Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
panther-labs · Jun 10, 2024 · 56e014b · 56e014b
1 parent 72f363c
commit 56e014b
Show file tree

Hide file tree

Showing 52 changed files with 4,681 additions and 2,238 deletions.
diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml
@@ -2,15 +2,16 @@ on:
   pull_request:
 
 permissions:
-  contents: read    
+  contents: read
+  pull-requests: write
 
 jobs:
   check_packs:
     name: check packs
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block
@@ -19,7 +20,7 @@ jobs:
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-    
+
       - name: Checkout panther-analysis
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
@@ -38,7 +39,7 @@ jobs:
           panther_analysis_tool check-packs 2> errors.txt || true
 
           # run again to get exit code
-          panther_analysis_tool check-packs || echo ::set-output name=errors::`cat errors.txt`
+          panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT
 
       - name: Comment PR
         uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
@@ -50,6 +51,7 @@ jobs:
             looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
+            ```
           comment_tag: check-packs
       - name: Delete comment
         uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
@@ -61,4 +63,5 @@ jobs:
             looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
+            ```
           comment_tag: check-packs
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -11,7 +11,7 @@ jobs:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - name: Validate Secrets

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -265,7 +265,7 @@ Previously, Node, NPM and Prettier were used for formatting Markdown and YAML fi
 
 Depending on how Node is managed, it will need to be uninstalled or removed if it is no longer needed elsewhere. Refer to your system/package manager's documentation for instructions on removing Node.
 
-Otherwise, running `npm unintall prettier` will remove Prettier.
+Otherwise, running `npm uninstall prettier` will remove Prettier.
 
 # License
 

diff --git a/data_models/aws_vpcflow_data_model.yml b/data_models/aws_vpcflow_data_model.yml
@@ -15,3 +15,5 @@ Mappings:
     Path: srcPort
   - Name: user_agent
     Path: userAgent
+  - Name: log_status
+    Path: log-status
diff --git a/data_models/ocsf_dnsactivity_data_model.yml b/data_models/ocsf_dnsactivity_data_model.yml
@@ -0,0 +1,13 @@
+AnalysisType: datamodel
+LogTypes:
+  - OCSF.DnsActivity
+DataModelID: "Standard.OCSF.DnsActivity"
+DisplayName: "OCSF DNS Activity"
+Enabled: true
+Mappings:
+  - Name: source_ip
+    Path: $.src_endpoint.ip
+  - Name: source_port
+    Path: $.src_endpoint.port
+  - Name: dns_query
+    Path: $.query.hostname
diff --git a/data_models/ocsf_networkactivity_data_model.yml b/data_models/ocsf_networkactivity_data_model.yml
@@ -0,0 +1,17 @@
+AnalysisType: datamodel
+LogTypes:
+  - OCSF.NetworkActivity
+DataModelID: "Standard.OCSF.NetworkActivity"
+DisplayName: "OCSF Network Activity"
+Enabled: true
+Mappings:
+  - Name: destination_ip
+    Path: $.dst_endpoint.ip
+  - Name: destination_port
+    Path: $.dst_endpoint.port
+  - Name: source_ip
+    Path: $.src_endpoint.ip
+  - Name: source_port
+    Path: $.src_endpoint.port
+  - Name: log_status
+    Path: status_code
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -167,6 +167,8 @@ PackDefinition:
     - Standard.AWS.CloudTrail
     - Standard.AWS.S3ServerAccess
     - Standard.AWS.VPCFlow
+    - Standard.OCSF.NetworkActivity
+    - Standard.OCSF.DnsActivity
     # Globals used in these rules/policies
     - panther_base_helpers
     - panther_config

diff --git a/packs/aws_decoy.yml b/packs/aws_decoy.yml
@@ -0,0 +1,11 @@
+AnalysisType: pack
+PackID: PantherManaged.AWSDecoy
+Description: Group of all AWS Decoy resources detections
+PackDefinition:
+  IDs:
+    - Decoy.S3.Accessed
+    - Decoy.Systems.Manager.Parameter.Accessed
+    - Decoy.DynamoDB.Accessed
+    - Decoy.IAM.Assumed
+    - Decoy.Secret.Accessed
+DisplayName: "Panther AWS Decoy Detections"
diff --git a/packs/snowflake.yml b/packs/snowflake.yml
@@ -0,0 +1,38 @@
+AnalysisType: pack
+PackID: PantherManaged.Snowflake.Account_Usage
+Description: >
+  Group of all Snowflake account_usage audit log detections and threat hunting queries.
+  These queries require that Panther's read-only role has access to the snowflake.account_usage audit database 
+  (this may need to be done by the Snowflake admins).
+  https://docs.panther.com/search/scheduled-searches/examples#database-monitoring-snowflake
+DisplayName: "Panther Snowflake Account_Usage Pack"
+PackDefinition:
+  IDs:
+    # Queries
+    - Query.Snowflake.AccountAdminGranted
+    - Query.Snowflake.BruteForceByIp
+    - Query.Snowflake.BruteForceByUsername
+    - Query.Snowflake.ClientIp
+    - Query.Snowflake.External.Shares
+    - Query.Snowflake.KeyUserPasswordLogin
+    - Query.Snowflake.Multiple.Logins.Followed.By.Success
+    - Query.Snowflake.SuspectedUserAccess
+    - Query.Snowflake.UserCreated
+    - Query.Snowflake.UserEnabled
+    # Rules
+    - Snowflake.AccountAdminGranted
+    - Snowflake.BruteForceByIp
+    - Snowflake.BruteForceByUsername
+    - Snowflake.Client.IP
+    - Snowflake.Configuration.Drift
+    - Snowflake.External.Shares
+    - Snowflake.KeyUserPasswordLogin
+    - Snowflake.Multiple.Failed.Logins.Followed.By.Success
+    - Snowflake.User.Access
+    - Snowflake.UserCreated
+    - Snowflake.UserEnabled
+    # Threat Hunting Queries
+    - Query.Snowflake.ThreatHunting.ConfigurationDrift
+    - Query.Snowflake.ThreatHunting.ClientIp
+    - Query.Snowflake.ThreatHunting.SuspectedUserAccess
+    - Query.Snowflake.ThreatHunting.SuspectedUserActivity
diff --git a/policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py b/policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py
@@ -1,19 +1,33 @@
+import ipaddress
+
+GLOBAL_IPV6 = ipaddress.IPv6Network("::/0")
+# Choose an arbitrary sentinel value that isn't equivalent to the GLOBAL_IPV6 value.
+IPV6_SENTINEL = ipaddress.IPv6Network("::1/128")
+
+
 def policy(resource):
-    for entry in resource["Entries"]:
-        # Look for ingress rules from any IP.
-        # This could be modified in the future to inspect the size
-        # of the source network with the ipaddress.ip_network.num_addresses call.
+    # Enumerate the entries in the network ACL, in evaluation order.
+    ingress_entries = sorted(
+        (entry for entry in resource["Entries"] if not entry["Egress"]),
+        key=lambda x: x["RuleNumber"],
+    )
+    for entry in ingress_entries:
+        # Look for SSH ingress rules from wildcard IPs.
         if (
-            not entry["Egress"]
-            and entry["CidrBlock"] == "0.0.0.0/0"
-            and entry["RuleAction"] == "allow"
+            entry.get("CidrBlock") == "0.0.0.0/0"
+            # Handle non-standard representations like `"0::/0"`.
+            or ipaddress.IPv6Network(entry.get("Ipv6CidrBlock") or IPV6_SENTINEL) == GLOBAL_IPV6
+        ) and (
+            not entry.get("PortRange")
+            or entry["PortRange"]["From"] <= 22 <= entry["PortRange"]["To"]
         ):
-            # Check within a range of ports, normally the From/To would be set to 22,
-            # but this covers the case where it could be 0-1024.
-            if (
-                "PortRange" not in entry
-                or not entry["PortRange"]
-                or entry["PortRange"]["From"] <= 22 <= entry["PortRange"]["To"]
-            ):
-                return False
+            # If this is a deny rule, then the ACL has an explicit deny rule with a lower (more
+            # important) precedence than any rule that would allow SSH from arbitrary IPs. If it's
+            # an allow rule, then the opposite is true. Either way, this rule determines the
+            # entire outcome of the policy evaluation.
+            #
+            # Another way to read this: pass the policy check if the SSH rule here is a deny.
+            return entry["RuleAction"] == "deny"
+
+    # Found no SSH ingress rules from wildcard IPs.
     return True