From 54c78ba001a04710f0f81e8109af82f251dfb588 Mon Sep 17 00:00:00 2001
From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Date: Tue, 14 Jan 2025 12:55:58 -0700
Subject: [PATCH] Issue Templates for New Analysis and Tuning (#1464)
---
.github/ISSUE_TEMPLATE/new_analysis.yml | 41 ++++++++++++
.github/ISSUE_TEMPLATE/tuning.yml | 86 +++++++++++++++++++++++++
2 files changed, 127 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/new_analysis.yml
create mode 100644 .github/ISSUE_TEMPLATE/tuning.yml
diff --git a/.github/ISSUE_TEMPLATE/new_analysis.yml b/.github/ISSUE_TEMPLATE/new_analysis.yml
new file mode 100644
index 000000000..05ac89c35
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/new_analysis.yml
@@ -0,0 +1,41 @@
+name: "New Analysis Request"
+description: "Request a new rule, policy, or helper to be added to the Panther platform."
+title: "[New] Name of Rule, Policy, or Helper"
+labels: ["enhancement"]
+
+body:
+ - type: textarea
+ attributes:
+ label: "Description"
+ description: "Provide a detailed description of the rule, policy, or helper."
+ placeholder: "Detailed description..."
+
+ - type: dropdown
+ attributes:
+ label: "Analysis Type"
+ description: "Select the type of analysis."
+ options:
+ - rule
+ - policy
+ - global_helper
+ - data_model
+ - scheduled_query
+ - correlation_rule
+
+ - type: input
+ attributes:
+ label: "Log Source"
+ description: "Provide the relevant log source (optional)."
+ placeholder: "AWS.CloudTrail"
+
+ - type: textarea
+ attributes:
+ label: "References"
+ description: "Provide any reference links (optional)."
+ placeholder: "References..."
+
+ - type: textarea
+ attributes:
+ label: "Example Log Data (redacted)."
+ description: "Provide an example log that would trigger this rule. Please make sure to redact any sensitive information."
+ placeholder: "Example JSON data..."
\ No newline at end of file
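Review bot: The "Example Log Data (redacted)." textarea only asks reporters to "redact any sensitive information" without naming what that covers, and the same wording is used for "Example Log (redacted)" in tuning.yml; if these issues are publicly visible, a pasted raw log can expose identifiers. Spelling it out in the description would help, e.g. `description: "Provide an example log that would trigger this rule. Before pasting, replace account IDs, access key IDs, ARNs and source IP addresses with dummy values."`. Adding `render: json` under that field's `attributes` would also keep pasted log text in a code block rather than having it interpreted as Markdown. Separately, no field in this template has `validations:` with `required: true` (tuning.yml sets it on every field), so an issue can be submitted with an empty "Description" and no "Analysis Type".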
diff --git a/.github/ISSUE_TEMPLATE/tuning.yml b/.github/ISSUE_TEMPLATE/tuning.yml
new file mode 100644
index 000000000..834381420
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/tuning.yml
@@ -0,0 +1,86 @@
+name: "Tuning Request"
+description: "Report false positives or bugs with existing detections."
+title: "[Tuning] Rule ID"
+labels: [tuning]
+body:
+- type: input
+ attributes:
+ label: "Rule ID"
+ placeholder: "AWS.CloudTrail.Stopped"
+ description: |
+ "RuleID of the rule that you are reporting a false positive for"
+ validations:
+ required: true
+
+- type: textarea
+ attributes:
+ label: "Description"
+ placeholder: |
+ "This rule is triggering on the `StartLogging` event, which is not expected behavior."
+ description: |
+ "Describe why you believe this is a false positive or bug."
+ validations:
+ required: true
+
+- type: textarea
+ attributes:
+ label: "Example Log (redacted)"
+ description: |
+ "Provide an example log that triggered the rule. Please make sure to redact any sensitive information."
+ placeholder: |
+ {
+ "eventVersion": "1.05",
+ "userIdentity":
+ {
+ "type": "AssumedRole",
+ "principalId": "111:panther-snapshot-scheduler",
+ "arn": "arn:aws:sts::123456789012:assumed-role/tester",
+ "accountId": "123456789012",
+ "accessKeyId": "1",
+ "sessionContext":
+ {
+ "attributes":
+ {
+ "mfaAuthenticated": "false",
+ "creationDate": "2019-01-01T00:00:00Z",
+ },
+ "sessionIssuer":
+ {
+ "type": "Role",
+ "principalId": "1111",
+ "arn": "arn:aws:iam::123456789012:role/tester",
+ "accountId": "123456789012",
+ "userName": "tester",
+ },
+ },
+ },
+ "eventTime": "2019-01-01T00:00:00Z",
+ "eventSource": "cloudtrail.amazonaws.com",
+ "eventName": "StartLogging",
+ "awsRegion": "us-west-2",
+ "sourceIPAddress": "111.111.111.111",
+ "userAgent": "Mozilla",
+ "requestParameters":
+ {
+ "encryptionContext":
+ {
+ "aws:lambda:FunctionArn": "arn:aws:lambda:us-west-2:123456789012:function:test-function",
+ },
+ },
+ "responseElements": null,
+ "requestID": "1",
+ "eventID": "1",
+ "readOnly": true,
+ "resources":
+ [
+ {
+ "ARN": "arn:aws:kms:us-west-2:123456789012:key/1",
+ "accountId": "123456789012",
+ "type": "AWS::KMS::Key",
+ },
+ ],
+ "eventType": "AwsApiCall",
+ "recipientAccountId": "123456789012",
+ }
+ validations:
+ required: true
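Review bot: The `description: |` values on all three fields and the `placeholder: |` on "Description" put a double-quoted sentence inside a literal block scalar, so the quote characters (and a trailing newline) are part of the string and will presumably show up in the rendered form. A plain quoted scalar avoids that, e.g. `description: "Describe why you believe this is a false positive or bug."`. The JSON sample in the "Example Log (redacted)" placeholder also has trailing commas (for instance after `"creationDate": "2019-01-01T00:00:00Z",`), so it does not parse as JSON if a reporter uses it as a starting point. Since this field collects real log events, adding `render: json` under its `attributes` would keep pasted content in a code block.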