Upstream master #2

Merged
merged 58 commits into from
Oct 5, 2022
Merged
Changes from 1 commit
Commits
58 commits
18a58fc
Cleanup CODEOWNERS (#459)
k-bailey Jul 28, 2022
3b552f5
Slack Data Models & Alert Context Helper (#458)
wey-chiang Jul 28, 2022
c6e6863
Add example lookup table and data file (#446)
Jul 29, 2022
9139402
Update GSuite Alerts Rules with Rule Name (#440)
Jeffreyhung Aug 2, 2022
22a8248
Slack Detections - Workspace/Org (#460)
wey-chiang Aug 2, 2022
aad1873
Slack Detections - Channel (#461)
wey-chiang Aug 2, 2022
2a05930
Initial Commit - Slack Detections - File (#465)
wey-chiang Aug 3, 2022
a3b6cfb
Slack Detections - App (#462)
wey-chiang Aug 3, 2022
d89befa
Slack Detections - EKM (#463)
wey-chiang Aug 3, 2022
d071b43
Slack Detections - User (#464)
wey-chiang Aug 3, 2022
af06d4a
Remove managed schemas (#421)
Aug 4, 2022
4321c05
fix: panther specific github actions should not run on forks (#469)
edyesed Aug 5, 2022
59f8f22
Kbroughton/make lint action (#452)
kbroughton Aug 5, 2022
b6f96df
kbailey: remove circleCI (#470)
k-bailey Aug 5, 2022
409acf8
Combine GSuite High/Medium/Low Rule alerts into one (#467)
Jeffreyhung Aug 5, 2022
6e6b7e5
chore: update test badge to use github actions (#471)
edyesed Aug 5, 2022
22541ed
Tweak - Cloudflare L7 DDoS (#475)
wey-chiang Aug 8, 2022
ba559fb
feat: cyclomatic complexity linting (#474)
edyesed Aug 10, 2022
d79d703
feat: bring additional alert_context to AWS rules which had none (#472)
edyesed Aug 10, 2022
70294f9
Packs: Cloudflare & Slack (#478)
wey-chiang Aug 15, 2022
0c9c65c
fix: greynoise object function call not attribute (#479)
k-bailey Aug 16, 2022
8239133
feat: add detection for changes to a GCP IAM organization or folder p…
kbroughton Aug 29, 2022
bcb4026
fix: update GCP data model to correctly identify users and roles for …
Jeffreyhung Aug 29, 2022
f924129
chore: workflow tweak to allow sync to dogfood for both forks and bra…
edyesed Aug 31, 2022
5cc4287
feat: require compliance with the black python code formatter to pass…
k-bailey Aug 31, 2022
cd220c8
feat: organize queries, policies, and rules into subdirectories (#484)
edyesed Sep 2, 2022
a8db48e
feat: remove the automagic sync to panther's dogfood repo (#483)
edyesed Sep 7, 2022
4bd1d14
chore: update linter versions and respond to new findings (#485)
edyesed Sep 7, 2022
f86b06b
bug: GreyNoise last_seen attribute had been referenced by a non-extan…
LCMeed Sep 8, 2022
738972b
Remove pat imports (#487)
lindsey-w Sep 8, 2022
32b2a25
fix: There was an un-exercised codepath for GreyNoise Advanced in aws…
edyesed Sep 9, 2022
d72f3ee
kbailey: feat GitHub Advanced Security Rules (#489)
k-bailey Sep 9, 2022
ef6d8e9
k8s-unauthorized-exec-into-pod (#456)
kbroughton Sep 10, 2022
efa6f1d
kbailey: potentially malicious SSO DNS lookup (#490)
k-bailey Sep 12, 2022
7c69fba
fix: detailed ec2 instance monitoring should only alert if an instanc…
Sep 12, 2022
e45530f
kbailey: fix gcp k8s folder structure (#491)
k-bailey Sep 13, 2022
5af19ca
create pack for snowflake detections (#495)
calkim-panther Sep 15, 2022
54517b8
fix: Revert "bug: GreyNoise last_seen attribute had been referenced b…
Sep 15, 2022
154c140
fix: Packs based on scheduled queries also need the scheduled queries…
Sep 16, 2022
0e28280
fix: remove double comma 😱 (#501)
benjamminj Sep 16, 2022
5e9165b
fix: unroll the snowflake pack (#503)
Sep 16, 2022
541f00c
Add IpInfo LUT (#498)
rmarathay-zz Sep 19, 2022
b50498c
Fix primary key issue (#504)
rmarathay-zz Sep 20, 2022
2d4c1f2
check not first login, test case (#502)
calkim-panther Sep 20, 2022
d3d0941
Deprecate unusual login detection (#506)
jstan12 Sep 22, 2022
2554e95
chore: revert of #498 and #504 (#511)
Sep 22, 2022
e155ff0
adds Okta Password Access detection and list iterate global helper (#…
cpascale43 Sep 23, 2022
37c0141
fix: panther_oss_helpers.listify should also return [maybe_list] for …
nskobov Sep 23, 2022
44c3e0c
kbailey: fix rename gsuite rule (#493)
k-bailey Sep 23, 2022
227a9c7
feat: a GitHub workflow that will sync a fork to upstream's latest-re…
Sep 26, 2022
4bb21cf
feat: cloudtrail based RDS Updated Password detection (#515)
jacknagz Sep 27, 2022
70f1774
calkim: Sigma High Rules (#512)
calkim-panther Sep 27, 2022
32e2699
enable new rules (#517)
calkim-panther Sep 27, 2022
3f89216
bugfix p_any_ip_address -> p_any_ip_addresses (#518)
calkim-panther Sep 27, 2022
32615e4
fix: remove localdev stuff from github workflow (#519)
Sep 28, 2022
df70f0a
fix: sometimes box_parse_additional_details could raise an error whe…
Sep 29, 2022
e771c3d
feat: detection for AWS Macie Evasion (#520)
jacknagz Sep 29, 2022
fdf1ed2
AWS CloudTrail detections (#521)
jstan12 Oct 3, 2022
Add IpInfo LUT (panther-labs#498)
* Add ipinfo lookup tables

* Add lut schemas

* Remove unused

* Add updated

* Remove None row

* Remove whitespace
rmarathay-zz authored Sep 19, 2022
commit 541f00ce40cab4ebf8e55f336b4111450c662149
186 changes: 185 additions & 1 deletion lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -20,6 +20,9 @@ LogTypeMap:
- LogType: Apache.AccessCommon
Selectors:
- "remote_host_ip_address"
- LogType: Asana.Audit
Selectors:
- "$.context.client_ip_address"
- LogType: Atlassian.Audit
Selectors:
- "$.attributes.location.ip"
@@ -57,6 +60,10 @@ LogTypeMap:
Selectors:
- "externalIp"
- "internalIp"
- LogType: CiscoUmbrealla.IP
Selectors:
- "destinationIp"
- "sourceIp"
- LogType: CiscoUmbrella.Proxy
Selectors:
- "destinationIp"
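Review bot: the new `CiscoUmbrealla.IP` entry misspells the log type (the sibling entry below it reads `CiscoUmbrella.Proxy`), so this map key will never match a real log type and the `destinationIp`/`sourceIp` selectors will silently never be enriched. Suggest correcting it to `CiscoUmbrella.IP` and, since the same class of mistake recurs in this file, adding a test that checks every `LogType` value in `LogTypeMap` against the list of known schema names.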
@@ -74,17 +81,23 @@ LogTypeMap:
Selectors:
- "ClientIP"
- "OriginIP"
- LogType: Crowdstrike.AIDMaster
Selectors:
- "aip"
- LogType: Crowdstrike.ActivityAudit
Selectors:
- "UserIp"
- LogType: Crowdstrike.CriticalFile
Selectors:
- "aip"
- LogType: Crowdstrike.DetectionSummary
Selectors:
- "LocalIP"
- "OriginSourceIpAddress"
- LogType: Crowdstrike.DNSRequest
Selectors:
- "IpAddress"
- LogType: Crowdstrike.AIDMaster
- LogType: Crowdstrike.GroupIdentity
Selectors:
- "aip"
- LogType: Crowdstrike.ManagedAssets
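Review bot: `Crowdstrike.AIDMaster` appears twice in this hunk, once at the top with its own `aip` selector and once immediately before the new `Crowdstrike.GroupIdentity` entry. If the second occurrence is the line being removed to relocate the entry, fine, but please confirm the resulting file contains exactly one `AIDMaster` entry and that `GroupIdentity` is meant to inherit the `aip` selector that follows it, since a duplicated `LogType` key in `LogTypeMap` makes which selector set applies ambiguous.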
@@ -102,21 +115,60 @@ LogTypeMap:
- "LocalAddressIP6"
- "RemoteAddressIP4"
- "RemoteAddressIP6"
- LogType: Crowdstrike.NotManagedAssets
Selectors:
- "aip"
- "CurrentLocalIP"
- "LocalAddressIP4"
- LogType: Crowdstike.ProcessRollup2
Selectors:
- "aip"
- LogType: Crowdstrike.ProcessRollup2Stats
Selectors:
- "aip"
- LogType: Crowdstrike.SyntheticProcessRollup2
Selectors:
- "aip"
- LogType: Crowdstrike.Unknown
Selectors:
- "aip"
- LogType: Crowdstrike.UserIdentity
Selectors:
- "aip"
- LogType: Crowdstrike.UserLogonLogoff
Selectors:
- "aip"
- LogType: Dropbox.TeamEvent
Selectors:
- "$.origin.geo_location.ip_address"
- LogType: Duo.Authentication
Selectors:
- "$.access_device.ip"
- "$.auth_device.ip"
- LogType: Box.Event
Selectors:
- "ip_address"
- LogType: Fastly.Access
Selectors:
- "remote_host_ip_address"
- LogType: GCP.AuditLog
Selectors:
- "$.protoPayload.requestMetadata.callerIP"
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
- LogType: GCP.HTTPLoadBalancer
Selectors:
- "$.httpRequest.remoteIP"
- "$.httpRequest.serverIP"
- LogType: GitLab.API
Selectors:
- "remote_ip"
- LogType: GitLab.Exceptions
Selectors:
- "remote_ip"
- LogType: GitLab.Integrations
Selectors:
- "p_any_ip_addresses"
- LogType: GitLab.Production
Selectors:
- "remote_ip"
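Review bot: `Crowdstike.ProcessRollup2` is missing the `r` in `Crowdstrike` (compare `Crowdstrike.ProcessRollup2Stats` directly below), so this entry will not match the log type it is intended for and process-rollup events will not get the enrichment. Please fix the spelling. Minor style point in the same hunk: `Box.Event` is inserted between `Duo.Authentication` and `Fastly.Access`, breaking the alphabetical ordering the rest of the map follows; moving it up next to `Atlassian.Audit` keeps the file easy to diff.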
@@ -130,6 +182,9 @@ LogTypeMap:
- LogType: GSuite.Reports
Selectors:
- "ipAddress"
- LogType: Jamfpro.Login
Selectors:
- "ipAddress"
- LogType: Juniper.Access
Selectors:
# use p_any_ip_addresses because we extract ip addresses but have no fields
@@ -148,6 +203,36 @@ LogTypeMap:
Selectors:
# use p_any_ip_addresses because we extract ip addresses but fields are variable
- "p_any_ip_addresses"
- LogType: Lacework.AgentManagement
Selectors:
- "IP_ADDR"
- LogType: Lacework.Connections
Selectors:
- "$.ENDPOINT_DETAILS.dst_ip_addr"
- "$.ENDPOINT_DETAILS.src_ip_addr"
- LogType: Lacework.ContainerSummary
Selectors:
- "$.PROPS_CONTAINER.POD_IP_ADDR"
- "$.PROPS_CONTAINER.IPV4"
- LogType: Lacework.DNSQuery
Selectors:
- "DNS_SERVER_IP"
- "HOST_IP_ADDR"
- LogType: Lacework.Image
Selectors:
- "p_any_ip_addresses"
- LogType: Lacework.Interfaces
Selectors:
- "IP_ADDR"
- LogType: Lacework.InternalIPA
Selectors:
- "IP_ADDR"
- LogType: Lacework.MachineSummary
Selectors:
- "PRIMARY_IP_ADDR"
- LogType: Lacework.PodSummary
Selectors:
- "PRIMARY_IP_ADDR"
- LogType: Microsoft365.Audit.AzureActiveDirectory
Selectors:
- "ActorIpAddress"
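Review bot: `Lacework.Image` selects on `p_any_ip_addresses` without the explanatory comment that the `Juniper` entries carry ("use p_any_ip_addresses because we extract ip addresses but fields are variable"). Please add the same comment here so a later reader knows this is deliberate rather than a placeholder; it is also worth double-checking that the `Lacework.InternalIPA` log type name is complete, as it does not follow the naming pattern of the other Lacework entries.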
@@ -165,6 +250,21 @@ LogTypeMap:
- LogType: Microsoft365.DLP.All
Selectors:
- "ClientIP"
- LogType: MicrosoftGraph.SecurityAlert #Beta
Selectors:
- "$.cloudAppStates[0].destinationServiceIp"
- "$.hostStates[6].privateIpAddress"
- "$.cloudAppStates[7].publicIpAddress"
- "$.networkConnections[1].destinationAddress"
- "$.networkConnections[9].natDestinationAddress"
- "$.networkConnections[11].natSourceAddress"
- "$.networkConnections[15].sourceAddress"
- LogType: MongoDB.OrganizationalEvent
Selectors:
- "remoteAddress"
- LogType: MongoDB.ProjectEvent
Selectors:
- "remoteAddress"
- LogType: Nginx.Access
Selectors:
- "remoteAddr"
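Review bot: the `MicrosoftGraph.SecurityAlert` selectors use hard-coded array indices (`$.hostStates[6]`, `$.cloudAppStates[7]`, `$.networkConnections[1]`, `[9]`, `[11]`, `[15]`) that look copied from one sample event. They will only enrich the element at that exact position and will match nothing on alerts whose arrays are shorter, which means most alerts will get no enrichment. Suggest either selecting `p_any_ip_addresses`, as this file already does for log types with variable fields, or using index `[0]` consistently if only the first element is wanted, and noting the choice in a comment.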
@@ -180,6 +280,12 @@ LogTypeMap:
- LogType: OnePassword.SignInAttempt
Selectors:
- "$.client.ip_address"
- LogType: OSSEC.EventInfo
Selectors:
- "srcip"
- "agentip"
- "dstgeoip"
- "dstip"
- LogType: Salesforce.Login
Selectors:
- "CLIENT_IP"
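Review bot: the `OSSEC.EventInfo` selector `dstgeoip` sits alongside `srcip`, `agentip` and `dstip`, but its name suggests a geolocation field rather than an IP address. If it does not hold a bare address the lookup will never match; please confirm the field contents against the schema or drop the selector.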
@@ -202,6 +308,16 @@ LogTypeMap:
- LogType: Sophos.Central
Selectors:
- "$.source_info.ip"
- LogType: Suricata.Alert
Selectors:
- "$.tls.sni"
- "dest_ip"
- "src_ip"
- LogType: Suricata.DHCP
Selectors:
- "dest_ip"
- "$.dhcp.assigned_ip"
- "src_ip"
- LogType: Suricata.Anomaly
Selectors:
- "dest_ip"
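Review bot: `Suricata.Alert` adds `$.tls.sni` as a selector next to `dest_ip` and `src_ip`, but SNI is a server hostname, not an IP address, so an IP-keyed lookup table will never match on it. Suggest removing `$.tls.sni` from this entry so the selector list only contains address fields, consistent with the other Suricata entries in this hunk.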
@@ -210,10 +326,78 @@ LogTypeMap:
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Suricata.FileInfo
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Suricata.Flow
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Suricata.HTTP
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Suricata.SSH
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Suricata.TLS
Selectors:
- "dest_ip"
- "src_ip"
- LogType: Zeek.Conn
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.DHCP
Selectors:
- "requested_addr"
- LogType: Zeek.DNS
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.DPD
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Files
Selectors:
- "$.rx_hosts[0]" # type array
- "$.tx_hosts[0]" # type array
- LogType: Zeek.HTTP
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Notice
Selectors:
- "dst"
- "id.orig_h"
- "id.resp_h"
- "src"
- LogType: Zeek.NTP
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Software
Selectors:
- "host"
- LogType: Zeek.SSH
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Stats
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Tunnel
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zeek.Weird
Selectors:
- "id.orig_h"
- "id.resp_h"
- LogType: Zendesk.Audit
Selectors:
- "ip_address"
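Review bot: `Zeek.Files` selects only `$.rx_hosts[0]` and `$.tx_hosts[0]` (the comment notes these are arrays), so a file transfer with several hosts in either array is enriched for the first host only. As with the Juniper entries earlier in this file, `p_any_ip_addresses` would cover every extracted address; if the first-element behaviour is intentional, please say so in the comment.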