Migrate AthenaQuery and SnowflakeQuery to just Query #1392

Merged
merged 3 commits into from
Oct 17, 2024
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.CloudTrail.Password.Spraying"
Enabled: false
Description: >
Detect password spraying in cloudtrail logs
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
SELECT
-- this information will be in the alert events
awsRegion as region,
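Review bot: dropping the `/* athena query not supported */ SELECT count(1)` placeholder is the right call (that stub would actually run on an Athena backend and return a row of 1 rather than fail), but nothing in this hunk or elsewhere in the diff shows the YAML schema or linter being updated to reject the `AthenaQuery` and `SnowflakeQuery` keys. Please confirm a file that still uses `SnowflakeQuery:` instead of `Query:` now fails CI rather than loading with an empty query; a schema change or a negative test case in this PR would make that explicit.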
5 changes: 1 addition & 4 deletions queries/aws_queries/ec2_crud_activity_by_role_query.yml
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.EC2.CRUD.Activity.Role"
Enabled: false
Description: >
This query searches for CRUD activity in EC2 by role arn. Activities from a role outside typical deployment processes may warrant investigation.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
SELECT
count(*) as num_logs,
recipientAccountId,
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.EC2.CRUD.Activity.Useragent"
Enabled: false
Description: >
This query searches for CRUD activity in EC2 by userAgent. A low count or previously unseen useragent may indicate that the action was not performed by an automated process.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
SELECT
count(*) as num_logs,
recipientAccountId,
5 changes: 1 addition & 4 deletions queries/aws_queries/vpc_dns_tunneling_query.yml
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.VPC.DNS.Tunneling"
Enabled: false
Description: >
Detect activity similar to DNS tunneling traffic in AWS VPC Logs
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
SELECT
account_id,
region,
12 changes: 1 addition & 11 deletions queries/okta_queries/okta_activity_audit.yml
Expand Up @@ -3,17 +3,7 @@ QueryName: "Okta Investigate User Activity"
Enabled: false
Description: >
Audit user activity across your environment. Customize to filter on specific users, time ranges, etc
AthenaQuery: |
SELECT actor.displayName AS actor_name, actor.alternateId AS actor_email, eventType, COUNT(*) AS activity_count
FROM panther_logs.okta_systemlog
WHERE p_occurs_since('7 days')
AND actor.type = 'User'
-- Uncomment lines below to filter by user email and/or eventType
-- and actor_email = '<EMAIL_GOES_HERE>'
-- and eventType = '<EVENTTYPE_GOES_HERE>'
GROUP BY actor.displayName, actor.alternateId, eventType
ORDER BY actor_name, activity_count DESC
SnowflakeQuery: |
Query: |
SELECT actor:displayName AS actor_name, actor:alternateId AS actor_email, eventType, COUNT(*) AS activity_count
FROM panther_logs.public.okta_systemlog
WHERE p_occurs_since('7 days')
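Review bot: the deleted Athena variant restricted results with `AND actor.type = 'User'`, and the retained Snowflake query is cut off in this view right after `WHERE p_occurs_since('7 days')`, so please confirm the `actor:type = 'User'` filter is present in the kept `Query:` block. Without it the consolidated audit query would start counting system and application actors that the Athena version excluded, which changes what the "activity_count" column means for anyone who had been running the Athena copy.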
25 changes: 1 addition & 24 deletions queries/okta_queries/okta_admin_access_granted.yml
Expand Up @@ -3,30 +3,7 @@ QueryName: "Okta Admin Access Granted"
Enabled: false
Description: >
Audit instances of admin access granted in your okta tenant
AthenaQuery: |
SELECT
p_event_time as event_time,
actor.alternateid as actor_email,
actor.displayName as actor_name,
displayMessage,
eventType,
json_extract(debugcontext.debugdata, '$.privilegeGranted') as priv_granted,
target as target_name,
client.ipAddress as src_ip,
client.geographicalContext.city as city,
client.geographicalContext.country as country,
client.useragent.rawUserAgent as user_agent
FROM panther_logs.okta_systemlog
WHERE
(
eventType = 'user.account.privilege.grant' OR
eventType = 'group.privilege.grant' AND
cast(json_extract(debugcontext.debugdata, '$.privilegeGranted') as varchar) LIKE '%Admin%'
) AND
p_occurs_between('2022-01-14','2022-03-22')
ORDER BY
event_time desc
SnowflakeQuery: |
Query: |
SELECT
p_event_time as event_time,
actor:alternateId as actor_email,
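Review bot: the deleted Athena WHERE clause mixed `OR` and `AND` without inner parentheses (`eventType = 'user.account.privilege.grant' OR` / `eventType = 'group.privilege.grant' AND` / `cast(json_extract(...)) LIKE '%Admin%'`), so the `%Admin%` check applied only to `group.privilege.grant` and every `user.account.privilege.grant` event matched regardless of the privilege granted. The retained query is truncated in this view; if it carries the same shape, wrap each branch in its own parentheses so the Admin filter applies to both event types, and consider replacing the `p_occurs_between('2022-01-14','2022-03-22')` investigation window the Athena copy used with a `p_occurs_since` window like the other Okta queries.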
10 changes: 1 addition & 9 deletions queries/okta_queries/okta_mfa_password_reset_audit.yml
Expand Up @@ -3,15 +3,7 @@ QueryName: "Okta Investigate MFA and Password resets"
Enabled: false
Description: >
Investigate Password and MFA resets for the last 7 days
AthenaQuery: |
SELECT p_event_time,actor.alternateId as actor_user,target[1].alternateId as target_user, eventType,client.ipAddress as ip_address
FROM panther_logs.okta_systemlog
WHERE eventType IN ('user.mfa.factor.reset_all', 'user.mfa.factor.deactivate', 'user.mfa.factor.suspend', 'user.account.reset_password', 'user.account.update_password')
and p_occurs_since('7 days')
-- If you wish to investigate an individual user , uncomment this line and add their email here
-- and actor:alternateId = '<EMAIL_GOES_HERE>'
ORDER by p_event_time DESC
SnowflakeQuery: |
Query: |
SELECT p_event_time,actor:alternateId as actor_user,target[0]:alternateId as target_user, eventType,client:ipAddress as ip_address
FROM panther_logs.public.okta_systemlog
WHERE eventType IN ('user.mfa.factor.reset_all', 'user.mfa.factor.deactivate', 'user.mfa.factor.suspend', 'user.account.reset_password', 'user.account.update_password','user.mfa.factor.update')
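Review bot: the two dialect copies had already diverged, which is the strongest argument for this consolidation and is worth stating in the PR description: the retained `Query:` includes `'user.mfa.factor.update'` in its `eventType IN (...)` list while the deleted Athena list stopped at `'user.account.update_password'`, and the Athena block's commented filter used Snowflake path syntax (`-- and actor:alternateId = '<EMAIL_GOES_HERE>'`) that would not have parsed on Athena once uncommented. Note also the index change from `target[1]` (Athena, 1-based) to `target[0]` (Snowflake, 0-based); the kept form is the correct one for the remaining dialect.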
19 changes: 1 addition & 18 deletions queries/okta_queries/okta_session_id_audit.yml
Expand Up @@ -3,24 +3,7 @@ QueryName: "Okta Investigate Session ID Activity"
Enabled: false
Description: >
Search for activity related to a specific SessionID in Okta panther_logs.okta_systemlog
AthenaQuery: |
SELECT
p_event_time as event_time,
actor.alternateId as actor_email,
actor.displayName as actor_name,
authenticationContext.externalSessionId as sessionId,
displayMessage,
eventType,
client.ipAddress as src_ip,
client.geographicalContext.city as city,
client.geographicalContext.country as country,
client.userAgent.rawUserAgent as user_agent
FROM panther_logs.okta_systemlog
WHERE p_occurs_since('7 days')
-- Uncomment the line below and replace 'sessionId' with the sessionId you are investigating
-- and authenticationContext:externalSessionId = '<SESSIONID_GOES_HERE>'
ORDER BY event_time DESC
SnowflakeQuery: |
Query: |
SELECT
p_event_time as event_time,
actor:alternateId as actor_email,
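Review bot: the comment in the deleted Athena block, `-- Uncomment the line below and replace 'sessionId' with the sessionId you are investigating`, tells the reader to replace a literal that does not appear on the next line (the placeholder is `<SESSIONID_GOES_HERE>`), and that next line again used Snowflake syntax (`authenticationContext:externalSessionId`) inside the Athena query. If the same comment text survives in the retained `Query:` block, reword it to say "replace `<SESSIONID_GOES_HERE>`", since this file is the one an analyst will copy from during an investigation.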
22 changes: 1 addition & 21 deletions queries/okta_queries/okta_support_access.yml
Expand Up @@ -3,27 +3,7 @@ QueryName: "Okta Support Access"
Enabled: false
Description: >
Show instances that Okta support was granted to your account
AthenaQuery: |
SELECT
p_event_time as event_time,
actor.alternateid as actor_email,
actor.displayName as actor_name,
displayMessage,
eventType,
client.ipAddress as src_ip,
client.geographicalContext.city as city,
client.geographicalContext.country as country,
client.useragent.rawUserAgent as user_agent
FROM panther_logs.okta_systemlog
WHERE
(
eventType = 'user.session.impersonation.grant' OR
eventType = 'user.session.impersonation.initiate'
) and
p_occurs_between('2022-01-14','2022-03-22')
ORDER BY
event_time desc
SnowflakeQuery: |
Query: |
SELECT
p_event_time as event_time,
actor:alternateId as actor_email,
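Review bot: the deleted Athena query pinned its window to `p_occurs_between('2022-01-14','2022-03-22')`, which means it only ever returned Okta support impersonation grants (`user.session.impersonation.grant` / `user.session.impersonation.initiate`) from a two-month period in 2022. Only the SELECT list of the retained query is visible here, so please check whether the Snowflake copy uses the same fixed dates; if it does, a relative `p_occurs_since` window would make the saved query useful for current activity, and the `Enabled: false` default already prevents it from firing until someone tunes it.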
Expand Up @@ -5,7 +5,7 @@ Description: >
Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024
Tags:
- Configuration Required
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

-- adjust query/limit to narrow as necessary
Expand Up @@ -2,7 +2,7 @@ AnalysisType: saved_query
QueryName: "Query.Snowflake.ThreatHunting.ConfigurationDrift"
Description: >
Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

-- adjust query/limit to narrow as necessary
2 changes: 1 addition & 1 deletion queries/snowflake_queries/snowflake_0108977_ip_query.yml
Expand Up @@ -3,7 +3,7 @@ Enabled: false
QueryName: "Query.Snowflake.ClientIp"
Description: >
Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

SELECT
Expand Up @@ -2,7 +2,7 @@ AnalysisType: saved_query
QueryName: "Query.Snowflake.ThreatHunting.ClientIp"
Description: >
Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

SELECT
Expand Up @@ -3,7 +3,7 @@ Enabled: false
QueryName: "Query.Snowflake.SuspectedUserAccess"
Description: >
Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

SELECT
Expand Up @@ -2,7 +2,7 @@ AnalysisType: saved_query
QueryName: "Query.Snowflake.ThreatHunting.SuspectedUserAccess"
Description: >
Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

SELECT
Expand Up @@ -2,7 +2,7 @@ AnalysisType: saved_query
QueryName: "Query.Snowflake.ThreatHunting.SuspectedUserActivity"
Description: >
Return actions/queries made by suspected users as part of ongoing cyber threat activity reported May 31st, 2024
SnowflakeQuery: |
Query: |
-- https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

-- replace <SUSPECTED_USER> with actual user name
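Review bot: across the seven 0108977 hunks the rename is applied consistently to both copies of each query (`Query.Snowflake.ClientIp` alongside `Query.Snowflake.ThreatHunting.ClientIp`, and likewise for `ConfigurationDrift` and `SuspectedUserAccess`), all pointing at the same community article, which is correct for this change. Since every one of these files is being touched anyway, it would help to add a line to each `Description:` saying which copy is the scheduled one and which is the saved query for manual hunting, and to flag that this last query cannot be scheduled as-is because `<SUSPECTED_USER>` must be substituted by hand.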
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.AccountAdminGranted"
Enabled: false
Description: >
Monitor and detect granting account admin role.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return instances where active (not deleted) roles are granted within the last 24 hours

--this was adapted from a Security Feature Checklist query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.BruteForceByIp"
Enabled: false
Description: >
Detect brute force attempts by monitoring for failed logins to snowflake.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return IPs with more than 5 failed logins in the previous 24 hours

--this was adapted from a SnowAlert query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.BruteForceByUsername"
Enabled: false
Description: >
Detect brute force attempts by monitoring for failed logins to snowflake.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return users with more than 5 failed logins in the previous 24 hours

--this was adapted from a SnowAlert query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.External.Shares"
Enabled: false
Description: >
Monitor for external shares from one cloud source to another.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return external shares

--this was adapted from a Security Feature Checklist query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.KeyUserPasswordLogin"
Enabled: false
Description: >
Detects when a user with a configured RSA key logs in with a password
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return instances where a user who has key-based login configured logs in with a password
--this was adapted from a Security Feature Checklist query

Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.MFALogin"
Enabled: false
Description: >
Monitor logins that are not using MFA.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return instances where a user logs in without MFA

--this was adapted from a Security Feature Checklist query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.Multiple.Logins.Followed.By.Success"
Enabled: false
Description: >
Monitor for brute force user activity.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return multiple failed logins followed by a success

WITH login_attempts as (
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.UserCreated"
Enabled: false
Description: >
Monitor for new users.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return create user events

--this was adapted from a Security Feature Checklist query
Expand Up @@ -3,10 +3,7 @@ QueryName: "Query.Snowflake.UserEnabled"
Enabled: false
Description: >
Monitor for users that are being re-enabled.
AthenaQuery: |
/* athena query not supported */
SELECT count(1)
SnowflakeQuery: |
Query: |
--return enable user events

--this was adapted from a Security Feature Checklist query
7 changes: 1 addition & 6 deletions templates/example_scheduled_query.yml
Expand Up @@ -6,12 +6,7 @@ Tags:
- Tags
Description: >
An optional Description
# Note: Use this parameter if the query includes generic syntax
Query: "SELECT * FROM panther_logs.aws_cloudtrail LIMIT 10"
# Note: Use this parameter if the query includes Snowflake-specific syntax
SnowflakeQuery: "SELECT * FROM panther_logs.public.aws_cloudtrail LIMIT 10"
# Note: Use this parameter if the query includes Athena-specific syntax
AthenaQuery: "SELECT * FROM panther_logs.aws_cloudtrail LIMIT 10"
Query: "SELECT * FROM panther_logs.public.aws_cloudtrail LIMIT 10"
Schedule:
# Note: CronExpression and RateMinutes are mutually exclusive, only
# configure one or the other
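Review bot: the three `# Note:` comments that explained which key to use were dropped together with the keys, and the surviving example `Query: "SELECT * FROM panther_logs.public.aws_cloudtrail LIMIT 10"` now uses the Snowflake-style fully qualified table name under a field the old template described as "generic syntax". Add a one-line comment above `Query:` stating which SQL dialect and table naming convention is expected now that there is a single field, so contributors do not carry over the unqualified `panther_logs.aws_cloudtrail` form from the old generic example.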