Merge branch 'main' into egibs-sync-slack-references

rules/aws_cloudtrail_rules/aws_cloudtrail_created.yml

@@ -18,7 +18,7 @@ Severity: Info
 Description: >
   A CloudTrail Trail was created, updated, or enabled.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-cloudtrail-modified
-Reference: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
+Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
 SummaryAttributes:
   - eventName
   - userAgent

rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml

@@ -19,7 +19,7 @@ Severity: Medium
 Description: >
   A CloudTrail Trail was modified.
 Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-cloudtrail-modified
-Reference: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
+Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delete-trails-console.html
 SummaryAttributes:
   - eventName
   - userAgent

rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml

@@ -16,7 +16,7 @@ Threshold: 15
 DedupPeriodMinutes: 10
 Description: An IAM user has a high volume of access denied API calls.
 Runbook: Analyze the IP they came from, and other actions taken before/after.
-Reference: https://runpanther.io
+Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html
 SummaryAttributes:
   - eventName
   - userAgent

rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Info
 Description: A S3 Bucket, Policy, or Website was deleted
 Runbook: Explore if this bucket deletion was potentially destructive
-Reference: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html
+Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingObjects.html
 SummaryAttributes:
   - sourceIpAddress
   - userAgent

rules/box_rules/box_access_granted.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   A user granted access to their box account to Box technical support from account settings.
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/7039943421715-Enabling-and-Disabling-Access-for-Box-Support
 Runbook: >
   Investigate whether the user purposefully granted access to their account. 
 SummaryAttributes:

rules/box_rules/box_brute_force_login.yml

@@ -12,7 +12,7 @@ Description: >
   A Box user was denied access more times than the configured threshold.
 Threshold: 10
 DedupPeriodMinutes: 10
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360043695174-Logging-in-to-Box
 Runbook: >
   Analyze the IP they came from, and other actions taken before/after.  Check if this user eventually authenticated successfully. 
 SummaryAttributes:

rules/box_rules/box_event_triggered_externally.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: Medium
 Description: >
   An external user has triggered a box enterprise event.
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/8391393127955-Using-the-Enterprise-Event-Stream
 Runbook: >
   Investigate whether this user's activity is expected. 
 SummaryAttributes:

rules/box_rules/box_item_shared_externally.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: Medium
 Description: >
   A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). This rule requires that the boxsdk[jwt] be installed in the environment.
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/4404822772755-Enterprise-Settings-Content-Sharing-Tab
 Runbook: >
   Investigate whether this user's activity is expected. 
 SummaryAttributes:

rules/box_rules/box_malicious_content.yml

@@ -15,8 +15,7 @@ Severity: High
 Description: >
   Box has detect malicious content, such as a virus. 
 Reference: >
-  https://developer.box.com/guides/events/shield-alert-events/, 
-  https://developer.box.com/reference/resources/event/
+  https://developer.box.com/guides/events/shield-alert-events/
 Runbook: >
   Investigate whether this is a false positive or if the virus needs to be contained appropriately.
 SummaryAttributes:

rules/box_rules/box_new_login.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Info
 Description: >
   A user logged in from a new device. 
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360043691914-Controlling-Devices-Used-to-Access-Box
 Runbook: >
   Investigate whether this is a valid user login. 
 SummaryAttributes:

rules/box_rules/box_policy_violation.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   A user violated the content workflow policy. 
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360043692594-Creating-a-Security-Policy
 Runbook: >
   Investigate whether the user continues to violate the policy and take measure to ensure they understand policy. 
 SummaryAttributes:

rules/box_rules/box_untrusted_device.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Info
 Description: >
   A user attempted to login from an untrusted device. 
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360044194993-Setting-Up-Device-Trust-Security-Requirements
 Runbook: >
   Investigate whether this is a valid user attempting to login to box. 
 SummaryAttributes:

rules/box_rules/box_user_downloads.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Low
 Description: >
   A user has exceeded the threshold for number of downloads within a single time frame. 
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360043697134-Download-Files-and-Folders-from-Box
 Runbook: >
   Investigate whether this user's download activity is expected.  Investigate the cause of this download activity. 
 SummaryAttributes:

rules/box_rules/box_user_permission_updates.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Low
 Description: >
   A user has exceeded the threshold for number of folder permission changes within a single time frame. 
-Reference: https://developer.box.com/reference/resources/event/
+Reference: https://support.box.com/hc/en-us/articles/360043697254-Understanding-Folder-Permissions
 Runbook: >
   Investigate whether this user's activity is expected. 
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_advanced_protection.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Low
 Description: >
   A user disabled advanced protection for themselves.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts#titanium_change
+Reference: https://support.google.com/a/answer/9378686?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Have the user re-enable Google Advanced Protection
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_brute_force_login.yml

@@ -11,7 +11,7 @@ Severity: Medium
 Threshold: 10
 DedupPeriodMinutes: 10
 Description: A GSuite user was denied login access several times
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#login_failure
+Reference: https://support.google.com/a/answer/7281227?hl=en&sjid=864417124752637253-EU
 Runbook: Analyze the IP they came from and actions taken before/after.
 Tests:
   -

rules/gsuite_activityevent_rules/gsuite_calendar_made_public.yml

@@ -13,7 +13,7 @@ Reports:
 Severity: Medium
 Description: >
   A User or Admin Has Modified A Calendar To Be Public
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/calendar#change_calendar_acls
+Reference: https://support.google.com/calendar/answer/37083?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Follow up with user about this calendar share. 
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: Low
 Description: >
   A GSuite document's ownership was transferred to an external party.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-docs-settings#TRANSFER_DOCUMENT_OWNERSHIP
+Reference: https://support.google.com/drive/answer/2494892?hl=en&co=GENIE.Platform%3DDesktop&sjid=864417124752637253-EU
 Runbook: >
   Verify that this document did not contain sensitive or private company information.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: High
 Description: >
   A user has configured mail forwarding to an external domain
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
+Reference: https://support.google.com/mail/answer/10957?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Follow up with user to remove this forwarding rule if not allowed.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_google_access.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   Google accessed one of your GSuite resources directly, most likely in response to a support incident.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/access-transparency
+Reference: https://support.google.com/a/answer/9230474?hl=en
 Runbook: >
   Your GSuite Super Admin can visit the Access Transparency report in the GSuite Admin Dashboard to see more details about the access.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_gov_attack.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Critical
 Description: >
   GSuite reported that it detected a government backed attack against your account.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#gov_attack_warning
+Reference: https://support.google.com/a/answer/9007870?hl=en
 Runbook: >
   Followup with GSuite support for more details.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_group_banned_user.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   A GSuite user was banned from an enterprise group by moderator action.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups-enterprise#ban_user_with_moderation
+Reference: https://support.google.com/a/users/answer/9303224?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Investigate the banned user to see if further disciplinary action needs to be taken.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_leaked_password.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: High
 Description: >
   GSuite reported a user's password has been compromised, so they disabled the account.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak
+Reference: https://support.google.com/a/answer/2984349?hl=en#zippy=%2Cstep-temporarily-suspend-the-suspected-compromised-user-account%2Cstep-investigate-the-account-for-unauthorized-activity%2Cstep-revoke-access-to-the-affected-account%2Cstep-return-access-to-the-user-again%2Cstep-enroll-in--step-verification-with-security-keys%2Cstep-add-secure-or-update-recovery-options%2Cstep-enable-account-activity-alerts
 Runbook: >
   GSuite has already disabled the compromised user's account. Consider investigating how the user's account was compromised, and reset their account and password. Advise the user to change any other passwords in use that are the sae as the compromised password.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_login_type.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: Medium
 Description: >
   A login of a non-approved type was detected for this user.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#login
+Reference: https://support.google.com/a/answer/9039184?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Correct the user account settings so that only logins of approved types are available.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Medium
 Description: >
   GSuite reported a user's device has been compromised.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile#DEVICE_COMPROMISED_EVENT
+Reference: https://support.google.com/a/answer/7562165?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Have the user change their passwords and reset the device.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Medium
 Description: >
   Someone failed to unlock a user's device multiple times in quick succession.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile#FAILED_PASSWORD_ATTEMPTS_EVENT
+Reference: https://support.google.com/a/answer/6350074?hl=en
 Runbook: >
   Verify that these unlock attempts came from the user, and not a malicious actor which has acquired the user's device.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   GSuite reported a suspicious activity on a user's device.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/mobile#SUSPICIOUS_ACTIVITY_EVENT
+Reference: https://support.google.com/a/answer/7562460?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Validate that the suspicious activity was expected by the user.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_permissions_delegated.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Low
 Description: >
   A GSuite user was granted new administrator privileges.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings#ASSIGN_ROLE
+Reference: https://support.google.com/a/answer/167094?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Valdiate that this users should have these permissions and they are not the result of a privilege escalation attack.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_suspicious_logins.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Medium
 Description: >
   GSuite reported a suspicious login for this user.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#suspicious_login
+Reference: https://support.google.com/a/answer/7102416?hl=en
 Runbook: >
   Checkout the details of the login and verify this behavior with the user to ensure the account wasn't compromised.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_two_step_verification.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Low
 Description: >
   A user disabled two step verification for themselves.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts
+Reference: https://support.google.com/mail/answer/185839?hl=en&co=GENIE.Platform%3DDesktop&sjid=864417124752637253-EU
 Runbook: >
   Depending on company policy, either suggest or require the user re-enable two step verification.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_user_suspended.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: High
 Description: >
   A GSuite user was suspended, the account may have been compromised by a spam network.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_generic
+Reference: https://support.google.com/drive/answer/40695?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Investigate the behavior that got the account suspended. Verify with the user that this intended behavior. If not, the account may have been compromised.
 SummaryAttributes:

rules/gsuite_activityevent_rules/gsuite_workspace_calendar_external_sharing.yml

@@ -13,7 +13,7 @@ Reports:
 Severity: Medium
 Description: >
   A Workspace Admin Changed The Sharing Settings for Primary Calendars
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-calendar-settings#CHANGE_CALENDAR_SETTING
+Reference: https://support.google.com/a/answer/60765?hl=en
 Runbook: >
   Restore the calendar sharing setting to the previous value.
   If unplanned, use indicator search to identify other activity from this administrator.

rules/gsuite_activityevent_rules/gsuite_workspace_data_export_created.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Medium
 Description: >
   A Workspace Admin Has Created a Data Export
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/data-studio#DATA_EXPORT
+Reference: https://support.google.com/a/answer/100458?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Verify the intent of this Data Export. If intent cannot be verified, then
   a search on the actor's other activities is advised.

rules/gsuite_activityevent_rules/gsuite_workspace_trusted_domains_allowlist.yml

@@ -10,7 +10,7 @@ Tags:
 Severity: Medium
 Description: >
   A Workspace Admin Has Modified The Trusted Domains List
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#ADD_TRUSTED_DOMAINS
+Reference: https://support.google.com/a/answer/6160020?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Verify the intent of this modification. If intent cannot be verified, then
   an indicator search on the actor is advised.

rules/gsuite_reports_rules/gsuite_drive_external_share.yml

@@ -18,7 +18,7 @@ Description: An employee shared a sensitive file externally with another organiz
 Runbook: >
   Contact the employee who made the share and make sure they redact the access.
   If the share was legitimate, add to the EXCEPTION_PATTERNS in the detection.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/usage/user/drive#visibility-parameters
+Reference: https://support.google.com/docs/answer/2494822?hl=en&co=GENIE.Platform%3DiOS&sjid=864417124752637253-EU
 Tests:
   -
     Name: Dangerous Share of Known Document with a Missing User

rules/gsuite_reports_rules/gsuite_drive_overly_visible.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Info
 Description: >
   A Google drive resource that is overly visible has been modified.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive#access
+Reference: https://support.google.com/docs/answer/2494822?hl=en&co=GENIE.Platform%3DDesktop&sjid=864417124752637253-EU
 Runbook: >
   Investigate whether the drive document is appropriate to be this visible.
 SummaryAttributes:

rules/gsuite_reports_rules/gsuite_drive_visibility_change.yml

@@ -15,7 +15,7 @@ Reports:
 Severity: Low
 Description: >
   A Google drive resource became externally accessible.
-Reference: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive#acl_change
+Reference: https://support.google.com/a/users/answer/12380484?hl=en&sjid=864417124752637253-EU
 Runbook: >
   Investigate whether the drive document is appropriate to be publicly accessible.
 SummaryAttributes:

rules/okta_rules/okta_admin_disabled_mfa.yml

@@ -15,7 +15,7 @@ Reports:
     - TA0005:T1556
 Severity: High
 Description: An admin user has disabled the MFA requirement for your Okta account
-Reference: https://developer.okta.com/docs/reference/api/event-types/?q=system.mfa.factor.deactivate
+Reference: https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/about-authenticators.htm
 Runbook: Contact Admin to ensure this was sanctioned activity
 DedupPeriodMinutes: 15
 SummaryAttributes:

rules/okta_rules/okta_brute_force_logins.yml

@@ -10,7 +10,7 @@ Tags:
   - Okta
 Severity: Medium
 Description: A user has failed to login more than 5 times in 15 minutes
-Reference: https://developer.okta.com/docs/reference/api/system-log/#user-events
+Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US
 Runbook: Reach out to the user if needed to validate the activity, and then block the IP
 Threshold: 5
 DedupPeriodMinutes: 15

rules/okta_rules/okta_password_accessed.yml

@@ -14,7 +14,7 @@ Reports:
 Severity: Medium
 Description: >
   User accessed another user's application password
-Reference: https://developer.okta.com/docs/reference/api/event-types/#catalog
+Reference: https://help.okta.com/en-us/content/topics/apps/apps_revealing_the_password.htm
 Runbook: >
   Investigate whether this was authorized access.
 Tests:

rules/okta_rules/okta_rate_limits.yml

@@ -13,7 +13,7 @@ Reports:
   MITRE ATT&CK:
     - TA0006:T1110
     - TA0040:T1498
-Reference: https://developer.okta.com/docs/reference/rate-limits/
+Reference: https://help.okta.com/en-us/content/topics/security/api-rate-limits.htm
 Tests:
     - ExpectedResult: true
       Log:

rules/onelogin_rules/onelogin_active_login_activity.yml

@@ -13,7 +13,7 @@ Reports:
   MITRE ATT&CK:
     - TA0008:T1550
 Description: Multiple user accounts logged in from the same ip address.
-Reference: https://developers.onelogin.com/api-docs/1/events/event-resource 
+Reference: https://support.onelogin.com/kb/4271392/user-policies
 Runbook: Investigate whether multiple user's logging in from the same ip address is expected. Determine if this ip address should be added to the SHARED_IP_SPACE array.
 SummaryAttributes:
   - account_id

rules/onelogin_rules/onelogin_brute_force_by_ip.yml

@@ -15,7 +15,7 @@ Reports:
 Description: A single ip address was denied access to OneLogin more times than the configured threshold.
 Threshold: 10
 DedupPeriodMinutes: 10
-Reference: https://developers.onelogin.com/api-docs/1/events/event-resource
+Reference: https://www.fortinet.com/resources/cyberglossary/brute-force-attack#:~:text=A%20brute%20force%20attack%20is,and%20organizations'%20systems%20and%20networks.
 Runbook: Analyze the IP they came from, and other actions taken before/after. Check if a user from this ip eventually authenticated successfully.
 SummaryAttributes:
   - account_id

rules/onelogin_rules/onelogin_brute_force_by_username.yml

@@ -15,7 +15,7 @@ Reports:
 Description: A OneLogin user was denied access more times than the configured threshold.
 Threshold: 10
 DedupPeriodMinutes: 10
-Reference: https://developers.onelogin.com/api-docs/1/events/event-resource
+Reference: https://www.fortinet.com/resources/cyberglossary/brute-force-attack#:~:text=A%20brute%20force%20attack%20is,and%20organizations'%20systems%20and%20networks.
 Runbook: Analyze the IP they came from, and other actions taken before/after.  Check if this user eventually authenticated successfully.
 SummaryAttributes:
   - account_id