Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

traildiscover enrichment with managed schema #1177

Merged
merged 12 commits into from
Apr 23, 2024
Merged

traildiscover enrichment with managed schema #1177

merged 12 commits into from
Apr 23, 2024

Conversation

arielkr256
Copy link
Contributor

Background

Adds TrailDiscover enrichment with managed schema for TrailDiscover data.

Changes

  • Adds LUT for TrailDiscover, referencing managed schema, and data file with TrailDiscover data.
  • Relies on PRs in PE and PAT to merge first

Testing

  • make test

@arielkr256 arielkr256 requested review from a team March 29, 2024 20:09
@arielkr256 arielkr256 mentioned this pull request Mar 29, 2024
Merged
@arielkr256
Copy link
Contributor Author

THREAT-248

le4ker
le4ker previously approved these changes Apr 1, 2024
View reviewed changes
@egibs egibs force-pushed the traildiscover-enrichment-managed branch from 6d02ace to 3d5784e Compare April 23, 2024 15:21
@egibs egibs merged commit 6eeb515 into release Apr 23, 2024
5 checks passed
@egibs egibs deleted the traildiscover-enrichment-managed branch April 23, 2024 15:24
egibs pushed a commit that referenced this pull request Apr 23, 2024
@melenevskyi @arielkr256
@akozlovets098 @le4ker @ben-githubs
Prepare for 3.50.0 (#1217)
ecf74bf 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
egibs pushed a commit that referenced this pull request Apr 30, 2024
@le4ker @melenevskyi
traildiscover enrichment with managed schema (#1177)
0478ad9 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
egibs pushed a commit that referenced this pull request May 1, 2024
@le4ker @melenevskyi
traildiscover enrichment with managed schema (#1177)
8f4a8f0 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request May 14, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
AppOmni Alert passthrough (#1211)
c8b6ad9 
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
egibs pushed a commit to jstanulis-push/panther-analysis that referenced this pull request May 21, 2024
@arielkr256 @le4ker
@melenevskyi @egibs
traildiscover enrichment with managed schema (panther-labs#1177)
c873d7d 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (panther-labs#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (panther-labs#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
egibs pushed a commit to jstanulis-push/panther-analysis that referenced this pull request May 21, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller @egibs
AppOmni Alert passthrough (panther-labs#1211)
4cca997 
* alert passthrough

* Deprecate GreyNoise detections (panther-labs#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (panther-labs#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (panther-labs#1208)

* linting

* fix - GCP rules - AttributeError (panther-labs#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (panther-labs#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (panther-labs#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (panther-labs#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (panther-labs#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (panther-labs#1216)

* add file/host state to msft graph alert context (panther-labs#1220)

* fix timestamps (panther-labs#1219)

* Update PAT to 0.46.1 (panther-labs#1222)

* pack for traildiscover LUT (panther-labs#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
arielkr256 added a commit that referenced this pull request May 21, 2024
@jstanulis-push @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
Push Security rules (#1207)
8012f11 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
arielkr256 added a commit that referenced this pull request May 30, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs @egibs
Threat 319 Replace geoinfo_from_ip with new version (#1242)
736c250 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Jun 10, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs
OCSF data model, VPC/DNS (#1214)
41e0c46 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
JPhenglavong added a commit that referenced this pull request Jun 10, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Standard user creation fixes (#1256)
56e014b 
* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Jun 10, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Update aws_console_login_without_mfa.py (#1237)
a15c5e6 
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
AppOmni Alert passthrough (#1211)
9b9aaf4 
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@jstanulis-push @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
Push Security rules (#1207)
2e917d8 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs @egibs
Threat 319 Replace geoinfo_from_ip with new version (#1242)
12a88b2 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs
OCSF data model, VPC/DNS (#1214)
f715e86 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Update aws_console_login_without_mfa.py (#1237)
a1e9c1f 
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
egibs pushed a commit that referenced this pull request Jun 28, 2024
@arielkr256 @le4ker
@melenevskyi @egibs
traildiscover enrichment with managed schema (#1177)
ba72f94 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Aug 22, 2024
@arielkr256 @le4ker @melenevskyi
traildiscover enrichment with managed schema (#1177)
c7c7705 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
le4ker added a commit that referenced this pull request Aug 23, 2024
@arielkr256 @le4ker @melenevskyi
traildiscover enrichment with managed schema (#1177)
97fe1bc 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
@arielkr256 arielkr256 added the lookup_table LookUpTables provide enrichment for Rules label Sep 10, 2024
arielkr256 added a commit that referenced this pull request Sep 16, 2024
@arielkr256 @le4ker @melenevskyi
traildiscover enrichment with managed schema (#1177)
b11d926 
* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Sep 16, 2024
@akozlovets098 @arielkr256
@le4ker @melenevskyi
Wiz audit rules (#1323)
a39d69c 
* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* sample_logs

* Wiz Audit rules (without Mitre mappings, Severities and Runbooks)

* Wiz Audit rules (updated Mitre mappings, Severities and Runbooks)

* Validate on PR approval (#1354)

* more correlation rules from AWS re:inforce (#1289)

* more correlation rules from AWS re:inforce

* unit tests

* MITRE ATT&CK and severity

* packs

* pipfile update

* update

* pipfile

* fix upload

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@egibs egibs egibs approved these changes

@le4ker le4ker le4ker left review comments

Assignees
No one assigned
Labels
lookup_table LookUpTables provide enrichment for Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@arielkr256 @le4ker @egibs @melenevskyi