panther-labs · egibs · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024
@@ -0,0 +1,66 @@
+# Panther is a Cloud-Native SIEM for the Modern Security Team.
+# Copyright (C) 2023 Panther Labs Inc
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+on: pull_request
+
+jobs:
+  check_packs:
+    name: check packs
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout panther-analysis
+        uses: actions/checkout@v4
+
+      - name: Set python version  
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install panther_analysis_tool
+        run: pip install panther_analysis_tool
+
+      - name: Check packs
+        continue-on-error: true
+        id: check-packs
+        run: |
+          panther_analysis_tool check-packs 2> errors.txt || true
+
+          # run again to get exit code
+          panther_analysis_tool check-packs || echo ::set-output name=errors::`cat errors.txt`
+
+      - name: Comment PR
+        uses: thollander/actions-comment-pull-request@v2
+        if: ${{ steps.check-packs.outputs.errors }}
+        with:
+          mode: upsert
+          message: |
+            :scream: 
+            looks like somethings could be wrong with the packs
+            ```diff
+            ${{ steps.check-packs.outputs.errors }}
+          comment_tag: check-packs
+      - name: Delete comment
+        uses: thollander/actions-comment-pull-request@v2
+        if: ${{ !steps.check-packs.outputs.errors }}
+        with:
+          mode: delete
+          message: |
+            :scream: 
+            looks like somethings could be wrong with the packs
+            ```diff
+            ${{ steps.check-packs.outputs.errors }}
+          comment_tag: check-packs
@@ -133,6 +133,80 @@ PackDefinition:
     - AWS.VPC.FlowLogs
     - AWS.WAF.Disassociation
     - AWS.WAF.HasXSSPredicate
+    # Other rules
+    - AWS.ACM.HasSecureAlgorithms
+    - AWS.ApplicationLoadBalancer.WebACL
+    - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
+    - AWS.CMK.KeyRotation
+    - AWS.CloudTrail.Account.Discovery
+    - AWS.CloudTrail.CloudWatchLogs
+    - AWS.CloudTrail.IAMAssumeRoleBlacklistIgnored
+    - AWS.CloudTrail.IAMEntityCreatedWithoutCloudFormation
+    - AWS.CloudTrail.LeastPrivilege
+    - AWS.CloudTrail.LogEncryption
+    - AWS.CloudTrail.LogValidation
+    - AWS.CloudTrail.S3Bucket.AccessLogging
+    - AWS.CloudWatchLogs.SensitiveLogGroup.Encryption
+    - AWS.DynamoDB.AutoscalingConfiguration
+    - AWS.DynamoDB.TableTTLEnabled
+    - AWS.EC2.AMI.ApprovedHost
+    - AWS.EC2.AMI.ApprovedInstanceType
+    - AWS.EC2.AMI.ApprovedTenancy
+    - AWS.EC2.CDEVolumeEncrypted
+    - AWS.EC2.Instance.ApprovedAMI
+    - AWS.EC2.Instance.ApprovedHost
+    - AWS.EC2.Instance.ApprovedInstanceType
+    - AWS.EC2.Instance.ApprovedTenancy
+    - AWS.EC2.Instance.ApprovedVPC
+    - AWS.EC2.ManualSecurityGroupChange
+    - AWS.ECR.CRUD
+    - AWS.ECR.EVENTS
+    - AWS.GuardDuty.MasterAccount
+    - AWS.IAM.Group.Read.Only.Events
+    - AWS.IAM.Policy.Blacklist
+    - AWS.IAM.Policy.DoesNotGrantAdminAccess
+    - AWS.IAM.Policy.DoesNotGrantNetworkAdminAccess
+    - AWS.IAM.Policy.RoleMapping
+    - AWS.IAM.Resource.DoesNotHaveInlinePolicy
+    - AWS.IAM.Role.ExternalPermission
+    - AWS.IAM.Role.RestrictsUsage
+    - AWS.IAM.User.NotInConflictingGroups
+    - AWS.LAMBDA.CRUD
+    - AWS.Modify.Cloud.Compute.Infrastructure
+    - AWS.NetworkACL.RestrictedSSH
+    - AWS.NetworkACL.RestrictsInsecureProtocols
+    - AWS.NetworkACL.RestrictsOutboundTraffic
+    - AWS.RDS.Instance.AutoMinorVersionUpgradeEnabled
+    - AWS.RDS.InstanceBackup
+    - AWS.RDS.InstanceBackupRetentionAcceptable
+    - AWS.Redshift.Cluster.MaintenanceWindow
+    - AWS.Redshift.Cluster.SnapshotRetentionAcceptable
+    - AWS.Resource.MinimumTags
+    - AWS.Resource.RequiredTags
+    - AWS.RootAccount.HardwareMFA
+    - AWS.S3.BucketObjectLockConfigured
+    - AWS.S3.ServerAccess.IPWhitelist
+    - AWS.S3.ServerAccess.Unauthenticated
+    - AWS.S3.ServerAccess.UnknownRequester
+    - AWS.SecurityGroup.RestrictsAccessToCDE
+    - AWS.SecurityGroup.RestrictsInterSecurityGroupTraffic
+    - AWS.SecurityGroup.RestrictsOutboundTraffic
+    - AWS.SecurityGroup.RestrictsTrafficLeavingCDE
+    - AWS.SecurityGroup.TightlyRestrictsInboundTraffic
+    - AWS.SecurityGroup.TightlyRestrictsOutboundTraffic
+    - AWS.Software.Discovery
+    - AWS.Unsuccessful.MFA.attempt
+    - AWS.UnusedRegion
+    - AWS.VPC.DefaultNetworkACLRestrictsAllTraffic
+    - AWS.VPC.DefaultSecurityGroup.Restrictions
+    - AWS.VPC.InboundPortBlacklist
+    - AWS.VPC.InboundPortWhitelist
+    - AWS.VPC.UnapprovedOutboundDNS
+    - AWS.WAF.RuleOrdering
+    - CloudTrail.Password.Spraying
+    - VPC.DNS.Tunneling
+    - VPCFlow.Port.Scanning
+
     # AWS DataModels
     - Standard.AWS.ALB
     - Standard.AWS.CloudTrail

@@ -16,6 +16,8 @@ PackDefinition:
     - Notion.Workspace.SCIM.Token.Generated
     - Notion.Workspace.Public.Page.Added
     - Notion.LoginFromBlockedIP
+    - Notion.SharingSettingsUpdated
+    - Notion.TeamspaceOwnerAdded
     # Globals used in these detections
     - panther_base_helpers
     - panther_oss_helpers