From 2f53632b651e939f9938c67a1ef9df8828ee47e2 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Mon, 11 Dec 2023 13:00:55 -0700 Subject: [PATCH 01/35] Netskope detections and pack (#1017) --- packs/netskope.yml | 11 +++ .../netskope_admin_logged_out.yml | 73 +++++++++++++++ .../netskope_admin_user_change.yml | 93 +++++++++++++++++++ .../netskope_rules/netskope_many_deletes.yml | 67 +++++++++++++ .../netskope_personnel_action.yml | 73 +++++++++++++++ .../netskope_unauthorized_api_calls.yml | 76 +++++++++++++++ 6 files changed, 393 insertions(+) create mode 100644 packs/netskope.yml create mode 100644 rules/netskope_rules/netskope_admin_logged_out.yml create mode 100644 rules/netskope_rules/netskope_admin_user_change.yml create mode 100644 rules/netskope_rules/netskope_many_deletes.yml create mode 100644 rules/netskope_rules/netskope_personnel_action.yml create mode 100644 rules/netskope_rules/netskope_unauthorized_api_calls.yml diff --git a/packs/netskope.yml b/packs/netskope.yml new file mode 100644 index 000000000..45758b437 --- /dev/null +++ b/packs/netskope.yml @@ -0,0 +1,11 @@ +AnalysisType: pack +PackID: PantherManaged.Netskope +Description: Group of all Netskope detections +PackDefinition: + IDs: + - Netskope.AdminLoggedOutLoginFailures + - Netskope.AdminUserChange + - Netskope.ManyDeletes + - Netskope.NetskopePersonnelActivity + - Netskope.UnauthorizedAPICalls +DisplayName: "Panther Netskope Pack" diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml new file mode 100644 index 000000000..993033c96 --- /dev/null +++ b/rules/netskope_rules/netskope_admin_logged_out.yml 
@@ -0,0 +1,73 @@ +AnalysisType: rule +RuleID: "Netskope.AdminLoggedOutLoginFailures" +DisplayName: "Admin logged out because of successive login failures" +AlertTitle: "Admin [{user}] was logged out because of successive login failures" +Detection: + - All: + - KeyPath: audit_log_event + Condition: Equals + Value: "Admin logged out because of successive login failures" +Enabled: true +LogTypes: + - Netskope.Audit +Tags: + - Netskope + - Brute Force +Reports: + MITRE ATT&CK: + - TA0006:T1110 +Severity: Medium +Description: An admin was logged out because of successive login failures. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account. +Tests: + - Name: True positive + ExpectedResult: true + Log: + { + "_id": "e5ca619b059fccdd0cfd9398", + "_insertion_epoch_timestamp": 1702308331, + "audit_log_event": "Admin logged out because of successive login failures", + "count": 1, + "is_netskope_personnel": true, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "user", + "data_values": [ + "11.22.33.44", + "adminsupport@netskope.com" + ] + }, + "timestamp": "2023-12-11 15:25:31.000000000", + "type": "admin_audit_logs", + "ur_normalized": "adminsupport@netskope.com", + "user": "adminsupport@netskope.com" + } + - Name: True negative + ExpectedResult: false + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 200, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + 
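Review bot: The alert surfaces only `{user}`, while the event's `supporting_data.data_values` carries the source IP of the failed logins (`"11.22.33.44"` in the true-positive test), so a responder has to open the raw event to see where the lockout-inducing attempts came from. Add `SummaryAttributes:` with `- supporting_data` (and `- p_any_ip_addresses`, if Panther's indicator extraction populates it for Netskope.Audit) so the IP rides along with the alert. Separately, `Condition: Equals` on the full vendor sentence means any rewording by Netskope silently disables the rule; `Condition: Contains` with `Value: successive login failures` is more tolerant, at the cost of also matching future variants of the message.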
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml new file mode 100644 index 000000000..f98513b87 --- /dev/null +++ b/rules/netskope_rules/netskope_admin_user_change.yml 
@@ -0,0 +1,93 @@ +AnalysisType: rule +RuleID: "Netskope.AdminUserChange" +DisplayName: "An administrator account was created, deleted, or modified." +AlertTitle: "User [{user}] performed [{audit_log_event}]" +Detection: + - All: + - KeyPath: audit_log_event + Condition: IsIn + Values: + - Created new admin + - Added SSO Admin + - Edited SSO Admin Record + - Created new support admin + - Edit admin record + - Deleted admin + - Enabled admin + - Disabled admin + - Unlocked admin + - Updated admin settings + - Deleted Netskope SSO admin +Enabled: true +LogTypes: + - Netskope.Audit +Tags: + - Netskope + - Account Manipulation +Reports: + MITRE ATT&CK: + - TA0004:T1098 +Severity: High +DynamicSeverities: + - ChangeTo: Critical + Conditions: + - KeyPath: audit_log_event + Condition: Contains + Values: + - Create + - Add + - Delete +Description: An administrator account was created, deleted, or modified. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: An administrator account was created, deleted, or modified. Validate that this activity is expected and authorized. 
+Tests: + - Name: True positive + ExpectedResult: true + Log: + { + "_id": "e5ca619b059fccdd0cfd9398", + "_insertion_epoch_timestamp": 1702308331, + "audit_log_event": "Created new admin", + "count": 1, + "is_netskope_personnel": true, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "user", + "data_values": [ + "11.22.33.44", + "adminsupport@netskope.com" + ] + }, + "timestamp": "2023-12-11 15:25:31.000000000", + "type": "admin_audit_logs", + "ur_normalized": "adminsupport@netskope.com", + "user": "adminsupport@netskope.com" + } + - Name: True negative + ExpectedResult: false + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 200, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml new file mode 100644 index 000000000..6663338eb --- /dev/null +++ b/rules/netskope_rules/netskope_many_deletes.yml 
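Review bot: The `DynamicSeverities` block pairs `Condition: Contains` with a plural `Values:` list; if Panther's simple-detection schema only accepts a single `Value` for `Contains`, the Critical escalation either fails validation or never fires, and nothing in the tests would reveal that because `ExpectedResult` does not check severity. An `IsIn` over the concrete event names — `Created new admin`, `Created new support admin`, `Added SSO Admin`, `Deleted admin`, `Deleted Netskope SSO admin` — would be unambiguous and would not depend on case-sensitive substring semantics (today `Add` only escalates `Added SSO Admin` because `Updated admin settings` happens not to contain it). Please confirm the schema before merging, or switch to `IsIn`.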
@@ -0,0 +1,67 @@ +AnalysisType: rule +RuleID: "Netskope.ManyDeletes" +DisplayName: "Netskope Many Objects Deleted" +AlertTitle: "[{user}] deleted many objects in a short time" +Detection: + - All: + - KeyPath: audit_log_event + Condition: Contains + Value: Delete +Enabled: true +LogTypes: + - Netskope.Audit +Tags: + - Netskope + - Configuration Required + - Data Destruction +Reports: + MITRE ATT&CK: + - TA0040:T1485 +Severity: High +Description: A user deleted a large number of objects in a short period of time. +DedupPeriodMinutes: 60 +Threshold: 10 +Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized. +Tests: + - Name: True positive + ExpectedResult: true + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Deleted rbi template", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + - Name: True negative + ExpectedResult: false + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 200, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml new file mode 100644 index 000000000..53fb387a0 --- /dev/null +++ b/rules/netskope_rules/netskope_personnel_action.yml 
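Review bot: The rule is tagged `Configuration Required` but neither the Description nor the Runbook says what to configure, so the tag reads as noise to whoever deploys it. Say it explicitly, e.g. Description: `A user performed more than Threshold delete actions within DedupPeriodMinutes; tune Threshold (default 10 per user per 60 minutes) to your tenant's normal deletion rate.` Also worth noting in the Description that `Contains: Delete` is a substring match on `audit_log_event` (presumably case-sensitive — confirm in Panther's docs), so it catches `Deleted rbi template` and `Deleted admin` (the latter already fires `Netskope.AdminUserChange`) but would miss a lowercase `delete` or a `Removed ...` wording.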
@@ -0,0 +1,73 @@ +AnalysisType: rule +RuleID: "Netskope.NetskopePersonnelActivity" +DisplayName: "Action Performed by Netskope Personnel" +AlertTitle: "Action [{audit_log_event}] performed by Netskope personnel [{user}]" +Detection: + - All: + - KeyPath: is_netskope_personnel + Condition: Equals + Value: true +Enabled: true +LogTypes: + - Netskope.Audit +Tags: + - Netskope + - Supply Chain Compromise +Reports: + MITRE ATT&CK: + - TA0001:T1195 +Severity: Medium +Description: An action was performed by Netskope personnel. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: Action taken by Netskope Personnel. Validate that this action was authorized. +Tests: + - Name: True positive + ExpectedResult: true + Log: + { + "_id": "e5ca619b059fccdd0cfd9398", + "_insertion_epoch_timestamp": 1702308331, + "audit_log_event": "Login Successful", + "count": 1, + "is_netskope_personnel": true, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "user", + "data_values": [ + "11.22.33.44", + "adminsupport@netskope.com" + ] + }, + "timestamp": "2023-12-11 15:25:31.000000000", + "type": "admin_audit_logs", + "ur_normalized": "adminsupport@netskope.com", + "user": "adminsupport@netskope.com" + } + - Name: True negative + ExpectedResult: false + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 200, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml new file mode 100644 index 000000000..6fe10496f 
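Review bot: With `{audit_log_event}` in the `AlertTitle`, a single Netskope support session produces one alert per distinct action type per hour (login, each setting changed, logout) rather than one alert per support user, if deduplication defaults to the title as it does for Panther rules. Titling per user — `AlertTitle: "Netskope personnel [{user}] performed actions in the tenant"` — with `SummaryAttributes: - audit_log_event` keeps the detail while collapsing the session into one alert. The Runbook should also tell the analyst what "authorized" means here: `Confirm an open Netskope support case authorized this access; if none exists, treat it as possible vendor-side compromise and open an incident.`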
--- /dev/null +++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml @@ -0,0 +1,76 @@ +AnalysisType: rule +RuleID: "Netskope.UnauthorizedAPICalls" +DisplayName: "Netskope Many Unauthorized API Calls" +AlertTitle: "Many unauthorized API calls from user [{user}]" +Detection: + - All: + - KeyPath: supporting_data.data_values[0] + Condition: Equals + Value: 403 +Enabled: true +LogTypes: + - Netskope.Audit +Tags: + - Netskope + - Configuration Required + - Brute Force +Reports: + MITRE ATT&CK: + - TA0006:T1110 +Severity: High +Description: Many unauthorized API calls were observed for a user in a short period of time. +DedupPeriodMinutes: 60 +Threshold: 10 +Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials. +Tests: + - Name: True positive + ExpectedResult: true + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 403, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + - Name: True negative + ExpectedResult: false + Log: + { + "_id": "1e589befa3da30132362f32a", + "_insertion_epoch_timestamp": 1702318213, + "audit_log_event": "Rest API V2 Call", + "count": 1, + "is_netskope_personnel": false, + "organization_unit": "", + "severity_level": 2, + "supporting_data": { + "data_type": "incidents", + "data_values": [ + 200, + "POST", + "/api/v2/incidents/uba/getuci", + "trid=ccb898fgrhvdd0v0lebg" + ] + }, + "timestamp": "2023-12-11 18:10:13.000000000", + "type": "admin_audit_logs", + "ur_normalized": "service-account", + "user": "service-account" + } + 
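Review bot: The detection keys on the positional field `supporting_data.data_values[0]` without first restricting to `audit_log_event` = `Rest API V2 Call`, so the index is evaluated against every audit event shape — in the admin-logout event elsewhere in this commit, `data_values[0]` is a source IP string, not a status code. Add `- KeyPath: audit_log_event` / `Condition: Equals` / `Value: Rest API V2 Call` to the `All` list so the 403 check only runs where position 0 means HTTP status. The Runbook also names expired service-account credentials as a cause, but those typically yield 401 rather than 403; if Netskope records 401s the same way, `Condition: IsIn` with `Values: [401, 403]` covers the stated scenario. Finally, the test uses an integer `403`; if the log schema stores the status as a string, `Equals 403` will never match — worth confirming against a real event.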
From 193d5968e3c948f4804be6363556310aa36399d2 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 12:23:20 +0200 Subject: [PATCH 02/35] Add references to rules (duo_rules) (#1007) --- rules/duo_rules/duo_admin_bypass_code_created.yml | 1 + rules/duo_rules/duo_admin_create_admin.yml | 1 + rules/duo_rules/duo_admin_mfa_restrictions_updated.yml | 1 + rules/duo_rules/duo_admin_new_admin_api_app_integration.yml | 1 + rules/duo_rules/duo_admin_policy_updated.yml | 1 + rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml | 1 + rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml | 1 + 7 files changed, 7 insertions(+) diff --git a/rules/duo_rules/duo_admin_bypass_code_created.yml b/rules/duo_rules/duo_admin_bypass_code_created.yml index 9f7b8e625..ccdad3c59 100644 --- a/rules/duo_rules/duo_admin_bypass_code_created.yml +++ b/rules/duo_rules/duo_admin_bypass_code_created.yml @@ -4,6 +4,7 @@ DisplayName: "Duo Admin Bypass Code Created" Enabled: true Filename: duo_admin_bypass_code_created.py Runbook: Confirm this was authorized and necessary behavior. +Reference: https://duo.com/docs/administration-users#generating-a-bypass-code Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_create_admin.yml b/rules/duo_rules/duo_admin_create_admin.yml index 1a3d725c4..9eb6972b5 100644 --- a/rules/duo_rules/duo_admin_create_admin.yml +++ b/rules/duo_rules/duo_admin_create_admin.yml @@ -3,6 +3,7 @@ Description: 'A new Duo Administrator was created. ' DisplayName: "Duo Admin Create Admin" Enabled: true Filename: duo_admin_create_admin.py +Reference: https://duo.com/docs/administration-admins#add-an-administrator Severity: High Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_mfa_restrictions_updated.yml b/rules/duo_rules/duo_admin_mfa_restrictions_updated.yml index 145a5cf0a..88392ef26 100644 --- a/rules/duo_rules/duo_admin_mfa_restrictions_updated.yml 
+++ b/rules/duo_rules/duo_admin_mfa_restrictions_updated.yml @@ -3,6 +3,7 @@ Description: Detects changes to allowed MFA factors administrators can use to lo DisplayName: "Duo Admin MFA Restrictions Updated" Enabled: true Filename: duo_admin_mfa_restrictions_updated.py +Reference: https://duo.com/docs/essentials-overview Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_new_admin_api_app_integration.yml b/rules/duo_rules/duo_admin_new_admin_api_app_integration.yml index ae51824a4..b685a7879 100644 --- a/rules/duo_rules/duo_admin_new_admin_api_app_integration.yml +++ b/rules/duo_rules/duo_admin_new_admin_api_app_integration.yml @@ -3,6 +3,7 @@ Description: Identifies creation of new Admin API integrations for Duo. DisplayName: "Duo Admin New Admin API App Integration" Enabled: true Filename: duo_admin_new_admin_api_app_integration.py +Reference: https://duo.com/docs/adminapi#overview Severity: High Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_policy_updated.yml b/rules/duo_rules/duo_admin_policy_updated.yml index eeb9f01dd..073245588 100644 --- a/rules/duo_rules/duo_admin_policy_updated.yml +++ b/rules/duo_rules/duo_admin_policy_updated.yml @@ -3,6 +3,7 @@ Description: A Duo Administrator updated a Policy, which governs how users authe DisplayName: "Duo Admin Policy Updated" Enabled: true Filename: duo_admin_policy_updated.py +Reference: https://duo.com/docs/policy#authenticators-policy-settings Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml b/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml index 9711c1509..fc6fd5618 100644 --- a/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml +++ b/rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml 
@@ -3,6 +3,7 @@ Description: Detects when SAML Authentication for Administrators is marked as Di DisplayName: "Duo Admin SSO SAML Requirement Disabled" Enabled: true Filename: duo_admin_sso_saml_requirement_disabled.py +Reference: https://duo.com/docs/sso#saml:~:text=Modify%20Authentication%20Sources Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml b/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml index 55e36f3e2..690fba5b0 100644 --- a/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml +++ b/rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml @@ -3,6 +3,7 @@ Description: An Administrator enabled a user to authenticate without MFA. DisplayName: "Duo Admin User MFA Bypass Enabled" Enabled: true Filename: duo_admin_user_mfa_bypass_enabled.py +Reference: https://duo.com/docs/policy#authentication-policy Severity: Medium Tests: - ExpectedResult: false From c78cda0835ec573eafa1f5e1e40d9b55cdc85d92 Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 12:26:52 +0200 Subject: [PATCH 03/35] Add references to rules (gcp_audit_rules) (#1008) * Add references to rules (gcp_audit_rules) * Add references to rules (gcp_audit_rules) --- .../gcp_access_attempts_violating_vpc_service_controls.yml | 1 + rules/gcp_audit_rules/gcp_bigquery_large_scan.yml | 1 + .../gcp_cloud_storage_buckets_modified_or_deleted.yml | 1 + rules/gcp_audit_rules/gcp_destructive_queries.yml | 3 ++- rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml | 1 + rules/gcp_audit_rules/gcp_gcs_iam_changes.yml | 1 + rules/gcp_audit_rules/gcp_gcs_public.yml | 1 + rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml | 3 ++- rules/gcp_audit_rules/gcp_iam_corp_email.yml | 1 + rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml | 1 + rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml | 1 + rules/gcp_audit_rules/gcp_logging_settings_modified.yml | 1 + ...issions_granted_to_create_or_manage_service_account_key.yml | 1 + rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml | 1 + rules/gcp_audit_rules/gcp_sql_config_changes.yml | 3 ++- rules/gcp_audit_rules/gcp_unused_regions.yml | 1 + .../gcp_user_added_to_iap_protected_service.yml | 1 + rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml | 1 + 18 files changed, 21 insertions(+), 3 deletions(-) diff --git a/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml b/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml index 92f25b2b7..3643fa046 100644 --- a/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml +++ b/rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml 
@@ -3,6 +3,7 @@ Description: An access attempt violating VPC service controls (such as Perimeter DisplayName: "GCP Access Attempts Violating VPC Service Controls" Enabled: true Filename: gcp_access_attempts_violating_vpc_service_controls.py +Reference: https://cloud.google.com/vpc-service-controls/docs/troubleshooting#debugging Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml index 6d958742f..f29330f5f 100644 --- a/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml +++ b/rules/gcp_audit_rules/gcp_bigquery_large_scan.yml @@ -3,6 +3,7 @@ Description: Detect any BigQuery query that is doing a very large scan (> 1 GB). DisplayName: "GCP BigQuery Large Scan" Enabled: true Filename: gcp_bigquery_large_scan.py +Reference: https://cloud.google.com/bigquery/docs/running-queries Severity: Info Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml index d99e225b9..92662a5b4 100644 --- a/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml +++ b/rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml @@ -3,6 +3,7 @@ Description: Detects GCP cloud storage bucket updates and deletes. DisplayName: "GCP Cloud Storage Buckets Modified Or Deleted" Enabled: true Filename: gcp_cloud_storage_buckets_modified_or_deleted.py +Reference: https://cloud.google.com/storage/docs/buckets Severity: Low Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_destructive_queries.yml b/rules/gcp_audit_rules/gcp_destructive_queries.yml index 2d79a2ef0..811a45657 100644 --- a/rules/gcp_audit_rules/gcp_destructive_queries.yml +++ b/rules/gcp_audit_rules/gcp_destructive_queries.yml 
@@ -1,8 +1,9 @@ AnalysisType: rule Description: Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate. -DisplayName: "'GCP Destructive Queries '" +DisplayName: "GCP Destructive Queries" Enabled: true Filename: gcp_destructive_queries.py +Reference: https://cloud.google.com/bigquery/docs/managing-tables Severity: Info Tests: - ExpectedResult: true diff --git a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml index fbca2d1ff..033000dd6 100644 --- a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml +++ b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml @@ -4,6 +4,7 @@ DisplayName: "GCP DNS Zone Modified or Deleted" Enabled: true Filename: gcp_dns_zone_modified_or_deleted.py Runbook: Verify that this modification or deletion was expected. These operations are high-impact events and can result in downtimes or total outages. +Reference: https://cloud.google.com/dns/docs/zones Severity: Low Tests: - ExpectedResult: true diff --git a/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml index 9919a83d7..9fe1a32e1 100644 --- a/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml +++ b/rules/gcp_audit_rules/gcp_gcs_iam_changes.yml @@ -19,6 +19,7 @@ Severity: Low Description: > Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket. Runbook: Validate the GCS bucket change was safe. +Reference: https://cloud.google.com/storage/docs/access-control/iam-permissions SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_gcs_public.yml b/rules/gcp_audit_rules/gcp_gcs_public.yml index c6ef9584c..97ea5a66b 100644 --- a/rules/gcp_audit_rules/gcp_gcs_public.yml +++ b/rules/gcp_audit_rules/gcp_gcs_public.yml 
@@ -16,6 +16,7 @@ Reports: Severity: High Description: Adversaries may access data objects from improperly secured cloud storage. Runbook: Validate the GCS bucket change was safe. +Reference: https://cloud.google.com/storage/docs/access-control/making-data-public SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml index 723ee126a..7cfcb7e17 100644 --- a/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml +++ b/rules/gcp_audit_rules/gcp_iam_admin_role_assigned.yml @@ -13,8 +13,9 @@ Reports: MITRE ATT&CK: - TA0004:T1078 Severity: Medium -Description: Attaching an audit role manually could be a sign of privilege escalation +Description: Attaching an admin role manually could be a sign of privilege escalation Runbook: Verify with the user who attached the role or add to a allowlist +Reference: https://cloud.google.com/looker/docs/admin-panel-users-roles SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_iam_corp_email.yml b/rules/gcp_audit_rules/gcp_iam_corp_email.yml index b10cfc183..96a295c5a 100644 --- a/rules/gcp_audit_rules/gcp_iam_corp_email.yml +++ b/rules/gcp_audit_rules/gcp_iam_corp_email.yml @@ -18,6 +18,7 @@ Reports: Severity: Low Description: A Gmail account is being used instead of a corporate email Runbook: Remove the user +Reference: https://cloud.google.com/iam/docs/service-account-overview SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml index 93cc4f8e4..46314380a 100644 --- a/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml +++ b/rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml 
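Review bot: The `Reference` added to `gcp_iam_admin_role_assigned.yml` points at Looker's admin-panel documentation (`cloud.google.com/looker/docs/admin-panel-users-roles`), which appears unrelated to the IAM role bindings this rule inspects; a reader following it will not find the admin-role grant semantics the detection is about. Point it at the IAM docs instead, e.g. `Reference: https://cloud.google.com/iam/docs/understanding-roles` (or `granting-changing-revoking-access`, which the org/folder rule in this same series already uses). The accompanying Description fix ("audit" → "admin") is correct.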
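Review bot: The reference added to `gcp_iam_corp_email.yml` (`iam/docs/service-account-overview`) does not match what the rule detects — a Gmail rather than corporate identity being used — so it gives a responder no guidance on the control that prevents it. The domain-restricted-sharing organization policy is the relevant doc: `Reference: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains`. The Runbook's `Remove the user` would also benefit from pointing there, since enforcing that constraint stops recurrence.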
@@ -18,6 +18,7 @@ Reports: Severity: Info Description: A custom role has been created, deleted, or updated. Runbook: No action needed, informational +Reference: https://cloud.google.com/iam/docs/creating-custom-roles SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml index 2f10997da..cbd5dd7cf 100644 --- a/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml +++ b/rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml @@ -24,6 +24,7 @@ Runbook: > Direct them to make the change in Terraform to avoid automated rollback. Grep for google_org and google_folder in terraform repos for places to put your new policy bindings. +Reference: https://cloud.google.com/iam/docs/granting-changing-revoking-access SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_logging_settings_modified.yml b/rules/gcp_audit_rules/gcp_logging_settings_modified.yml index d3f3829c7..c5fcc1867 100644 --- a/rules/gcp_audit_rules/gcp_logging_settings_modified.yml +++ b/rules/gcp_audit_rules/gcp_logging_settings_modified.yml @@ -3,6 +3,7 @@ Description: Detects any changes made to logging settings DisplayName: "GCP Logging Settings Modified" Enabled: true Filename: gcp_logging_settings_modified.py +Reference: https://cloud.google.com/logging/docs/default-settings Severity: Low Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml b/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml index 46b233e43..bbdf443b5 100644 --- a/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml +++ b/rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml 
@@ -3,6 +3,7 @@ Description: Permissions granted to impersonate a service account. This includes DisplayName: GCP Permissions Granted to Create or Manage Service Account Key Enabled: true Filename: gcp_permissions_granted_to_create_or_manage_service_account_key.py +Reference: https://cloud.google.com/iam/docs/keys-create-delete Severity: Low Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml b/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml index 0d0cf7536..84d6d800b 100644 --- a/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml +++ b/rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml @@ -3,6 +3,7 @@ Description: Detects when a service account or key is created manually by a user DisplayName: "GCP Service Account or Keys Created " Enabled: true Filename: gcp_service_account_or_keys_created.py +Reference: https://cloud.google.com/iam/docs/keys-create-delete Severity: Low Tests: - ExpectedResult: true diff --git a/rules/gcp_audit_rules/gcp_sql_config_changes.yml b/rules/gcp_audit_rules/gcp_sql_config_changes.yml index 40c900d5d..9869d37f1 100644 --- a/rules/gcp_audit_rules/gcp_sql_config_changes.yml +++ b/rules/gcp_audit_rules/gcp_sql_config_changes.yml @@ -14,8 +14,9 @@ Reports: - 2.11 Severity: Low Description: > - Monitoring changes to Sql Instance configuration changes may reduce time to detect and correct misconfigurations done on sql server. + Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server. Runbook: Validate the Sql Instance configuration change was safe +Reference: https://cloud.google.com/sql/docs/mysql/instance-settings SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_unused_regions.yml b/rules/gcp_audit_rules/gcp_unused_regions.yml index 985f17741..7d8eff7af 100644 --- a/rules/gcp_audit_rules/gcp_unused_regions.yml 
+++ b/rules/gcp_audit_rules/gcp_unused_regions.yml @@ -18,6 +18,7 @@ Severity: Medium Description: > Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Runbook: Validate the user making the request and the resource created. +Reference: https://cloud.google.com/docs/geography-and-regions SummaryAttributes: - severity - p_any_ip_addresses diff --git a/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml b/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml index ee4c30639..ac54512f6 100644 --- a/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml +++ b/rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml @@ -4,6 +4,7 @@ DisplayName: "GCP User Added to IAP Protected Service" Enabled: true Filename: gcp_user_added_to_iap_protected_service.py Runbook: 'Note: GCP logs all bindings everytime this event occurs, not just changes. Bindings should be reviewed to ensure no unintended users have been added. ' +Reference: https://cloud.google.com/iap/docs/managing-access Severity: Low Tests: - ExpectedResult: false diff --git a/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml b/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml index 508880fd5..1686bcedc 100644 --- a/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml +++ b/rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml @@ -3,6 +3,7 @@ Description: VPC flow logs were disabled for a subnet. DisplayName: "GCP VPC Flow Logs Disabled" Enabled: true Filename: gcp_vpc_flow_logs_disabled.py +Reference: https://cloud.google.com/vpc/docs/using-flow-logs Severity: Medium Tests: - ExpectedResult: true From 9469d3287967b1aa24d7100aef481c2c1a50917a Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 12:29:37 +0200 Subject: [PATCH 04/35] Add references to rules (gcp_http_lb_rules) (#1009) --- .../gcp_access_attempts_violating_iap_access_controls.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml b/rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml index 5b9c77f04..2ae78e9bd 100644 --- a/rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml +++ b/rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml @@ -3,6 +3,7 @@ Description: GCP Access Attempts Violating IAP Access Controls DisplayName: "GCP Access Attempts Violating IAP Access Controls" Enabled: true Filename: gcp_access_attempts_violating_iap_access_controls.py +Reference: https://cloud.google.com/iap/docs/concepts-overview Severity: Medium Tests: - ExpectedResult: true From 5826100bb5674176fdb3f2a5614418c7f3b232a3 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 12:32:28 +0200 Subject: [PATCH 05/35] Add references to rules (gcp_k8s_rules) (#1010) --- rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml b/rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml index 29f00a269..be6b0f3f4 100644 --- a/rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml +++ b/rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml @@ -14,6 +14,7 @@ Description: > Alerts when users exec into pod. Possible to specify specific projects and allowed users. Runbook: > Investigate the user and determine why. Advise that it is discouraged practice. Create ticket if appropriate. +Reference: https://cloud.google.com/migrate/containers/docs/troubleshooting/executing-shell-commands Tests: - Name: Allowed User 
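Review bot: The `Reference` added to `gcp_k8s_exec_into_pod.yml` points to a Migrate to Containers troubleshooting page (`cloud.google.com/migrate/containers/docs/troubleshooting/executing-shell-commands`), a different product from the GKE audit logging this rule consumes. A doc on the `pods/exec` subresource or on GKE audit logs would serve a responder better, e.g. `Reference: https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/` or `https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging`.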
From bfcf240f49658506f87c4917491b99c2692e5c34 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 12:35:16 +0200 Subject: [PATCH 06/35] Add references to rules (github_rules) (#1011) --- rules/github_rules/github_action_failed.yml | 1 + rules/github_rules/github_advanced_security_change.yml | 1 + rules/github_rules/github_branch_policy_override.yml | 1 + rules/github_rules/github_branch_protection_disabled.yml | 1 + rules/github_rules/github_org_auth_modified.yml | 1 + rules/github_rules/github_org_ip_allowlist.yml | 1 + rules/github_rules/github_org_moderators_add.yml | 1 + rules/github_rules/github_org_modified.yml | 1 + rules/github_rules/github_public_repository_created.yml | 1 + rules/github_rules/github_repo_collaborator_change.yml | 1 + rules/github_rules/github_repo_created.yml | 1 + rules/github_rules/github_repo_hook_modified.yml | 1 + rules/github_rules/github_repo_initial_access.yml | 1 + rules/github_rules/github_repo_visibility_change.yml | 1 + rules/github_rules/github_secret_scanning_alert_created.yml | 1 + rules/github_rules/github_team_modified.yml | 1 + rules/github_rules/github_user_access_key_created.yml | 1 + rules/github_rules/github_user_role_updated.yml | 1 + 18 files changed, 18 insertions(+) diff --git a/rules/github_rules/github_action_failed.yml b/rules/github_rules/github_action_failed.yml index 231733863..deea10e98 100644 --- a/rules/github_rules/github_action_failed.yml +++ b/rules/github_rules/github_action_failed.yml @@ -13,6 +13,7 @@ Description: A monitored github action has failed. Runbook: > Inspect the action failure link and take appropriate response. There are no general plans of response for this activity. +Reference: https://docs.github.com/en/actions/creating-actions/setting-exit-codes-for-actions#about-exit-codes Tests: - Name: GitHub - Branch Protection Disabled 
diff --git a/rules/github_rules/github_advanced_security_change.yml b/rules/github_rules/github_advanced_security_change.yml index 9096cb2d4..0b24948dd 100644 --- a/rules/github_rules/github_advanced_security_change.yml +++ b/rules/github_rules/github_advanced_security_change.yml @@ -13,6 +13,7 @@ Reports: Severity: Low Description: The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled. Runbook: Confirm with GitHub administrators and re-enable the tools as applicable. +Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts Tests: - Name: Secret Scanning Disabled on a Repo diff --git a/rules/github_rules/github_branch_policy_override.yml b/rules/github_rules/github_branch_policy_override.yml index 8ab3bc1b5..227269aee 100644 --- a/rules/github_rules/github_branch_policy_override.yml +++ b/rules/github_rules/github_branch_policy_override.yml @@ -14,6 +14,7 @@ Reports: Severity: High Description: Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity. Runbook: Verify that the GitHub admin performed this activity and validate its use. +Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule Tests: - Name: GitHub - Branch Protection Policy Override diff --git a/rules/github_rules/github_branch_protection_disabled.yml b/rules/github_rules/github_branch_protection_disabled.yml index f95aece76..61f67094c 100644 --- a/rules/github_rules/github_branch_protection_disabled.yml +++ b/rules/github_rules/github_branch_protection_disabled.yml 
@@ -14,6 +14,7 @@ Reports:
 Severity: High
 Description: Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
 Runbook: Verify that branch protection should be disabled on the repository and re-enable as necessary.
+Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
 Tests:
   - Name: GitHub - Branch Protection Disabled
diff --git a/rules/github_rules/github_org_auth_modified.yml b/rules/github_rules/github_org_auth_modified.yml
index 59b3a3acb..2516b10a4 100644
--- a/rules/github_rules/github_org_auth_modified.yml
+++ b/rules/github_rules/github_org_auth_modified.yml
@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to GitHub org authentication changes.
 Runbook: Verify that the GitHub admin performed this activity and validate its use.
+Reference: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github
 Tests:
   - Name: GitHub - Authentication Method Changed
diff --git a/rules/github_rules/github_org_ip_allowlist.yml b/rules/github_rules/github_org_ip_allowlist.yml
index 9cf761a16..33fea5b23 100644
--- a/rules/github_rules/github_org_ip_allowlist.yml
+++ b/rules/github_rules/github_org_ip_allowlist.yml
@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to a GitHub Org IP Allow List
 Runbook: Verify that the change was authorized and appropriate.
+Reference: https://docs.github.com/en/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app
 Tests:
   - Name: GitHub - IP Allow list modified
diff --git a/rules/github_rules/github_org_moderators_add.yml b/rules/github_rules/github_org_moderators_add.yml
index be58c94e4..911a134e3 100644
--- a/rules/github_rules/github_org_moderators_add.yml
+++ b/rules/github_rules/github_org_moderators_add.yml
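Review bot: The reference added to github_org_ip_allowlist points at the GitHub *App* IP allow-list page (`/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app`), while the rule's own Description says it detects changes to a GitHub *Org* IP allow list. The organization-level page ("Managing allowed IP addresses for your organization", under `docs.github.com/en/organizations/keeping-your-organization-secure/…`) is the document that matches the audit events this rule is named for; please verify the current path before swapping it in. An analyst who follows the alert link today will read about the wrong feature. The `Tests:` block continues past the hunk.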
@@ -10,6 +10,7 @@ Tags:
   - Initial Access:Supply Chain Compromise
 Severity: Medium
 Description: Detects when a user is added to a GitHub org's list of moderators.
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-moderators-in-your-organization
 Tests:
   - Name: GitHub - Org Moderator Added
diff --git a/rules/github_rules/github_org_modified.yml b/rules/github_rules/github_org_modified.yml
index ee7c3f91c..08cfe0d06 100644
--- a/rules/github_rules/github_org_modified.yml
+++ b/rules/github_rules/github_org_modified.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/managing-membership-in-your-organization
 Severity: Info
 Description: Detects when a user is added or removed from a GitHub Org.
 Tests:
diff --git a/rules/github_rules/github_public_repository_created.yml b/rules/github_rules/github_public_repository_created.yml
index 87a3cfa12..4ea2114f3 100644
--- a/rules/github_rules/github_public_repository_created.yml
+++ b/rules/github_rules/github_public_repository_created.yml
@@ -4,6 +4,7 @@ DisplayName: "Github Public Repository Created"
 Enabled: true
 Filename: github_public_repository_created.py
 Runbook: Confirm this github repository was intended to be created as 'public' versus 'private'.
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Medium
 Tags:
   - Github Repository
diff --git a/rules/github_rules/github_repo_collaborator_change.yml b/rules/github_rules/github_repo_collaborator_change.yml
index 330ca18e1..e73cdf0bd 100644
--- a/rules/github_rules/github_repo_collaborator_change.yml
+++ b/rules/github_rules/github_repo_collaborator_change.yml
@@ -14,6 +14,7 @@ Reports:
 Severity: Medium
 Description: Detects when a repository collaborator is added or removed.
 Runbook: Determine if the new collaborator is authorized to access the repository.
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Tests:
   - Name: GitHub - Collaborator Added
diff --git a/rules/github_rules/github_repo_created.yml b/rules/github_rules/github_repo_created.yml
index 6def51348..d8ac3e042 100644
--- a/rules/github_rules/github_repo_created.yml
+++ b/rules/github_rules/github_repo_created.yml
@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Info
 Description: Detects when a repository is created.
 Tests:
diff --git a/rules/github_rules/github_repo_hook_modified.yml b/rules/github_rules/github_repo_hook_modified.yml
index 69bea8d84..44d994a80 100644
--- a/rules/github_rules/github_repo_hook_modified.yml
+++ b/rules/github_rules/github_repo_hook_modified.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1020
+Reference: https://docs.github.com/en/webhooks/about-webhooks
 Severity: Info
 Description: Detects when a web hook is added, modified, or deleted in an org repository.
 Tests:
diff --git a/rules/github_rules/github_repo_initial_access.yml b/rules/github_rules/github_repo_initial_access.yml
index 75b247298..276edf580 100644
--- a/rules/github_rules/github_repo_initial_access.yml
+++ b/rules/github_rules/github_repo_initial_access.yml
@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Severity: Info
 Description: Detects when a user initially accesses a private organization repository.
 Tests:
diff --git a/rules/github_rules/github_repo_visibility_change.yml b/rules/github_rules/github_repo_visibility_change.yml
index e7fb25e6e..4625d4895 100644
--- a/rules/github_rules/github_repo_visibility_change.yml
+++ b/rules/github_rules/github_repo_visibility_change.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1567
+Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility
 Severity: High
 Description: Detects when an organization repository visibility changes.
 Tests:
diff --git a/rules/github_rules/github_secret_scanning_alert_created.yml b/rules/github_rules/github_secret_scanning_alert_created.yml
index 105994a33..5e59c12a7 100644
--- a/rules/github_rules/github_secret_scanning_alert_created.yml
+++ b/rules/github_rules/github_secret_scanning_alert_created.yml
@@ -13,6 +13,7 @@ Reports:
 Severity: Medium
 Description: GitHub detected a secret and created a secret scanning alert.
 Runbook: Review the secret to determine if it needs to be revoked or the alert suppressed.
+Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Tests:
   - Name: secret_scanning_alert.create-true
diff --git a/rules/github_rules/github_team_modified.yml b/rules/github_rules/github_team_modified.yml
index fb9c9600c..4a1642273 100644
--- a/rules/github_rules/github_team_modified.yml
+++ b/rules/github_rules/github_team_modified.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/organizing-members-into-teams
 Severity: Info
 Description: Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.
 Tests:
diff --git a/rules/github_rules/github_user_access_key_created.yml b/rules/github_rules/github_user_access_key_created.yml
index 184b9141a..f5e2a3463 100644
--- a/rules/github_rules/github_user_access_key_created.yml
+++ b/rules/github_rules/github_user_access_key_created.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1078
+Reference: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
 Severity: Info
 Description: Detects when a GitHub user access key is created.
 Tests:
diff --git a/rules/github_rules/github_user_role_updated.yml b/rules/github_rules/github_user_role_updated.yml
index 31952c3d7..7c552bdf2 100644
--- a/rules/github_rules/github_user_role_updated.yml
+++ b/rules/github_rules/github_user_role_updated.yml
@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1098
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization
 Severity: High
 Description: Detects when a GitHub user role is upgraded to an admin or downgraded to a member
 Tests:
From 1e5c3e3237df433dccdd8f0bfa9527b9ab072cbd Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:39:55 +0200
Subject: [PATCH 07/35] Add references to rules (gsuite_activityevent_rules) (#1012)
---
 .../google_workspace_admin_custom_role.yml | 1 +
 .../google_workspace_advanced_protection_program.yml | 1 +
 .../google_workspace_apps_marketplace_allowlist.yml | 1 +
 .../google_workspace_apps_marketplace_new_domain_application.yml | 1 +
 .../google_workspace_apps_new_mobile_app_installed.yml | 1 +
 .../gsuite_drive_many_docs_deleted.yml | 1 +
 .../gsuite_drive_many_docs_downloaded.yml | 1 +
 7 files changed, 7 insertions(+)
diff --git a/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml b/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
index 8c42da68f..4e4c025ca 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Admin Custom Role"
 Enabled: true
 Filename: google_workspace_admin_custom_role.py
 Runbook: Please review this activity with the administrator and ensure this behavior was authorized.
+Reference: https://support.google.com/a/answer/2406043?hl=en#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin
 Severity: Medium
 Tags:
   - admin
diff --git a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
index 08d698e7c..dc439e1a2 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Advanced Protection Program"
 Enabled: true
 Filename: google_workspace_advanced_protection_program.py
 Runbook: Confirm the changes made were authorized for your organization.
+Reference: https://support.google.com/a/answer/9378686?hl=en
 Severity: Medium
 Tests:
   - ExpectedResult: false
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
index 26e457e86..1c5f04a36 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace Allowlist"
 Enabled: true
 Filename: google_workspace_apps_marketplace_allowlist.py
 Runbook: Confirm with the acting user that this change was authorized.
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
   - ExpectedResult: false
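Review bot: The google_workspace_admin_custom_role reference is a text-fragment URL (`#:~:text=under%20the%20limit.-,Create%20a%20custom%20role,-Before%20you%20begin`), which only Chromium-based browsers honour and which stops scrolling to the section as soon as Google rewords the page; the same pattern is added to gsuite_drive_many_docs_deleted, new_aws_account_logging and microsoft365_external_sharing later in this series. A plain page URL, `Reference: https://support.google.com/a/answer/2406043?hl=en`, or a heading anchor the site itself emits is stable across browsers and edits. The `Tags:` list continues past the hunk.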
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
index e4a18a462..298f5e88e 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps Marketplace New Domain Application"
 Enabled: true
 Filename: google_workspace_apps_marketplace_new_domain_application.py
 Runbook: Confirm this was the intended behavior.
+Reference: https://developers.google.com/workspace/marketplace/overview
 Severity: Medium
 Tests:
   - ExpectedResult: false
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
index fb6bf1356..52d9d4a9c 100644
--- a/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
+++ b/rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml
@@ -4,6 +4,7 @@ DisplayName: "Google Workspace Apps New Mobile App Installed"
 Enabled: true
 Filename: google_workspace_apps_new_mobile_app_installed.py
 Runbook: https://admin.google.com/ac/apps/unified
+Reference: https://support.google.com/a/answer/6089179?hl=en
 Severity: Medium
 Tests:
   - ExpectedResult: true
diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
index 1191c5b7a..252a796dc 100644
--- a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
+++ b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_deleted.yml
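Review bot: google_workspace_apps_new_mobile_app_installed reuses the support article already assigned to the Apps Marketplace allowlist rule (`answer/6089179`), so one of the two rules is most likely pointing at the wrong topic — a page about marketplace / third-party app access control would not describe mobile device app installs, which is what this rule's DisplayName and Filename say it detects. I cannot verify the article's content from the diff, so please check which rule it actually covers and give the other one the matching mobile-management page. The existing Runbook for this rule is a bare admin-console URL, so the Reference is the only explanatory link an analyst gets.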
@@ -3,6 +3,7 @@ Description: Scheduled rule for the GSuite Drive Many Documents Deleted query. L
 DisplayName: "GSuite Drive Many Documents Deleted"
 Enabled: true
 Filename: gsuite_drive_many_docs_deleted.py
+Reference: https://support.google.com/drive/answer/2375102?hl=en&co=GENIE.Platform%3DAndroid#:~:text=To%20delete%20your%20Google%20Drive,them%20to%20empty%20your%20trash.
 Severity: Medium
 Tests:
   - ExpectedResult: true
diff --git a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
index a3038e507..225a14576 100644
--- a/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
+++ b/rules/gsuite_activityevent_rules/gsuite_drive_many_docs_downloaded.yml
@@ -3,6 +3,7 @@ Description: Scheduled rule for the High Google Drive Download Count query which
 DisplayName: "Google Drive High Download Count"
 Enabled: true
 Filename: gsuite_drive_many_docs_downloaded.py
+Reference: https://support.google.com/drive/answer/2423534?hl=en&co=GENIE.Platform%3DDesktop
 Severity: Medium
 Tests:
   - ExpectedResult: true
From 2e8e932a61034299bf3fef30fd22385c3cd6d13b Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:42:16 +0200
Subject: [PATCH 08/35] Add references to rules (gsuite_reports_rules) (#1013)
---
 rules/gsuite_reports_rules/gsuite_drive_external_share.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/gsuite_reports_rules/gsuite_drive_external_share.yml b/rules/gsuite_reports_rules/gsuite_drive_external_share.yml
index 4fd8368d8..39d87bdef 100644
--- a/rules/gsuite_reports_rules/gsuite_drive_external_share.yml
+++ b/rules/gsuite_reports_rules/gsuite_drive_external_share.yml
@@ -18,6 +18,7 @@ Description: An employee shared a sensitive file externally with another organiz
 Runbook: >
   Contact the employee who made the share and make sure they redact the access.
   If the share was legitimate, add to the EXCEPTION_PATTERNS in the detection.
+Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/usage/user/drive#visibility-parameters
 Tests:
   - Name: Dangerous Share of Known Document with a Missing User
From 1bfce8c52abd8a3c9a3888d7fc1e4ec0f6660d73 Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:44:39 +0200
Subject: [PATCH 09/35] Add references to rules (indicator_creation_rules) (#1014)
---
 rules/indicator_creation_rules/new_aws_account_logging.yml | 1 +
 rules/indicator_creation_rules/new_user_account_logging.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/indicator_creation_rules/new_aws_account_logging.yml b/rules/indicator_creation_rules/new_aws_account_logging.yml
index cac085a9c..e00618000 100644
--- a/rules/indicator_creation_rules/new_aws_account_logging.yml
+++ b/rules/indicator_creation_rules/new_aws_account_logging.yml
@@ -15,6 +15,7 @@ Reports:
     - TA0003:T1136
 Description: A new AWS account was created
 Runbook: A new AWS account was created, ensure it was created through standard practice and is for a valid purpose.
+Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#:~:text=AWS%20Organizations%20information%20in%20CloudTrail
 SummaryAttributes:
   - p_any_aws_account_ids
 Tests:
diff --git a/rules/indicator_creation_rules/new_user_account_logging.yml b/rules/indicator_creation_rules/new_user_account_logging.yml
index 4c0ffef80..bbe24533b 100644
--- a/rules/indicator_creation_rules/new_user_account_logging.yml
+++ b/rules/indicator_creation_rules/new_user_account_logging.yml
@@ -24,6 +24,7 @@ Reports:
     - TA0003:T1136
 Description: A new account was created
 Runbook: A new user account was created, ensure it was created through standard practice and is for a valid purpose.
+Reference: https://attack.mitre.org/techniques/T1136/001/
 SummaryAttributes:
   - p_any_usernames
 Tests:
From 37c6ca79b489553e53131dcd9c29af1ce4202a5d Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:47:41 +0200
Subject: [PATCH 10/35] Add references to rules (microsoft_rules) (#1015)
---
 rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml | 1 +
 rules/microsoft_rules/microsoft365_external_sharing.yml | 1 +
 rules/microsoft_rules/microsoft365_mfa_disabled.yml | 1 +
 rules/microsoft_rules/microsoft_exchange_external_forwarding.yml | 1 +
 4 files changed, 4 insertions(+)
diff --git a/rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml b/rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml
index 7d541b532..920e107be 100644
--- a/rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml
+++ b/rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml
@@ -4,6 +4,7 @@ DisplayName: "Microsoft365 Brute Force Login by User"
 Enabled: true
 Filename: microsoft365_brute_force_login_by_user.py
 Runbook: Analyze the IP they came from and actions taken before/after.
+Reference: https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/access-denied-when-connect-to-office-365
 Severity: Medium
 Tests:
   - ExpectedResult: true
diff --git a/rules/microsoft_rules/microsoft365_external_sharing.yml b/rules/microsoft_rules/microsoft365_external_sharing.yml
index bad1a18e6..e11325818 100644
--- a/rules/microsoft_rules/microsoft365_external_sharing.yml
+++ b/rules/microsoft_rules/microsoft365_external_sharing.yml
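Review bot: new_user_account_logging now cites T1136.001 (Create Account: Local Account), but nothing in the hunk narrows the rule to local accounts — it reports on the parent `TA0003:T1136` and summarizes on `p_any_usernames`, which Panther populates across log sources, while the cloud-account case is already handled by the sibling new_aws_account_logging rule. Unless the rule's log types (outside the hunk) are host-local only, the parent technique page `Reference: https://attack.mitre.org/techniques/T1136/` is the accurate citation and matches the `Reports:` mapping two lines above. The `Tests:` block continues past the hunk.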
@@ -4,6 +4,7 @@ DisplayName: "Microsoft365 External Document Sharing"
 Enabled: true
 Filename: microsoft365_external_sharing.py
 Runbook: Check the document metadata to ensure it is not a sensitive document.
+Reference: https://support.microsoft.com/en-us/topic/manage-sharing-with-external-users-in-microsoft-365-small-business-2951a85f-c970-4375-aa4f-6b0d7035fe35#:~:text=Top%20of%20Page-,Turn%20external%20sharing%20on%20or%20off,-The%20ability%20to
 Severity: Low
 Tests:
   - ExpectedResult: false
diff --git a/rules/microsoft_rules/microsoft365_mfa_disabled.yml b/rules/microsoft_rules/microsoft365_mfa_disabled.yml
index 61fa9ef70..7b9b0207b 100644
--- a/rules/microsoft_rules/microsoft365_mfa_disabled.yml
+++ b/rules/microsoft_rules/microsoft365_mfa_disabled.yml
@@ -4,6 +4,7 @@ DisplayName: "Microsoft365 MFA Disabled"
 Enabled: true
 Filename: microsoft365_mfa_disabled.py
 Runbook: Depending on company policy, either suggest or require the user re-enable two step verification.
+Reference: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
 Severity: Low
 Tests:
   - ExpectedResult: false
diff --git a/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml b/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
index bd2a734f1..09695a918 100644
--- a/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
+++ b/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
@@ -3,6 +3,7 @@ Description: Detects creation of forwarding rule to external domains
 DisplayName: "Microsoft Exchange External Forwarding"
 Enabled: true
 Filename: microsoft_exchange_external_forwarding.py
+Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide
 Severity: High
 Tests:
   - ExpectedResult: true
From 5c734121b56d44d3af1db6c680ffd0a411d5e32c Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:57:09 +0200
Subject: [PATCH 11/35] Add references to rules (mongodb_rules) (#1016)
---
 rules/mongodb_rules/mongodb_atlas_api_key_created.yml | 1 +
 rules/mongodb_rules/mongodb_external_user_invited.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/mongodb_rules/mongodb_atlas_api_key_created.yml b/rules/mongodb_rules/mongodb_atlas_api_key_created.yml
index d6a84d53c..712dfbe83 100644
--- a/rules/mongodb_rules/mongodb_atlas_api_key_created.yml
+++ b/rules/mongodb_rules/mongodb_atlas_api_key_created.yml
@@ -4,6 +4,7 @@ DisplayName: "MongoDB Atlas API Key Created"
 Enabled: true
 Filename: mongodb_atlas_api_key_created.py
 Severity: Medium
+Reference: https://www.mongodb.com/docs/atlas/configure-api-access/#std-label-about-org-api-keys
 Tests:
   - ExpectedResult: false
     Log:
diff --git a/rules/mongodb_rules/mongodb_external_user_invited.yml b/rules/mongodb_rules/mongodb_external_user_invited.yml
index 8f61ed84b..1480be553 100644
--- a/rules/mongodb_rules/mongodb_external_user_invited.yml
+++ b/rules/mongodb_rules/mongodb_external_user_invited.yml
@@ -4,6 +4,7 @@ DisplayName: "MongoDB External User Invited"
 Enabled: true
 Filename: mongodb_external_user_invited.py
 Severity: Medium
+Reference: https://www.mongodb.com/docs/v4.2/tutorial/create-users/
 Tags:
   - Configuration Required
 Tests:
From 21ec5cc241114fa2b145e0a0b5563f44bfbe851d Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 16:02:14 +0200
Subject: [PATCH 12/35] Add references to rules (netskope_rules) (#1021)
---
 rules/netskope_rules/netskope_admin_logged_out.yml | 1 +
 rules/netskope_rules/netskope_admin_user_change.yml | 1 +
 rules/netskope_rules/netskope_many_deletes.yml | 1 +
 rules/netskope_rules/netskope_personnel_action.yml | 1 +
 rules/netskope_rules/netskope_unauthorized_api_calls.yml | 1 +
 5 files changed, 5 insertions(+)
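Review bot: mongodb_external_user_invited is given a reference pinned to an old self-managed server release (`/docs/v4.2/tutorial/create-users/`), which documents creating database users with `db.createUser`, not inviting an external user into an organization or project; the sibling rule on this line cites the Atlas `configure-api-access` page, which is the right product. If this rule consumes Atlas events (the DisplayName and the `Configuration Required` tag suggest so, but the log type is outside the hunk), the Atlas organization/project user-management page is the matching reference, and in any case an unversioned docs path avoids linking to a release that will be retired. The key also lands after `Severity:` here but after `Runbook:` in most other files of this series.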
diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml
index 993033c96..b0e6cf9c2 100644
--- a/rules/netskope_rules/netskope_admin_logged_out.yml
+++ b/rules/netskope_rules/netskope_admin_logged_out.yml
@@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
index f98513b87..abc84d284 100644
--- a/rules/netskope_rules/netskope_admin_user_change.yml
+++ b/rules/netskope_rules/netskope_admin_user_change.yml
@@ -27,6 +27,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0004:T1098
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
 Severity: High
 DynamicSeverities:
   - ChangeTo: Critical
diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml
index 6663338eb..c89c54fe6 100644
--- a/rules/netskope_rules/netskope_many_deletes.yml
+++ b/rules/netskope_rules/netskope_many_deletes.yml
@@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time.
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml
index 53fb387a0..cd3b2f389 100644
--- a/rules/netskope_rules/netskope_personnel_action.yml
+++ b/rules/netskope_rules/netskope_personnel_action.yml
@@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Action taken by Netskope Personnel. Validate that this action was authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
index 6fe10496f..74758ed4f 100644
--- a/rules/netskope_rules/netskope_unauthorized_api_calls.yml
+++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
@@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials.
+Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/
 Tests:
   - Name: True positive
     ExpectedResult: true
From fb621313ca1412cab6f2a5ef031886bc0e8b4f62 Mon Sep 17 00:00:00 2001
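Review bot: netskope_unauthorized_api_calls now references the Netskope Private Access (NPA) REST API page, but the rule's Description and Runbook describe an account making many unauthorized calls — in the Netskope admin audit log those are tenant REST API calls, not NPA-specific ones — and the other four netskope rules in this commit all cite the admin-console audit-log page. Unless the detection is scoped to NPA endpoints (its `Detection:` block is outside the hunk), the Netskope REST API overview in the help center, or the same audit-log page the sibling rules use, would be the accurate citation. The `#filters-1` anchor added to netskope_personnel_action is an auto-generated heading id and is likely to change when the page is re-published; the un-anchored audit-log URL used for the sibling rules is safer. The `Tests:` blocks continue past both hunks.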
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 16:04:41 +0200
Subject: [PATCH 13/35] Add references to rules (notion_rules) (#1022)
---
 rules/notion_rules/notion_account_changed_after_login.yml | 1 +
 rules/notion_rules/notion_login_from_blocked_ip.yml | 1 +
 rules/notion_rules/notion_login_from_new_location.yml | 1 +
 rules/notion_rules/notion_many_pages_deleted.yml | 1 +
 rules/notion_rules/notion_many_pages_exported.yml | 1 +
 rules/notion_rules/notion_page_accessible_to_api.yml | 1 +
 rules/notion_rules/notion_page_accessible_to_guests.yml | 1 +
 rules/notion_rules/notion_page_shared_to_web.yml | 1 +
 rules/notion_rules/notion_page_view_impossible_travel.yml | 1 +
 rules/notion_rules/notion_scim_token_generated.yml | 1 +
 rules/notion_rules/notion_workspace_audit_log_exported.yml | 1 +
 rules/notion_rules/notion_workspace_exported.yml | 1 +
 ...notion_workspace_settings_enforce_saml_sso_config_updated.yml | 1 +
 .../notion_workspace_settings_public_homepage_added.yml | 1 +
 14 files changed, 14 insertions(+)
diff --git a/rules/notion_rules/notion_account_changed_after_login.yml b/rules/notion_rules/notion_account_changed_after_login.yml
index c3f6d1609..59cf99205 100644
--- a/rules/notion_rules/notion_account_changed_after_login.yml
+++ b/rules/notion_rules/notion_account_changed_after_login.yml
@@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine.
+Reference: https://www.notion.so/help/account-settings
 Tests:
   - # This unit test is to make sure the logic for handling login events successfully results in
     # caching the login info. The outputted title/alert_context are not important.
diff --git a/rules/notion_rules/notion_login_from_blocked_ip.yml b/rules/notion_rules/notion_login_from_blocked_ip.yml
index b32b63256..af4e2134b 100644
--- a/rules/notion_rules/notion_login_from_blocked_ip.yml
+++ b/rules/notion_rules/notion_login_from_blocked_ip.yml
@@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note:
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked.
+Reference: https://www.notion.so/help/allowlist-ip
diff --git a/rules/notion_rules/notion_login_from_new_location.yml b/rules/notion_rules/notion_login_from_new_location.yml
index d3461b477..8cf3202d4 100644
--- a/rules/notion_rules/notion_login_from_new_location.yml
+++ b/rules/notion_rules/notion_login_from_new_location.yml
@@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location.
 DedupPeriodMinutes: 60
 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine.
+Reference: https://ipinfo.io/products/ip-geolocation-api
 Tests:
   - Name: Login from normal location
     ExpectedResult: false
diff --git a/rules/notion_rules/notion_many_pages_deleted.yml b/rules/notion_rules/notion_many_pages_deleted.yml
index ef5ba1205..81257217b 100644
--- a/rules/notion_rules/notion_many_pages_deleted.yml
+++ b/rules/notion_rules/notion_many_pages_deleted.yml
@@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
 Tests:
   - Name: Other Event
     ExpectedResult: false
diff --git a/rules/notion_rules/notion_many_pages_exported.yml b/rules/notion_rules/notion_many_pages_exported.yml
index fb5f13740..010245809 100644
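Review bot: notion_login_from_new_location cites a vendor product page (`https://ipinfo.io/products/ip-geolocation-api`) rather than documentation of the behaviour being detected; if the rule depends on Panther's IPinfo enrichment that is worth stating in the Runbook, and the Notion help page on workspace security / login settings is the more durable reference for the alert link. Two pre-existing issues are visible on the new side of these hunks: the inline comment on `Threshold: 1 # Number of pages deleted; …` in the new-location rule is a leftover from notion_many_pages_deleted and should describe this rule (e.g. `# Number of logins from a new location; …`), and notion_login_from_blocked_ip ends at line 17 with the new `Reference:` as its last line, so unless its `Tests:` block sits above line 14 this rule ships without unit-test fixtures. The same end-of-file shape appears for notion_page_accessible_to_api and notion_page_shared_to_web in the following hunks.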
--- a/rules/notion_rules/notion_many_pages_exported.yml
+++ b/rules/notion_rules/notion_many_pages_exported.yml
@@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs.
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/export-your-content
 Tests:
   - Name: Other Event
     ExpectedResult: false
diff --git a/rules/notion_rules/notion_page_accessible_to_api.yml b/rules/notion_rules/notion_page_accessible_to_api.yml
index 288174f6e..4f8ba6c0c 100644
--- a/rules/notion_rules/notion_page_accessible_to_api.yml
+++ b/rules/notion_rules/notion_page_accessible_to_api.yml
@@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions
diff --git a/rules/notion_rules/notion_page_accessible_to_guests.yml b/rules/notion_rules/notion_page_accessible_to_guests.yml
index ec3ef9fdf..53db176be 100644
--- a/rules/notion_rules/notion_page_accessible_to_guests.yml
+++ b/rules/notion_rules/notion_page_accessible_to_guests.yml
@@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions
 Tests:
   - Name: Guest Role Added
     ExpectedResult: true
diff --git a/rules/notion_rules/notion_page_shared_to_web.yml b/rules/notion_rules/notion_page_shared_to_web.yml
index 620d59920..777237005 100644
--- a/rules/notion_rules/notion_page_shared_to_web.yml
+++ b/rules/notion_rules/notion_page_shared_to_web.yml
@@ -14,3 +14,4 @@ Description: A Notion User published a page to the web.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/public-pages-and-web-publishing
diff --git a/rules/notion_rules/notion_page_view_impossible_travel.yml b/rules/notion_rules/notion_page_view_impossible_travel.yml
index f7ecce6d3..3d9f98fe3 100644
--- a/rules/notion_rules/notion_page_view_impossible_travel.yml
+++ b/rules/notion_rules/notion_page_view_impossible_travel.yml
@@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account compromise. Review activity of this user.
+Reference: https://raxis.com/blog/simultaneous-sessions/
 Tests:
   - Name: Normal Page View
     ExpectedResult: False
diff --git a/rules/notion_rules/notion_scim_token_generated.yml b/rules/notion_rules/notion_scim_token_generated.yml
index b30115211..e13e18c44 100644
--- a/rules/notion_rules/notion_scim_token_generated.yml
+++ b/rules/notion_rules/notion_scim_token_generated.yml
@@ -14,6 +14,7 @@ Severity: Medium
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/provision-users-and-groups-with-scim
 Tests:
   - ExpectedResult: false
     Log:
diff --git a/rules/notion_rules/notion_workspace_audit_log_exported.yml b/rules/notion_rules/notion_workspace_audit_log_exported.yml
index f18a3a767..6c80f8550 100644
--- a/rules/notion_rules/notion_workspace_audit_log_exported.yml
+++ b/rules/notion_rules/notion_workspace_audit_log_exported.yml
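Review bot: notion_page_view_impossible_travel cites a third-party blog post (`https://raxis.com/blog/simultaneous-sessions/`), the least durable kind of reference in this series and one that carries no vendor or framework authority; a MITRE ATT&CK page such as `Reference: https://attack.mitre.org/techniques/T1078/` (Valid Accounts, which this rule set already maps in github_user_access_key_created) or the Notion help page on workspace security settings would age better and match what the other rules link to. Visible but pre-existing on the new side of the same hunk: `ExpectedResult: False` uses a capitalised boolean, which yamllint's truthy rule flags and which differs from the lowercase `false` every other rule in this series uses. Both `Tests:` blocks continue past their hunks.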
@@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/audit-log#export-your-audit-log Tests: - Name: Other Event ExpectedResult: false diff --git a/rules/notion_rules/notion_workspace_exported.yml b/rules/notion_rules/notion_workspace_exported.yml index 2232647de..c40f7ec5c 100644 --- a/rules/notion_rules/notion_workspace_exported.yml +++ b/rules/notion_rules/notion_workspace_exported.yml @@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason. +Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace Tests: - Name: Workspace Exported ExpectedResult: true diff --git a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml index 199009e77..a81cbe9c0 100644 --- a/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml +++ b/rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml @@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f DedupPeriodMinutes: 60 Threshold: 1 Runbook: Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices. +Reference: https://www.notion.so/help/saml-sso-configuration Tests: - Name: Other Event ExpectedResult: false 
diff --git a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml index 221c8ca0b..0147311d7 100644 --- a/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml +++ b/rules/notion_rules/notion_workspace_settings_public_homepage_added.yml @@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace. DedupPeriodMinutes: 60 Threshold: 1 Runbook: A Notion page was made public. Check with the author to determine why this page was made public. +Reference: https://www.notion.so/help/public-pages-and-web-publishing Tests: - Name: Public page added ExpectedResult: true From c393954a12ccded847476f2c744c0ea8d64f8010 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:07:29 +0200 Subject: [PATCH 14/35] Add references to rules (onelogin_rules) (#1024) --- rules/onelogin_rules/onelogin_admin_role_assigned.yml | 1 + rules/onelogin_rules/onelogin_unusual_login.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/onelogin_rules/onelogin_admin_role_assigned.yml b/rules/onelogin_rules/onelogin_admin_role_assigned.yml index cac026bee..d8bcaef05 100644 --- a/rules/onelogin_rules/onelogin_admin_role_assigned.yml +++ b/rules/onelogin_rules/onelogin_admin_role_assigned.yml @@ -7,6 +7,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010391 Severity: Low SummaryAttributes: - account_id diff --git a/rules/onelogin_rules/onelogin_unusual_login.yml b/rules/onelogin_rules/onelogin_unusual_login.yml index 1e982554d..d614e0344 100644 --- a/rules/onelogin_rules/onelogin_unusual_login.yml +++ b/rules/onelogin_rules/onelogin_unusual_login.yml 
@@ -9,6 +9,7 @@ LogTypes: - OneLogin.Events Tags: - Identity & Access Management +Reference: https://actzero.ai/resources/blog/a-smarter-way-to-detect-suspicious-cloud-logins Severity: Medium Description: Deprecated. Please see Standard.UnusualLogin instead. SummaryAttributes: From 4c9102eb675797560cb0ff6e4e2cf7ae0770ad0e Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:09:57 +0200 Subject: [PATCH 15/35] Add references to rules (onepassword_rules) (#1025) --- .../onepassword_rules/onepassword_lut_sensitive_item_access.yml | 1 + rules/onepassword_rules/onepassword_sensitive_item_access.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml index f1a0ca2fd..9dbed6ae1 100644 --- a/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "BETA - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: diff --git a/rules/onepassword_rules/onepassword_sensitive_item_access.yml b/rules/onepassword_rules/onepassword_sensitive_item_access.yml index 8e5ab5bd3..22a937473 100644 --- a/rules/onepassword_rules/onepassword_sensitive_item_access.yml +++ b/rules/onepassword_rules/onepassword_sensitive_item_access.yml @@ -6,6 +6,7 @@ DisplayName: "Configuration Required - Sensitive 1Password Item Accessed" Enabled: false LogTypes: - OnePassword.ItemUsage +Reference: https://support.1password.com/1password-com-items/ Severity: Low Description: Alerts when a user defined list of sensitive items in 1Password is accessed SummaryAttributes: 
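Review bot: The `Reference:` added to onelogin_unusual_login.yml sends readers to a vendor blog for a rule whose own `Description` reads `Deprecated. Please see Standard.UnusualLogin instead.`, so the new metadata points away from the successor rather than toward it. A deprecated rule should not accumulate fresh third-party citations; if a Reference is wanted here it should name the replacement, e.g. `Reference: Superseded by Standard.UnusualLogin; see that rule's Reference for background.`, or the key should be left off and the deprecation notice left to carry the message.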
From 323e365d4cd83073c9c837aa6ef34a2c1de4058b Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:12:23 +0200 Subject: [PATCH 16/35] Add references to rules (panther_audit_rules) (#1027) --- rules/panther_audit_rules/panther_detection_deleted.yml | 1 + rules/panther_audit_rules/panther_saml_modified.yml | 1 + rules/panther_audit_rules/panther_sensitive_role_created.yml | 1 + rules/panther_audit_rules/panther_user_modified.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/rules/panther_audit_rules/panther_detection_deleted.yml b/rules/panther_audit_rules/panther_detection_deleted.yml index 5938d2a7b..d8fcba243 100644 --- a/rules/panther_audit_rules/panther_detection_deleted.yml +++ b/rules/panther_audit_rules/panther_detection_deleted.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: Detection content has been removed from Panther. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_saml_modified.yml b/rules/panther_audit_rules/panther_saml_modified.yml index cf73682ba..daaa7b943 100644 --- a/rules/panther_audit_rules/panther_saml_modified.yml +++ b/rules/panther_audit_rules/panther_saml_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: An Admin has modified Panther's SAML configuration. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/saml SummaryAttributes: - p_any_ip_addresses - p_any_usernames diff --git a/rules/panther_audit_rules/panther_sensitive_role_created.yml b/rules/panther_audit_rules/panther_sensitive_role_created.yml index 93e5ac17b..36ec77ca6 100644 --- a/rules/panther_audit_rules/panther_sensitive_role_created.yml 
+++ b/rules/panther_audit_rules/panther_sensitive_role_created.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user role has been created that contains admin level permissions. Runbook: Contact the creator of this role to ensure its creation was appropriate. +Reference: https://docs.panther.com/system-configuration/rbac SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_user_modified.yml b/rules/panther_audit_rules/panther_user_modified.yml index ca28a4a69..95280e28c 100644 --- a/rules/panther_audit_rules/panther_user_modified.yml +++ b/rules/panther_audit_rules/panther_user_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user. Runbook: Validate that this user modification was intentional. +Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management SummaryAttributes: - p_any_ip_addresses Tests: From a6d7e1c36189e2a8dc0244c358966c07e5762efc Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:14:48 +0200 Subject: [PATCH 17/35] Add references to rules (salesforce_rules) (#1028) --- rules/salesforce_rules/salesforce_admin_login_as_user.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/salesforce_rules/salesforce_admin_login_as_user.yml b/rules/salesforce_rules/salesforce_admin_login_as_user.yml index 5c55e71ae..8421ec35c 100644 --- a/rules/salesforce_rules/salesforce_admin_login_as_user.yml +++ b/rules/salesforce_rules/salesforce_admin_login_as_user.yml 
@@ -4,6 +4,7 @@ DisplayName: "Salesforce Admin Login As User" Enabled: true Filename: salesforce_admin_login_as_user.py Runbook: 'Please do an indicator search on USER_ID to find which user was assumed. ' +Reference: https://help.salesforce.com/s/articleView?id=sf.logging_in_as_another_user.htm&type=5 Severity: Info Tests: - ExpectedResult: false From 71c5df9988d798ce87daa60cad250f894d3de0b5 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:17:16 +0200 Subject: [PATCH 18/35] Add references to rules (sentinelone_rules) (#1029) --- rules/sentinelone_rules/sentinelone_alert_passthrough.yml | 1 + rules/sentinelone_rules/sentinelone_threats.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml index 935d220fe..5e16edc36 100644 --- a/rules/sentinelone_rules/sentinelone_alert_passthrough.yml +++ b/rules/sentinelone_rules/sentinelone_alert_passthrough.yml @@ -3,6 +3,7 @@ Description: SentinelOne Alert Passthrough DisplayName: "SentinelOne Alert Passthrough" Enabled: true Filename: sentinelone_alert_passthrough.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true diff --git a/rules/sentinelone_rules/sentinelone_threats.yml b/rules/sentinelone_rules/sentinelone_threats.yml index b22c72f3c..f861b3cf8 100644 --- a/rules/sentinelone_rules/sentinelone_threats.yml +++ b/rules/sentinelone_rules/sentinelone_threats.yml @@ -3,6 +3,7 @@ Description: 'Passthrough SentinelOne Threats ' DisplayName: "SentinelOne Threats" Enabled: true Filename: sentinelone_threats.py +Reference: https://www.sentinelone.com/blog/feature-spotlight-introducing-the-new-threat-center/ Severity: High Tests: - ExpectedResult: true From 92dfc5f65acd7e9e6a4c755902e310da84ceea51 Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:19:34 +0200 Subject: [PATCH 19/35] Add references to rules (snyk_rules) (#1030) --- rules/snyk_rules/snyk_misc_settings.yml | 1 + rules/snyk_rules/snyk_org_settings.yml | 1 + rules/snyk_rules/snyk_project_settings.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/rules/snyk_rules/snyk_misc_settings.yml b/rules/snyk_rules/snyk_misc_settings.yml index b6b4df89a..4d7c41974 100644 --- a/rules/snyk_rules/snyk_misc_settings.yml +++ b/rules/snyk_rules/snyk_misc_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings Severity: Low Description: > Detects when Snyk settings that lack a clear security impact are changed diff --git a/rules/snyk_rules/snyk_org_settings.yml b/rules/snyk_rules/snyk_org_settings.yml index 3716d8c5c..18dae4e54 100644 --- a/rules/snyk_rules/snyk_org_settings.yml +++ b/rules/snyk_rules/snyk_org_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings Severity: Medium Description: > Detects when Snyk Organization settings, like Integrations and Webhooks, are changed diff --git a/rules/snyk_rules/snyk_project_settings.yml b/rules/snyk_rules/snyk_project_settings.yml index a0d294745..9d52d8289 100644 --- a/rules/snyk_rules/snyk_project_settings.yml +++ b/rules/snyk_rules/snyk_project_settings.yml @@ -8,6 +8,7 @@ LogTypes: - Snyk.OrgAudit Tags: - Snyk +Reference: https://docs.snyk.io/snyk-admin/introduction-to-snyk-projects/view-and-edit-project-settings Severity: Medium Description: > Detects when Snyk Project settings are changed From 14d9912533437bc3675488b0bf2a76bc8219a16c Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:22:17 +0200 Subject: [PATCH 20/35] Add references to rules (tailscale_rules) (#1032) --- rules/tailscale_rules/tailscale_https_disabled.yml | 1 + .../tailscale_machine_approval_requirements_disabled.yml | 1 + rules/tailscale_rules/tailscale_magicdns_disabled.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/rules/tailscale_rules/tailscale_https_disabled.yml b/rules/tailscale_rules/tailscale_https_disabled.yml index 15dd0a239..8f786c969 100644 --- a/rules/tailscale_rules/tailscale_https_disabled.yml +++ b/rules/tailscale_rules/tailscale_https_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale HTTPS Disabled" Enabled: true Filename: tailscale_https_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1153/enabling-https/#disable-https Severity: High Tests: - ExpectedResult: true diff --git a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml index 268e95db4..fe7a3e8a5 100644 --- a/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml +++ b/rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Machine Approval Requirements Disabled" Enabled: true Filename: tailscale_machine_approval_requirements_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1099/device-approval/ Severity: High Tests: - ExpectedResult: true 
diff --git a/rules/tailscale_rules/tailscale_magicdns_disabled.yml b/rules/tailscale_rules/tailscale_magicdns_disabled.yml index 513da6419..c84f88818 100644 --- a/rules/tailscale_rules/tailscale_magicdns_disabled.yml +++ b/rules/tailscale_rules/tailscale_magicdns_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Tailscale Magic DNS Disabled" Enabled: true Filename: tailscale_magicdns_disabled.py Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture. +Reference: https://tailscale.com/kb/1081/magicdns/ Severity: High Tests: - ExpectedResult: true From 1643a029fc6623b058c84d3b535aab827ac18aac Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:24:40 +0200 Subject: [PATCH 21/35] Add references to rules (tines_rules) (#1033) --- rules/tines_rules/tines_actions_disabled_changes.yml | 1 + rules/tines_rules/tines_custom_ca.yml | 1 + rules/tines_rules/tines_enqueued_retrying_job_deletion.yml | 1 + rules/tines_rules/tines_global_resource_destruction.yml | 1 + rules/tines_rules/tines_sso_settings.yml | 1 + rules/tines_rules/tines_story_items_destruction.yml | 1 + rules/tines_rules/tines_story_jobs_clearance.yml | 1 + rules/tines_rules/tines_team_destruction.yml | 1 + rules/tines_rules/tines_tenant_authtoken.yml | 1 + 9 files changed, 9 insertions(+) diff --git a/rules/tines_rules/tines_actions_disabled_changes.yml b/rules/tines_rules/tines_actions_disabled_changes.yml index 0b311afc2..f5e0fbc6d 100644 --- a/rules/tines_rules/tines_actions_disabled_changes.yml +++ b/rules/tines_rules/tines_actions_disabled_changes.yml @@ -7,6 +7,7 @@ LogTypes: - Tines.Audit Tags: - Tines +Reference: https://www.tines.com/university/tines-basics/architecture-of-an-action Severity: Medium Description: > Detections when Tines Actions are set to Disabled Change 
diff --git a/rules/tines_rules/tines_custom_ca.yml b/rules/tines_rules/tines_custom_ca.yml index b61097e4f..645d2b85f 100644 --- a/rules/tines_rules/tines_custom_ca.yml +++ b/rules/tines_rules/tines_custom_ca.yml @@ -8,6 +8,7 @@ LogTypes: Tags: - Tines - IAM - Credential Security +Reference: https://www.tines.com/docs/admin/custom-certificate-authority Severity: High Description: > Detects when Tines Custom CertificateAuthority settings are changed diff --git a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml index 1b1282def..4c5cbd566 100644 --- a/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml +++ b/rules/tines_rules/tines_enqueued_retrying_job_deletion.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "Currently enqueued or retrying jobs were cleared" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/self-hosting/job-management DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_global_resource_destruction.yml b/rules/tines_rules/tines_global_resource_destruction.yml index 6e50d9be7..4b16a7a22 100644 --- a/rules/tines_rules/tines_global_resource_destruction.yml +++ b/rules/tines_rules/tines_global_resource_destruction.yml @@ -15,6 +15,7 @@ Tags: Severity: Low Description: "A Tines user has destroyed a global resource." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/resources DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_sso_settings.yml b/rules/tines_rules/tines_sso_settings.yml index af54cc371..841ef9c6a 100644 --- a/rules/tines_rules/tines_sso_settings.yml +++ b/rules/tines_rules/tines_sso_settings.yml 
@@ -11,6 +11,7 @@ Tags: Severity: High Description: > Detects when Tines SSO settings are changed +Reference: https://www.tines.com/docs/admin/single-sign-on DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes: diff --git a/rules/tines_rules/tines_story_items_destruction.yml b/rules/tines_rules/tines_story_items_destruction.yml index d4021b6b2..df94d9a30 100644 --- a/rules/tines_rules/tines_story_items_destruction.yml +++ b/rules/tines_rules/tines_story_items_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Info Description: "A user has destroyed a story item" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_story_jobs_clearance.yml b/rules/tines_rules/tines_story_jobs_clearance.yml index b812abe4b..8310aca46 100644 --- a/rules/tines_rules/tines_story_jobs_clearance.yml +++ b/rules/tines_rules/tines_story_jobs_clearance.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A Tines User has cleared story jobs." Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/stories DedupPeriodMinutes: 60 Threshold: 1 Tests: diff --git a/rules/tines_rules/tines_team_destruction.yml b/rules/tines_rules/tines_team_destruction.yml index 85375c64f..329da0272 100644 --- a/rules/tines_rules/tines_team_destruction.yml +++ b/rules/tines_rules/tines_team_destruction.yml @@ -10,6 +10,7 @@ Tags: Severity: Low Description: "A user has destroyed a team" Runbook: "Possible data destruction. Please reach out to the user and confirm this was done for valid business reasons." +Reference: https://www.tines.com/docs/admin/teams DedupPeriodMinutes: 60 Threshold: 1 Tests: 
diff --git a/rules/tines_rules/tines_tenant_authtoken.yml b/rules/tines_rules/tines_tenant_authtoken.yml index ff366f3d2..33bb4fd94 100644 --- a/rules/tines_rules/tines_tenant_authtoken.yml +++ b/rules/tines_rules/tines_tenant_authtoken.yml @@ -11,6 +11,7 @@ Tags: Severity: Medium Description: > Detects when Tines Tenant API Keys are added +Reference: https://www.tines.com/api/authentication DedupPeriodMinutes: 60 Threshold: 1 SummaryAttributes: From 550c7aca50be9efb50dcc567777b64287319f54b Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:05:41 +0200 Subject: [PATCH 22/35] Add references to rules (okta_rules) (#1023) * Add references to rules (okta_rules) * Add references to rules (okta_rules) --------- Co-authored-by: Evan Gibler --- rules/okta_rules/okta_app_unauthorized_access_attempt.yml | 1 + rules/okta_rules/okta_geo_improbable_access.yml | 1 + rules/okta_rules/okta_group_admin_role_assigned.yml | 1 + rules/okta_rules/okta_user_account_locked.yml | 1 + rules/okta_rules/okta_user_mfa_factor_suspend.yml | 1 + rules/okta_rules/okta_user_mfa_reset.yml | 1 + rules/okta_rules/okta_user_mfa_reset_all.yml | 1 + 7 files changed, 7 insertions(+) diff --git a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml index 3d6cfeb11..ff18e8a81 100644 --- a/rules/okta_rules/okta_app_unauthorized_access_attempt.yml +++ b/rules/okta_rules/okta_app_unauthorized_access_attempt.yml @@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt" Enabled: true Filename: okta_app_unauthorized_access_attempt.py Severity: Low +Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US Tests: - ExpectedResult: true Log: diff --git a/rules/okta_rules/okta_geo_improbable_access.yml b/rules/okta_rules/okta_geo_improbable_access.yml index 20e9d65b9..6eb4d46ea 100644 
--- a/rules/okta_rules/okta_geo_improbable_access.yml +++ b/rules/okta_rules/okta_geo_improbable_access.yml @@ -15,6 +15,7 @@ Reports: Severity: High Description: A user has subsequent logins from two geographic locations that are very far apart Runbook: Reach out to the user if needed to validate the activity, then lock the account +Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts SummaryAttributes: - eventType - severity diff --git a/rules/okta_rules/okta_group_admin_role_assigned.yml b/rules/okta_rules/okta_group_admin_role_assigned.yml index 4f6a8dcb9..def8bcd08 100644 --- a/rules/okta_rules/okta_group_admin_role_assigned.yml +++ b/rules/okta_rules/okta_group_admin_role_assigned.yml @@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group DisplayName: "Okta Group Admin Role Assigned" Enabled: true Filename: okta_group_admin_role_assigned.py +Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_account_locked.yml b/rules/okta_rules/okta_user_account_locked.yml index 97a4a074d..c7dbf6303 100644 --- a/rules/okta_rules/okta_user_account_locked.yml +++ b/rules/okta_rules/okta_user_account_locked.yml @@ -3,6 +3,7 @@ Description: An Okta user has locked their account. DisplayName: "Okta User Account Locked" Enabled: true Filename: okta_user_account_locked.py +Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US Severity: Low Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_factor_suspend.yml b/rules/okta_rules/okta_user_mfa_factor_suspend.yml index 45d60f71b..7364a4231 100644 --- a/rules/okta_rules/okta_user_mfa_factor_suspend.yml 
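Review bot: The `Reference:` URL added to okta_group_admin_role_assigned.yml carries a `#:~:text=...` scroll-to-text fragment, which is a browser-specific hint rather than part of the resource locator: not every client honours it, any wording change on the target page silently breaks it, and it roughly doubles the line length. The same fragment style appears in this series in okta_user_mfa_reset_all.yml, impossible_travel_login.yml and malicious_sso_dns_lookup.yml. Trim each to the page URL, here `Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US`.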
+++ b/rules/okta_rules/okta_user_mfa_factor_suspend.yml @@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user. DisplayName: "Okta User MFA Factor Suspend" Enabled: true Filename: okta_user_mfa_factor_suspend.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm Severity: High Tests: - ExpectedResult: true diff --git a/rules/okta_rules/okta_user_mfa_reset.yml b/rules/okta_rules/okta_user_mfa_reset.yml index d21c22df7..4bd2ee8c0 100644 --- a/rules/okta_rules/okta_user_mfa_reset.yml +++ b/rules/okta_rules/okta_user_mfa_reset.yml @@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset" RuleID: "Okta.User.MFA.Reset.Single" Enabled: true Filename: okta_user_mfa_reset.py +Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US Severity: Info Tests: - diff --git a/rules/okta_rules/okta_user_mfa_reset_all.yml b/rules/okta_rules/okta_user_mfa_reset_all.yml index c8826818a..f2a44444c 100644 --- a/rules/okta_rules/okta_user_mfa_reset_all.yml +++ b/rules/okta_rules/okta_user_mfa_reset_all.yml @@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.' DisplayName: "Okta User MFA Reset All" Enabled: true Filename: okta_user_mfa_reset_all.py +Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All Severity: Low Tests: - ExpectedResult: true From 1692899f6d268c405ca73ac41bb13454020485a4 Mon Sep 17 00:00:00 2001 
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:07:34 +0200 Subject: [PATCH 23/35] Add references to rules (osquery_rules) (#1026) * Add references to rules (osquery_rules) * Add references to rules (osquery_rules) --------- Co-authored-by: Evan Gibler --- rules/osquery_rules/osquery_mac_enable_auto_update.yml | 1 + .../osquery_rules/osquery_mac_unwanted_chrome_extensions.yml | 1 + rules/osquery_rules/osquery_ossec.yml | 1 + rules/osquery_rules/osquery_outdated.py | 2 +- rules/osquery_rules/osquery_outdated.yml | 5 +++-- rules/osquery_rules/osquery_outdated_macos.yml | 1 + rules/osquery_rules/osquery_ssh_listener.yml | 1 + 7 files changed, 9 insertions(+), 3 deletions(-) diff --git a/rules/osquery_rules/osquery_mac_enable_auto_update.yml b/rules/osquery_rules/osquery_mac_enable_auto_update.yml index 7360f78fe..6039f11ca 100644 --- a/rules/osquery_rules/osquery_mac_enable_auto_update.yml +++ b/rules/osquery_rules/osquery_mac_enable_auto_update.yml @@ -21,6 +21,7 @@ Description: > Verifies that MacOS has automatic software updates enabled. Runbook: > Enable the auto updates on the host. +Reference: https://support.apple.com/en-gb/guide/mac-help/mchlpx1065/mac SummaryAttributes: - name - action diff --git a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml index 1e7c2180b..e3012725f 100644 --- a/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml +++ b/rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml @@ -17,6 +17,7 @@ Severity: Medium Description: > Monitor for chrome extensions that could lead to a credential compromise. Runbook: Uninstall the unwanted extension +Reference: https://securelist.com/threat-in-your-browser-extensions/107181/ SummaryAttributes: - action - hostIdentifier diff --git a/rules/osquery_rules/osquery_ossec.yml b/rules/osquery_rules/osquery_ossec.yml index 93c53f3f9..3ef6ad2ab 100644 
--- a/rules/osquery_rules/osquery_ossec.yml +++ b/rules/osquery_rules/osquery_ossec.yml @@ -17,6 +17,7 @@ Description: > Checks if any results are returned for the Osquery OSSEC Rootkit pack. Runbook: > Verify the presence of the rootkit and re-image the machine. +Reference: https://panther.com/blog/osquery-log-analysis/ SummaryAttributes: - name - hostIdentifier diff --git a/rules/osquery_rules/osquery_outdated.py b/rules/osquery_rules/osquery_outdated.py index cb190758c..7e9005acf 100644 --- a/rules/osquery_rules/osquery_outdated.py +++ b/rules/osquery_rules/osquery_outdated.py @@ -1,6 +1,6 @@ from panther_base_helpers import deep_get -LATEST_VERSION = "4.2.0" +LATEST_VERSION = "5.10.2" def rule(event): diff --git a/rules/osquery_rules/osquery_outdated.yml b/rules/osquery_rules/osquery_outdated.yml index b276f2f11..6c0af5fa1 100644 --- a/rules/osquery_rules/osquery_outdated.yml +++ b/rules/osquery_rules/osquery_outdated.yml @@ -9,8 +9,9 @@ Tags: - Osquery - Compliance Severity: Info -Description: Keep track of osquery versions, current is 4.1.2. +Description: Keep track of osquery versions, current is 5.10.2. Runbook: Update the osquery agent. +Reference: https://www.osquery.io/downloads/official/5.10.2 SummaryAttributes: - name - hostIdentifier @@ -74,7 +75,7 @@ Tests: "system_time": "12472", "user_time": "31800", "uuid": "37821E12-CC8A-5AA3-A90C-FAB28A5BF8F9", - "version": "4.2.0", + "version": "5.10.2", "watcher": "92" }, "counter": "255", diff --git a/rules/osquery_rules/osquery_outdated_macos.yml b/rules/osquery_rules/osquery_outdated_macos.yml index 32490ce9c..2e51f2f6a 100644 --- a/rules/osquery_rules/osquery_outdated_macos.yml +++ b/rules/osquery_rules/osquery_outdated_macos.yml @@ -12,6 +12,7 @@ Severity: Low Description: > Check that all laptops on the corporate environment are on a version of MacOS supported by IT. Runbook: Update the MacOs version +Reference: https://support.apple.com/en-eg/HT201260 SummaryAttributes: - name - hostIdentifier 
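Review bot: `LATEST_VERSION = "5.10.2"` in osquery_outdated.py is now one of four places the current version is spelled out — the yml `Description`, the new `Reference:` download URL and the test fixture's `"version"` field all repeat it — and the pre-patch state (constant `4.2.0`, description `4.1.2`) shows how readily they drift apart. Add a comment above the constant, `# Keep in sync with osquery_outdated.yml (Description, Reference) and its test fixture.`, so the next bump touches all four. The `rule(event)` body that consumes the constant lies outside the hunk, so whether it compares version strings lexically (where `"5.9.0"` would sort above `"5.10.2"`) cannot be confirmed from here; worth checking now that the minor component has two digits.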
diff --git a/rules/osquery_rules/osquery_ssh_listener.yml b/rules/osquery_rules/osquery_ssh_listener.yml index 880b70ed1..765a8ca8f 100644 --- a/rules/osquery_rules/osquery_ssh_listener.yml +++ b/rules/osquery_rules/osquery_ssh_listener.yml @@ -16,6 +16,7 @@ Description: > Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment. Runbook: > Terminate the SSH daemon, investigate for signs of compromise. +Reference: https://medium.com/uptycs/osquery-what-it-is-how-it-works-and-how-to-use-it-ce4e81e60dfc SummaryAttributes: - action - hostIdentifier From ac00a3c1975ade4be6ab21a4feadd841b89b6183 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:09:24 +0200 Subject: [PATCH 24/35] Add references to rules (standard_rules) (#1031) * Add references to rules (standard_rules) * Add references to rules (standard_rules) --------- Co-authored-by: Evan Gibler --- rules/standard_rules/admin_assigned.yml | 3 ++- rules/standard_rules/brute_force_by_ip.yml | 1 + rules/standard_rules/impossible_travel_login.yml | 1 + rules/standard_rules/malicious_sso_dns_lookup.yml | 1 + rules/standard_rules/mfa_disabled.yml | 1 + rules/standard_rules/standard_dns_base64.yml | 1 + rules/standard_rules/unusual_login_deprecated.yml | 1 + 7 files changed, 8 insertions(+), 1 deletion(-) diff --git a/rules/standard_rules/admin_assigned.yml b/rules/standard_rules/admin_assigned.yml index a1f954efa..ab6f1b58d 100644 --- a/rules/standard_rules/admin_assigned.yml +++ b/rules/standard_rules/admin_assigned.yml 
@@ -18,8 +18,9 @@ Severity: Medium Reports: MITRE ATT&CK: - TA0004:T1078 -Description: Attaching an audit role manually could be a sign of privilege escalation +Description: Assigning an admin role manually could be a sign of privilege escalation Runbook: Verify with the user who attached the role or add to a allowlist +Reference: https://medium.com/@gokulelango1040/privilege-escalation-attacks-28a9ef226abb SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/brute_force_by_ip.yml b/rules/standard_rules/brute_force_by_ip.yml index 79e32f277..74eed9ed7 100644 --- a/rules/standard_rules/brute_force_by_ip.yml +++ b/rules/standard_rules/brute_force_by_ip.yml @@ -23,6 +23,7 @@ Reports: - TA0006:T1110 Description: An actor user was denied login access more times than the configured threshold. Runbook: Analyze the IP they came from, and other actions taken before/after. Check if a user from this ip eventually authenticated successfully. +Reference: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml index 113f89663..1d7175827 100644 --- a/rules/standard_rules/impossible_travel_login.yml +++ b/rules/standard_rules/impossible_travel_login.yml @@ -21,6 +21,7 @@ Runbook: > If the user responds that the geolocation on the new location is incorrect, you can directly report the inaccuracy via https://ipinfo.io/corrections +Reference: https://expertinsights.com/insights/what-are-impossible-travel-logins/#:~:text=An%20impossible%20travel%20login%20is,of%20the%20logins%20is%20fraudulent SummaryAttributes: - p_any_usernames - p_any_ip_addresses diff --git a/rules/standard_rules/malicious_sso_dns_lookup.yml b/rules/standard_rules/malicious_sso_dns_lookup.yml index 3320ffd90..a9f88593c 100644 --- a/rules/standard_rules/malicious_sso_dns_lookup.yml 
+++ b/rules/standard_rules/malicious_sso_dns_lookup.yml @@ -19,6 +19,7 @@ Reports: - TA0001:T1566 Description: The rule looks for DNS requests to sites potentially posing as SSO domains. Runbook: Verify if the destination domain is owned by your organization. +Reference: https://www.cloudns.net/wiki/article/254/#:~:text=A%20DNS%20query%20(also%20known,associated%20with%20a%20domain%20name SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/standard_rules/mfa_disabled.yml b/rules/standard_rules/mfa_disabled.yml index 21e8d3c81..b71485cda 100644 --- a/rules/standard_rules/mfa_disabled.yml +++ b/rules/standard_rules/mfa_disabled.yml @@ -15,6 +15,7 @@ Tags: Reports: MITRE ATT&CK: - TA0005:T1556 +Reference: https://en.wikipedia.org/wiki/Multi-factor_authentication Severity: High Description: Detects when Multi-Factor Authentication (MFA) is disabled SummaryAttributes: diff --git a/rules/standard_rules/standard_dns_base64.yml b/rules/standard_rules/standard_dns_base64.yml index 21f585d1e..5bcbb7f44 100644 --- a/rules/standard_rules/standard_dns_base64.yml +++ b/rules/standard_rules/standard_dns_base64.yml @@ -4,6 +4,7 @@ Description: Detects DNS queries with Base64 encoded subdomains, which could ind RuleID: "Standard.DNSBase64" Enabled: false Filename: standard_dns_base64.py +Reference: https://zofixer.com/what-is-base64-disclosure-vulnerability/ Severity: Medium DedupPeriodMinutes: 60 Threshold: 1 diff --git a/rules/standard_rules/unusual_login_deprecated.yml b/rules/standard_rules/unusual_login_deprecated.yml index dfd2f3eaf..ce7088b55 100644 --- a/rules/standard_rules/unusual_login_deprecated.yml +++ b/rules/standard_rules/unusual_login_deprecated.yml 
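Review bot: The Reference added to standard_dns_base64.yml points at a page about a web-application "Base64 disclosure vulnerability", which is a different topic from the rule's own Description (DNS queries with Base64-encoded subdomains as a tunnelling/exfiltration indicator), so an analyst following the link during triage gets no help with this alert. A source that actually describes DNS tunnelling would serve better, e.g. `Reference: https://attack.mitre.org/techniques/T1071/004/`. The same question applies to the other hunks in this patch that link personal blog posts or `#:~:text=` text-fragment URLs rather than vendor or ATT&CK pages: these URLs ship to every consumer of the pack, and text-fragment anchors break silently when the page is edited.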
@@ -29,6 +29,7 @@ Runbook: > Reach out to the user to ensure the login was legitimate. Be sure to use a means outside the one the unusual login originated from, if one is available. CC an individual that works with the user for visibility, usually the user’s manager if they’re available. The second user is not expected to respond, unless they find the response unusual or the location unexpected. To reduce noise, geolocation history length can be configured in the rule body to increase the number of allowed locations per user. +Reference: https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis/ SummaryAttributes: - p_any_ip_addresses Tests: From 6d95214059b2a92d8d382d472c32ecb24faa09ec Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:11:21 +0200 Subject: [PATCH 25/35] Add references to rules (zendesk_rules) (#1034) * Add references to rules (zendesk_rules) * Add references to rules (zendesk_rules) --------- Co-authored-by: Evan Gibler --- rules/zendesk_rules/zendesk_mobile_app_access.yml | 1 + rules/zendesk_rules/zendesk_new_api_token.yml | 1 + rules/zendesk_rules/zendesk_new_owner.yml | 1 + rules/zendesk_rules/zendesk_sensitive_data_redaction.yml | 1 + rules/zendesk_rules/zendesk_user_assumption.yml | 1 + rules/zendesk_rules/zendesk_user_role.yml | 1 + rules/zendesk_rules/zendesk_user_suspension.yml | 1 + 7 files changed, 7 insertions(+) diff --git a/rules/zendesk_rules/zendesk_mobile_app_access.yml b/rules/zendesk_rules/zendesk_mobile_app_access.yml index 48c78101b..e14dbebca 100644 --- a/rules/zendesk_rules/zendesk_mobile_app_access.yml +++ b/rules/zendesk_rules/zendesk_mobile_app_access.yml 
@@ -14,6 +14,7 @@ Reports: - TA0003:T1078 Severity: Medium Description: A user updated account setting that enabled or disabled mobile app access. +Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app#:~:text=More%20settings.-,Configuring%20the%20mobile%20app,-Activate%20the%20new SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_new_api_token.yml b/rules/zendesk_rules/zendesk_new_api_token.yml index b384d5256..cafcb2bdd 100644 --- a/rules/zendesk_rules/zendesk_new_api_token.yml +++ b/rules/zendesk_rules/zendesk_new_api_token.yml @@ -15,6 +15,7 @@ Reports: - TA0006:T1528 Description: A user created a new API token to be used with Zendesk. Runbook: Validate the api token was created for valid use case, otherwise delete the token immediately. +Reference: https://support.zendesk.com/hc/en-us/articles/4408889192858-Managing-access-to-the-Zendesk-API#topic_bsw_lfg_mmb:~:text=enable%20token%20access.-,Generating%20API%20tokens,-To%20generate%20an SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_new_owner.yml b/rules/zendesk_rules/zendesk_new_owner.yml index 9e5cb5657..cc4ddb6d4 100644 --- a/rules/zendesk_rules/zendesk_new_owner.yml +++ b/rules/zendesk_rules/zendesk_new_owner.yml @@ -14,6 +14,7 @@ Reports: MITRE ATT&CK: - TA0004:T1078 Description: Only one admin user can be the account owner. Ensure the change in ownership is expected. +Reference: https://support.zendesk.com/hc/en-us/articles/4408822084634-Changing-the-account-owner SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml index 0f050887a..36e31095c 100644 --- a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml +++ b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml 
@@ -15,6 +15,7 @@ Reports: Severity: High Description: A user updated account setting that disabled credit card redaction. Runbook: Re-enable credit card redaction. +Reference: https://support.zendesk.com/hc/en-us/articles/4408822124314-Automatically-redacting-credit-card-numbers-from-tickets SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_user_assumption.yml b/rules/zendesk_rules/zendesk_user_assumption.yml index fbc40da9e..12b3ef138 100644 --- a/rules/zendesk_rules/zendesk_user_assumption.yml +++ b/rules/zendesk_rules/zendesk_user_assumption.yml @@ -15,6 +15,7 @@ Severity: Medium Description: User enabled or disabled zendesk support user assumption. Runbook: > Investigate whether allowing zendesk support to assume users is necessary. If not, disable the feature. +Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_user_role.yml b/rules/zendesk_rules/zendesk_user_role.yml index 70205aeac..731f41c53 100644 --- a/rules/zendesk_rules/zendesk_user_role.yml +++ b/rules/zendesk_rules/zendesk_user_role.yml @@ -8,6 +8,7 @@ LogTypes: - Zendesk.Audit Severity: Info Description: A user's Zendesk role was changed +Reference: https://support.zendesk.com/hc/en-us/articles/4408824375450-Setting-roles-and-access-in-Zendesk-Admin-Center SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/zendesk_rules/zendesk_user_suspension.yml b/rules/zendesk_rules/zendesk_user_suspension.yml index 08f1a1410..b0c3f4a18 100644 --- a/rules/zendesk_rules/zendesk_user_suspension.yml +++ b/rules/zendesk_rules/zendesk_user_suspension.yml 
@@ -15,6 +15,7 @@ Reports: Severity: High Description: A user's Zendesk suspension status was changed. Runbook: Ensure the user's suspension status is appropriate. +Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page SummaryAttributes: - p_any_ip_addresses Tests: From 28189dcba4d7b89eceb677ab22d150d2e858c853 Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 00:13:02 +0200 Subject: [PATCH 26/35] Add references to rules (zoom_rules) (#1035) * Add references to rules (zoom_rules) * Add references to rules (zoom_rules) --------- Co-authored-by: Evan Gibler --- .../zoom_all_meetings_secured_with_one_option_disabled.yml | 1 + .../zoom_new_meeting_passcode_required_disabled.yml | 1 + rules/zoom_operation_rules/zoom_sign_in_method_modified.yml | 1 + rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml | 1 + .../zoom_two_factor_authentication_disabled.yml | 1 + .../zoom_user_promoted_to_privileged_role.yml | 1 + 6 files changed, 6 insertions(+) diff --git a/rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml b/rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml index 59aceef44..e6ad39e30 100644 --- a/rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml +++ b/rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Zoom All Meetings Secured With One Option Disabled" Enabled: true Filename: zoom_all_meetings_secured_with_one_option_disabled.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0059862 Severity: Medium Tests: - ExpectedResult: true 
diff --git a/rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml b/rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml index ad8c23032..6624c596e 100644 --- a/rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml +++ b/rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Zoom New Meeting Passcode Required Disabled" Enabled: true Filename: zoom_new_meeting_passcode_required_disabled.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0063160#:~:text=Since%20September%202022%2C%20Zoom%20requires,enforced%20for%20all%20free%20accounts Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/zoom_operation_rules/zoom_sign_in_method_modified.yml b/rules/zoom_operation_rules/zoom_sign_in_method_modified.yml index ffc9170c0..100ef51ff 100644 --- a/rules/zoom_operation_rules/zoom_sign_in_method_modified.yml +++ b/rules/zoom_operation_rules/zoom_sign_in_method_modified.yml @@ -4,6 +4,7 @@ DisplayName: "Zoom Sign In Method Modified" Enabled: true Filename: zoom_sign_in_method_modified.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0067602#:~:text=Go%20to%20the%20Zoom%20site,click%20Link%20and%20Sign%20In Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml b/rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml index 360679621..7830d2686 100644 --- a/rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml +++ b/rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml 
@@ -4,6 +4,7 @@ DisplayName: "Zoom Sign In Requirements Changed" Enabled: true Filename: zoom_sign_in_requirements_changed.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0061263 Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml b/rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml index c6dc6f62a..a54cca9d2 100644 --- a/rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml +++ b/rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml @@ -4,6 +4,7 @@ DisplayName: "Zoom Two Factor Authentication Disabled" Enabled: true Filename: zoom_two_factor_authentication_disabled.py Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0066054 Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml b/rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml index 991e2813e..d57ba3068 100644 --- a/rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml +++ b/rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml @@ -3,6 +3,7 @@ Description: A Zoom user was promoted to a privileged role. DisplayName: "Zoom User Promoted to Privileged Role" Enabled: true Filename: zoom_user_promoted_to_privileged_role.py +Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0064983 Severity: Medium Tests: - ExpectedResult: true From 89b6a1f7bbde6a64d12b9a1529d9e683b31a6da0 Mon Sep 17 00:00:00 2001 
From: Jonathan Lassoff Date: Tue, 12 Dec 2023 14:15:41 -0800 Subject: [PATCH 27/35] Add PCI and DMZ network configuration to panther_config (#1018) Co-authored-by: Evan Gibler --- global_helpers/panther_base_helpers.py | 14 +++----------- global_helpers/panther_config_defaults.py | 8 ++++++++ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index 8ebeb2a27..8b91b3dbd 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py @@ -7,6 +7,7 @@ from functools import reduce from ipaddress import ip_address, ip_network from typing import Any, List, Optional, Sequence, Union +from panther_config import config # # # # # # # # # # # # # # # Exceptions # @@ -35,25 +36,16 @@ def in_pci_scope_tags(resource): return resource["Tags"].get(CDE_TAG_KEY) == CDE_TAG_VALUE +PCI_NETWORKS = config.PCI_NETWORKS # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked # Returns True if any ip in the range is marked as in scope -PCI_NETWORKS = [ - ip_network("10.0.0.0/24"), -] - - def is_pci_scope_cidr(ip_range): return any(ip_network(ip_range).overlaps(pci_network) for pci_network in PCI_NETWORKS) +DMZ_NETWORKS = config.DMZ_NETWORKS # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked # Returns True if any ip in the range is marked as DMZ space. -DMZ_NETWORKS = [ - ip_network("10.1.0.0/24"), - ip_network("100.1.0.0/24"), -] - - def is_dmz_cidr(ip_range): """This function determines whether a given IP range is within the defined DMZ IP range.""" return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS) diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py index 87a8f01bb..988f727df 100644 --- a/global_helpers/panther_config_defaults.py +++ b/global_helpers/panther_config_defaults.py 
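Review bot: `is_pci_scope_cidr` and `is_dmz_cidr` now read `config.PCI_NETWORKS` / `config.DMZ_NETWORKS`, and the defaults introduced later in this patch are empty lists, so until a deployment overrides them both helpers return False for every range and any policy built on them silently reports nothing as PCI-scoped or DMZ; the previous hard-coded defaults at least produced a visible result. That fail-open behaviour should be stated on the functions, e.g. `# NOTE: defaults to [] in panther_config_defaults; with no override every range is reported as out of scope`. The helpers still call `ip_network(ip_range)` with the default `strict=True`, which raises ValueError for a range with host bits set (e.g. "10.0.0.1/24") rather than returning False, worth a caveat in the same comment. Style: `from panther_config import config` is appended directly to the stdlib import group without the blank line isort would put before a first-party import.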
@@ -13,3 +13,11 @@ MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]] TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS + +PCI_NETWORKS = [ + # ip_network("10.0.0.0/24"), +] + +DMZ_NETWORKS = [ + # ip_network("10.1.0.0/24"), +] From 33f892283a7069c1f2198e3cb0695411ec68e188 Mon Sep 17 00:00:00 2001 From: Jonathan Lassoff Date: Tue, 12 Dec 2023 14:21:31 -0800 Subject: [PATCH 28/35] DMZ Tagging: Support multiple tags, move to panther_config (#1019) Co-authored-by: Evan Gibler --- global_helpers/panther_base_helpers.py | 12 +++++------- global_helpers/panther_config_defaults.py | 14 ++++++++++---- ...only_dmz_security_groups_publicly_accessible.py | 12 ++++++++++-- ...nly_dmz_security_groups_publicly_accessible.yml | 9 +++++++++ 4 files changed, 34 insertions(+), 13 deletions(-) diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index 8b91b3dbd..83826c44f 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py 
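Review bot: The commented example entries call `ip_network(...)`, but no import of that name is visible in this hunk; if panther_config_defaults.py does not already import it above line 13, uncommenting an example raises NameError at import time for every rule and policy that loads `panther_config`, which is a much broader blast radius than the two helpers. Either add `from ipaddress import ip_network` at the top of the file or make the examples plain CIDR strings and let the helpers wrap them. A one-line comment on each list should also say what the empty default means, e.g. `# Empty by default: is_pci_scope_cidr()/is_dmz_cidr() return False until this is populated.`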
@@ -51,23 +51,21 @@ def is_dmz_cidr(ip_range): return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS) -DMZ_TAG_KEY = "environment" -DMZ_TAG_VALUE = "dmz" - - # Defaults to False to assume something is not a DMZ if it is not tagged -def is_dmz_tags(resource): +def is_dmz_tags(resource, dmz_tags): """This function determines whether a given resource is tagged as existing in a DMZ.""" if resource["Tags"] is None: return False - return resource["Tags"].get(DMZ_TAG_KEY) == DMZ_TAG_VALUE + for key, value in dmz_tags: + if resource["Tags"].get(key) == value: + return True + return False # Function variables here so that implementation details of these functions can be changed without # having to rename the function in all locations its used, or having an outdated name on the actual # function being used, etc. IN_PCI_SCOPE = in_pci_scope_tags -IS_DMZ = is_dmz_tags # # # # # # # # # # # # # # # GSuite Helpers # diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py index 988f727df..d98ac2f3a 100644 --- a/global_helpers/panther_config_defaults.py +++ b/global_helpers/panther_config_defaults.py @@ -14,10 +14,16 @@ MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]] TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS -PCI_NETWORKS = [ - # ip_network("10.0.0.0/24"), -] - DMZ_NETWORKS = [ # ip_network("10.1.0.0/24"), ] + +DMZ_TAGS = set( + [ + ("environment", "dmz"), + ] +) + +PCI_NETWORKS = [ + # ip_network("10.0.0.0/24"), +] diff --git a/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py index deb985053..1c8e209a7 100644 --- a/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py +++ b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py 
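Review bot: Dropping `IS_DMZ = is_dmz_tags` and adding a required `dmz_tags` parameter is a breaking change for any rule or policy outside this patch that imports `IS_DMZ` or calls `is_dmz_tags(resource)`; only one policy is updated in the diffstat, so other consumers (if any exist in a deployment's custom rules) will fail at import or with a TypeError. A backward-compatible shape is `def is_dmz_tags(resource, dmz_tags=None):` with `dmz_tags = config.DMZ_TAGS if dmz_tags is None else dmz_tags` as the first statement and `IS_DMZ = is_dmz_tags` restored below. The "Function variables here so that implementation details ..." comment now describes only `IN_PCI_SCOPE` and reads oddly with its sibling removed. Pre-existing but worth noting while here: `resource["Tags"]` raises KeyError when the resource has no Tags key at all; `resource.get("Tags")` would keep the documented "untagged is not DMZ" behaviour.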
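Review bot: `DMZ_TAGS` is matched by exact, case-sensitive `(key, value)` equality in `is_dmz_tags`, so a resource tagged `Environment=DMZ` is treated as non-DMZ and the security-group policy will flag it; that is fail-closed and acceptable, but operators editing this default need to know it, e.g. `# Exact, case-sensitive (key, value) matches; list every variant your tagging standard allows.` Style: `set([("environment", "dmz")])` is the pre-set-literal idiom, `DMZ_TAGS = {("environment", "dmz")}` says the same thing. Moving `PCI_NETWORKS` below `DMZ_TAGS` is a pure reorder and fine.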
@@ -1,6 +1,11 @@ +import json from ipaddress import ip_network +from unittest.mock import MagicMock -from panther_base_helpers import IS_DMZ +from panther_base_helpers import is_dmz_tags +from panther_config import config + +DMZ_TAGS = config.DMZ_TAGS def policy(resource): @@ -9,7 +14,10 @@ def policy(resource): return True # DMZ security groups can have inbound permissions from the internet - if IS_DMZ(resource): + global DMZ_TAGS # pylint: disable=global-statement + if isinstance(DMZ_TAGS, MagicMock): + DMZ_TAGS = {tuple(kv) for kv in json.loads(DMZ_TAGS())} + if is_dmz_tags(resource, DMZ_TAGS): return True for permission in resource["IpPermissions"]: diff --git a/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml index 38495c771..b6e86c30f 100644 --- a/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml +++ b/policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml @@ -25,6 +25,9 @@ Tests: - Name: DMZ Security Group Does Allows Public Access ExpectedResult: true + Mocks: + - objectName: DMZ_TAGS + returnValue: '[["environment", "dmz"]]' Resource: { "Description": "example VPC security group", @@ -88,6 +91,9 @@ Tests: - Name: Non DMZ Security Group Allows Public Access ExpectedResult: false + Mocks: + - objectName: DMZ_TAGS + returnValue: '[["environment", "dmz"]]' Resource: { "Description": "example VPC security group", @@ -151,6 +157,9 @@ Tests: - Name: Non DMZ Security Group Does Not Allow Public Access ExpectedResult: true + Mocks: + - objectName: DMZ_TAGS + returnValue: '[["environment", "dmz"]]' Resource: { "Description": "example VPC security group", From ff81fc6c6572a22cc3bdd34bb1e93cba7538410d Mon Sep 17 00:00:00 2001 
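Review bot: `policy()` now imports `unittest.mock.MagicMock` into production code and rewrites the module global via `global DMZ_TAGS` during evaluation purely so the YAML `Mocks` entries can inject a JSON string; the swap persists for the life of the interpreter and couples the policy to the test harness's mock type. The normalisation can live in a small helper that returns the set without touching module state, keeping `policy()` a pure check on its input. The body of `policy()` continues past the hunk (`for permission in resource["IpPermissions"]:` is the last visible line), so the rest of the function is unchanged.

```python
def _dmz_tags():
    """Return config.DMZ_TAGS as a set of (key, value) tuples.

    Under the unit-test harness DMZ_TAGS may be a MagicMock whose return
    value is a JSON-encoded list of pairs (see the Mocks in the .yml);
    normalise that here instead of rewriting the module global.
    """
    tags = DMZ_TAGS
    if isinstance(tags, MagicMock):
        tags = {tuple(kv) for kv in json.loads(tags())}
    return tags


# … unchanged: policy() prologue …
    # DMZ security groups can have inbound permissions from the internet
    if is_dmz_tags(resource, _dmz_tags()):
        return True
# … unchanged: IpPermissions loop …
```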
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 13 Dec 2023 11:57:02 +0200 Subject: [PATCH 29/35] Add references to rules (aws_cloudtrail_rules) (#1037) --- .../aws_cloudtrail_password_policy_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml index fb2d91778..24d8e8bc6 100644 --- a/rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml @@ -6,6 +6,7 @@ Filename: aws_cloudtrail_password_policy_discovery.py Reports: MITRE ATT&CK: - TA0007:T1201 +Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html Severity: Info Tests: - ExpectedResult: false From 46395178a71b2e416b5001799fb253793483bc5c Mon Sep 17 00:00:00 2001 From: Evan Gibler Date: Wed, 13 Dec 2023 10:07:09 -0600 Subject: [PATCH 30/35] Tweak existing exfiltration rules; add additional rules (#1036) * Tweak existing exfiltration rules; add additional rules * Check shared_account_ids against current Account ID * Retrieve the current account ID once --- packs/aws.yml | 136 +++---- .../aws_ami_modified_for_public_access.py | 2 +- .../aws_ami_modified_for_public_access.yml | 2 +- .../aws_rds_manual_snapshot_created.py | 21 ++ .../aws_rds_manual_snapshot_created.yml | 331 ++++++++++++++++++ .../aws_rds_snapshot_shared.py | 32 ++ .../aws_rds_snapshot_shared.yml | 150 ++++++++ .../aws_snapshot_made_public.py | 6 +- 8 files changed, 606 insertions(+), 74 deletions(-) create mode 100644 rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.py create mode 100644 rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml create mode 100644 rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.py create mode 100644 rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml 
diff --git a/packs/aws.yml b/packs/aws.yml index 865d1eaf2..62bfae245 100644 --- a/packs/aws.yml +++ b/packs/aws.yml 
@@ -7,130 +7,132 @@ PackDefinition: # Data Exposure - AWS.AMI.Private - AWS.CloudTrail.AMIModifiedForPublicAccess + - AWS.CloudTrail.ResourceMadePublic - AWS.CloudTrail.S3Bucket.Public + - AWS.CloudTrail.SnapshotMadePublic + - AWS.EC2.Instance.DetailedMonitoring + - AWS.EC2.Traffic.Mirroring - AWS.IAM.AccessKeyCompromised - - AWS.KMS.RestrictsUsage - AWS.KMS.CustomerManagedKeyLoss + - AWS.KMS.RestrictsUsage + - AWS.Macie.Evasion - AWS.RDS.Instance.PublicAccess - AWS.RDS.Instance.SnapshotPublicAccess - - AWS.S3.Bucket.PublicRead - - AWS.S3.Bucket.PublicWrite - AWS.S3.Bucket.PolicyAllowWithNotPrincipal - AWS.S3.Bucket.PrincipalRestrictions - AWS.S3.Bucket.PublicAccessBlock + - AWS.S3.Bucket.PublicRead + - AWS.S3.Bucket.PublicWrite - AWS.S3.Bucket.SecureAccess - AWS.S3.Bucket.Versioning - - AWS.EC2.Traffic.Mirroring - - AWS.Macie.Evasion - - AWS.CloudTrail.ResourceMadePublic - - AWS.CloudTrail.SnapshotMadePublic - - AWS.EC2.Instance.DetailedMonitoring # Encryption Status + - AWS.EC2.EBS.Encryption.Disabled - AWS.EC2.Volume.Encryption - AWS.EC2.Volume.Snapshot.Encrypted - - AWS.EC2.EBS.Encryption.Disabled - - AWS.Redshift.Cluster.Encryption - AWS.RDS.Instance.Encryption + - AWS.Redshift.Cluster.Encryption - AWS.S3.Bucket.Encryption # Networking Policies - - AWS.NetworkACL.RestrictsInboundTraffic - - AWS.SecurityGroup.AdministrativeIngress - - AWS.SecurityGroup.OnlyDMZPubliclyAccessible - - AWS.SecurityGroup.RestrictsInboundTraffic + - AWS.CloudTrail.NetworkACLPermissiveEntry + - AWS.DNS.Crypto.Domain - AWS.EC2.GatewayModified - AWS.EC2.Monitoring - AWS.EC2.NetworkACLModified - AWS.EC2.RouteTableModified - AWS.EC2.VPCModified - AWS.IPSet.Modified - - AWS.CloudTrail.NetworkACLPermissiveEntry - - AWS.DNS.Crypto.Domain + - AWS.NetworkACL.RestrictsInboundTraffic + - AWS.SecurityGroup.AdministrativeIngress + - AWS.SecurityGroup.OnlyDMZPubliclyAccessible + - AWS.SecurityGroup.RestrictsInboundTraffic - AWS.VPC.HealthyLogStatus # Root Activity + - 
AWS.CloudTrail.RootAccessKeyCreated + - AWS.CloudTrail.RootPasswordChanged - AWS.Console.RootLogin - AWS.Console.RootLoginFailed + - AWS.EC2.Instance.DetailedMonitoring - AWS.Root.Activity - - AWS.CloudTrail.RootAccessKeyCreated - - AWS.CloudTrail.RootPasswordChanged - AWS.RootAccount.AccessKeys - AWS.RootAccount.MFA - - AWS.EC2.Instance.DetailedMonitoring # User and Account Policies and Rules + - AWS.CloudTrail.IAMAnythingChanged + - AWS.CloudTrail.IAMCompromisedKeyQuarantine + - AWS.CloudTrail.Password.Policy.Discovery - AWS.Console.LoginWithoutMFA - AWS.Console.LoginWithoutSAML - - AWS.PasswordPolicy.PasswordReuse - - AWS.Suspicious.SAML.Activity + - AWS.EC2.SecurityGroupModified + - AWS.IAM.Backdoor.User.Keys + - AWS.IAM.CredentialsUpdated - AWS.IAM.Entity.InlinePolicyDoesNotGrantNetworkAdminAccess + - AWS.IAM.Group.Users + - AWS.IAM.Policy.AssignedToUser + - AWS.IAM.PolicyModified - AWS.IAM.User.MFA + - AWS.IAMUser.ReconAccessDenied - AWS.Password.Unused - AWS.PasswordPolicy.ComplexityGuidelines - AWS.PasswordPolicy.PasswordAgeLimit - - AWS.EC2.SecurityGroupModified - - AWS.CloudTrail.IAMAnythingChanged - - AWS.IAM.PolicyModified - - AWS.IAM.Backdoor.User.Keys - - AWS.IAMUser.ReconAccessDenied - - AWS.IAM.CredentialsUpdated + - AWS.PasswordPolicy.PasswordReuse + - AWS.Suspicious.SAML.Activity - AWS.User.Login.Profile.Modified - - AWS.CloudTrail.Password.Policy.Discovery - - AWS.IAM.Group.Users - - AWS.IAM.Policy.AssignedToUser - - AWS.CloudTrail.IAMCompromisedKeyQuarantine # General Policies and Rules - - AWS.ACM.Certificate.Valid + - Amazon.EKS.Audit.Multiple403 + - Amazon.EKS.Audit.SystemNamespaceFromPublicIP + - AWS.AccessKey.Rotation + - AWS.AccessKey.Unused + - AWS.AccessKeys.AccountCreation - AWS.ACM.Certificate.Expiration + - AWS.ACM.Certificate.Valid + - AWS.CloudFormation.Stack.Drifted + - AWS.CloudFormation.Stack.TerminationProtection + - AWS.CloudFormation.Stack.UsesIAMServiceRole + - AWS.CloudTrail.CodebuildProjectMadePublic - 
AWS.CloudTrail.Created - AWS.CloudTrail.Enabled + - AWS.CloudTrail.SecurityConfigurationChange - AWS.CloudTrail.Stopped - - AWS.CloudTrail.CodebuildProjectMadePublic - - AWS.ConfigService.Created - - AWS.ConfigService.DisabledDeleted + - AWS.CloudTrail.UnauthorizedAPICall + - AWS.CloudWatchLogs.DataRetention1Year + - AWS.CloudWatchLogs.Encrypted + - AWS.Config.GlobalResources + - AWS.Config.RecordAllResourceTypes - AWS.Config.RecordingEnabled - AWS.Config.RecordingNoErrors - - AWS.IAM.Policy.AdministrativePrivileges + - AWS.ConfigService.Created + - AWS.ConfigService.DisabledDeleted + - AWS.DynamoDB.Autoscaling + - AWS.EC2.Instance.EBSOptimization + - AWS.EC2.Startup.Script.Change + - AWS.ELBV2.LoadBalancer.HasSSLPolicy + - AWS.ELBv2.SSLPolicy - AWS.GuardDuty.Enabled - AWS.GuardDuty.HighSeverityFinding - - AWS.GuardDuty.MediumSeverityFinding - AWS.GuardDuty.LowSeverityFinding - - AWS.ELBV2.LoadBalancer.HasSSLPolicy - - AWS.ELBv2.SSLPolicy - - AWS.WAF.HasXSSPredicate - - AWS.WAF.Disassociation - - AWS.EC2.Startup.Script.Change - - AWS.EC2.Instance.EBSOptimization + - AWS.GuardDuty.MediumSeverityFinding + - AWS.IAM.Policy.AdministrativePrivileges + - AWS.RDS.InstanceHighAvailability + - AWS.RDS.ManualSnapshotCreated - AWS.RDS.MasterPasswordUpdated - AWS.RDS.PublicRestore - - AWS.RDS.InstanceHighAvailability - - AWS.S3.GreyNoiseActivity - - AWS.S3.BucketDeleted - - AWS.S3.BucketPolicyModified + - AWS.RDS.SnapshotShared + - AWS.Redshift.Cluster.Logging + - AWS.Redshift.Cluster.SnapshotRetention + - AWS.Redshift.Cluster.VersionUpgrade - AWS.S3.Bucket.ActionRestrictions - - AWS.S3.ServerAccess.Error - - AWS.S3.ServerAccess.Insecure - AWS.S3.Bucket.LifecycleConfiguration - AWS.S3.Bucket.Logging - AWS.S3.Bucket.MFADelete - AWS.S3.Bucket.NameDNSCompliance - - AWS.CloudTrail.SecurityConfigurationChange + - AWS.S3.BucketDeleted + - AWS.S3.BucketPolicyModified + - AWS.S3.GreyNoiseActivity + - AWS.S3.ServerAccess.Error + - AWS.S3.ServerAccess.Insecure - 
AWS.SecurityHub.Finding.Evasion - - AWS.CloudTrail.UnauthorizedAPICall - - Amazon.EKS.Audit.Multiple403 - - Amazon.EKS.Audit.SystemNamespaceFromPublicIP - - AWS.CloudFormation.Stack.Drifted - - AWS.CloudFormation.Stack.UsesIAMServiceRole - - AWS.CloudFormation.Stack.TerminationProtection - - AWS.CloudWatchLogs.DataRetention1Year - - AWS.CloudWatchLogs.Encrypted - - AWS.Config.RecordAllResourceTypes - - AWS.Config.GlobalResources - - AWS.DynamoDB.Autoscaling - - AWS.AccessKey.Rotation - - AWS.AccessKey.Unused - - AWS.AccessKeys.AccountCreation - - AWS.Redshift.Cluster.Logging - - AWS.Redshift.Cluster.SnapshotRetention - - AWS.Redshift.Cluster.VersionUpgrade - AWS.VPC.FlowLogs + - AWS.WAF.Disassociation + - AWS.WAF.HasXSSPredicate # AWS DataModels - Standard.AWS.ALB - Standard.AWS.CloudTrail diff --git a/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py index 819a87e49..8204d6d6f 100644 --- a/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py +++ b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py @@ -12,7 +12,7 @@ def rule(event): ) for item in added_perms: - if item.get("group") == "all": + if item.get("userId") or item.get("group") == "all": return True return False diff --git a/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml index 1f076391f..8e54d3c77 100644 --- a/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml +++ b/rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml @@ -190,7 +190,7 @@ Tests: } - Name: AMI Added to User - ExpectedResult: false + ExpectedResult: true Log: { "awsRegion": "us-west-2", diff --git a/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.py b/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.py new file mode 100644 index 000000000..4261f41f3 --- /dev/null 
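Review bot: `AWS.EC2.Instance.DetailedMonitoring` is listed twice on the new side of packs/aws.yml (once under `# Data Exposure`, once under `# Root Activity`); the re-sort kept both copies, and a duplicate ID in a pack is at best noise and at worst rejected by stricter pack validation, so one of the two lines should go. `AWS.RDS.ManualSnapshotCreated` is added to the pack while the rule itself ships with `Enabled: false` (visible in the later hunk), so installing the pack does not turn it on; a comment beside the entry such as `# disabled by default, enable after tuning` would save operators the surprise. The case-insensitive ordering (`Amazon.EKS.*` before `AWS.AccessKey.*`, `AWS.ACM.*` after `AWS.AccessKeys.*`) is consistent within the file, which is fine as long as future additions follow it.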
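Review bot: The broadened condition `item.get("userId") or item.get("group") == "all"` makes `AWS.CloudTrail.AMIModifiedForPublicAccess` fire on every launch permission granted to a specific account ID, including sharing to the organisation's own accounts, while the visible .yml hunk only flips the test's `ExpectedResult` and leaves the rule's "public access" naming and the T1537 framing to cover cross-account sharing too. The RDS snapshot rule in the same commit checks shared account IDs against the current account (per the commit message); this rule should do the same so intra-account or known-account sharing is not reported as public exposure, e.g. `if item.get("group") == "all" or (item.get("userId") and item.get("userId") != event.get("recipientAccountId")):`. Since the two cases mean different things to an analyst, the title should distinguish "made public" from "shared with account [id]"; `rule()` starts outside the hunk and `title()` is not visible here.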
+++ b/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.py @@ -0,0 +1,21 @@ +from panther_base_helpers import aws_rule_context + + +def rule(event): + return all( + [ + event.get("eventSource", "") == "rds.amazonaws.com", + event.get("eventName", "") == "CreateDBSnapshot", + event.deep_get("responseElements", "snapshotType") in {"manual", "public"}, + ] + ) + + +def title(event): + account_id = event.get("recipientAccountId", "") + rds_instance_id = event.deep_get("responseElements", "dBInstanceIdentifier") + return f"Manual RDS Snapshot Created in [{account_id}] for RDS instance [{rds_instance_id}]" + + +def alert_context(event): + return aws_rule_context(event) diff --git a/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml b/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml new file mode 100644 index 000000000..54fb358aa --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml 
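Review bot: `rule()` only matches `CreateDBSnapshot`, which covers RDS instance snapshots; the Aurora equivalent `CreateDBClusterSnapshot` follows the same exfiltration path and is not detected, and `CopyDBSnapshot` (cross-region/cross-account copy) is another step in the same playbook worth a follow-up rule. Extending the match to `event.get("eventName", "") in {"CreateDBSnapshot", "CreateDBClusterSnapshot"}` is a one-line change, but `title()` then needs a fallback because cluster events presumably carry `dBClusterIdentifier` rather than `dBInstanceIdentifier` (confirm the field casing against a real CloudTrail sample): `rds_instance_id = event.deep_get("responseElements", "dBInstanceIdentifier") or event.deep_get("responseElements", "dBClusterIdentifier")`. Neither function has a docstring; a one-liner on `rule()` stating that a missing `responseElements` (failed or denied call) yields `None` and therefore no alert would document the current behaviour of the `deep_get` check.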
@@ -0,0 +1,331 @@ +AnalysisType: rule +Filename: aws_rds_manual_snapshot_created.py +RuleID: "AWS.RDS.ManualSnapshotCreated" +DisplayName: "AWS RDS Manual/Public Snapshot Created" +Enabled: false +LogTypes: + - AWS.CloudTrail +Tags: + - AWS + - Exfiltration + - Transfer Data to Cloud Account +Reports: + MITRE ATT&CK: + - TA0010:T1537 +Severity: Low +Description: > + A manual snapshot of an RDS database was created. + An attacker may use this to exfiltrate the DB contents to another account; use this as a correlation rule. +Runbook: > + Ensure the snapshot was shared with an allowed AWS account. If not, delete the snapshot and quarantine the compromised IAM user. +Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html +SummaryAttributes: + - eventSource + - recipientAccountId + - awsRegion + - p_any_aws_arns +Tests: + - + Name: Manual Snapshot Created + ExpectedResult: true + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/ARole/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/ARole", + "accountId": "123456789012", + "userName": "ARole" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-08T13:53:48Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-08T14:55:19Z", + "eventSource": "rds.amazonaws.com", + "eventName": "CreateDBSnapshot", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) 
68319f60-9dec-43b2-9702-de3a08c9d8a3 HashiCorp-terraform-exec/0.17.3", + "requestParameters": { + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "dBSnapshotIdentifier": "exfiltration" + }, + "responseElements": { + "allocatedStorage": 10, + "instanceCreateTime": "Dec 8, 2023 2:55:17 PM", + "dBSnapshotIdentifier": "exfiltration", + "dbiResourceId": "db-TYZSSMTWIABIR6QKKFGI55XKJQ", + "port": 3306, + "availabilityZone": "us-west-2b", + "dBSnapshotArn": "arn:aws:rds:us-west-2:123456789012:snapshot:exfiltration", + "processorFeatures": [], + "encrypted": false, + "percentProgress": 0, + "optionGroupName": "default:mysql-8-0", + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "storageType": "gp2", + "iAMDatabaseAuthenticationEnabled": false, + "vpcId": "vpc-0c9c141888d129377", + "storageThroughput": 0, + "dedicatedLogVolume": false, + "status": "creating", + "masterUsername": "admin", + "engine": "mysql", + "snapshotType": "manual", + "engineVersion": "8.0.33", + "licenseModel": "general-public-license", + "snapshotTarget": "region" + }, + "requestID": "e5fd8d41-db7c-45df-a21a-f9cff8c19755", + "eventID": "c665b42c-89b4-4072-ad71-0f9c8d50f649", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } + - + Name: Public Snapshot Created + ExpectedResult: true + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/ARole/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": 
"arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/ARole", + "accountId": "123456789012", + "userName": "ARole" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-08T13:53:48Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-08T14:55:19Z", + "eventSource": "rds.amazonaws.com", + "eventName": "CreateDBSnapshot", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) 68319f60-9dec-43b2-9702-de3a08c9d8a3 HashiCorp-terraform-exec/0.17.3", + "requestParameters": { + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "dBSnapshotIdentifier": "exfiltration" + }, + "responseElements": { + "allocatedStorage": 10, + "instanceCreateTime": "Dec 8, 2023 2:55:17 PM", + "dBSnapshotIdentifier": "exfiltration", + "dbiResourceId": "db-TYZSSMTWIABIR6QKKFGI55XKJQ", + "port": 3306, + "availabilityZone": "us-west-2b", + "dBSnapshotArn": "arn:aws:rds:us-west-2:123456789012:snapshot:exfiltration", + "processorFeatures": [], + "encrypted": false, + "percentProgress": 0, + "optionGroupName": "default:mysql-8-0", + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "storageType": "gp2", + "iAMDatabaseAuthenticationEnabled": false, + "vpcId": "vpc-0c9c141888d129377", + "storageThroughput": 0, + "dedicatedLogVolume": false, + "status": "creating", + "masterUsername": "admin", + "engine": "mysql", + "snapshotType": "public", + "engineVersion": "8.0.33", + "licenseModel": "general-public-license", + "snapshotTarget": "region" + }, + "requestID": "e5fd8d41-db7c-45df-a21a-f9cff8c19755", + "eventID": "c665b42c-89b4-4072-ad71-0f9c8d50f649", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": 
"Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } + - + Name: Automated Snapshot Created + ExpectedResult: false + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/ARole/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/ARole", + "accountId": "123456789012", + "userName": "ARole" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-08T13:53:48Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-08T14:55:19Z", + "eventSource": "rds.amazonaws.com", + "eventName": "CreateDBSnapshot", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) 68319f60-9dec-43b2-9702-de3a08c9d8a3 HashiCorp-terraform-exec/0.17.3", + "requestParameters": { + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "dBSnapshotIdentifier": "exfiltration" + }, + "responseElements": { + "allocatedStorage": 10, + "instanceCreateTime": "Dec 8, 2023 2:55:17 PM", + "dBSnapshotIdentifier": "exfiltration", + "dbiResourceId": "db-TYZSSMTWIABIR6QKKFGI55XKJQ", + "port": 3306, + "availabilityZone": "us-west-2b", + "dBSnapshotArn": "arn:aws:rds:us-west-2:123456789012:snapshot:exfiltration", + "processorFeatures": [], + "encrypted": false, + "percentProgress": 0, + "optionGroupName": "default:mysql-8-0", + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + 
"storageType": "gp2", + "iAMDatabaseAuthenticationEnabled": false, + "vpcId": "vpc-0c9c141888d129377", + "storageThroughput": 0, + "dedicatedLogVolume": false, + "status": "creating", + "masterUsername": "admin", + "engine": "mysql", + "snapshotType": "automated", + "engineVersion": "8.0.33", + "licenseModel": "general-public-license", + "snapshotTarget": "region" + }, + "requestID": "e5fd8d41-db7c-45df-a21a-f9cff8c19755", + "eventID": "c665b42c-89b4-4072-ad71-0f9c8d50f649", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } + - + Name: Awsbackup Snapshot Created + ExpectedResult: false + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/ARole/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/ARole", + "accountId": "123456789012", + "userName": "ARole" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-08T13:53:48Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-08T14:55:19Z", + "eventSource": "rds.amazonaws.com", + "eventName": "CreateDBSnapshot", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 (+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) 68319f60-9dec-43b2-9702-de3a08c9d8a3 HashiCorp-terraform-exec/0.17.3", + "requestParameters": { + 
"dBInstanceIdentifier": "terraform-20231208145149286600000001", + "dBSnapshotIdentifier": "exfiltration" + }, + "responseElements": { + "allocatedStorage": 10, + "instanceCreateTime": "Dec 8, 2023 2:55:17 PM", + "dBSnapshotIdentifier": "exfiltration", + "dbiResourceId": "db-TYZSSMTWIABIR6QKKFGI55XKJQ", + "port": 3306, + "availabilityZone": "us-west-2b", + "dBSnapshotArn": "arn:aws:rds:us-west-2:123456789012:snapshot:exfiltration", + "processorFeatures": [], + "encrypted": false, + "percentProgress": 0, + "optionGroupName": "default:mysql-8-0", + "dBInstanceIdentifier": "terraform-20231208145149286600000001", + "storageType": "gp2", + "iAMDatabaseAuthenticationEnabled": false, + "vpcId": "vpc-0c9c141888d129377", + "storageThroughput": 0, + "dedicatedLogVolume": false, + "status": "creating", + "masterUsername": "admin", + "engine": "mysql", + "snapshotType": "awsbackup", + "engineVersion": "8.0.33", + "licenseModel": "general-public-license", + "snapshotTarget": "region" + }, + "requestID": "e5fd8d41-db7c-45df-a21a-f9cff8c19755", + "eventID": "c665b42c-89b4-4072-ad71-0f9c8d50f649", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } diff --git a/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.py b/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.py new file mode 100644 index 000000000..3729e2e95 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.py 
@@ -0,0 +1,32 @@
+from panther_base_helpers import aws_rule_context
+
+
+def rule(event):
+ if all(
+ [
+ event.get("eventSource", "") == "rds.amazonaws.com",
+ event.get("eventName", "") == "ModifyDBSnapshotAttribute"
+ or event.get("eventName", "") == "ModifyDBClusterSnapshotAttribute",
+ event.deep_get("requestParameters", "attributeName") == "restore",
+ ]
+ ):
+ current_account_id = event.deep_get("userIdentity", "accountId", default="")
+ shared_account_ids = event.deep_get("requestParameters", "valuesToAdd", default=[])
+ if shared_account_ids:
+ return any(
+ account_id for account_id in shared_account_ids if account_id != current_account_id
+ )
+ return False
+ return False
+
+
+def title(event):
+ account_id = event.get("recipientAccountId", default="")
+ rds_instance_id = event.deep_get(
+ "responseElements", "dBInstanceIdentifier", default=""
+ )
+ return f"RDS Snapshot Shared in [{account_id}] for RDS instance [{rds_instance_id}]"
+
+
+def alert_context(event):
+ return aws_rule_context(event)
diff --git a/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml b/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml
new file mode 100644
index 000000000..eb77d4b8b
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml
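Review bot: `title()` reads `responseElements.dBInstanceIdentifier`, but the `ModifyDBSnapshotAttribute` responses in the new tests carry only `dBSnapshotIdentifier` and `dBSnapshotAttributes`, so every alert will be titled `for RDS instance []`; use `event.deep_get("requestParameters", "dBSnapshotIdentifier", default="")` (with `dBClusterSnapshotIdentifier` as the fallback for the cluster variant) and call it a snapshot in the title. `valuesToAdd` containing `"all"` is a public share, and since this commit removes the RDS branch from aws_snapshot_made_public.py this rule is now the only place it is caught, so surfacing it in the title (for example `"all" in shared_account_ids`) keeps that distinction visible to the analyst. `event.get("recipientAccountId", default="")` passes the default as a keyword where the sibling aws_rds_manual_snapshot_created.py passes it positionally; matching the sibling avoids relying on the event wrapper's `get` accepting the keyword, which I cannot confirm from here. The comparison `current_account_id` is the caller's account (`userIdentity.accountId`) rather than the snapshot owner's (`recipientAccountId`); for cross-account role assumption these can differ, so comparing against `recipientAccountId` is probably the intended "shared outside the owning account" check. Finally, `any(account_id for ... if account_id != current_account_id)` reads more directly as `any(account_id != current_account_id for account_id in shared_account_ids)`.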
@@ -0,0 +1,150 @@ +AnalysisType: rule +Filename: aws_rds_snapshot_shared.py +RuleID: "AWS.RDS.SnapshotShared" +DisplayName: "AWS RDS Snapshot Shared" +Enabled: true +LogTypes: + - AWS.CloudTrail +Tags: + - AWS + - Exfiltration + - Transfer Data to Cloud Account +Severity: High +Reports: + MITRE ATT&CK: + - TA0010:T1537 +Description: > + An RDS snapshot was shared with another account. This could be an indicator of exfiltration. +Runbook: > + Ensure that the snapshot was shared intentionally and with an approved account. If not, remove the snapshot and quarantine the compromised IAM user. +Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html +SummaryAttributes: + - eventSource + - recipientAccountId + - awsRegion + - p_any_aws_arns +Tests: + - + Name: Snapshot shared with another account + ExpectedResult: true + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin_635426549a280cc6", + "accountId": "123456789012", + "userName": "AWSReservedSSO_DevAdmin_635426549a280cc6" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-12T19:43:57Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-12T20:12:22Z", + "eventSource": "rds.amazonaws.com", + "eventName": "ModifyDBSnapshotAttribute", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "68319f60-9dec-43b2-9702-de3a08c9d8a3", + "requestParameters": { + "dBSnapshotIdentifier": "exfiltration", + "attributeName": "restore", + "valuesToAdd": [ + "193672423079" + ] + }, + 
"responseElements": { + "dBSnapshotIdentifier": "exfiltration", + "dBSnapshotAttributes": [ + { + "attributeName": "restore", + "attributeValues": [ + "193672423079" + ] + } + ] + }, + "requestID": "b7f91314-eb8b-4be5-995d-6b97d70dfb3b", + "eventID": "86581591-0f39-4eae-9a8d-b2224a3c91fa", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } + - + Name: Snapshot shared with no accounts + ExpectedResult: false + Log: + { + "eventVersion": "1.08", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AROA2DFDF0C1FDFCAD2B2:fake.user", + "arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_DevAdmin_635426549a280cc6/fake.user", + "accountId": "123456789012", + "accessKeyId": "ASIAFFA5AFEC02FFCD8ED", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AROA2DFDF0C1FDFCAD2B2", + "arn": "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin_635426549a280cc6", + "accountId": "123456789012", + "userName": "AWSReservedSSO_DevAdmin_635426549a280cc6" + }, + "webIdFederationData": {}, + "attributes": { + "creationDate": "2023-12-12T19:43:57Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime": "2023-12-12T20:12:22Z", + "eventSource": "rds.amazonaws.com", + "eventName": "ModifyDBSnapshotAttribute", + "awsRegion": "us-west-2", + "sourceIPAddress": "1.2.3.4", + "userAgent": "68319f60-9dec-43b2-9702-de3a08c9d8a3", + "requestParameters": { + "dBSnapshotIdentifier": "exfiltration", + "attributeName": "restore", + "valuesToAdd": [] + }, + "responseElements": { + "dBSnapshotIdentifier": "exfiltration", + "dBSnapshotAttributes": [ + { + "attributeName": "restore", + "attributeValues": [] + } + ] + }, + "requestID": 
"b7f91314-eb8b-4be5-995d-6b97d70dfb3b", + "eventID": "86581591-0f39-4eae-9a8d-b2224a3c91fa", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "rds.us-west-2.amazonaws.com" + } + } diff --git a/rules/aws_cloudtrail_rules/aws_snapshot_made_public.py b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.py index 78304036a..caee2aa97 100644 --- a/rules/aws_cloudtrail_rules/aws_snapshot_made_public.py +++ b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.py @@ -18,14 +18,10 @@ def rule(event): for item in items: if not isinstance(item, (Mapping, dict)): continue - if item.get("group") == "all": + if item.get("userId") or item.get("group") == "all": return True return False - # RDS snapshot made public - if event.get("eventName") == "ModifyDBClusterSnapshotAttribute": - return "all" in deep_get(event, "requestParameters", "valuesToAdd", default=[]) - return False From 12019bc2ac97afdf8028bc50fcbaafee0175ad05 Mon Sep 17 00:00:00 2001 
From: Evan Gibler Date: Wed, 13 Dec 2023 14:00:16 -0600 Subject: [PATCH 31/35] Add panther_config to packs using panther_base_helpers (#1040) --- packs/asana.yml | 1 + packs/atlassian.yml | 1 + packs/auth0.yml | 1 + packs/aws.yml | 1 + packs/aws_cis.yml | 1 + packs/azure_signin.yml | 1 + packs/cloudflare.yml | 1 + packs/credential_security.yml | 1 + packs/crowdstrike.yml | 1 + packs/duo.yml | 1 + packs/gcp_audit.yml | 1 + packs/github.yml | 1 + packs/gravitational_teleport.yml | 1 + packs/greynoise_advanced.yml | 1 + packs/greynoise_basic.yml | 1 + packs/ipinfo.yml | 1 + packs/mongodb.yml | 1 + packs/notion.yml | 1 + packs/okta.yml | 1 + packs/onelogin.yml | 1 + packs/onepassword.yml | 1 + packs/osquery.yml | 1 + packs/panther.yml | 1 + packs/sentinelone.yml | 1 + packs/slack.yml | 1 + packs/snyk.yml | 1 + packs/tailscale.yml | 1 + packs/tines.yml | 1 + packs/tor.yml | 1 + packs/zendesk.yml | 1 + packs/zoom.yml | 1 + 31 files changed, 31 insertions(+) diff --git a/packs/asana.yml b/packs/asana.yml index d346d0f88..14abb221f 100644 --- a/packs/asana.yml +++ b/packs/asana.yml @@ -16,4 +16,5 @@ PackDefinition: # Globals used in these detections - panther_asana_helpers - panther_base_helpers + - panther_config DisplayName: "Panther Asana Pack" diff --git a/packs/atlassian.yml b/packs/atlassian.yml index 28c5c25a4..944b942e0 100644 --- a/packs/atlassian.yml +++ b/packs/atlassian.yml @@ -6,4 +6,5 @@ PackDefinition: - Atlassian.User.LoggedInAsUser # Globals used in these detections - panther_base_helpers + - panther_config DisplayName: "Panther Atlassian Pack" diff --git a/packs/auth0.yml b/packs/auth0.yml index 1bc288ac4..e1495327c 100644 --- a/packs/auth0.yml +++ b/packs/auth0.yml @@ -17,4 +17,5 @@ PackDefinition: - panther_base_helpers - panther_auth0_helpers - global_filter_auth0 + - panther_config DisplayName: "Panther Auth0 Pack" diff --git a/packs/aws.yml b/packs/aws.yml index 62bfae245..ee81bd293 100644 --- a/packs/aws.yml +++ b/packs/aws.yml 
@@ -145,3 +145,4 @@ PackDefinition: - panther_greynoise_helpers - panther_lookuptable_helpers - panther_oss_helpers + - panther_config diff --git a/packs/aws_cis.yml b/packs/aws_cis.yml index bf0be9ee8..f13fa6325 100644 --- a/packs/aws_cis.yml +++ b/packs/aws_cis.yml @@ -38,4 +38,5 @@ PackDefinition: # Globals used in these detections - panther_base_helpers - panther_oss_helpers + - panther_config DisplayName: "Panther AWS CIS Pack" diff --git a/packs/azure_signin.yml b/packs/azure_signin.yml index d8a165841..fda95493a 100644 --- a/packs/azure_signin.yml +++ b/packs/azure_signin.yml @@ -10,4 +10,5 @@ PackDefinition: - global_filter_azuresignin - panther_azuresignin_helpers - panther_base_helpers + - panther_config DisplayName: "Panther Azure.Audit SignIn Pack" diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml index 05a6f75b6..56731ddf3 100644 --- a/packs/cloudflare.yml +++ b/packs/cloudflare.yml @@ -14,3 +14,4 @@ PackDefinition: - panther_greynoise_helpers - panther_lookuptable_helpers - global_filter_cloudflare + - panther_config diff --git a/packs/credential_security.yml b/packs/credential_security.yml index 23c5c5251..59129ea82 100644 --- a/packs/credential_security.yml +++ b/packs/credential_security.yml @@ -16,6 +16,7 @@ PackDefinition: - panther_base_helpers - panther_default - panther_event_type_helpers + - panther_config # Rules - AWS.CloudTrail.RootPasswordChanged - AWS.IAM.AccessKeyCompromised diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml index d3e7a51ed..5c2f6cf4e 100644 --- a/packs/crowdstrike.yml +++ b/packs/crowdstrike.yml @@ -21,6 +21,7 @@ PackDefinition: - Crowdstrike.Macos.Osascript.Administrator # Globals used in these detections - panther_base_helpers + - panther_config # Data models - Standard.Crowdstrike.FDR DisplayName: "Panther Crowdstrike Pack" diff --git a/packs/duo.yml b/packs/duo.yml index bd80f7073..a0e59e8be 100644 --- a/packs/duo.yml +++ b/packs/duo.yml 
@@ -22,3 +22,4 @@ PackDefinition: # Globals used in these detections - panther_base_helpers - panther_duo_helpers + - panther_config diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml index 488b7f00d..cb667d3f3 100644 --- a/packs/gcp_audit.yml +++ b/packs/gcp_audit.yml @@ -39,4 +39,5 @@ PackDefinition: - panther_event_type_helpers - gcp_base_helpers - gcp_environment + - panther_config DisplayName: "Panther GCP Audit Pack" diff --git a/packs/github.yml b/packs/github.yml index 3349e4908..63ab6fa70 100644 --- a/packs/github.yml +++ b/packs/github.yml @@ -30,3 +30,4 @@ PackDefinition: - panther_event_type_helpers - panther_oss_helpers - global_filter_github + - panther_config diff --git a/packs/gravitational_teleport.yml b/packs/gravitational_teleport.yml index 4c9fb8e2b..076815739 100644 --- a/packs/gravitational_teleport.yml +++ b/packs/gravitational_teleport.yml @@ -10,4 +10,5 @@ PackDefinition: - Teleport.SuspiciousCommands # Globals used in these detections - panther_base_helpers + - panther_config DisplayName: "Panther Teleport Pack" diff --git a/packs/greynoise_advanced.yml b/packs/greynoise_advanced.yml index 44f89a12a..09f7971f5 100644 --- a/packs/greynoise_advanced.yml +++ b/packs/greynoise_advanced.yml @@ -8,4 +8,5 @@ PackDefinition: - panther_base_helpers - panther_greynoise_helpers - panther_lookuptable_helpers + - panther_config DisplayName: "GreyNoise Advanced" diff --git a/packs/greynoise_basic.yml b/packs/greynoise_basic.yml index 9eacc1772..eccc80d16 100644 --- a/packs/greynoise_basic.yml +++ b/packs/greynoise_basic.yml @@ -8,4 +8,5 @@ PackDefinition: - panther_base_helpers - panther_greynoise_helpers - panther_lookuptable_helpers + - panther_config DisplayName: "GreyNoise Basic" diff --git a/packs/ipinfo.yml b/packs/ipinfo.yml index 791b2c09f..a54fcb2b1 100644 --- a/packs/ipinfo.yml +++ b/packs/ipinfo.yml 
@@ -12,4 +12,5 @@ PackDefinition: - panther_base_helpers - panther_ipinfo_helpers - panther_lookuptable_helpers + - panther_config DisplayName: "IPInfo" diff --git a/packs/mongodb.yml b/packs/mongodb.yml index bcd29ddf3..96a34bc5c 100644 --- a/packs/mongodb.yml +++ b/packs/mongodb.yml @@ -8,3 +8,4 @@ PackDefinition: - MongoDB.External.UserInvited # Globals - panther_base_helpers + - panther_config diff --git a/packs/notion.yml b/packs/notion.yml index 4e6b28bfa..3ee9f3cd0 100644 --- a/packs/notion.yml +++ b/packs/notion.yml @@ -20,6 +20,7 @@ PackDefinition: - panther_oss_helpers - panther_notion_helpers - global_filter_notion + - panther_config # Data Model - Standard.Notion.AuditLogs DisplayName: "Panther Notion Pack" diff --git a/packs/okta.yml b/packs/okta.yml index 603d6546b..ac5b33ce7 100644 --- a/packs/okta.yml +++ b/packs/okta.yml @@ -29,6 +29,7 @@ PackDefinition: - panther_base_helpers - panther_oss_helpers - panther_event_type_helpers + - panther_config # Data Model - Standard.Okta.SystemLog DisplayName: "Panther Okta Pack" diff --git a/packs/onelogin.yml b/packs/onelogin.yml index 3555a3da0..e004327df 100644 --- a/packs/onelogin.yml +++ b/packs/onelogin.yml @@ -17,4 +17,5 @@ PackDefinition: # Globals used in these detections - panther_base_helpers - panther_oss_helpers + - panther_config DisplayName: "Panther OneLogin Pack" diff --git a/packs/onepassword.yml b/packs/onepassword.yml index f4b418a9d..ecdff0ca0 100644 --- a/packs/onepassword.yml +++ b/packs/onepassword.yml @@ -11,3 +11,4 @@ PackDefinition: # Supporting Global Helpers - panther_base_helpers - panther_event_type_helpers + - panther_config diff --git a/packs/osquery.yml b/packs/osquery.yml index 41a8ad3e4..193bc32d8 100644 --- a/packs/osquery.yml +++ b/packs/osquery.yml @@ -16,4 +16,5 @@ PackDefinition: - Osquery.SuspiciousCron # Globals used in these detections - panther_base_helpers + - panther_config DisplayName: "Panther OSQuery Pack" 
diff --git a/packs/panther.yml b/packs/panther.yml index 1d5ffabc4..a2801b129 100644 --- a/packs/panther.yml +++ b/packs/panther.yml @@ -12,4 +12,5 @@ PackDefinition: # Helpers - panther_base_helpers - panther_event_type_helpers + - panther_config DisplayName: "Panther Audit Logs Pack" diff --git a/packs/sentinelone.yml b/packs/sentinelone.yml index 77eb5b998..f851060cd 100644 --- a/packs/sentinelone.yml +++ b/packs/sentinelone.yml @@ -7,4 +7,5 @@ PackDefinition: - SentinelOne.Threats # Globals used in these detections - panther_base_helpers + - panther_config DisplayName: "Panther SentinelOne Pack" diff --git a/packs/slack.yml b/packs/slack.yml index b7af19334..1d0235f98 100644 --- a/packs/slack.yml +++ b/packs/slack.yml @@ -29,3 +29,4 @@ PackDefinition: # Globals used in these rules/policies - panther_base_helpers - panther_oss_helpers + - panther_config diff --git a/packs/snyk.yml b/packs/snyk.yml index d1cc27337..a0484d41e 100644 --- a/packs/snyk.yml +++ b/packs/snyk.yml @@ -18,3 +18,4 @@ PackDefinition: - global_filter_snyk - panther_base_helpers - panther_snyk_helpers + - panther_config diff --git a/packs/tailscale.yml b/packs/tailscale.yml index be101abab..8a7c4bba5 100644 --- a/packs/tailscale.yml +++ b/packs/tailscale.yml @@ -10,4 +10,5 @@ PackDefinition: - panther_base_helpers - panther_tailscale_helpers - global_filter_tailscale + - panther_config DisplayName: "Panther Tailscale Pack" diff --git a/packs/tines.yml b/packs/tines.yml index 08a815560..239486be7 100644 --- a/packs/tines.yml +++ b/packs/tines.yml @@ -16,3 +16,4 @@ PackDefinition: - global_filter_tines - panther_base_helpers - panther_tines_helpers + - panther_config diff --git a/packs/tor.yml b/packs/tor.yml index 5c9b444c2..4cf2397aa 100644 --- a/packs/tor.yml +++ b/packs/tor.yml @@ -7,4 +7,5 @@ PackDefinition: - panther_base_helpers - panther_lookuptable_helpers - panther_tor_helpers + - panther_config DisplayName: "Tor Lookup Tables" 
diff --git a/packs/zendesk.yml b/packs/zendesk.yml index efcb1ecfa..3abba045e 100644 --- a/packs/zendesk.yml +++ b/packs/zendesk.yml @@ -16,3 +16,4 @@ PackDefinition: # Globals - panther_base_helpers - panther_event_type_helpers + - panther_config diff --git a/packs/zoom.yml b/packs/zoom.yml index 35857ceee..4ae78d44b 100644 --- a/packs/zoom.yml +++ b/packs/zoom.yml @@ -18,3 +18,4 @@ PackDefinition: - panther_base_helpers - panther_oss_helpers - panther_zoom_helpers + - panther_config From aea6bb2bc76151cbc97f2ece9cc5da19e6b65d8e Mon Sep 17 00:00:00 2001 From: Kostas Papageorgiou Date: Thu, 14 Dec 2023 15:10:42 +0200 Subject: [PATCH 32/35] Fixing rules that were failing validation (#1041) * Fixed rules * Removed deleted rule from pack * Reverted changes * Remove tailscale selectors * Fixed riot basic --- .../greynoise/advanced/noise_advanced.yml | 10 -- .../greynoise/advanced/riot_advanced.yml | 10 -- lookup_tables/greynoise/basic/noise_basic.yml | 10 -- lookup_tables/greynoise/basic/riot_basic.yml | 10 -- lookup_tables/ipinfo/ipinfo_asn.yml | 10 -- lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 10 -- lookup_tables/ipinfo/ipinfo_location.yml | 10 -- .../ipinfo/ipinfo_location_datalake.yml | 10 -- lookup_tables/ipinfo/ipinfo_privacy.yml | 10 -- .../ipinfo/ipinfo_privacy_datalake.yml | 10 -- lookup_tables/tor/tor_exit_nodes.yml | 10 -- packs/netskope.yml | 1 - .../netskope_admin_user_change.yml | 94 ------------------- 13 files changed, 205 deletions(-) delete mode 100644 rules/netskope_rules/netskope_admin_user_change.yml diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml index a09f5d3c3..11b978f8d 100644 --- a/lookup_tables/greynoise/advanced/noise_advanced.yml +++ b/lookup_tables/greynoise/advanced/noise_advanced.yml 
@@ -422,16 +422,6 @@ LogTypeMap: - LogType: Sysdig.Audit Selectors: - "$.content.userOriginIP" - - LogType: Tailscale.Network - Selectors: - - "$.event.virtualTraffic[].srcIp" - - "$.event.virtualTraffic[].dstIp" - - "$.event.subnetTraffic[].srcIp" - - "$.event.subnetTraffic[].dstIp" - - "$.event.exitTraffic[].srcIp" - - "$.event.exitTraffic[].dstIp" - - "$.event.physicalTraffic[].srcIp" - - "$.event.physicalTraffic[].dstIp" - LogType: Tines.Audit Selectors: - "request_ip" diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml index ae82a0797..6348c01c1 100644 --- a/lookup_tables/greynoise/advanced/riot_advanced.yml +++ b/lookup_tables/greynoise/advanced/riot_advanced.yml @@ -422,16 +422,6 @@ LogTypeMap: - LogType: Sysdig.Audit Selectors: - "$.content.userOriginIP" - - LogType: Tailscale.Network - Selectors: - - "$.event.virtualTraffic[].srcIp" - - "$.event.virtualTraffic[].dstIp" - - "$.event.subnetTraffic[].srcIp" - - "$.event.subnetTraffic[].dstIp" - - "$.event.exitTraffic[].srcIp" - - "$.event.exitTraffic[].dstIp" - - "$.event.physicalTraffic[].srcIp" - - "$.event.physicalTraffic[].dstIp" - LogType: Tines.Audit Selectors: - "request_ip" diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml index dcb235596..9be4bd1c3 100644 --- a/lookup_tables/greynoise/basic/noise_basic.yml +++ b/lookup_tables/greynoise/basic/noise_basic.yml @@ -422,16 +422,6 @@ LogTypeMap: - LogType: Sysdig.Audit Selectors: - "$.content.userOriginIP" - - LogType: Tailscale.Network - Selectors: - - "$.event.virtualTraffic[].srcIp" - - "$.event.virtualTraffic[].dstIp" - - "$.event.subnetTraffic[].srcIp" - - "$.event.subnetTraffic[].dstIp" - - "$.event.exitTraffic[].srcIp" - - "$.event.exitTraffic[].dstIp" - - "$.event.physicalTraffic[].srcIp" - - "$.event.physicalTraffic[].dstIp" - LogType: Tines.Audit Selectors: - "request_ip" 
diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml index 0705637d2..7dceb4667 100644 --- a/lookup_tables/greynoise/basic/riot_basic.yml +++ b/lookup_tables/greynoise/basic/riot_basic.yml @@ -422,16 +422,6 @@ LogTypeMap: - LogType: Sysdig.Audit Selectors: - "$.content.userOriginIP" - - LogType: Tailscale.Network - Selectors: - - "$.event.virtualTraffic[].srcIp" - - "$.event.virtualTraffic[].dstIp" - - "$.event.subnetTraffic[].srcIp" - - "$.event.subnetTraffic[].dstIp" - - "$.event.exitTraffic[].srcIp" - - "$.event.exitTraffic[].dstIp" - - "$.event.physicalTraffic[].srcIp" - - "$.event.physicalTraffic[].dstIp" - LogType: Tines.Audit Selectors: - "request_ip" diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml index a9f7602d7..5aee66a28 100644 --- a/lookup_tables/ipinfo/ipinfo_asn.yml +++ b/lookup_tables/ipinfo/ipinfo_asn.yml @@ -422,16 +422,6 @@ LogTypeMap: - LogType: Sysdig.Audit Selectors: - "$.content.userOriginIP" - - LogType: Tailscale.Network - Selectors: - - "$.event.virtualTraffic[].srcIp" - - "$.event.virtualTraffic[].dstIp" - - "$.event.subnetTraffic[].srcIp" - - "$.event.subnetTraffic[].dstIp" - - "$.event.exitTraffic[].srcIp" - - "$.event.exitTraffic[].dstIp" - - "$.event.physicalTraffic[].srcIp" - - "$.event.physicalTraffic[].dstIp" - LogType: Tines.Audit Selectors: - "request_ip" diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml index de1b02e2f..ee6b613af 100644 --- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml 
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
index 9aff65042..c49741798 100644
--- a/lookup_tables/ipinfo/ipinfo_location.yml
+++ b/lookup_tables/ipinfo/ipinfo_location.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
index da657eeb9..9f22a415f 100644
--- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
index da7781172..375ebf5a3 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
index 5e4b45faa..2715aaa6c 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
index 9e1011174..103ff3392 100644
--- a/lookup_tables/tor/tor_exit_nodes.yml
+++ b/lookup_tables/tor/tor_exit_nodes.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/packs/netskope.yml b/packs/netskope.yml
index 45758b437..b15ed4273 100644
--- a/packs/netskope.yml
+++ b/packs/netskope.yml
@@ -4,7 +4,6 @@ Description: Group of all Netskope detections
 PackDefinition:
 IDs:
 - Netskope.AdminLoggedOutLoginFailures
- - Netskope.AdminUserChange
 - Netskope.ManyDeletes
 - Netskope.NetskopePersonnelActivity
 - Netskope.UnauthorizedAPICalls
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
deleted file mode 100644
index abc84d284..000000000
--- a/rules/netskope_rules/netskope_admin_user_change.yml
+++ /dev/null
@@ -1,94 +0,0 @@
-AnalysisType: rule
-RuleID: "Netskope.AdminUserChange"
-DisplayName: "An administrator account was created, deleted, or modified."
-AlertTitle: "User [{user}] performed [{audit_log_event}]"
-Detection:
- - All:
- - KeyPath: audit_log_event
- Condition: IsIn
- Values:
- - Created new admin
- - Added SSO Admin
- - Edited SSO Admin Record
- - Created new support admin
- - Edit admin record
- - Deleted admin
- - Enabled admin
- - Disabled admin
- - Unlocked admin
- - Updated admin settings
- - Deleted Netskope SSO admin
-Enabled: true
-LogTypes:
- - Netskope.Audit
-Tags:
- - Netskope
- - Account Manipulation
-Reports:
- MITRE ATT&CK:
- - TA0004:T1098
-Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
-Severity: High
-DynamicSeverities:
- - ChangeTo: Critical
- Conditions:
- - KeyPath: audit_log_event
- Condition: Contains
- Values:
- - Create
- - Add
- - Delete
-Description: An administrator account was created, deleted, or modified.
-DedupPeriodMinutes: 60
-Threshold: 1
-Runbook: An administrator account was created, deleted, or modified. Validate that this activity is expected and authorized.
-Tests:
- - Name: True positive
- ExpectedResult: true
- Log:
- {
- "_id": "e5ca619b059fccdd0cfd9398",
- "_insertion_epoch_timestamp": 1702308331,
- "audit_log_event": "Created new admin",
- "count": 1,
- "is_netskope_personnel": true,
- "organization_unit": "",
- "severity_level": 2,
- "supporting_data": {
- "data_type": "user",
- "data_values": [
- "11.22.33.44",
- "adminsupport@netskope.com"
- ]
- },
- "timestamp": "2023-12-11 15:25:31.000000000",
- "type": "admin_audit_logs",
- "ur_normalized": "adminsupport@netskope.com",
- "user": "adminsupport@netskope.com"
- }
- - Name: True negative
- ExpectedResult: false
- Log:
- {
- "_id": "1e589befa3da30132362f32a",
- "_insertion_epoch_timestamp": 1702318213,
- "audit_log_event": "Rest API V2 Call",
- "count": 1,
- "is_netskope_personnel": false,
- "organization_unit": "",
- "severity_level": 2,
- "supporting_data": {
- "data_type": "incidents",
- "data_values": [
- 200,
- "POST",
- "/api/v2/incidents/uba/getuci",
- "trid=ccb898fgrhvdd0v0lebg"
- ]
- },
- "timestamp": "2023-12-11 18:10:13.000000000",
- "type": "admin_audit_logs",
- "ur_normalized": "service-account",
- "user": "service-account"
- }
-
From 48a851eb6b1d9319a55186912ad518369280aeb0 Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Thu, 14 Dec 2023 11:01:44 -0600
Subject: [PATCH 33/35] Add additional panther_config modules to Packs (#1042)

---
 packs/asana.yml | 2 ++
 packs/atlassian.yml | 2 ++
 packs/auth0.yml | 2 ++
 packs/aws.yml | 2 ++
 packs/aws_cis.yml | 2 ++
 packs/azure_signin.yml | 2 ++
 packs/cloudflare.yml | 2 ++
 packs/credential_security.yml | 2 ++
 packs/crowdstrike.yml | 2 ++
 packs/duo.yml | 2 ++
 packs/gcp_audit.yml | 2 ++
 packs/github.yml | 2 ++
 packs/gravitational_teleport.yml | 2 ++
 packs/greynoise_advanced.yml | 2 ++
 packs/greynoise_basic.yml | 2 ++
 packs/ipinfo.yml | 2 ++
 packs/mongodb.yml | 2 ++
 packs/notion.yml | 2 ++
 packs/okta.yml | 2 ++
 packs/onelogin.yml | 2 ++
 packs/onepassword.yml | 2 ++
 packs/osquery.yml | 2 ++
 packs/panther.yml | 2 ++
 packs/sentinelone.yml | 2 ++
 packs/slack.yml | 2 ++
 packs/snyk.yml | 2 ++
 packs/tailscale.yml | 2 ++
 packs/tines.yml | 2 ++
 packs/tor.yml | 2 ++
 packs/zendesk.yml | 2 ++
 packs/zoom.yml | 2 ++
 31 files changed, 62 insertions(+)

diff --git a/packs/asana.yml b/packs/asana.yml
index 14abb221f..e22778505 100644
--- a/packs/asana.yml
+++ b/packs/asana.yml
@@ -17,4 +17,6 @@ PackDefinition:
 - panther_asana_helpers
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Asana Pack"
diff --git a/packs/atlassian.yml b/packs/atlassian.yml
index 944b942e0..2e9616228 100644
--- a/packs/atlassian.yml
+++ b/packs/atlassian.yml
@@ -7,4 +7,6 @@ PackDefinition:
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Atlassian Pack"
diff --git a/packs/auth0.yml b/packs/auth0.yml
index e1495327c..5ffb82d9d 100644
--- a/packs/auth0.yml
+++ b/packs/auth0.yml
@@ -18,4 +18,6 @@ PackDefinition:
 - panther_auth0_helpers
 - global_filter_auth0
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Auth0 Pack"
diff --git a/packs/aws.yml b/packs/aws.yml
index ee81bd293..3ff011fe8 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
@@ -146,3 +146,5 @@ PackDefinition:
 - panther_lookuptable_helpers
 - panther_oss_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/aws_cis.yml b/packs/aws_cis.yml
index f13fa6325..abb278a91 100644
--- a/packs/aws_cis.yml
+++ b/packs/aws_cis.yml
@@ -39,4 +39,6 @@ PackDefinition:
 - panther_base_helpers
 - panther_oss_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther AWS CIS Pack"
diff --git a/packs/azure_signin.yml b/packs/azure_signin.yml
index fda95493a..8669bf631 100644
--- a/packs/azure_signin.yml
+++ b/packs/azure_signin.yml
@@ -11,4 +11,6 @@ PackDefinition:
 - panther_azuresignin_helpers
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Azure.Audit SignIn Pack"
diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml
index 56731ddf3..332d00808 100644
--- a/packs/cloudflare.yml
+++ b/packs/cloudflare.yml
@@ -15,3 +15,5 @@ PackDefinition:
 - panther_lookuptable_helpers
 - global_filter_cloudflare
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/credential_security.yml b/packs/credential_security.yml
index 59129ea82..64b3b2a6c 100644
--- a/packs/credential_security.yml
+++ b/packs/credential_security.yml
@@ -17,6 +17,8 @@ PackDefinition:
 - panther_default
 - panther_event_type_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 # Rules
 - AWS.CloudTrail.RootPasswordChanged
 - AWS.IAM.AccessKeyCompromised
diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml
index 5c2f6cf4e..273913382 100644
--- a/packs/crowdstrike.yml
+++ b/packs/crowdstrike.yml
@@ -22,6 +22,8 @@ PackDefinition:
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 # Data models
 - Standard.Crowdstrike.FDR
 DisplayName: "Panther Crowdstrike Pack"
diff --git a/packs/duo.yml b/packs/duo.yml
index a0e59e8be..aaa99e3a3 100644
--- a/packs/duo.yml
+++ b/packs/duo.yml
@@ -23,3 +23,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_duo_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml
index cb667d3f3..15250156a 100644
--- a/packs/gcp_audit.yml
+++ b/packs/gcp_audit.yml
@@ -40,4 +40,6 @@ PackDefinition:
 - gcp_base_helpers
 - gcp_environment
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther GCP Audit Pack"
diff --git a/packs/github.yml b/packs/github.yml
index 63ab6fa70..bb5de9948 100644
--- a/packs/github.yml
+++ b/packs/github.yml
@@ -31,3 +31,5 @@ PackDefinition:
 - panther_oss_helpers
 - global_filter_github
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/gravitational_teleport.yml b/packs/gravitational_teleport.yml
index 076815739..e29f3403d 100644
--- a/packs/gravitational_teleport.yml
+++ b/packs/gravitational_teleport.yml
@@ -11,4 +11,6 @@ PackDefinition:
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Teleport Pack"
diff --git a/packs/greynoise_advanced.yml b/packs/greynoise_advanced.yml
index 09f7971f5..3f0105a66 100644
--- a/packs/greynoise_advanced.yml
+++ b/packs/greynoise_advanced.yml
@@ -9,4 +9,6 @@ PackDefinition:
 - panther_greynoise_helpers
 - panther_lookuptable_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "GreyNoise Advanced"
diff --git a/packs/greynoise_basic.yml b/packs/greynoise_basic.yml
index eccc80d16..ecaa63bf2 100644
--- a/packs/greynoise_basic.yml
+++ b/packs/greynoise_basic.yml
@@ -9,4 +9,6 @@ PackDefinition:
 - panther_greynoise_helpers
 - panther_lookuptable_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "GreyNoise Basic"
diff --git a/packs/ipinfo.yml b/packs/ipinfo.yml
index a54fcb2b1..771b49594 100644
--- a/packs/ipinfo.yml
+++ b/packs/ipinfo.yml
@@ -13,4 +13,6 @@ PackDefinition:
 - panther_ipinfo_helpers
 - panther_lookuptable_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "IPInfo"
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
index 96a34bc5c..7188ae8d3 100644
--- a/packs/mongodb.yml
+++ b/packs/mongodb.yml
@@ -9,3 +9,5 @@ PackDefinition:
 # Globals
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/notion.yml b/packs/notion.yml
index 3ee9f3cd0..c50e9f5b6 100644
--- a/packs/notion.yml
+++ b/packs/notion.yml
@@ -21,6 +21,8 @@ PackDefinition:
 - panther_notion_helpers
 - global_filter_notion
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 # Data Model
 - Standard.Notion.AuditLogs
 DisplayName: "Panther Notion Pack"
diff --git a/packs/okta.yml b/packs/okta.yml
index ac5b33ce7..faf4469fb 100644
--- a/packs/okta.yml
+++ b/packs/okta.yml
@@ -30,6 +30,8 @@ PackDefinition:
 - panther_oss_helpers
 - panther_event_type_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 # Data Model
 - Standard.Okta.SystemLog
 DisplayName: "Panther Okta Pack"
diff --git a/packs/onelogin.yml b/packs/onelogin.yml
index e004327df..30f8166b5 100644
--- a/packs/onelogin.yml
+++ b/packs/onelogin.yml
@@ -18,4 +18,6 @@ PackDefinition:
 - panther_base_helpers
 - panther_oss_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther OneLogin Pack"
diff --git a/packs/onepassword.yml b/packs/onepassword.yml
index ecdff0ca0..8ea7183df 100644
--- a/packs/onepassword.yml
+++ b/packs/onepassword.yml
@@ -12,3 +12,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_event_type_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/osquery.yml b/packs/osquery.yml
index 193bc32d8..adac2b24d 100644
--- a/packs/osquery.yml
+++ b/packs/osquery.yml
@@ -17,4 +17,6 @@ PackDefinition:
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther OSQuery Pack"
diff --git a/packs/panther.yml b/packs/panther.yml
index a2801b129..678ea2ad0 100644
--- a/packs/panther.yml
+++ b/packs/panther.yml
@@ -13,4 +13,6 @@ PackDefinition:
 - panther_base_helpers
 - panther_event_type_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Audit Logs Pack"
diff --git a/packs/sentinelone.yml b/packs/sentinelone.yml
index f851060cd..2824e6d8e 100644
--- a/packs/sentinelone.yml
+++ b/packs/sentinelone.yml
@@ -8,4 +8,6 @@ PackDefinition:
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther SentinelOne Pack"
diff --git a/packs/slack.yml b/packs/slack.yml
index 1d0235f98..4766ae4ea 100644
--- a/packs/slack.yml
+++ b/packs/slack.yml
@@ -30,3 +30,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_oss_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/snyk.yml b/packs/snyk.yml
index a0484d41e..68466acae 100644
--- a/packs/snyk.yml
+++ b/packs/snyk.yml
@@ -19,3 +19,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_snyk_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/tailscale.yml b/packs/tailscale.yml
index 8a7c4bba5..1eb976890 100644
--- a/packs/tailscale.yml
+++ b/packs/tailscale.yml
@@ -11,4 +11,6 @@ PackDefinition:
 - panther_tailscale_helpers
 - global_filter_tailscale
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Panther Tailscale Pack"
diff --git a/packs/tines.yml b/packs/tines.yml
index 239486be7..bca8c6bda 100644
--- a/packs/tines.yml
+++ b/packs/tines.yml
@@ -17,3 +17,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_tines_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/tor.yml b/packs/tor.yml
index 4cf2397aa..c4360bcad 100644
--- a/packs/tor.yml
+++ b/packs/tor.yml
@@ -8,4 +8,6 @@ PackDefinition:
 - panther_lookuptable_helpers
 - panther_tor_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
 DisplayName: "Tor Lookup Tables"
diff --git a/packs/zendesk.yml b/packs/zendesk.yml
index 3abba045e..3476be440 100644
--- a/packs/zendesk.yml
+++ b/packs/zendesk.yml
@@ -17,3 +17,5 @@ PackDefinition:
 - panther_base_helpers
 - panther_event_type_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
diff --git a/packs/zoom.yml b/packs/zoom.yml
index 4ae78d44b..454d05822 100644
--- a/packs/zoom.yml
+++ b/packs/zoom.yml
@@ -19,3 +19,5 @@ PackDefinition:
 - panther_oss_helpers
 - panther_zoom_helpers
 - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
From a0b6039dbe1966d29ddd80937b9a790a59ef9cfe Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Fri, 15 Dec 2023 09:18:24 -0600
Subject: [PATCH 34/35] Sync changes from staging repository (#1043)

* Add validate Workflow; separate lint and test checks (#1)
* Add Workflow to upload on merge to main (#2)
* Add Workflow to upload on merge to main
* Update job names
* Update validate and upload step names (#3)
* Update Validate Workflow name
* Small tweaks
---
 .github/workflows/{lint-test.yml => lint.yml} | 7 +---
 .github/workflows/test.yml | 27 +++++++++++++
 .github/workflows/upload.yml | 39 +++++++++++++++++++
 .github/workflows/validate.yml | 36 +++++++++++++++++
 4 files changed, 104 insertions(+), 5 deletions(-)
 rename .github/workflows/{lint-test.yml => lint.yml} (93%)
 create mode 100644 .github/workflows/test.yml
 create mode 100644 .github/workflows/upload.yml
 create mode 100644 .github/workflows/validate.yml

diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint.yml
similarity index 93%
rename from .github/workflows/lint-test.yml
rename to .github/workflows/lint.yml
index 215309465..917f2d00f 100644
--- a/.github/workflows/lint-test.yml
+++ b/.github/workflows/lint.yml
@@ -17,8 +17,8 @@
 on: pull_request
 jobs:
- make_lint:
- name: lint and test
+ lint:
+ name: Lint
 runs-on: ubuntu-latest
 steps:
@@ -41,6 +41,3 @@ jobs:
 - name: make lint
 run: make lint
-
- - name: make test
- run: make test
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 000000000..2eb871922
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,27 @@
+on: pull_request
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout panther-analysis
+ uses: actions/checkout@v4
+ - name: Set python version
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.9'
+
+ - name: Install pipenv
+ run: pip install pipenv
+
+ - name: Install
+ run: make install
+
+ - name: Setup venv
+ run: make venv
+
+ - name: make test
+ run: make test
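Review bot: test.yml declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN grant the repository is configured with; since its steps only read the checkout, adding `permissions:` / `  contents: read` at the top of the file scopes the token to least privilege. The actions are referenced by mutable major tags (`actions/checkout@v4`, `actions/setup-python@v4`); pinning each to a full commit SHA, with the version kept in a trailing comment, is the usual supply-chain hardening for a workflow that runs on every `pull_request`. The same two points apply to upload.yml and validate.yml added in this commit.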
diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
new file mode 100644
index 000000000..39c829ce5
--- /dev/null
+++ b/.github/workflows/upload.yml
@@ -0,0 +1,39 @@
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ upload:
+ name:
+ runs-on: ubuntu-latest
+ env:
+ API_HOST: ${{ secrets.API_HOST }}
+ API_TOKEN: ${{ secrets.API_TOKEN }}
+ steps:
+ - name: Validate Secrets
+ if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+ run: |
+ echo "API_HOST or API_TOKEN not set"
+ exit 0
+
+ - name: Checkout panther-analysis
+ uses: actions/checkout@v4
+
+ - name: Set python version
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.9'
+
+ - name: Install pipenv
+ run: pip install pipenv
+
+ - name: Install
+ run: make install
+
+ - name: Setup venv
+ run: make venv
+
+ - name: upload
+ run: |
+ pipenv run panther_analysis_tool upload --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
new file mode 100644
index 000000000..189ec23c1
--- /dev/null
+++ b/.github/workflows/validate.yml
@@ -0,0 +1,36 @@
+on: pull_request
+
+jobs:
+ validate:
+ name: Validate
+ runs-on: ubuntu-latest
+ env:
+ API_HOST: ${{ secrets.API_HOST }}
+ API_TOKEN: ${{ secrets.API_TOKEN }}
+ steps:
+ - name: Validate Secrets
+ if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+ run: |
+ echo "API_HOST or API_TOKEN not set"
+ exit 0
+
+ - name: Checkout panther-analysis
+ uses: actions/checkout@v4
+
+ - name: Set python version
+ uses: actions/setup-python@v4
+ with:
+ python-version: '3.9'
+
+ - name: Install pipenv
+ run: pip install pipenv
+
+ - name: Install
+ run: make install
+
+ - name: Setup venv
+ run: make venv
+
+ - name: validate
+ run: |
+ pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
From c63982e002434a041956c2f460efe8d2992b26ca Mon Sep 17 00:00:00 2001
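Review bot: The `Validate Secrets` step in upload.yml ends with `exit 0`, which does not stop the job, so when either secret is missing the later `upload` step still runs with empty `--api-host`/`--api-token`; change it to `exit 1` so the job fails fast, or give the `upload` step the same `if:` guard if a silent no-op is intended. The same pattern is in validate.yml in this commit. The `upload` job's `name:` is empty, so it will be displayed by its job id; give it a value or drop the key. Both `run:` commands expand `${{ env.API_HOST }}`/`${{ env.API_TOKEN }}` into the script text; since the values are already in the job `env`, reading them in the shell, `pipenv run panther_analysis_tool upload --api-host "$API_HOST" --api-token "$API_TOKEN"`, is the form GitHub recommends and avoids substituting the token into the generated script. validate.yml additionally runs on `pull_request` with the token in the job env, so `make install`/`make venv` from the PR head execute with access to it; a protected environment or a trusted-ref condition on that job would limit the exposure.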
From: Evan Gibler
Date: Tue, 9 Jan 2024 15:06:20 -0600
Subject: [PATCH 35/35] Update how tests are run in test.yml (#1053)

---
 .github/workflows/test.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2eb871922..0c0ba8c38 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,5 +23,6 @@ jobs:
 - name: Setup venv
 run: make venv
- - name: make test
- run: make test
+ - name: test
+ run: |
+ pipenv run panther_analysis_tool test --api-host ${{ secrets.API_HOST }} --api-token ${{ secrets.API_TOKEN }}
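Review bot: The new `test` step interpolates `${{ secrets.API_HOST }}` and `${{ secrets.API_TOKEN }}` directly into the `run:` script; pass them through a step or job `env:` and reference `"$API_HOST"`/`"$API_TOKEN"` in the shell instead, matching the `env:` pattern upload.yml and validate.yml use. This workflow runs on `pull_request`, where secrets are empty for pull requests from forks, so the step will execute with blank arguments rather than skip; the other two workflows have a `Validate Secrets` step and this file has none. For same-repository PRs the token is now reachable by code from the PR head that the earlier `make install`/`make venv` steps execute, which is worth a protected environment or a trusted-ref condition on the job. The enclosing `steps:` list and the `test` job start outside the hunk.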