AppOmni Alert passthrough #1211

Merged
merged 18 commits into from
May 14, 2024
Deprecate GreyNoise detections (#1205)
* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
melenevskyi and arielkr256 authored Apr 11, 2024
commit 8b4be2052026a26ddb8c19d637072f0ae30d4f61
2 changes: 0 additions & 2 deletions packs/aws.yml
@@ -124,7 +124,6 @@ PackDefinition:
- AWS.S3.Bucket.NameDNSCompliance
- AWS.S3.BucketDeleted
- AWS.S3.BucketPolicyModified
- AWS.S3.GreyNoiseActivity
- AWS.S3.ServerAccess.Error
- AWS.SecurityHub.Finding.Evasion
- AWS.VPC.FlowLogs
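Review bot: dropping AWS.S3.GreyNoiseActivity from the pack ID list while the rule file itself stays in the repository (disabled and tagged Deprecated, per the later hunks) means the pack stops shipping the rule outright rather than shipping it disabled; confirm that is the intended deprecation path and that it matches how the Cloudflare pack is handled in this same commit, so users of both packs see one consistent behaviour.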
@@ -175,7 +174,6 @@ PackDefinition:
- panther_config_overrides
- panther_default
- panther_event_type_helpers
- panther_greynoise_helpers
- panther_iocs
- panther_lookuptable_helpers
- panther_oss_helpers
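Review bot: removing panther_greynoise_helpers from the pack globals is safe only if no rule still listed in this pack imports it; the GreyNoise S3 rule is gone from the ID list in the hunk above, but please confirm none of the remaining AWS rules or the other globals kept here (panther_iocs, panther_lookuptable_helpers, panther_oss_helpers) depend on the helper module, since a missing global surfaces at rule load time rather than in this diff.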
3 changes: 0 additions & 3 deletions packs/cloudflare.yml
@@ -5,13 +5,10 @@ Description: Group of all Cloudflare detections
PackDefinition:
IDs:
- Cloudflare.Firewall.L7DDoS
- Cloudflare.Firewall.SuspiciousEventGreyNoise
- Cloudflare.HttpRequest.BotHighVolume
- Cloudflare.HttpRequest.BotHighVolumeGreyNoise
# Globals used in these rules/policies
- panther_base_helpers
- panther_cloudflare_helpers
- panther_greynoise_helpers
- panther_lookuptable_helpers
- global_filter_cloudflare
- panther_config
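Review bot: the same dependency check applies here: with panther_greynoise_helpers dropped from the globals list, the two remaining rules (Cloudflare.Firewall.L7DDoS and Cloudflare.HttpRequest.BotHighVolume) and panther_cloudflare_helpers must not import it. The hunk header (-5,13 +5,10) accounts for exactly the three removed lines, so no other pack entries changed.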
14 changes: 0 additions & 14 deletions packs/greynoise_advanced.yml

This file was deleted.

14 changes: 0 additions & 14 deletions packs/greynoise_basic.yml

This file was deleted.

5 changes: 3 additions & 2 deletions rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml
@@ -1,7 +1,7 @@
AnalysisType: rule
Description: S3 operations from known malicious GreyNoise classifications. Note that this rule will only work with S3 object-level logging enabled for a given bucket.
DisplayName: "GreyNoise Malicious AWS S3 Get/List Object"
Enabled: true
DisplayName: "--DEPRECATED-- GreyNoise Malicious AWS S3 Get/List Object"
Enabled: false
Filename: aws_s3_activity_greynoise.py
Reference: https://attack.mitre.org/techniques/T1530/
Reports:
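Review bot: the Description on the second line of this hunk still reads as an active rule ("S3 operations from known malicious GreyNoise classifications...") with no mention that it is deprecated or what replaces it; since the --DEPRECATED-- prefix only reaches people who read the DisplayName, consider adding a one-line deprecation notice (and a pointer to any replacement) to the Description as well. Flipping Enabled to false while leaving Reference and Reports intact is fine.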
@@ -25,6 +25,7 @@ Tags:
- AWS
- GreyNoise
- Collection:Data From Cloud Storage Object
- Deprecated
Tests:
- ExpectedResult: true
Name: GetObject from Malicious GreyNoise finding
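Review bot: the Tests block immediately below the added Deprecated tag still carries ExpectedResult: true for the malicious GreyNoise case, so CI will keep executing aws_s3_activity_greynoise.py and its enrichment helper even though the rule is disabled. That is acceptable as long as the helper module stays in the repository, but it is worth stating in the PR that the Python and its tests are intentionally retained; the tag itself keeps the rule discoverable by tag, which is good.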
@@ -8,6 +8,7 @@ LogTypes:
Tags:
- Cloudflare
- GreyNoise
- Deprecated
Severity: Info
Description: Monitors high volume events blocked from the same IP enriched with GreyNoise
Runbook: Inspect and monitor internet-facing services for potential outages
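Review bot: this hunk only adds the Deprecated tag; the DisplayName and Enabled lines sit outside the shown context (the hunk starts at line 8 of the file), so it is not visible whether this rule also received the --DEPRECATED-- prefix and Enabled: false like the other GreyNoise rules in this commit. Please confirm, since a rule tagged Deprecated but still enabled would keep raising Info-severity alerts.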
@@ -1,13 +1,14 @@
AnalysisType: rule
Filename: cloudflare_firewall_suspicious_event_greynoise.py
RuleID: "Cloudflare.Firewall.SuspiciousEventGreyNoise"
DisplayName: "Cloudflare Suspicious Event - GreyNoise"
Enabled: true
DisplayName: "--DEPRECATED-- Cloudflare Suspicious Event - GreyNoise"
Enabled: false
LogTypes:
- Cloudflare.Firewall
Tags:
- Cloudflare
- GreyNoise
- Deprecated
Severity: Medium
Description: Monitors for non-blocked requests from Greynoise identified malicious IP Addresses
Runbook: Inspect resources accessed for malicious behavior
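Review bot: the Description ("Monitors for non-blocked requests from Greynoise identified malicious IP Addresses") and Runbook are unchanged, so apart from the DisplayName prefix nothing tells an operator why the rule is off or what to use instead; consider a short deprecation note in Description. The Enabled true-to-false flip plus the Deprecated tag matches the S3 rule in this commit, so the deprecation convention is uniform across files.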
@@ -1,13 +1,14 @@
AnalysisType: rule
Filename: cloudflare_httpreq_bot_high_volume_greynoise.py
RuleID: "Cloudflare.HttpRequest.BotHighVolumeGreyNoise"
DisplayName: "Cloudflare Bot High Volume GreyNoise"
DisplayName: "--DEPRECATED-- Cloudflare Bot High Volume GreyNoise"
Enabled: false
LogTypes:
- Cloudflare.HttpRequest
Tags:
- Cloudflare
- GreyNoise
- Deprecated
Severity: Low
Description: Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment
Runbook: Inspect and monitor internet-facing services for potential outages
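Review bot: unlike the firewall rule above, this hunk shows a single Enabled: false with no Enabled: true counterpart, and the header (-1,13 +1,14) is fully explained by the DisplayName rename and the added Deprecated tag, so Enabled: false is unchanged context: this rule was already disabled before this commit. Worth a line in the PR description so reviewers do not look for a missing toggle, and confirm that the rename and tag alone are the intended change here.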