sync this fork to panther-labs/panther-analysis v3.42.0

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
           fetch-depth: 0
           token: ${{ env.GITHUB_TOKEN }}
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           role-to-assume: ${{ secrets.AWS_ROLE }}
           aws-region: ${{ secrets.AWS_REGION }}

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.39"
+panther-analysis-tool = "~=0.40"
 panther-detection-helpers = "==0.2.0"
 
 [requires]

data_models/github_data_model.py

@@ -6,14 +6,25 @@
     "team.promote_maintainer",
 }
 
+CONDITIONAL_ADMIN_EVENTS = {
+    "team.add_repository",
+}
+
 
 def get_admin_role(event):
     action = event.get("action", "")
+    permission = event.get("permission", "")
+    if action in CONDITIONAL_ADMIN_EVENTS and permission == "admin":
+        return action
     return action if action in ADMIN_EVENTS else "<UNKNOWN_ADMIN_ROLE>"
 
 
 def get_event_type(event):
-    if event.get("action", "") in ADMIN_EVENTS:
+    action = event.get("action", "")
+    permission = event.get("permission", "")
+    if action in ADMIN_EVENTS:
+        return event_type.ADMIN_ROLE_ASSIGNED
+    if action in CONDITIONAL_ADMIN_EVENTS and permission == "admin":
         return event_type.ADMIN_ROLE_ASSIGNED
     if event.get("action", "") == "org.disable_two_factor_requirement":
         return event_type.MFA_DISABLED

lookup_tables/tor/tor_exit_nodes.yml

@@ -211,6 +211,7 @@ LogTypeMap:
         - "$.protoPayload.requestMetadata.callerIP"
         - "$.httpRequest.remoteIP"
         - "$.httpRequest.serverIP"
+        - "$.requestMetadata.callerIP"
     - LogType: GCP.HTTPLoadBalancer
       Selectors:
         - "$.jsonPayload.removeIp"

packs/auth0.yml

@@ -5,6 +5,7 @@ PackDefinition:
   IDs:
     - Auth0.Custom.Role.Created
     - Auth0.Integration.Installed
+    - Auth0.MFA.Factor.Setting.Enabled
     - Auth0.MFA.Policy.Disabled
     - Auth0.MFA.Policy.Enabled
     - Auth0.MFA.Risk.Assessment.Disabled

packs/aws.yml

@@ -49,6 +49,7 @@ PackDefinition:
     # Root Activity
     - AWS.CloudTrail.RootAccessKeyCreated
     - AWS.CloudTrail.RootPasswordChanged
+    - AWS.Console.RootLogin
     - AWS.Console.RootLoginFailed
     - AWS.EC2.Instance.DetailedMonitoring
     - AWS.Root.Activity
@@ -110,6 +111,7 @@ PackDefinition:
     - AWS.GuardDuty.MediumSeverityFinding
     - AWS.IAM.Policy.AdministrativePrivileges
     - AWS.RDS.InstanceHighAvailability
+    - AWS.RDS.ManualSnapshotCreated
     - AWS.RDS.MasterPasswordUpdated
     - AWS.RDS.PublicRestore
     - AWS.RDS.SnapshotShared

packs/carbonblack.yml

@@ -3,6 +3,7 @@ PackID: PantherManaged.CarbonBlack
 Description: Group of all Carbon Black detections
 PackDefinition:
   IDs:
+    - CarbonBlack.AlertV2.Passthrough
     - CarbonBlack.Audit.Admin.Grant
     - CarbonBlack.Audit.API.Key.Created.Retrieved
     - CarbonBlack.Audit.Data.Forwarder.Stopped

packs/cloudflare.yml

@@ -6,6 +6,8 @@ PackDefinition:
   IDs:
     - Cloudflare.Firewall.L7DDoS
     - Cloudflare.Firewall.SuspiciousEventGreyNoise
+    - Cloudflare.HttpRequest.BotHighVolume
+    - Cloudflare.HttpRequest.BotHighVolumeGreyNoise
     # Globals used in these rules/policies
     - panther_base_helpers
     - panther_cloudflare_helpers

packs/gcp_audit.yml

@@ -7,43 +7,46 @@ PackDefinition:
     - GCP.Access.Attempts.Violating.VPC.Service.Controls
     - GCP.BigQuery.Large.Scan
     - GCP.Cloud.Storage.Buckets.Modified.Or.Deleted
-    - GCP.CloudBuild.Potential.Privilege.Escalation
-    - GCP.Cloudfunctions.Functions.Create
-    - GCP.Cloudfunctions.Functions.Update
+    - GCP.CloudBuild.Potential.Privilege.Escalation.Simple
+    - GCP.Cloudfunctions.Functions.Create.Simple
+    - GCP.Cloudfunctions.Functions.Update.Simple
     - GCP.Destructive.Queries
     - GCP.DNS.Zone.Modified.or.Deleted
     - GCP.Firewall.Rule.Created
     - GCP.Firewall.Rule.Deleted
     - GCP.Firewall.Rule.Modified
     - GCP.GCS.IAMChanges
     - GCP.GCS.Public
+    - GCP.GKE.Kubernetes.Cron.Job.Created.Or.Modified.Simple
     - GCP.IAM.CorporateEmail
     - GCP.IAM.CustomRoleChanges
     - GCP.IAM.OrgFolderIAMChanges
-    - GCP.iam.roles.update.Privilege.Escalation
-    - GCP.iam.serviceAccountKeys.create
+    - GCP.iam.roles.update.Privilege.Escalation.Simple
+    - GCP.iam.serviceAccountKeys.create.Simple
     - GCP.Inbound.SSO.Profile.Created
+    - GCP.K8s.New.Daemonset.Deployed.Simple
     - GCP.Log.Bucket.Or.Sink.Deleted
     - GCP.Logging.Settings.Modified
     - GCP.Logging.Sink.Modified
     - GCP.Permissions.Granted.to.Create.or.Manage.Service.Account.Key
-    - GCP.Privilege.Escalation.By.Deployments.Create
+    - GCP.Privilege.Escalation.By.Deployments.Create.Simple
     - GCP.Service.Account.Access.Denied
     - GCP.Service.Account.or.Keys.Created
-    - GCP.serviceusage.apiKeys.create.Privilege.Escalation
+    - GCP.serviceusage.apiKeys.create.Privilege.Escalation.Simple
     - GCP.SQL.ConfigChanges
+    - GCP.Storage.Hmac.Keys.Create
     - GCP.User.Added.to.IAP.Protected.Service
     - GCP.VPC.Flow.Logs.Disabled
     - GCP.Workforce.Pool.Created.or.Updated
     - GCP.Workload.Identity.Pool.Created.or.Updated
     # Data model
     - Standard.GCP.AuditLog
     # Globals used in these rules/policies
-    - panther_base_helpers
-    - panther_event_type_helpers
     - gcp_base_helpers
     - gcp_environment
+    - panther_base_helpers
     - panther_config
     - panther_config_defaults
     - panther_config_overrides
+    - panther_event_type_helpers
 DisplayName: "Panther GCP Audit Pack"