Merge branch 'fix/edyesed/box_helpers_caseimmutable' of https://githu…

…b.com/panther-labs/panther-analysis into fix/edyesed/box_helpers_caseimmutable

README.md

@@ -16,11 +16,9 @@
 
 ---
 
-Panther is a security analytics platform built for cloud-focused security teams.
+Panther is a modern SIEM built for security operations at scale.
 
-Panther enables teams to define detections as code and programmatically upload them to your Panther deployment.
-
-This repository contains all the detections developed by Panther for use in your Panther deployment.
+With Panther, teams can define detections as code and programmatically upload them to your Panther deployment. This repository contains all detections developed by the Panther Team and the Community.
 
 We welcome all contributions! Please read the [contributing guidelines](https://github.com/panther-labs/panther-analysis/blob/master/CONTRIBUTING.md) before submitting pull requests.
 
@@ -40,43 +38,30 @@ Each folder contains detections in the format of `<log/resource type>_<detecton_
 * **Policies** represent the desired secure state of a [resource](https://docs.panther.com/cloud-scanning) to detect security misconfigurations
 * **Scheduled rules** analyze output of periodically executed [SQL queries](https://docs.panther.com/data-analytics/example-queries)
 
-### Available Detections by Platform/Service 
-[AWS](indexes/aws.md)
-
-[Google Cloud Platform](indexes/gcp.md)
-
-[Google Workspace](indexes/gworkspace.md)
-
-[Okta](indexes/okta.md)
-
-[OSquery](indexes/osquery.md)
-
-[Snowflake](indexes/snowflake.md)
-
-[Other SaaS Services](indexes/saas.md)
-
-[Panther Standard Detections](indexes/standard.md)
-
 ## Configure your Python environment
+
 ```bash
 make install
-make venv
 pipenv shell # Optional, this will spawn a subshell containing pipenv environment variables. Running pipenv run before commands becomes optional after this step
 ````
+
 ### Install dependencies and run your first test!
+
 ```bash 
-make deps
+make install
 pipenv run panther_analysis_tool test --path aws_cloudtrail_rules/
 ```
+
 ### Run detection tests
 ```bash
 pipenv run panther_analysis_tool test [-h] [--path PATH]
                                 [--filter KEY=VALUE [KEY=VALUE ...]
                                 [--debug]
-````
+```
+
 ### Test with a specific path
 ```bash
-pipenv run panther_analysis_tool test --path cisco_umbrella_dns_rules`
+pipenv run panther_analysis_tool test --path rules/cisco_umbrella_dns_rules
 ```
 ### Test by severity
 ```bash
@@ -94,10 +79,12 @@ pipenv run panther_analysis_tool zip [-h] [--path PATH] [--out OUT]
                                [--filter KEY=VALUE [KEY=VALUE ...]]
                                [--debug]
 ```
+
 ### Zip all Critical severity detections
 ```bash
 pipenv run panther_analysis_tool zip --filter Severity=Critical
 ````
+
 ### Upload detections to your Panther instance
 ```bash
 pipenv run panther_analysis_tool upload [-h] [--path PATH] [--out OUT]
@@ -113,7 +100,7 @@ Additionally, groups of detections may be linked to multiple "Reports", which is
 
 # Writing Detections
 
-*For a full reference on writing detections, read our [docs](https://docs.runpanther.io/writing-detections/panther-analysis-tool)!*
+*For a full reference on writing detections, read our [guide](https://docs.panther.com/writing-detections)!*
 
 Each detection has a Python file (`.py`) and a metadata file (`.yml`) of the same name (in the same location), for example:
 

rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.py

@@ -0,0 +1,25 @@
+from panther_base_helpers import aws_rule_context, deep_get
+
+
+def rule(event):
+    if event.get("eventName") == "ModifyInstanceAttribute" and deep_get(
+        event, "requestParameters", "userData"
+    ):
+        return True
+    return False
+
+
+def title(event):
+    return (
+        "Startup script for instance"
+        f" [{deep_get(event, 'requestParameters', 'instanceId')}] "
+        "was modified."
+    )
+
+
+def dedup(event):
+    return deep_get(event, "requestParameters", "instanceId")
+
+
+def alert_context(event):
+    return aws_rule_context(event)

rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml

@@ -0,0 +1,71 @@
+AnalysisType: rule
+Description: 'Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.'
+DisplayName: AWS EC2 Startup Script Change
+Enabled: true
+Filename: aws_ec2_startup_script_change.py
+Reports:
+    MITRE ATT&CK:
+        - TA0002:T1059
+Severity: High
+Tests:
+    - ExpectedResult: true
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: ModifyInstanceAttribute
+        eventsource: ec2.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+        requestParameters:
+            instanceId: testinstanceid
+            userData: <scripthere>
+      Name: ModifyInstanceAttributeUserdata
+    - ExpectedResult: false
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: ModifyInstanceAttribute
+        eventsource: ec2.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+        requestParameters:
+            instanceId: testinstanceid
+            instanceType:
+                value: t3.nano
+      Name: ModifyInstanceAttribute-NoUserData
+    - ExpectedResult: false
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: ModifyImageAttribute
+        eventsource: ec2.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+        requestParameters:
+            instanceId: testinstanceid
+            instanceType:
+                value: t3.nano
+      Name: NoModifyInstanceAttribute
+DedupPeriodMinutes: 60
+LogTypes:
+    - AWS.CloudTrail
+RuleID: AWS.EC2.Startup.Script.Change
+Threshold: 1

rules/aws_cloudtrail_rules/aws_ipset_modified.py

@@ -0,0 +1,21 @@
+from panther_base_helpers import aws_rule_context
+
+IPSET_ACTIONS = ["CreateIPSet", "UpdateIPSet"]
+
+
+def rule(event):
+    if (
+        event.get("eventSource", "") == "guardduty.amazonaws.com"
+        or event.get("eventSource", "") == "wafv2.amazonaws.com"
+    ):
+        if event.get("eventName", "") in IPSET_ACTIONS:
+            return True
+    return False
+
+
+def title(event):
+    return "IPSet was modified in " f"[{event.get('recepientAccountId','')}]"
+
+
+def alert_context(event):
+    return aws_rule_context(event)

rules/aws_cloudtrail_rules/aws_ipset_modified.yml

@@ -0,0 +1,60 @@
+AnalysisType: rule
+Description: 'Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. Potentially to disable security alerts against malicious IPs.'
+DisplayName: AWS Trusted IPSet Modified
+Enabled: true
+Filename: aws_ipset_modified.py
+Reports:
+    MITRE ATT&CK:
+        - TA0005:T1562
+Severity: High
+Tests:
+    - ExpectedResult: true
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: CreateIPSet
+        eventsource: guardduty.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+      Name: CreateIPSet Event
+    - ExpectedResult: true
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: CreateIPSet
+        eventsource: guardduty.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+      Name: UpdateIPSet
+    - ExpectedResult: false
+      Log:
+        awsregion: us-east-1
+        eventid: abc-123
+        eventname: ModifyInstanceAttributes
+        eventsource: guardduty.amazonaws.com
+        eventtime: "2022-07-17 04:50:23"
+        eventtype: AwsApiCall
+        eventversion: "1.08"
+        p_any_aws_instance_ids:
+            - testinstanceid
+        p_event_time: "2022-07-17 04:50:23"
+        p_log_type: AWS.CloudTrail
+        p_parse_time: "2022-07-17 04:55:11.788"
+      Name: NotIPSet
+DedupPeriodMinutes: 60
+LogTypes:
+    - AWS.CloudTrail
+RuleID: AWS.IPSet.Modified
+Threshold: 1

rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.py

@@ -0,0 +1,15 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    return (
+        event.get("eventName") == "ModifyDBInstance"
+        and event.get("eventSource") == "rds.amazonaws.com"
+        and bool(deep_get(event, "responseElements", "pendingModifiedValues", "masterUserPassword"))
+    )
+
+
+def title(event):
+    return (
+        f"RDS Master Password Updated on [{deep_get(event, 'responseElements', 'dBInstanceArn')}]"
+    )