forked from panther-labs/panther-analysis
Upstream master #2
Merged
* Fixed 1Password Unusual Client MITRE ATT&CK mapping
* Added Data Models for Slack logs
* Added helper for slack alert context
* Changed underscores to be dashes for the slack alert context
* Added missing newlines

* Add example lookup table and data file
* Update example_cidr_lookup_table.yml
* Update example_cidr_lookup_content.csv

* Update GSuite Alerts Rules
  Add the rule name to the Panther alert title to provide more context
* Fix lint error R1705 and C0304
  C0304: Final newline missing
  R1705: Unnecessary "else" after "return"
* Fix Line too long issue
* Fix Trailing whitespace issue

Co-authored-by: Kyle Bailey <kyle.o.bailey@gmail.com>

* Fixed 1Password Unusual Client MITRE ATT&CK mapping
* Added Data Models for Slack logs
* Initial commit of Slack Workspace/Org rules
* Removed trailing newline
* Revert newline deletions
* Anonymized IPs
* Apply suggestions from code review

* Initial commit of Slack Channel detections
* Anonymized IPs

* Initial commit for Slack Detections - App
* Anonymized IPs
* Added example for scope change in the Slack.AuditLogs.AppAccessExpanded detection

Co-authored-by: Ed <edyesed@gmail.com>

* Initial commit - Slack EKM
* Anonymized IPs
* Fixed wording for description on Slack.AuditLogs.EKMSlackbotUnenrolled

* Initial commit - Slack Detections - User
* Anonymized IP
* Downgraded user priv esc to High and updated comment

- Remove associated CI commands for schema testing and linting
- Remove associated Makefile commands for publishing a new distribution

Co-authored-by: George Papanikolaou <george.papanikolaou@panther.io>

* kbroughton/make_lint_action
* working
* remove dogfood, add make install and test
* update filename
* update trigger action
* update name

Co-authored-by: Kyle Bailey <kyle.o.bailey@gmail.com>

* Combine GSuite Alerts Rules
* Update the GSuite Report Pack yml to reflect the combined GSuite Alerts Rules

Co-authored-by: Kyle Bailey <kyle.o.bailey@gmail.com>
Co-authored-by: Ed <ed.anderson@panther.io>

* Tweaked the Cloudflare L7 DDoS detection to filter out blocks
* Update cloudflare_rules/cloudflare_firewall_ddos.yml

* feat: enable mccabe method cyclomatic complexity to linter with default setting of 10

…ther-labs#472)

* feat: add alert_context and global helper for all aws*rules/*py that lack them

Co-authored-by: Weyland <71197790+wey-chiang@users.noreply.github.com>

* Tweaked the Cloudflare L7 DDoS detection to filter out blocks
* Added new packs for Cloudflare and Slack
* Removed erroneous new line
* Removed unused globals

…olicy, lower severity if terraform (panther-labs#454)

feat: add detection for changes to a GCP IAM organization or folder policy, lower severity if terraform

Co-authored-by: Kyle Bailey <kyle.o.bailey@gmail.com>

…role assignment events (panther-labs#480)

…t field name. update to an extant field (panther-labs#486)

* init: remove pat imports
* move pat to dev-packages

Co-authored-by: lindsey-w <lindsey.whitehurst@panther.com>

…_s3_activity_greynoise. this fixes the error and adds a test case to exercise the codepath (panther-labs#488)

* kbailey: feat GitHub Advanced Security Rules
* make fmt
* add bypass; fix review comments
* fix displayname
* chore: change typo

Co-authored-by: Ed <ed.anderson@panther.io>

* k8s-unauthorized-exec-into-pod
* remove SampleSQL
* add checks for project_id exception
* fix linting and test
* make fmt

Co-authored-by: Kyle Bailey <kyle.o.bailey@gmail.com>

* kbailey: potentially malicious SSO DNS lookup
* make lint/fmt
* typos
* adjust filter for allowed domains
* add test, multiple domains

…e is Pending or Running (panther-labs#492)

Co-authored-by: Ed <ed.anderson@panther.io>

…y a non-extant field name. update to an extant field (panther-labs#486)" (panther-labs#496) This reverts commit f86b06b.

… to be defined in the pack. Also, added a name for onepassword pack (panther-labs#499)

* Add ipinfo lookup tables
* Add lut schemas
* Remove unused
* Add updated
* Remove None row
* Remove whitespace

* Fix primary key issue
* Fix log issues

Co-authored-by: Ed <ed.anderson@panther.io>

* Remove unusual login detection

  This rule is passing every successful login through the geoinfo_from_ip helper which uses IPInfo. Rate limits can cause this detection to break entirely. Removing this detection until LUT is available
* Update onepassword.yml
* Re-added Unusual Login rule as deprecated
* Update unusual_login_deprecated.py
* Update unusual_login_deprecated.yml

…anther-labs#509)

* adds Okta Password Access detection and list iterate global helper
* fixes linting errors, makes formatting changes, small logic edits

…dicts (panther-labs#513)

* sometimes IAM policy documents have statements that are `[dict(), dict()]` if they have only one statement, they are `dict()`. This PR updates listify to wrap the non-list form in a list.

…lease on Mondays. This upstream sync is disabled by default (panther-labs#514)

* [aws_cloudtrail_rules] RDS master pass updated
* Updated README and removal of old directory listing
* [readme] update writing detections link
* fmt
* [pr feedback] simplify rule and move name attr up
* [pr feedback] readme edits
* [templates] updated rule template
* [rds] updated source label

Co-authored-by: Jack Naglieri <jack@panther.io>

… trying to json.loads (panther-labs#516)
Co-authored-by: Jack Naglieri <jack@panther.io>
AWS CloudTrail detections.
AWS ECR CRUD events
AWS ECR events from uncommon IAM users
AWS ECR events outside of authorized accounts and regions
AWS Lambda CRUD events
Merge latest master from panther-analysis