panther-labs · arielkr256 · Aug 15, 2024
@@ -6,6 +6,7 @@ Tags:
  - AWS
  - DEPRECATED
 Severity: Info
+CreateAlert: false
 Reports:
  MITRE ATT&CK:
  - T1528 # Steal Application Access Token

@@ -8,6 +8,7 @@ Enabled: false
 ScheduledQueries:
  - Query.Snowflake.UserCreated
 Severity: Info
+CreateAlert: false
 Tags:
  - Snowflake
  - Persistence:Create Account

@@ -8,6 +8,7 @@ Enabled: false
 ScheduledQueries:
  - Query.Snowflake.UserEnabled
 Severity: Info
+CreateAlert: false
 Tags:
  - Snowflake
  - Persistence:Create Account

@@ -6,6 +6,7 @@ Filename: auth0_integration_installed.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
 Reference: https://auth0.com/blog/actions-integrations-are-now-ga/
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

@@ -6,6 +6,7 @@ Filename: auth0_mfa_factor_setting_enabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable this setting as it's in the best security interest for your organization's security posture.
 Reference: https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

@@ -6,6 +6,7 @@ Filename: auth0_mfa_risk_assessment_enabled.py
 Runbook: Assess if this was done by the user for a valid business reason. Be vigilant when enabling this setting as it's in the best security interest for your organization's security posture.
 Reference: https://auth0.com/docs/secure/multi-factor-authentication/enable-mfa#:~:text=Always%20policy%2C%20the-,MFA%20Risk%20Assessors,-section%20appears.%20By
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: false
  Log:

@@ -4,6 +4,7 @@ Enabled: true
 Filename: auth0_user_invitation_created.py
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

@@ -6,6 +6,7 @@ Filename: auth0_user_joined_tenant.py
 RuleID: Auth0.User.Joined.Tenant
 Reference: https://auth0.com/docs/manage-users/organizations/configure-organizations/invite-members#send-membership-invitations:~:text=.-,Send%20membership%20invitations,-You%20can
 Severity: Info
+CreateAlert: false
 LogTypes:
  - Auth0.Events
 Tests:

@@ -8,6 +8,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1087
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1538
 Severity: Info
+CreateAlert: false
 Description: >
  A CloudTrail Trail was created, updated, or enabled.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-cloudtrail-modified

@@ -8,6 +8,7 @@ Reports:
  - TA0007:T1201
 Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: false
  Log:

@@ -6,10 +6,9 @@ Enabled: true
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
-InlineFilters:
- - All: []
 Tests:
  - Name: Access Key Action Failed
  ExpectedResult: false
@@ -275,4 +274,3 @@ Tests:
  type: lambda
  webIdFederationData: {}
  type: AssumedRole
-CreateAlert: false
@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1526
 Severity: Info
+CreateAlert: false
 Description: >
  An AWS Config Recorder or Delivery Channel was created
 Runbook: >

@@ -6,6 +6,6 @@ Enabled: true
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
-DedupPeriodMinutes: 60
-Threshold: 1
 CreateAlert: false
+DedupPeriodMinutes: 60
+Threshold: 1
@@ -3,10 +3,10 @@ Filename: aws_console_signin.py
 RuleID: "AWS.Console.Sign-In"
 DisplayName: "SIGNAL - AWS Console SSO Sign-In"
 Enabled: true
-CreateAlert: false
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0005:T1562
 Severity: Info
+CreateAlert: false
 Description: An EC2 Network Gateway was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-gateway-modified
 Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

@@ -9,6 +9,7 @@ Reports:
 Runbook: Verify that the action was not taken by a malicious actor.
 Reference: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html#amazonec2imagebuilder-actions-as-permissions
 Severity: Info
+CreateAlert: false
 Tags:
  - ec2
 Tests:

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0005:T1562
 Severity: Info
+CreateAlert: false
 Description: An EC2 Network ACL was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-network-acl-modified
 Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-tasks

@@ -14,6 +14,7 @@ Reports:
  MITRE ATT&CK:
  - TA0010:T1048
 Severity: Info
+CreateAlert: false
 Description: An EC2 Route Table was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-route-table-modified
 Reference: https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0005:T1562
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 720 # 12 hours
 Description: >
  An EC2 Security Group was modified.

@@ -2,13 +2,13 @@ AnalysisType: rule
 RuleID: "AWS.EC2.StopInstances"
 DisplayName: "CloudTrail EC2 StopInstances"
 Enabled: true
-CreateAlert: false
 Filename: aws_ec2_stopinstances.py
 LogTypes:
  - AWS.CloudTrail
 Tags:
  - panther-signal
 Severity: Info
+CreateAlert: false
 Description: >
  A CloudTrail instances were stopped. It makes further changes of instances possible
 Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0005:T1562
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 720 # 12 hours
 Description: An EC2 VPC was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-vpc-modified

@@ -9,6 +9,7 @@ Tags:
  - AWS
  - Identity and Access Management
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 720 # 12 hours
 Description: >
  A change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high level view of changes, helfpul to indicate how dynamic a certain IAM environment is.

@@ -6,6 +6,7 @@ Filename: aws_iam_group_read_only_events.py
 Reference: https://attack.mitre.org/techniques/T1069/
 Runbook: Examine other activities done by this user to determine whether or not activity is suspicious.
 Severity: Info
+CreateAlert: false
 Tags:
  - AWS
  - Cloudtrail

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0004:T1548
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 720 # 12 hours
 Description: >
  An IAM Policy was changed.

@@ -12,6 +12,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1526
 Severity: Info
+CreateAlert: false
 Threshold: 15
 DedupPeriodMinutes: 10
 Description: An IAM user has a high volume of access denied API calls.

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0040:T1485
 Severity: Info
+CreateAlert: false
 Description: >
  A KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-kms-cmk-loss

@@ -12,6 +12,7 @@ Reports:
  MITRE ATT&CK:
  - TA0040:T1485
 Severity: Info
+CreateAlert: false
 Description: A S3 Bucket, Policy, or Website was deleted
 Runbook: Explore if this bucket deletion was potentially destructive
 Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0010:T1567
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 720 # 12 hours
 Description: >
  An S3 Bucket was modified.

@@ -10,6 +10,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1518
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log:

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1526
 Severity: Info
+CreateAlert: false
 Description: An unauthorized AWS API call was made
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-unauthorized-api-call
 Reference: https://amzn.to/3aOukaA

@@ -13,6 +13,7 @@ Tags:
  - Identity & Access Management
  - Persistence:Account Manipulation
 Severity: Info
+CreateAlert: false
 Description: A console password, access key, or user has been created.
 Runbook: This rule is purely informational, there is no action needed.
 Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html

@@ -3,10 +3,10 @@ Filename: retrieve_sso_access_token.py
 RuleID: "Retrieve.SSO.access.token"
 DisplayName: "SIGNAL - Retrieve SSO access token"
 Enabled: true
-CreateAlert: false
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:

@@ -3,10 +3,10 @@ Filename: role_assumed_by_aws_service.py
 RuleID: "Role.Assumed.by.AWS.Service"
 DisplayName: "SIGNAL - Role Assumed by AWS Service"
 Enabled: false
-CreateAlert: false
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:

@@ -3,10 +3,10 @@ Filename: role_assumed_by_user.py
 RuleID: "Role.Assumed.by.User"
 DisplayName: "SIGNAL - Role Assumed by User"
 Enabled: false
-CreateAlert: false
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:

@@ -3,10 +3,10 @@ Filename: signin_with_aws_cli_prompt.py
 RuleID: "Sign-in.with.AWS.CLI.prompt"
 DisplayName: "SIGNAL - Sign-in with AWS CLI prompt"
 Enabled: true
-CreateAlert: false
 LogTypes:
  - AWS.CloudTrail
 Severity: Info
+CreateAlert: false
 DedupPeriodMinutes: 60
 Threshold: 1
 Tests:

@@ -12,6 +12,7 @@ Reports:
  - "TA0007:T1613"
 Reference: https://aws.github.io/aws-eks-best-practices/security/docs/detective/
 Severity: Info
+CreateAlert: false
 Description: > # (Optional)
  This detection identifies if a public sourceIP is generating multiple 403s
  with the Kubernetes API server.

@@ -12,6 +12,7 @@ Reports:
  - "TA0027:T1475" # Tactic ID:Technique ID (https://attack.mitre.org/tactics/enterprise/)
 Reference: https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
 Severity: Info
+CreateAlert: false
 Description: >
  This detection identifies if an activity is recorded in the Kubernetes audit log where
  the user:username attribute begins with "system:" or "eks:" and the requests originating

@@ -15,6 +15,7 @@ Reports:
  MITRE ATT&CK:
  - TA0007:T1619
 Severity: Info
+CreateAlert: false
 Description: >
  Checks for errors during S3 Object access.
  This could be due to insufficient access permissions, non-existent buckets, or other reasons.

@@ -12,6 +12,7 @@ Reports:
  MITRE ATT&CK:
  - TA0001:T1078
 Severity: Info
+CreateAlert: false
 Description: >
  A user logged in from a new device.
 Reference: https://support.box.com/hc/en-us/articles/360043691914-Controlling-Devices-Used-to-Access-Box

@@ -12,6 +12,7 @@ Reports:
  MITRE ATT&CK:
  - TA0001:T1078
 Severity: Info
+CreateAlert: false
 Description: >
  A user attempted to login from an untrusted device.
 Reference: https://support.box.com/hc/en-us/articles/360044194993-Setting-Up-Device-Trust-Security-Requirements

@@ -10,6 +10,7 @@ Tags:
  - GreyNoise
  - Deprecated
 Severity: Info
+CreateAlert: false
 Description: Monitors high volume events blocked from the same IP enriched with GreyNoise
 Runbook: Inspect and monitor internet-facing services for potential outages
 Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments

@@ -10,6 +10,7 @@ DedupPeriodMinutes: 1440
 Enabled: false
 Filename: crowdstrike_lolbas.py
 Severity: Info
+CreateAlert: false
 Tags:
  - Configuration Required
 Tests:

@@ -5,6 +5,7 @@ Enabled: true
 Filename: gcp_bigquery_large_scan.py
 Reference: https://cloud.google.com/bigquery/docs/running-queries
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: false
  Log:

@@ -5,6 +5,7 @@ Enabled: true
 Filename: gcp_destructive_queries.py
 Reference: https://cloud.google.com/bigquery/docs/managing-tables
 Severity: Info
+CreateAlert: false
 Tests:
  - ExpectedResult: true
  Log: