From d2bcda6d633d4dc1279b390d10d6953b5786f4d7 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Mon, 23 Sep 2024 10:46:43 -0500
Subject: [PATCH 1/4] fully deprecate GitHub.Repo.HookModified
---
packs/github.yml | 1 -
rules/github_rules/github_repo_hook_modified.yml | 5 +++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packs/github.yml b/packs/github.yml
index cd8c7e0e4..c3582c652 100644
--- a/packs/github.yml
+++ b/packs/github.yml
@@ -15,7 +15,6 @@ PackDefinition:
 - Github.Repo.Archived
 - Github.Repo.CollaboratorChange
 - Github.Repo.Created
- #- GitHub.Repo.HookModified
 - GitHub.Repo.InitialAccess
 - Github.Repo.VisibilityChange
 - Github.Repo.VulnerabilityDismissed
diff --git a/rules/github_rules/github_repo_hook_modified.yml b/rules/github_rules/github_repo_hook_modified.yml
index 8e39ac3aa..f19eea119 100644
--- a/rules/github_rules/github_repo_hook_modified.yml
+++ b/rules/github_rules/github_repo_hook_modified.yml
@@ -1,19 +1,20 @@
 AnalysisType: rule
 Filename: github_repo_hook_modified.py
 RuleID: "GitHub.Repo.HookModified"
-DisplayName: "GitHub Web Hook Modified"
+DisplayName: "DEPRECATED - GitHub Web Hook Modified"
 Enabled: false
 LogTypes:
 - GitHub.Audit
 Tags:
 - GitHub
 - Exfiltration:Automated Exfiltration
+ - Deprecated
 Reports:
 MITRE ATT&CK:
 - TA0010:T1020
 Reference: https://docs.github.com/en/webhooks/about-webhooks
 Severity: Info
-Description: Detects when a web hook is added, modified, or deleted in an org repository.
+Description: Deprecated. See GitHub.Webhook.Modified instead.
 Tests:
 - Name: GitHub - Webhook Created
 ExpectedResult: true
From 4f54068a8b4c49e7e8f93c65fd62d8e6fb906e03 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Mon, 23 Sep 2024 10:49:09 -0500
Subject: [PATCH 2/4] create pack for GCP K8 detections
---
packs/gcp_k8.yml | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 packs/gcp_k8.yml
diff --git a/packs/gcp_k8.yml b/packs/gcp_k8.yml
new file mode 100644
index 000000000..72bb28a89
--- /dev/null
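Review bot: The new `Description: Deprecated. See GitHub.Webhook.Modified instead.` points operators at a replacement, but nothing in this patch adds `GitHub.Webhook.Modified` to `packs/github.yml` — the hunk above only drops the commented-out `#- GitHub.Repo.HookModified` line, and the replacement ID is not visible anywhere in this diff. If it is not already listed in that pack, pack subscribers lose the webhook add/modify/delete coverage this rule mapped to TA0010:T1020, so please confirm the replacement is pack-managed before merging. Naming the successor in the title as well would help anyone browsing rule lists, e.g. `DisplayName: "DEPRECATED - GitHub Web Hook Modified (use GitHub.Webhook.Modified)"`. The `Tests:` block continues past the end of the hunk.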
+++ b/packs/gcp_k8.yml
@@ -0,0 +1,21 @@
+AnalysisType: pack
+PackID: PantherManaged.GCP.K8
+DisplayName: "Panther GCP Kubernetes Pack"
+Description: Group of all Google Cloud Platform (GCP) K8 detections
+PackDefinition:
+ IDs:
+ # DataModel
+ - Standard.GCP.AuditLog
+ # Rules
+ - GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
+ - GCP.K8S.Privileged.Pod.Created
+ - GCP.K8S.Service.Type.NodePort.Deployed
+ - GCP.K8s.IOC.Activity
+ - GCP.K8s.Pod.Attached.To.Node.Host.Network
+ - GCP.K8s.Pod.Using.Host.PID.Namespace
+ # Globals
+ - gcp_base_helpers
+ - panther_base_helpers
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
\ No newline at end of file
From 29d4e1ea68a5e616fd63c248d9d2b0917221cfe4 Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Mon, 23 Sep 2024 10:58:12 -0500
Subject: [PATCH 3/4] misc pack management
---
packs/auth0.yml | 1 +
packs/aws.yml | 5 +++++
packs/multisource_correlations.yml | 5 ++++-
packs/snowflake.yml | 4 ++++
.../AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml | 2 ++
.../Okta_Login_From_CrowdStrike_Unmanaged_Device.yml | 2 ++
.../onepassword_login_from_crowdstrike_unmanaged_device.yml | 2 ++
queries/dropbox_queries/Dropbox_Many_Deletes.yml | 2 ++
queries/dropbox_queries/Dropbox_Many_Downloads.yml | 2 ++
.../gitlab_audit_password_reset_multiple_emails.yml | 1 +
.../gitlab_production_password_reset_multiple_emails.yml | 1 +
templates/example_scheduled_rule.yml | 1 +
12 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/packs/auth0.yml b/packs/auth0.yml
index 5ffb82d9d..a48fc108d 100644
--- a/packs/auth0.yml
+++ b/packs/auth0.yml
@@ -3,6 +3,7 @@ PackID: PantherManaged.Auth0
 Description: Group of all Auth0 detections
 PackDefinition:
 IDs:
+ - Auth0.CIC.Credential.Stuffing
 - Auth0.Custom.Role.Created
 - Auth0.Integration.Installed
 - Auth0.MFA.Factor.Setting.Enabled
diff --git a/packs/aws.yml b/packs/aws.yml
index aef920d52..28e4fcb96 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
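Review bot: `packs/gcp_k8.yml` is created without a trailing newline (`\ No newline at end of file` after `- panther_config_overrides`), so any later append to the end of the globals list will show up as a two-line diff for a one-line change; end the file with a newline. The Description's `K8` shorthand also reads oddly next to the `K8S`/`K8s` rule IDs it groups; `Description: Group of all Google Cloud Platform (GCP) Kubernetes (K8s) detections` is clearer for anyone searching the pack catalogue. The mixed `GCP.K8S.*` / `GCP.K8s.*` casing comes from the existing rule IDs, not this file, but the pack is where that inconsistency now becomes visible in one place.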
@@ -73,6 +73,7 @@ PackDefinition:
 - AWS.PasswordPolicy.ComplexityGuidelines
 - AWS.PasswordPolicy.PasswordAgeLimit
 - AWS.PasswordPolicy.PasswordReuse
+ - AWS.Potentially.Stolen.Service.Role.Scheduled
 - AWS.Suspicious.SAML.Activity
 - AWS.User.Login.Profile.Modified
 # General Policies and Rules
@@ -165,6 +166,7 @@ PackDefinition:
 # Correlation Rules
 - AWS.Potentially.Stolen.Service.Role
 - AWS.Privilege.Escalation.Via.User.Compromise
+ - AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP
 - AWS.User.Takeover.Via.Password.Reset
 # Signal Rules
 - Role.Assumed.by.AWS.Service
@@ -172,7 +174,10 @@ PackDefinition:
 - AWS.CloudTrail.UserAccessKeyAuth
 - AWS.CloudTrail.LoginProfileCreatedOrModified
 - AWS.Console.Login
+ - Retrieve.SSO.access.token
+ - Sign-in.with.AWS.CLI.prompt
 # Queries
+ - AWS Potentially Stolen Service Role
 - Query.CloudTrail.Password.Spraying
 - Query.VPC.DNS.Tunneling
 - VPC Flow Port Scanning
diff --git a/packs/multisource_correlations.yml b/packs/multisource_correlations.yml
index 1500f6e7e..0bc0dacf0 100644
--- a/packs/multisource_correlations.yml
+++ b/packs/multisource_correlations.yml
@@ -8,7 +8,9 @@ PackDefinition:
 - Secret.Exposed.and.not.Quarantined
 - GitHub.Secret.Scanning.Alert.Created
 - AWS.CloudTrail.IAMCompromisedKeyQuarantine
- - global_filter_github
+ - Okta.SSO.to.AWS
+ - AWS.Console.Sign-In
+ - AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta
 # Okta + Push Security
 - Okta.Login.Without.Push
@@ -24,6 +26,7 @@ PackDefinition:
 - Standard.AWS.CloudTrail
 # Global Helpers
+ - global_filter_github
 - panther_base_helpers
 - panther_config
 - panther_config_defaults
diff --git a/packs/snowflake.yml b/packs/snowflake.yml
index 7ee3b1511..c8a0d74fc 100644
--- a/packs/snowflake.yml
+++ b/packs/snowflake.yml
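Review bot: In the first `packs/multisource_correlations.yml` hunk the three new IDs (`Okta.SSO.to.AWS`, `AWS.Console.Sign-In`, `AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta`) are dropped into the group headed by the GitHub secret-scanning entries, directly above the `# Okta + Push Security` header, although they appear to form their own correlation (a console sign-in not preceded by an Okta SSO event, with the first two as its signals). The file already groups IDs by source pairing with comment headers, so give these their own, e.g. `    # Okta + AWS` inserted before `- Okta.SSO.to.AWS`, otherwise the next reader will assume they belong to the secret-exposure correlation. Moving `global_filter_github` under `# Global Helpers` in the second hunk is fine and needs no further change.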
@@ -18,7 +18,9 @@ PackDefinition:
 - Query.Snowflake.External.Shares
 - Query.Snowflake.FileDownloaded
 - Query.Snowflake.KeyUserPasswordLogin
+ - Query.Snowflake.MFALogin
 - Query.Snowflake.Multiple.Logins.Followed.By.Success
+ - Query.Snowflake.PublicRoleGrant
 - Query.Snowflake.SuspectedUserAccess
 - Query.Snowflake.TempStageCreated
 - Query.Snowflake.UserCreated
@@ -34,7 +36,9 @@ PackDefinition:
 - Snowflake.External.Shares
 - Snowflake.FileDownloaded
 - Snowflake.KeyUserPasswordLogin
+ - Snowflake.LoginWithoutMFA
 - Snowflake.Multiple.Failed.Logins.Followed.By.Success
+ - Snowflake.PublicRoleGrant
 - Snowflake.TempStageCreated
 - Snowflake.User.Access
 - Snowflake.UserCreated
diff --git a/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml b/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml
index d09d83efc..b77ad6c7e 100644
--- a/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml
+++ b/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml
@@ -44,3 +44,5 @@ RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
 - AWS Authentication from CrowdStrike Unmanaged Device
+Tags:
+ - Multi-Table Query
diff --git a/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device.yml b/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device.yml
index ed4d0a4e4..3d7107474 100644
--- a/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device.yml
+++ b/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device.yml
@@ -162,3 +162,5 @@ RuleID: "Okta.Login.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
 - Okta Login From CrowdStrike Unmanaged Device
+Tags:
+ - Multi-Table Query
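Review bot: The new Snowflake query/rule pair is named inconsistently: the query is `Query.Snowflake.MFALogin` (first hunk) while the scheduled rule that presumably consumes it is `Snowflake.LoginWithoutMFA` (second hunk, `@@ -34,7 +36,9`), whereas every other pair in this file mirrors its name (`Query.Snowflake.PublicRoleGrant` / `Snowflake.PublicRoleGrant`, `Query.Snowflake.FileDownloaded` / `Snowflake.FileDownloaded`). Pack entries must match the IDs the query and rule files themselves declare, so please check both strings against those files — a typo here silently drops the detection from the pack. If the query ID is free to change, `- Query.Snowflake.LoginWithoutMFA` keeps the convention and makes the dependency obvious.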
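Review bot: `Tags:` is appended after `ScheduledQueries:` at the very end of `AWS_Authentication_from_CrowdStrike_Unmanaged_Device.yml`, whereas `templates/example_scheduled_rule.yml` (patched later in this series) keeps `Tags:` ahead of `Severity:` and `Description:`; the Okta, 1Password and both Dropbox hunks append in the same EOF position. Key order is not semantic in YAML, so nothing breaks, but scheduled-rule files that follow the template's order are easier to diff and review side by side. Place the two added lines with the rest of the rule metadata in the template's position rather than after `ScheduledQueries:`.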
diff --git a/queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml b/queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml
index 5c1c03de6..c84b5c60f 100644
--- a/queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml
+++ b/queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml
@@ -49,3 +49,5 @@ RuleID: "OnePassword.Login.From.CrowdStrike.Unmanaged.Device"
 Threshold: 1
 ScheduledQueries:
 - 1Password Login From CrowdStrike Unmanaged Device Query
+Tags:
+ - Multi-Table Query
diff --git a/queries/dropbox_queries/Dropbox_Many_Deletes.yml b/queries/dropbox_queries/Dropbox_Many_Deletes.yml
index 502aba3b6..3fff58dfe 100644
--- a/queries/dropbox_queries/Dropbox_Many_Deletes.yml
+++ b/queries/dropbox_queries/Dropbox_Many_Deletes.yml
@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Deletes"
 Threshold: 1
 ScheduledQueries:
 - Dropbox Many Deletes
+Tags:
+ - Configuration Required
diff --git a/queries/dropbox_queries/Dropbox_Many_Downloads.yml b/queries/dropbox_queries/Dropbox_Many_Downloads.yml
index 92d85e326..1fbe372e9 100644
--- a/queries/dropbox_queries/Dropbox_Many_Downloads.yml
+++ b/queries/dropbox_queries/Dropbox_Many_Downloads.yml
@@ -22,3 +22,5 @@ RuleID: "Dropbox.Many.Downloads"
 Threshold: 1
 ScheduledQueries:
 - Dropbox Many Downloads
+Tags:
+ - Configuration Required
diff --git a/rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml b/rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml
index be4bfd5d6..fbf8bcd1a 100644
--- a/rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml
+++ b/rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml
@@ -8,6 +8,7 @@ LogTypes:
 Tags:
 - GitLab
 - CVE-2023-7028
+ - No Pack
 Reports:
 MITRE ATT&CK:
 - TA0001:T1195
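Review bot: The `Configuration Required` tag added to `Dropbox_Many_Deletes.yml` tells an operator that the query must be tuned before it is useful, but the added lines do not say what — a count threshold, a time window, an allowlist — and the query's Description sits outside the hunk, so it may or may not already cover it. If it does not, make the tag actionable with an inline comment, e.g. `  - Configuration Required  # TODO: name the threshold/allowlist to tune before enabling`, so nobody enables the rule with defaults that fire on every bulk cleanup. The same applies to the `Dropbox_Many_Downloads.yml` hunk directly below.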
diff --git a/rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml b/rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml
index fa47691f1..be48d43b2 100644
--- a/rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml
+++ b/rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml
@@ -8,6 +8,7 @@ LogTypes:
 Tags:
 - GitLab
 - CVE-2023-7028
+ - No Pack
 Reports:
 MITRE ATT&CK:
 - TA0001:T1195
diff --git a/templates/example_scheduled_rule.yml b/templates/example_scheduled_rule.yml
index fc23c4be7..33d0d55e0 100644
--- a/templates/example_scheduled_rule.yml
+++ b/templates/example_scheduled_rule.yml
@@ -7,6 +7,7 @@ ScheduledQueries:
 - My Query Name
 Tags:
 - Tag
+ - No Pack
 Severity: Medium
 Description: >
 An optional Description
From 78e1bc3fc749949b4fc04c00357ee5ad8bfd60ed Mon Sep 17 00:00:00 2001
From: Ben Airey
Date: Fri, 27 Sep 2024 13:44:11 -0500
Subject: [PATCH 4/4] move 'GCP.K8s.New.Daemonset.Deployed' to GCP K8 pack from GCP Audit
---
packs/gcp_audit.yml | 1 -
packs/gcp_k8.yml | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml
index 85b7271e5..17fc09f05 100644
--- a/packs/gcp_audit.yml
+++ b/packs/gcp_audit.yml
@@ -27,7 +27,6 @@ PackDefinition:
 - GCP.iam.roles.update.Privilege.Escalation
 - GCP.iam.serviceAccountKeys.create
 - GCP.Inbound.SSO.Profile.Created
- - GCP.K8s.New.Daemonset.Deployed
 - GCP.Log.Bucket.Or.Sink.Deleted
 - GCP.Logging.Settings.Modified
 - GCP.Logging.Sink.Modified
diff --git a/packs/gcp_k8.yml b/packs/gcp_k8.yml
index 72bb28a89..77db82283 100644
--- a/packs/gcp_k8.yml
+++ b/packs/gcp_k8.yml
@@ -7,6 +7,7 @@ PackDefinition:
 # DataModel
 - Standard.GCP.AuditLog
 # Rules
+ - GCP.K8s.New.Daemonset.Deployed
 - GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
 - GCP.K8S.Privileged.Pod.Created
 - GCP.K8S.Service.Type.NodePort.Deployed
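Review bot: Adding `- No Pack` to `templates/example_scheduled_rule.yml` means every scheduled rule scaffolded from the template is tagged as pack-excluded unless the author remembers to delete the line, and nothing in the template explains what the tag does or when to drop it. A trailing comment keeps the default from silently sticking to new detections: `  - No Pack  # remove once the rule is listed in a pack under packs/`. If the intent is instead that pack membership is always opt-in, say so in a comment above `Tags:` so the convention is discoverable from the template itself.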