Service Packs & AWS CIS Pack #252
Conversation
🥳
PackDefinition:
  IDs:
    - Osquery.Linux.AWSCommandExecuted
    - Osquery.Linux.LoginFromNonOffice
Wondering how we will deal with "configuration required" detections? We want to manage them via packs, but should they be enabled with the non-configuration-required detections?
Huh, that's a good point -- had not considered the case for configuration required.

It'd be slick if we had a thing in the UI that specifically alerts users to detections requiring configuration.
It's a good question. Typically we disabled by default detections that had the configuration required tag, but that doesn't make as much sense in the packs world. I think for now we should just include them, and customers will need to know to search for that tag. In the future we might have some CTAs in the UI for these.
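Since the thread settles on shipping configuration-required detections inside packs and relying on customers to find them by tag, the following is an added example (written for this discussion, not code from panther_analysis_tool or this PR) of a small audit that takes a pack definition in the PackDefinition/IDs shape shown above and reports which members carry the tag, which are ready to enable, and which IDs point at no known detection. It assumes detection metadata exposes a Tags list and that the tag is spelled "Configuration Required" (the comment only says "configuration required tag"); the pack, the tags and the pack ID are constructed sample values.

```python
"""Audit a Panther-style pack for detections that need configuration.

Added example for this PR discussion; not panther_analysis_tool code.
Assumptions: packs have the PackDefinition -> IDs shape from the review
snippets, detections expose a Tags list, and the tag reads
"Configuration Required" (matched case-insensitively).
"""
from typing import Dict, List

CONFIG_REQUIRED_TAG = "configuration required"  # assumed spelling, compared lower-cased

# Constructed sample pack mirroring the PackDefinition/IDs shape in the PR.
# The PackID and the third member are made up to exercise the "missing" branch.
SAMPLE_PACK: Dict = {
    "PackID": "Example.Osquery",  # hypothetical pack id
    "PackDefinition": {
        "IDs": [
            "Osquery.Linux.AWSCommandExecuted",
            "Osquery.Linux.LoginFromNonOffice",
            "CiscoUmbrella.DNS.Blocked",
        ]
    },
}

# Constructed detection metadata keyed by RuleID; the tags are sample values.
SAMPLE_DETECTIONS: Dict[str, Dict] = {
    "Osquery.Linux.AWSCommandExecuted": {"Tags": ["Osquery", "Configuration Required"]},
    "Osquery.Linux.LoginFromNonOffice": {"Tags": ["Osquery"]},
}


def pack_member_ids(pack: Dict) -> List[str]:
    """Return the detection IDs a pack enables, tolerating a pack with no IDs."""
    return list(pack.get("PackDefinition", {}).get("IDs", []))


def requires_configuration(detection: Dict) -> bool:
    """True when any tag on the detection is the configuration-required tag."""
    tags = detection.get("Tags") or []
    return any(str(tag).strip().lower() == CONFIG_REQUIRED_TAG for tag in tags)


def audit_pack(pack: Dict, detections: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Bucket pack members into ready, configuration_required and missing.

    'missing' catches pack IDs with no detection metadata, the kind of
    copy-paste slip a pack author wants to see before shipping.
    """
    report: Dict[str, List[str]] = {"ready": [], "configuration_required": [], "missing": []}
    for rule_id in pack_member_ids(pack):
        detection = detections.get(rule_id)
        if detection is None:
            report["missing"].append(rule_id)
        elif requires_configuration(detection):
            report["configuration_required"].append(rule_id)
        else:
            report["ready"].append(rule_id)
    return report


def format_report(pack: Dict, report: Dict[str, List[str]]) -> str:
    """Render the audit as plain text, one bucket per block."""
    lines = [f"Pack {pack.get('PackID', '<unknown>')}:"]
    for bucket in ("configuration_required", "ready", "missing"):
        lines.append(f"  {bucket} ({len(report[bucket])}):")
        lines.extend(f"    - {rule_id}" for rule_id in report[bucket])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_PACK, audit_pack(SAMPLE_PACK, SAMPLE_DETECTIONS)))
```

Pointing `audit_pack` at real pack and detection metadata (parsed from YAML with the loader of your choice) gives a pre-enable checklist: anything in `configuration_required` needs its settings filled in before it is turned on, and anything in `missing` is a pack ID that does not resolve to a detection.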
    - CiscoUmbrella.DNS.Blocked
    - CiscoUmbrella.DNS.FuzzyMatching
    - CiscoUmbrella.DNS.Suspicious
  # Globals used in these detections
missing a global or copied comment?
Copy pasta, left in if we ever add in detections that require globals
Co-authored-by: Lindsey Whitehurst <43453975+lindsey-w@users.noreply.github.com>
Sorted testing (#1)

Add command-line argument sort-test-results to panther_analysis_tool. When set, sort-test-results will bucket test results output by passed/errored status, and will sort test cases by Rule ID.

* Minor updates - rename variable, conditional print (#2)
* Print passed tests first, followed by failed
* Sort tests by Rule ID
* Add container
* Add container
* Add container
* Add logic to print organized output when a results container is passed.
* Add container
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* Update version
* rename variable. Only print detection ID in setup_run_tests when not sorting test results
* Conditionally print blank lines (#3)
* Conditionally print blank line
* Conditionally print blank line
* Use implied bool arg (#4)
* Conditionally print blank line
* Conditionally print blank line
* Update arg implementation
* Update arg implementation
* Apply diff from Panther (#5)
* Apply diff from panther
* Lint with black (#6)
* lint with black

---------

Co-authored-by: Chris Dzombak <chris@chrisdzombak.net>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Closes https://app.asana.com/0/1199940726973121/1200101326773347/f
Background
This PR adds new packs based on the service provider as well as an AWS CIS pack
Changes
Testing