panther-labs · egibs · Apr 23, 2024 · Apr 11, 2024 · Apr 15, 2024 · Apr 16, 2024
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.45"
+panther-analysis-tool = "~=0.46"
 panther-detection-helpers = "==0.3.0"
 
 [requires]

@@ -0,0 +1,25 @@
+AnalysisType: lookup_table
+LookupName: TrailDiscover
+Enabled: true
+Description: An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents references, other research references and security implications.
+Filename: traildiscover_data.jsonl
+Reference: https://github.com/adanalvarez/TrailDiscover
+Schema: TrailDiscover.CloudTrail
+LogTypeMap:
+  PrimaryKey: eventName
+  AssociatedLogTypes:
+    - LogType: AWS.CloudTrail
+      Selectors:
+        - "eventName"
+    - LogType: OCSF.AccountChange
+      Selectors:
+        - "$.api.operation"
+    - LogType: OCSF.ApiActivity
+      Selectors:
+        - "$.api.operation"
+    - LogType: OCSF.Authentication
+      Selectors:
+        - "$.api.operation"
+    - LogType: OCSF.UserAccess
+      Selectors:
+        - "$.api.operation"
@@ -124,7 +124,6 @@ PackDefinition:
     - AWS.S3.Bucket.NameDNSCompliance
     - AWS.S3.BucketDeleted
     - AWS.S3.BucketPolicyModified
-    - AWS.S3.GreyNoiseActivity
     - AWS.S3.ServerAccess.Error
     - AWS.SecurityHub.Finding.Evasion
     - AWS.VPC.FlowLogs
@@ -175,7 +174,6 @@ PackDefinition:
     - panther_config_overrides
     - panther_default
     - panther_event_type_helpers
-    - panther_greynoise_helpers
     - panther_iocs
     - panther_lookuptable_helpers
     - panther_oss_helpers
@@ -5,13 +5,10 @@ Description: Group of all Cloudflare detections
 PackDefinition:
   IDs:
     - Cloudflare.Firewall.L7DDoS
-    - Cloudflare.Firewall.SuspiciousEventGreyNoise
     - Cloudflare.HttpRequest.BotHighVolume
-    - Cloudflare.HttpRequest.BotHighVolumeGreyNoise
     # Globals used in these rules/policies
     - panther_base_helpers
     - panther_cloudflare_helpers
-    - panther_greynoise_helpers
     - panther_lookuptable_helpers
     - global_filter_cloudflare
     - panther_config

@@ -1,7 +1,7 @@
 AnalysisType: rule
 Description: S3 operations from known malicious GreyNoise classifications. Note that this rule will only work with S3 object-level logging enabled for a given bucket.
-DisplayName: "GreyNoise Malicious AWS S3 Get/List Object"
-Enabled: true
+DisplayName: "--DEPRECATED-- GreyNoise Malicious AWS S3 Get/List Object"
+Enabled: false
 Filename: aws_s3_activity_greynoise.py
 Reference: https://attack.mitre.org/techniques/T1530/
 Reports:
@@ -25,6 +25,7 @@ Tags:
   - AWS
   - GreyNoise
   - Collection:Data From Cloud Storage Object
+  - Deprecated
 Tests:
   - ExpectedResult: true
     Name: GetObject from Malicious GreyNoise finding

@@ -8,6 +8,7 @@ LogTypes:
 Tags:
   - Cloudflare
   - GreyNoise
+  - Deprecated
 Severity: Info
 Description: Monitors high volume events blocked from the same IP enriched with GreyNoise
 Runbook: Inspect and monitor internet-facing services for potential outages

@@ -1,13 +1,14 @@
 AnalysisType: rule
 Filename: cloudflare_firewall_suspicious_event_greynoise.py
 RuleID: "Cloudflare.Firewall.SuspiciousEventGreyNoise"
-DisplayName: "Cloudflare Suspicious Event - GreyNoise"
-Enabled: true
+DisplayName: "--DEPRECATED-- Cloudflare Suspicious Event - GreyNoise"
+Enabled: false
 LogTypes:
   - Cloudflare.Firewall
 Tags:
   - Cloudflare
   - GreyNoise
+  - Deprecated
 Severity: Medium
 Description: Monitors for non-blocked requests from Greynoise identified malicious IP Addresses
 Runbook: Inspect resources accessed for malicious behavior

@@ -1,13 +1,14 @@
 AnalysisType: rule
 Filename: cloudflare_httpreq_bot_high_volume_greynoise.py
 RuleID: "Cloudflare.HttpRequest.BotHighVolumeGreyNoise"
-DisplayName: "Cloudflare Bot High Volume GreyNoise"
+DisplayName: "--DEPRECATED-- Cloudflare Bot High Volume GreyNoise"
 Enabled: false
 LogTypes:
   - Cloudflare.HttpRequest
 Tags:
   - Cloudflare
   - GreyNoise
+  - Deprecated
 Severity: Low
 Description: Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment
 Runbook: Inspect and monitor internet-facing services for potential outages

@@ -3,7 +3,9 @@
 
 
 def rule(event):
-    if not deep_get(event, "protoPayload", "methodName").endswith("CloudBuild.CreateBuild"):
+    if not deep_get(event, "protoPayload", "methodName", default="METHOD_NOT_FOUND").endswith(
+        "CloudBuild.CreateBuild"
+    ):
         return False
 
     authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")

@@ -3,7 +3,9 @@
 
 
 def rule(event):
-    if not deep_get(event, "protoPayload", "methodName").endswith("ApiKeys.CreateKey"):
+    if not deep_get(event, "protoPayload", "methodName", default="METHOD_NOT_FOUND").endswith(
+        "ApiKeys.CreateKey"
+    ):
         return False
 
     authorization_info = deep_walk(event, "protoPayload", "authorizationInfo")

@@ -3,6 +3,9 @@ Description: A Microsoft365 user was denied login access several times
 DisplayName: "Microsoft365 Brute Force Login by User"
 Enabled: true
 Filename: microsoft365_brute_force_login_by_user.py
+Reports:
+  MITRE ATT&CK:
+    - TA0006:T1110 # Credential Access - Brute Force
 Runbook: Analyze the IP they came from and actions taken before/after.
 Reference: https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/access-denied-when-connect-to-office-365
 Severity: Medium

@@ -3,6 +3,9 @@ Description: Document shared externally
 DisplayName: "Microsoft365 External Document Sharing"
 Enabled: true
 Filename: microsoft365_external_sharing.py
+Reports:
+  MITRE ATT&CK:
+    - TA0009:T1039 # Collection - Data from Network Shared Drive
 Runbook: Check the document metadata to ensure it is not a sensitive document.
 Reference: https://support.microsoft.com/en-us/topic/manage-sharing-with-external-users-in-microsoft-365-small-business-2951a85f-c970-4375-aa4f-6b0d7035fe35#:~:text=Top%20of%20Page-,Turn%20external%20sharing%20on%20or%20off,-The%20ability%20to
 Severity: Low

@@ -3,6 +3,11 @@ Description: A user's MFA has been removed
 DisplayName: "Microsoft365 MFA Disabled"
 Enabled: true
 Filename: microsoft365_mfa_disabled.py
+Reports:
+  MITRE ATT&CK:
+    - TA003:T1556 # Persistence - Modify Authentication Process
+    - TA005:T1556 # Defense Evansion - Modify Authentication Process
+    - TA006:T1556 # Credential Access - Modify Authentication Process
 Runbook: Depending on company policy, either suggest or require the user re-enable two step verification.
 Reference: https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
 Severity: Low

@@ -3,6 +3,9 @@ Description: Detects creation of forwarding rule to external domains
 DisplayName: "Microsoft Exchange External Forwarding"
 Enabled: true
 Filename: microsoft_exchange_external_forwarding.py
+Reports:
+  MITRE ATT&CK:
+    - TA0009:T1114 # Collection - Email Collection
 Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide
 Severity: High
 Tests:

@@ -27,9 +27,9 @@ def rule(event):
     global IPINFO_LOC
     IPINFO_LOC = IPInfoLocation(event)
     path_to_ip = "event.ip_address"
-    city = IPINFO_LOC.city(path_to_ip)
-    region = IPINFO_LOC.region(path_to_ip)
-    country = IPINFO_LOC.country(path_to_ip)
+    city = IPINFO_LOC.city(path_to_ip) or ""
+    region = IPINFO_LOC.region(path_to_ip) or ""
+    country = IPINFO_LOC.country(path_to_ip) or ""
     loc_string = "_".join((city, region, country))
 
     # Store the login location. The premise is to create a new entry for each combimation of user

@@ -245,3 +245,53 @@ Tests:
         "p_source_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
         "p_source_label": "Notion Logs",
       }
+  - Name: Login from different location - no region
+    ExpectedResult: true
+    Mocks:
+      - objectName: get_dictionary
+        returnValue: '{ "Minas Tirith_Pellenor_Gondor": 1686542031 }'
+      - objectName: put_dictionary
+        returnValue: False
+    Log:
+      {
+        "event":
+          {
+            "actor":
+              {
+                "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+                "object": "user",
+                "person": { "email": "aragorn.elessar@lotr.com" },
+                "type": "person",
+              },
+            "details": { "authType": "email" },
+            "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+            "ip_address": "192.168.100.100",
+            "platform": "web",
+            "timestamp": "2023-06-12 21:40:28.690000000",
+            "type": "user.login",
+            "workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+          },
+        "p_enrichment":
+          {
+            "ipinfo_location":
+              {
+                "event.ip_address":
+                  {
+                    "city": "Barad-Dur",
+                    "lat": "0.00000",
+                    "lng": "0.00000",
+                    "country": "Mordor",
+                    "postal_code": "55555",
+                    "region_code": "MD",
+                    "timezone": "Middle Earth/Mordor",
+                  },
+              },
+          },
+        "p_event_time": "2023-06-12 21:40:28.690000000",
+        "p_log_type": "Notion.AuditLogs",
+        "p_parse_time": "2023-06-12 22:53:51.602223297",
+        "p_row_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+        "p_schema_version": 0,
+        "p_source_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+        "p_source_label": "Notion Logs",
+      }