Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prepare for v3.55.0 #1271

Merged
merged 36 commits into from
Jun 27, 2024
Merged

Prepare for v3.55.0 #1271

merged 36 commits into from
Jun 27, 2024

Conversation

ben-githubs
Copy link
Contributor

Background

Move PRs for 3.55.0 into main

Changes

  • All the commits below

Testing

  • N/A

Evan Gibler and others added 30 commits May 7, 2024 08:43
Replace panther_analysis_tool import with updated import (#1230)
cd042d2
Update Action versions; use SHAs (#1231)
5e5f196 
* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0
@arielkr256
migrates the gcp_storage_hmac_keys_create rule to (#1233)
0f28285 
python from sdyaml
@arielkr256
move scheduled rules to the queries directory (#1234)
83e6d74
@kjihso
consistency nit fixes (#1235)
575cf47 
* consistency nit fixes

* - somethings -> some things
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
AppOmni Alert passthrough (#1211)
c8b6ad9 
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
@jstanulis-push @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
Push Security rules (#1207)
8012f11 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
@arielkr256
created pack and updated event.deep_get (#1239)
1252a70
@arielkr256
Push logtype update (#1240)
63db6ce 
* created pack and updated event.deep_get

* update logtype
@egibs
Remove Node/NPM/Prettier (#1241)
442849c 
* Remove Node/NPM/Prettier

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update README; add removal notes

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Small Workflow tweaks (#1243)
c8b23bd 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Use harden-runner Action for all Workflows (#1244)
dc7070c 
* Use harden-runner Action for all Workflows

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Run Docker Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Add blocking policy for docker.yml

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Add permissions to Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* More permissions

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs @egibs
Threat 319 Replace geoinfo_from_ip with new version (#1242)
736c250 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
@egibs
Use full Action SHAs rather than versioned releases (#1245)
cec5c8c 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@arielkr256
auth0-cic-credential-stuffing rule and query (#1246)
ca6f7de
@egibs
Merge branch 'main' into release
7eed675 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Update panther-core to 0.10.1 via PAT (#1249)
12ff27b 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs @arielkr256
Tweak Snowflake queries (#1250)
aa5ae8b 
* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
@JPhenglavong
Fixed typo in README.md (#1253)
d700925 
fixed 'unintall' typo to 'npm uninstall prettier'
@dependabot
build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254
9156338 
)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@c0nfleis
Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255
2f8c64f 
)
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs
OCSF data model, VPC/DNS (#1214)
41e0c46 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
@skeggse @arielkr256
fix: consider deny rules for ssh network acl policy (#1236)
2b80d94 
* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
@JPhenglavong @arielkr256
AWS Honeypot Detections threat-306 (#1252)
1772ca0 
* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Update aws_console_login_without_mfa.py (#1237)
a15c5e6 
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
@egibs
Update PAT to 0.50.0 (#1259)
3fa12da 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@arielkr256
schema rename (#1258)
69ad583
@dependabot
build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#1263)
73cdbde 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@a5ac7e5...692973e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@egibs
Update PAT to 0.50.1 (#1261)
1aaef4e 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@arielkr256
improve error handling for dynamic functions (#1262)
327008e 
* improve error handling for dynamic functions

* remove unused import

* additional fixes

* more fixes
nskobov and others added 6 commits June 17, 2024 08:52
@nskobov @arielkr256
update vscode schema to honor correlation rules (#1264)
bcf9088 
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
@le4ker
remove .husky directory (#1266)
fbdd0c4
@arielkr256
update snowflake queries with p_occurs_since (#1265)
33335ca 
* update snowflake queries with p_occurs_since

* a few more fixes

* typo
@arielkr256
remove greynoise luts (#1267)
7ff3c9f
@ben-githubs
added dynamic severity to okta vpn rule, with tests (#1268)
1f1a05e
@egibs
Remove unnecessary pipenv step (#1270)
bc59473 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@ben-githubs ben-githubs requested a review from a team as a code owner June 27, 2024 15:11
@github-actions GitHub Actions
Copy link

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@ben-githubs ben-githubs merged commit 575dc62 into main Jun 27, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@le4ker le4ker le4ker approved these changes

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.