-
Notifications
You must be signed in to change notification settings - Fork 174
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
95f2893
commit 514b86a
Showing
9 changed files
with
166 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| def additional_details(event): | ||
| details = event.get("AdditionalDetails", []) | ||
| return {detail[0]: detail[-1] for detail in details} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| AnalysisType: global | ||
| Filename: panther_thinkstcanary_helpers.py | ||
| GlobalID: "panther_thinkstcanary_helpers" | ||
| Description: > | ||
| Global helpers for ThinkstCanary detections |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| AnalysisType: pack | ||
| PackID: PantherManaged.ThinkstCanary | ||
| Description: Group of all ThinkstCanary detections | ||
| PackDefinition: | ||
| IDs: | ||
| - Thinkst.CanaryDCRC | ||
| - Thinkst.CanaryIncident | ||
| - Thinkst.CanaryTokenIncident | ||
| # Globals used in these detections | ||
| - panther_thinkstcanary_helpers | ||
| DisplayName: "Panther ThinkstCanary Pack" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| def rule(event): | ||
| return any(keyword in event.get("Intro", "") for keyword in ["disconnected", "reconnected"]) | ||
|
|
||
|
|
||
| def title(event): | ||
| return event.get("Intro", "Canary Disconnected/Reconnected") | ||
|
|
||
|
|
||
| def severity(event): | ||
| if "reconnected" in event.get("Intro", ""): | ||
| return "Low" | ||
| return "Default" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| AnalysisType: rule | ||
| Filename: thinkst_canary_dcrc.py | ||
| DisplayName: Thinkst Canary DCRC | ||
| RuleID: Thinkst.CanaryDCRC | ||
| Description: "A Canary has disconnected/reconnected." | ||
| Enabled: true | ||
| Severity: High | ||
| LogTypes: | ||
| - ThinkstCanary.Alert | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| Tests: | ||
| - ExpectedResult: true | ||
| Name: Canary Disconnected | ||
| Log: | ||
| { | ||
| "CanaryID": "00029666d14d454f", | ||
| "CanaryIP": "192.168.20.101", | ||
| "CanaryName": "FS01", | ||
| "Description": "Canary Disconnected", | ||
| "IncidentKey": "incident:devicedied:3b04b62c54dcbb64d17131be::1718794923", | ||
| "Intro": "One of your Canaries (FS01) previously at 192.168.20.101 has disconnected.", | ||
| "MatchedAnnotations": {}, | ||
| "Timestamp": "2024-06-19 11:02:03 (UTC)", | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| from panther_thinkstcanary_helpers import additional_details | ||
|
|
||
|
|
||
| def rule(event): | ||
| return event.get("AlertType") == "CanaryIncident" | ||
|
|
||
|
|
||
| def title(event): | ||
| return event.get("Intro", "Canary Incident") | ||
|
|
||
|
|
||
| def alert_context(event): | ||
| return additional_details(event) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| AnalysisType: rule | ||
| Filename: thinkst_canary_incident.py | ||
| DisplayName: Thinkst Canary Incident | ||
| RuleID: Thinkst.CanaryIncident | ||
| Description: "A Canary incident has been detected." | ||
| Enabled: true | ||
| Severity: High | ||
| LogTypes: | ||
| - ThinkstCanary.Alert | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| Tests: | ||
| - ExpectedResult: true | ||
| Name: Canary Incident | ||
| Log: | ||
| { | ||
| "AdditionalDetails": | ||
| [ | ||
| ["User", "guest"], | ||
| ["Filename", "IT/Default Windows Desktop Configuration.docx"], | ||
| [ | ||
| "Background Context", | ||
| "You have had 2 incidents from 192.168.110.14 previously.", | ||
| ], | ||
| ], | ||
| "AlertType": "CanaryIncident", | ||
| "CanaryID": "000222326791e1e8", | ||
| "CanaryIP": "192.168.110.27", | ||
| "CanaryLocation": "Server room A", | ||
| "CanaryName": "VirtualCanary-unnamed", | ||
| "CanaryPort": 445, | ||
| "Description": "Shared File Opened", | ||
| "IncidentHash": "f78b692a7716d0d668012bc0eb65c367", | ||
| "IncidentKey": "incident:smbfileopen:89d38322e4e764e202b42bbb:192.168.110.14:1717059335", | ||
| "Intro": "Shared File Opened has been detected against one of your Canaries (VirtualCanary-unnamed) at 192.168.110.27.", | ||
| "ReverseDNS": "", | ||
| "SourceIP": "192.168.110.14", | ||
| "Timestamp": "2024-05-30 08:55:35 (UTC)", | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| from panther_thinkstcanary_helpers import additional_details | ||
|
|
||
|
|
||
| def rule(event): | ||
| return event.get("AlertType") == "CanarytokenIncident" | ||
|
|
||
|
|
||
| def title(event): | ||
| return event.get("Intro", "Canary Token Incident") | ||
|
|
||
|
|
||
| def alert_context(event): | ||
| return additional_details(event) |
45 changes: 45 additions & 0 deletions
45
rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| AnalysisType: rule | ||
| Filename: thinkst_canarytoken_incident.py | ||
| DisplayName: Thinkst Canarytoken Incident | ||
| RuleID: Thinkst.CanaryTokenIncident | ||
| Description: "A Canarytoken incident has been detected." | ||
| Enabled: true | ||
| Severity: High | ||
| LogTypes: | ||
| - ThinkstCanary.Alert | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| Tests: | ||
| - ExpectedResult: true | ||
| Name: Canarytoken Incident | ||
| Log: | ||
| { | ||
| "AdditionalDetails": | ||
| [ | ||
| [ | ||
| "Background Context", | ||
| "You have had 4 incidents from 123.123.123.123 previously.", | ||
| ], | ||
| ["Dst Port", 80], | ||
| ["Event Name", "GetCallerIdentity"], | ||
| ["User-Agent", "TruffleHog"], | ||
| ], | ||
| "AlertType": "CanarytokenIncident", | ||
| "Description": "AWS API Key Canarytoken triggered", | ||
| "IncidentHash": "79cb967bde35e3b2d3b346844c16c4bf", | ||
| "IncidentKey": "incident:canarytoken:94e08d45e5f2c8c13e7b99ae:123.123.123.123:1718797361", | ||
| "Intro": "An AWS API Key Canarytoken was triggered by '123.123.123.123'.", | ||
| "MatchedAnnotations": | ||
| { | ||
| "trufflehog_scan": | ||
| [ | ||
| "This looks like a TruffleHog scan.", | ||
| "https://help.canary.tools/hc/en-gb/articles/18185364902813-Alert-Annotation-TruffleHog-Scan", | ||
| ], | ||
| }, | ||
| "Reminder": "aws api key inside keepass", | ||
| "SourceIP": "123.123.123.123", | ||
| "Timestamp": "2024-06-19 11:42:41 (UTC)", | ||
| "Token": "jf15ldk2jeaooi8dhlc6rgt9g", | ||
| "Triggered": "2", | ||
| } |