Add references to rules (panther_audit_rules)

rules/panther_audit_rules/panther_detection_deleted.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0005:T1562
 Description: Detection content has been removed from Panther.
 Runbook: Ensure this change was approved and appropriate.
+Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/panther_audit_rules/panther_saml_modified.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0005:T1562
 Description: An Admin has modified Panther's SAML configuration.
 Runbook: Ensure this change was approved and appropriate.
+Reference: https://docs.panther.com/system-configuration/saml
 SummaryAttributes:
   - p_any_ip_addresses
   - p_any_usernames

rules/panther_audit_rules/panther_sensitive_role_created.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0003:T1098
 Description: A Panther user role has been created that contains admin level permissions.
 Runbook: Contact the creator of this role to ensure its creation was appropriate.
+Reference: https://docs.panther.com/system-configuration/rbac
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/panther_audit_rules/panther_user_modified.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0003:T1098
 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user.
 Runbook: Validate that this user modification was intentional.
+Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management
 SummaryAttributes:
   - p_any_ip_addresses
 Tests: