Repo.Created
#- GitHub.Repo.HookModified
- GitHub.Repo.InitialAccess
- Github.Repo.VisibilityChange
- Github.Repo.VulnerabilityDismissed
Expand Down
5 changes: 4 additions & 1 deletion packs/multisource_correlations.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ PackDefinition:
- Secret.Exposed.and.not.Quarantined
- GitHub.Secret.Scanning.Alert.Created
- AWS.CloudTrail.IAMCompromisedKeyQuarantine
- global_filter_github
- Okta.SSO.to.AWS
- AWS.Console.Sign-In
- AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta

# Okta + Push Security
- Okta.Login.Without.Push
Expand All @@ -24,6 +26,7 @@ PackDefinition:
- Standard.AWS.CloudTrail

# Global Helpers
- global_filter_github
- panther_base_helpers
- panther_config
- panther_config_defaults
Expand Down
4 changes: 4 additions & 0 deletions packs/snowflake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ PackDefinition:
- Query.Snowflake.External.Shares
- Query.Snowflake.FileDownloaded
- Query.Snowflake.KeyUserPasswordLogin
- Query.Snowflake.MFALogin
- Query.Snowflake.Multiple.Logins.Followed.By.Success
- Query.Snowflake.PublicRoleGrant
- Query.Snowflake.SuspectedUserAccess
- Query.Snowflake.TempStageCreated
- Query.Snowflake.UserCreated
Expand All @@ -34,7 +36,9 @@ PackDefinition:
- Snowflake.External.Shares
- Snowflake.FileDownloaded
- Snowflake.KeyUserPasswordLogin
- Snowflake.LoginWithoutMFA
- Snowflake.Multiple.Failed.Logins.Followed.By.Success
- Snowflake.PublicRoleGrant
- Snowflake.TempStageCreated
- Snowflake.User.Access
- Snowflake.UserCreated
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,5 @@ RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- AWS Authentication from CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
Original file line number Diff line number Diff line change
Expand Up @@ -162,3 +162,5 @@ RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- Okta Login From CrowdStrike Unmanaged Device
Tags:
- Multi-Table Query
Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,5 @@ RuleID: "OnePassword.Login.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
- 1Password Login From CrowdStrike Unmanaged Device Query
Tags:
- Multi-Table Query
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Deletes.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Deletes"
Threshold: 1
ScheduledQueries:
- Dropbox Many Deletes
Tags:
- Configuration Required
2 changes: 2 additions & 0 deletions queries/dropbox_queries/Dropbox_Many_Downloads.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Downloads"
Threshold: 1
ScheduledQueries:
- Dropbox Many Downloads
Tags:
- Configuration Required
5 changes: 3 additions & 2 deletions rules/github_rules/github_repo_hook_modified.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,20 @@
AnalysisType: rule
Filename: github_repo_hook_modified.py
RuleID: "GitHub.Repo.HookModified"
DisplayName: "GitHub Web Hook Modified"
DisplayName: "DEPRECATED - GitHub Web Hook Modified"
Enabled: false
LogTypes:
- GitHub.Audit
Tags:
- GitHub
- Exfiltration:Automated Exfiltration
- Deprecated
Reports:
MITRE ATT&CK:
- TA0010:T1020
Reference: https://docs.github.com/en/webhooks/about-webhooks
Severity: Info
Description: Detects when a web hook is added, modified, or deleted in an org repository.
Description: Deprecated. See GitHub.Webhook.Modified instead.
Tests:
- Name: GitHub - Webhook Created
ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we create a GitLab pack?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's only 2 detections, which is why I didn't bother. I know that means that Console-only folks won't get this detection, but I personally feel rather than release a tiny pack, it's better to just wait till we use pypanther to manage content delivery. Lmk if you feel differently!

Reports:
MITRE ATT&CK:
- TA0001:T1195
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ LogTypes:
Tags:
- GitLab
- CVE-2023-7028
- No Pack
Reports:
MITRE ATT&CK:
- TA0001:T1195
Expand Down
1 change: 1 addition & 0 deletions templates/example_scheduled_rule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ ScheduledQueries:
- My Query Name
Tags:
- Tag
- No Pack
Severity: Medium
Description: >
An optional Description
Expand Down
Loading