diff --git a/rules/panther_audit_rules/panther_detection_deleted.yml b/rules/panther_audit_rules/panther_detection_deleted.yml index 5938d2a7b..d8fcba243 100644 --- a/rules/panther_audit_rules/panther_detection_deleted.yml +++ b/rules/panther_audit_rules/panther_detection_deleted.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: Detection content has been removed from Panther. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/panther-audit-logs/querying-and-writing-detections-for-panther-audit-logs SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_saml_modified.yml b/rules/panther_audit_rules/panther_saml_modified.yml index cf73682ba..daaa7b943 100644 --- a/rules/panther_audit_rules/panther_saml_modified.yml +++ b/rules/panther_audit_rules/panther_saml_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0005:T1562 Description: An Admin has modified Panther's SAML configuration. Runbook: Ensure this change was approved and appropriate. +Reference: https://docs.panther.com/system-configuration/saml SummaryAttributes: - p_any_ip_addresses - p_any_usernames diff --git a/rules/panther_audit_rules/panther_sensitive_role_created.yml b/rules/panther_audit_rules/panther_sensitive_role_created.yml index 93e5ac17b..36ec77ca6 100644 --- a/rules/panther_audit_rules/panther_sensitive_role_created.yml +++ b/rules/panther_audit_rules/panther_sensitive_role_created.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user role has been created that contains admin level permissions. Runbook: Contact the creator of this role to ensure its creation was appropriate. +Reference: https://docs.panther.com/system-configuration/rbac SummaryAttributes: - p_any_ip_addresses Tests: diff --git a/rules/panther_audit_rules/panther_user_modified.yml b/rules/panther_audit_rules/panther_user_modified.yml index ca28a4a69..95280e28c 100644 --- a/rules/panther_audit_rules/panther_user_modified.yml +++ b/rules/panther_audit_rules/panther_user_modified.yml @@ -14,6 +14,7 @@ Reports: - TA0003:T1098 Description: A Panther user's role has been modified. This could mean password, email, or role has changed for the user. Runbook: Validate that this user modification was intentional. +Reference: https://docs.panther.com/panther-developer-workflows/api/operations/user-management SummaryAttributes: - p_any_ip_addresses Tests: