From 5ca4f1df981cdca7e7552a65b6a88011ee996ce9 Mon Sep 17 00:00:00 2001
From: Evan Gibler
Date: Thu, 8 Feb 2024 17:03:48 -0600
Subject: [PATCH] Remove Rules that require configuration or aren't enabled; update PAT (#74)
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 Pipfile | 2 +-
 Pipfile.lock | 40 +++++++++++++++---------------
 packs/auth0.yml | 1 -
 packs/aws.yml | 47 ------------------------------------
 packs/box.yml | 2 --
 packs/carbonblack.yml | 3 +--
 packs/cisco_umbrella_dns.yml | 2 --
 packs/cloudflare.yml | 2 --
 packs/crowdstrike.yml | 4 ---
 packs/dropbox.yml | 2 --
 packs/gcp_audit.yml | 3 ---
 packs/github.yml | 1 -
 packs/gsuite_reports.yml | 7 ------
 packs/mongodb.yml | 1 -
 packs/netskope.yml | 2 --
 packs/notion.yml | 1 -
 packs/okta.yml | 1 -
 packs/onepassword.yml | 2 --
 packs/osquery.yml | 1 -
 19 files changed, 22 insertions(+), 102 deletions(-)
diff --git a/Pipfile b/Pipfile
index f85f0d792..7fc86308c 100644
--- a/Pipfile
+++ b/Pipfile
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.38"
+panther-analysis-tool = "~=0.39"
 panther-detection-helpers = "==0.2.0"
 [requires]
diff --git a/Pipfile.lock b/Pipfile.lock
index 316629695..f22df0f43 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "921cee686a656395a30aae8ac6069cf3197b1b4aa1a350c7874af1ca98b70c3e" + "sha256": "d2d43cb0e38e6667b7f9fc5f22dc91cfe095a2e0c7825c2e9105a18dbfeae942" }, "pipfile-spec": 6, "requires": {
@@ -147,19 +147,19 @@ }, "boto3": { "hashes": [ - "sha256:65acfe7f1cf2a9b7df3d4edb87c8022e02685825bd1957e7bb678cc0d09f5e5f", - "sha256:73f5ec89cb3ddb3ed577317889fd2f2df783f66b6502a9a4239979607e33bf74" + "sha256:7c70c6ceb2706c7fad6466a5de174fe6d0d6f5f8f1e052bfaad9cbe4e53b64cd", + "sha256:e74fbad79bc921a74a9a276ef9f38e1e31153f76690fe9bc5ec790007de36572" ], "markers": "python_version >= '3.8'", - "version": "==1.34.37" + "version": "==1.34.38" }, "botocore": { "hashes": [ - "sha256:2a5bf33aacd2d970afd3d492e179e06ea98a5469030d5cfe7a2ad9995f7bb2ef", - "sha256:3c46ddb1679e6ef45ca78b48665398636bda532a07cd476e4b500697d13d9a99" + "sha256:773e49f5bf596191e796b2a15096ff381e61778cbe7c982b381bb9f6bfe5fef3", + "sha256:da9754a8e1798706427ede9c9c0a55263bd8e57f217c021807b2946eb4a0c2d8" ], "markers": "python_version >= '3.8'", - "version": "==1.34.37" + "version": "==1.34.38" }, "certifi": { "hashes": [ @@ -668,10 +668,10 @@ }, "panther-analysis-tool": { "hashes": [ - "sha256:b6bca3d55fd68a9b754e3a9dfb19af28f36070bc74ed8e55554faacfc84ee89a" + "sha256:70bea9cbadd820ae2e77361e966320e058d5d16ebbc8d730298b0606844e934c" ], "index": "pypi", - "version": "==0.38.2" + "version": "==0.39.0" }, "panther-core": { "hashes": [ @@ -738,7 +738,7 @@ "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==2.8.2" }, "pyyaml": { @@ -1079,7 +1079,7 @@ "sha256:f481f16baec5290e45aebdc2a5168ebc6d35189ae6fea7a58787613a25f6e875", "sha256:fff3573c2db359f091e1589c3d7c5fc2f86f5bdb6f24252c2d8e539d4e45f412" ], - "markers": "python_version < '3.13' and platform_python_implementation == 'CPython'", + "markers": "platform_python_implementation == 'CPython' and python_version < '3.13'", "version": "==0.2.8" }, "s3transfer": { 
@@ -1110,7 +1110,7 @@ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==1.16.0" }, "sniffio": { @@ -1311,19 +1311,19 @@ }, "boto3": { "hashes": [ - "sha256:65acfe7f1cf2a9b7df3d4edb87c8022e02685825bd1957e7bb678cc0d09f5e5f", - "sha256:73f5ec89cb3ddb3ed577317889fd2f2df783f66b6502a9a4239979607e33bf74" + "sha256:7c70c6ceb2706c7fad6466a5de174fe6d0d6f5f8f1e052bfaad9cbe4e53b64cd", + "sha256:e74fbad79bc921a74a9a276ef9f38e1e31153f76690fe9bc5ec790007de36572" ], "markers": "python_version >= '3.8'", - "version": "==1.34.37" + "version": "==1.34.38" }, "botocore": { "hashes": [ - "sha256:2a5bf33aacd2d970afd3d492e179e06ea98a5469030d5cfe7a2ad9995f7bb2ef", - "sha256:3c46ddb1679e6ef45ca78b48665398636bda532a07cd476e4b500697d13d9a99" + "sha256:773e49f5bf596191e796b2a15096ff381e61778cbe7c982b381bb9f6bfe5fef3", + "sha256:da9754a8e1798706427ede9c9c0a55263bd8e57f217c021807b2946eb4a0c2d8" ], "markers": "python_version >= '3.8'", - "version": "==1.34.37" + "version": "==1.34.38" }, "certifi": { "hashes": [ @@ -1823,7 +1823,7 @@ "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86", "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==2.8.2" }, "pyyaml": { 
@@ -1920,7 +1920,7 @@ "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2'", "version": "==1.16.0" }, "stevedore": {
diff --git a/packs/auth0.yml b/packs/auth0.yml
index 5ffb82d9d..820572892 100644
--- a/packs/auth0.yml
+++ b/packs/auth0.yml
@@ -5,7 +5,6 @@ PackDefinition:
 IDs:
 - Auth0.Custom.Role.Created
 - Auth0.Integration.Installed
- - Auth0.MFA.Factor.Setting.Enabled
 - Auth0.MFA.Policy.Disabled
 - Auth0.MFA.Policy.Enabled
 - Auth0.MFA.Risk.Assessment.Disabled
diff --git a/packs/aws.yml b/packs/aws.yml
index 4e348db7a..4731a9f09 100644
--- a/packs/aws.yml
+++ b/packs/aws.yml
@@ -49,7 +49,6 @@ PackDefinition:
 # Root Activity
 - AWS.CloudTrail.RootAccessKeyCreated
 - AWS.CloudTrail.RootPasswordChanged
- - AWS.Console.RootLogin
 - AWS.Console.RootLoginFailed
 - AWS.EC2.Instance.DetailedMonitoring
 - AWS.Root.Activity
@@ -60,7 +59,6 @@ PackDefinition:
 - AWS.CloudTrail.IAMCompromisedKeyQuarantine
 - AWS.CloudTrail.Password.Policy.Discovery
 - AWS.Console.LoginWithoutMFA
- - AWS.Console.LoginWithoutSAML
 - AWS.EC2.SecurityGroupModified
 - AWS.IAM.Backdoor.User.Keys
 - AWS.IAM.CredentialsUpdated
@@ -112,7 +110,6 @@ PackDefinition:
 - AWS.GuardDuty.MediumSeverityFinding
 - AWS.IAM.Policy.AdministrativePrivileges
 - AWS.RDS.InstanceHighAvailability
- - AWS.RDS.ManualSnapshotCreated
 - AWS.RDS.MasterPasswordUpdated
 - AWS.RDS.PublicRestore
 - AWS.RDS.SnapshotShared
@@ -120,7 +117,6 @@ PackDefinition:
 - AWS.Redshift.Cluster.SnapshotRetention
 - AWS.Redshift.Cluster.VersionUpgrade
 - AWS.S3.Bucket.ActionRestrictions
- - AWS.S3.Bucket.LifecycleConfiguration
 - AWS.S3.Bucket.Logging
 - AWS.S3.Bucket.MFADelete
 - AWS.S3.Bucket.NameDNSCompliance
@@ -128,81 +124,38 @@ PackDefinition:
 - AWS.S3.BucketPolicyModified
 - AWS.S3.GreyNoiseActivity
 - AWS.S3.ServerAccess.Error
- - AWS.S3.ServerAccess.Insecure
 - AWS.SecurityHub.Finding.Evasion
 - AWS.VPC.FlowLogs
 - AWS.WAF.Disassociation
 - AWS.WAF.HasXSSPredicate
 # Other rules
- - AWS.ACM.HasSecureAlgorithms
- - AWS.ApplicationLoadBalancer.WebACL
 - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
 - AWS.CMK.KeyRotation
 - AWS.CloudTrail.Account.Discovery
 - AWS.CloudTrail.CloudWatchLogs
- - AWS.CloudTrail.IAMAssumeRoleBlacklistIgnored
- - AWS.CloudTrail.IAMEntityCreatedWithoutCloudFormation
- - AWS.CloudTrail.LeastPrivilege
 - AWS.CloudTrail.LogEncryption
 - AWS.CloudTrail.LogValidation
 - AWS.CloudTrail.S3Bucket.AccessLogging
- - AWS.CloudWatchLogs.SensitiveLogGroup.Encryption
- - AWS.DynamoDB.AutoscalingConfiguration
 - AWS.DynamoDB.TableTTLEnabled
- - AWS.EC2.AMI.ApprovedHost
- - AWS.EC2.AMI.ApprovedInstanceType
- - AWS.EC2.AMI.ApprovedTenancy
- - AWS.EC2.CDEVolumeEncrypted
- - AWS.EC2.Instance.ApprovedAMI
- - AWS.EC2.Instance.ApprovedHost
- - AWS.EC2.Instance.ApprovedInstanceType
- - AWS.EC2.Instance.ApprovedTenancy
- - AWS.EC2.Instance.ApprovedVPC
- - AWS.EC2.ManualSecurityGroupChange
- - AWS.ECR.CRUD
- - AWS.ECR.EVENTS
- - AWS.GuardDuty.MasterAccount
- - AWS.IAM.Group.Read.Only.Events
- - AWS.IAM.Policy.Blacklist
 - AWS.IAM.Policy.DoesNotGrantAdminAccess
 - AWS.IAM.Policy.DoesNotGrantNetworkAdminAccess
- - AWS.IAM.Policy.RoleMapping
 - AWS.IAM.Resource.DoesNotHaveInlinePolicy
- - AWS.IAM.Role.ExternalPermission
 - AWS.IAM.Role.RestrictsUsage
- - AWS.IAM.User.NotInConflictingGroups
- - AWS.LAMBDA.CRUD
- - AWS.Modify.Cloud.Compute.Infrastructure
 - AWS.NetworkACL.RestrictedSSH
 - AWS.NetworkACL.RestrictsInsecureProtocols
 - AWS.NetworkACL.RestrictsOutboundTraffic
 - AWS.RDS.Instance.AutoMinorVersionUpgradeEnabled
 - AWS.RDS.InstanceBackup
 - AWS.RDS.InstanceBackupRetentionAcceptable
- - AWS.Redshift.Cluster.MaintenanceWindow
 - AWS.Redshift.Cluster.SnapshotRetentionAcceptable
- - AWS.Resource.MinimumTags
- - AWS.Resource.RequiredTags
 - AWS.RootAccount.HardwareMFA
 - AWS.S3.BucketObjectLockConfigured
- - AWS.S3.ServerAccess.IPWhitelist
- - AWS.S3.ServerAccess.Unauthenticated
- - AWS.S3.ServerAccess.UnknownRequester
- - AWS.SecurityGroup.RestrictsAccessToCDE
 - AWS.SecurityGroup.RestrictsInterSecurityGroupTraffic
 - AWS.SecurityGroup.RestrictsOutboundTraffic
- - AWS.SecurityGroup.RestrictsTrafficLeavingCDE
 - AWS.SecurityGroup.TightlyRestrictsInboundTraffic
 - AWS.SecurityGroup.TightlyRestrictsOutboundTraffic
- - AWS.Software.Discovery
- - AWS.Unsuccessful.MFA.attempt
- - AWS.UnusedRegion
 - AWS.VPC.DefaultNetworkACLRestrictsAllTraffic
 - AWS.VPC.DefaultSecurityGroup.Restrictions
- - AWS.VPC.InboundPortBlacklist
- - AWS.VPC.InboundPortWhitelist
- - AWS.VPC.UnapprovedOutboundDNS
- - AWS.WAF.RuleOrdering
 - CloudTrail.Password.Spraying
 - VPC.DNS.Tunneling
 - VPCFlow.Port.Scanning
diff --git a/packs/box.yml b/packs/box.yml
index 6868d0e05..2b0b593eb 100644
--- a/packs/box.yml
+++ b/packs/box.yml
@@ -12,8 +12,6 @@ PackDefinition:
 - Box.Untrusted.Device
 - Box.Large.Number.Downloads
 - Box.Large.Number.Permission.Updates
- - Box.Item.Shared.Externally
- - Box.Event.Triggered.Externally
 # Globals used in these detections
 - panther_base_helpers
 - panther_box_helpers
diff --git a/packs/carbonblack.yml b/packs/carbonblack.yml
index 6216e7270..dbdba1d36 100644
--- a/packs/carbonblack.yml
+++ b/packs/carbonblack.yml
@@ -3,11 +3,10 @@ PackID: PantherManaged.CarbonBlack
 Description: Group of all Carbon Black detections
 PackDefinition:
 IDs:
- - CarbonBlack.AlertV2.Passthrough
 - CarbonBlack.Audit.Admin.Grant
 - CarbonBlack.Audit.API.Key.Created.Retrieved
 - CarbonBlack.Audit.Data.Forwarder.Stopped
 - CarbonBlack.Audit.Flagged
 - CarbonBlack.Audit.User.Added.Outside.Org
 # Globals used in these detections
-DisplayName: "Panther Carbon Black Pack"
\ No newline at end of file
+DisplayName: "Panther Carbon Black Pack"
diff --git a/packs/cisco_umbrella_dns.yml b/packs/cisco_umbrella_dns.yml
index 527f45088..55cae731c 100644
--- a/packs/cisco_umbrella_dns.yml
+++ b/packs/cisco_umbrella_dns.yml
@@ -4,7 +4,5 @@ Description: Group of all Cisco Umbrella detections
 PackDefinition:
 IDs:
 - CiscoUmbrella.DNS.Blocked
- - CiscoUmbrella.DNS.FuzzyMatching
- - CiscoUmbrella.DNS.Suspicious
 # Globals used in these detections
 DisplayName: "Panther Cisco Umbrella Pack"
diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml
index 332d00808..003d30f21 100644
--- a/packs/cloudflare.yml
+++ b/packs/cloudflare.yml
@@ -6,8 +6,6 @@ PackDefinition:
 IDs:
 - Cloudflare.Firewall.L7DDoS
 - Cloudflare.Firewall.SuspiciousEventGreyNoise
- - Cloudflare.HttpRequest.BotHighVolume
- - Cloudflare.HttpRequest.BotHighVolumeGreyNoise
 # Globals used in these rules/policies
 - panther_base_helpers
 - panther_cloudflare_helpers
diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml
index 5aa1ee6ce..273913382 100644
--- a/packs/crowdstrike.yml
+++ b/packs/crowdstrike.yml
@@ -19,10 +19,6 @@ PackDefinition:
 - Crowdstrike.Macos.Add.Trusted.Cert
 - Crowdstrike.Macos.Plutil.Usage
 - Crowdstrike.Macos.Osascript.Administrator
- - Crowdstrike.DNS.Request
- - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
- - Okta.Login.From.CrowdStrike.Unmanaged.Device
- - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/dropbox.yml b/packs/dropbox.yml
index acd02b37a..3ad8e3845 100644
--- a/packs/dropbox.yml
+++ b/packs/dropbox.yml
@@ -9,8 +9,6 @@ PackDefinition:
 - Dropbox.Ownership.Transfer
 - Dropbox.User.Disabled.2FA
 - Dropbox.Admin.sign.in.as.Session
- - Dropbox.Many.Deletes
- - Dropbox.Many.Downloads
 # Globals used in these detections
 - panther_base_helpers
 - panther_config
diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml
index 74a7ffc46..bbd68c422 100644
--- a/packs/gcp_audit.yml
+++ b/packs/gcp_audit.yml
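Review bot: The crowdstrike hunk drops `OnePassword.Login.From.CrowdStrike.Unmanaged.Device` and `AWS.Authentication.From.CrowdStrike.Unmanaged.Device`, yet the aws hunk and the onepassword hunk in this same commit keep those two IDs as context lines, so the same cross-source rules appear to be classed as "requires configuration" in one pack and left enabled by default in another. If they depend on CrowdStrike host data that a subscriber may not ingest, that holds in every pack that ships them; if keeping them in the source-specific packs is deliberate, a short comment in this pack such as `# Cross-source CrowdStrike rules are shipped by the aws / onepassword / okta packs` would keep the next cleanup from re-diverging. It would also help subscribers to record in the commit description which removed IDs were unconfigured and which were merely disabled, since they lose these detections on the next pack update with no changelog entry. The IDs list edited here starts before the hunk.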
@@ -17,14 +17,12 @@ PackDefinition:
 - GCP.Firewall.Rule.Modified
 - GCP.GCS.IAMChanges
 - GCP.GCS.Public
- - GCP.IAM.AdminRoleAssigned
 - GCP.IAM.CorporateEmail
 - GCP.IAM.CustomRoleChanges
 - GCP.IAM.OrgFolderIAMChanges
 - GCP.iam.roles.update.Privilege.Escalation
 - GCP.iam.serviceAccountKeys.create
 - GCP.Inbound.SSO.Profile.Created
- - GCP.K8s.ExecIntoPod
 - GCP.Log.Bucket.Or.Sink.Deleted
 - GCP.Logging.Settings.Modified
 - GCP.Logging.Sink.Modified
@@ -34,7 +32,6 @@ PackDefinition:
 - GCP.Service.Account.or.Keys.Created
 - GCP.serviceusage.apiKeys.create.Privilege.Escalation
 - GCP.SQL.ConfigChanges
- - GCP.UnusedRegions
 - GCP.User.Added.to.IAP.Protected.Service
 - GCP.VPC.Flow.Logs.Disabled
 - GCP.Workforce.Pool.Created.or.Updated
diff --git a/packs/github.yml b/packs/github.yml
index 137a18d56..bb5de9948 100644
--- a/packs/github.yml
+++ b/packs/github.yml
@@ -23,7 +23,6 @@ PackDefinition:
 - Github.Organization.App.Integration.Installed
 - Github.Public.Repository.Created
 - Github.Repository.Transfer
- - GitHub.Action.Failed
 # Data model
 - Standard.Github.Audit
 # Globals
diff --git a/packs/gsuite_reports.yml b/packs/gsuite_reports.yml
index c38835dda..373d13dfd 100644
--- a/packs/gsuite_reports.yml
+++ b/packs/gsuite_reports.yml
@@ -9,22 +9,17 @@ PackDefinition:
 - Google.Workspace.Apps.Marketplace.New.Domain.Application
 - Google.Workspace.Apps.New.Mobile.App.Installed
 - GSuite.AdvancedProtection
- - GSuite.BruteForceLogin
 - GSuite.CalendarMadePublic
- - GSuite.DocOwnershipTransfer
 - GSuite.Drive.Many.Documents.Deleted
 - Google.Drive.High.Download.Count
- - GSuite.ExternalMailForwarding
 - GSuite.GoogleAccess
 - GSuite.GovernmentBackedAttack
 - GSuite.GroupBannedUser
 - GSuite.LeakedPassword
- - GSuite.LoginType
 - GSuite.DeviceCompromise
 - GSuite.DeviceUnlockFailure
 - GSuite.DeviceSuspiciousActivity
 - GSuite.Rule
- - GSuite.PermisssionsDelegated
 - GSuite.SuspiciousLogins
 - GSuite.TwoStepVerification
 - GSuite.UserSuspended
@@ -36,9 +31,7 @@ PackDefinition:
 - GSuite.Workspace.PasswordEnforceStrongDisabled
 - GSuite.Workspace.PasswordReuseEnabled
 - GSuite.Workspace.TrustedDomainsAllowlist
- - GSuite.Drive.ExternalFileShare
 - GSuite.DriveOverlyVisible
- - GSuite.DriveVisibilityChanged
 # Data Models used in these detections
 - Standard.GSuite.Reports
 # Globals used in these detections
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
index 7188ae8d3..3aeafa8e2 100644
--- a/packs/mongodb.yml
+++ b/packs/mongodb.yml
@@ -5,7 +5,6 @@ DisplayName: "Panther MongoDB Atlas Pack"
 PackDefinition:
 IDs:
 - MongoDB.Atlas.ApiKeyCreated
- - MongoDB.External.UserInvited
 # Globals
 - panther_base_helpers
 - panther_config
diff --git a/packs/netskope.yml b/packs/netskope.yml
index 45758b437..bb4754f02 100644
--- a/packs/netskope.yml
+++ b/packs/netskope.yml
@@ -5,7 +5,5 @@ PackDefinition:
 IDs:
 - Netskope.AdminLoggedOutLoginFailures
 - Netskope.AdminUserChange
- - Netskope.ManyDeletes
 - Netskope.NetskopePersonnelActivity
- - Netskope.UnauthorizedAPICalls
 DisplayName: "Panther Netskope Pack"
diff --git a/packs/notion.yml b/packs/notion.yml
index a7bbf222a..c0b683634 100644
--- a/packs/notion.yml
+++ b/packs/notion.yml
@@ -15,7 +15,6 @@ PackDefinition:
 - Notion.Workspace.Exported
 - Notion.Workspace.SCIM.Token.Generated
 - Notion.Workspace.Public.Page.Added
- - Notion.LoginFromBlockedIP
 - Notion.SharingSettingsUpdated
 - Notion.TeamspaceOwnerAdded
 # Globals used in these detections
diff --git a/packs/okta.yml b/packs/okta.yml
index 1df658a97..49f2fae72 100644
--- a/packs/okta.yml
+++ b/packs/okta.yml
@@ -19,7 +19,6 @@ PackDefinition:
 - Okta.Rate.Limits
 - Okta.Anonymizing.VPN.Login
 - Okta.Identity.Provider.Created.Modified
- - Okta.Identity.Provider.SignIn
 - Okta.New.Behavior.Accessing.Admin.Console
 - Okta.Org2org.Creation.Modification
 - Okta.Password.Extraction.via.SCIM
diff --git a/packs/onepassword.yml b/packs/onepassword.yml
index 2149c2075..386645dc0 100644
--- a/packs/onepassword.yml
+++ b/packs/onepassword.yml
@@ -8,8 +8,6 @@ PackDefinition:
 - Standard.OnePassword.SignInAttempt
 # 1Password Specific Rules
 - OnePassword.Unusual.Client
- - OnePassword.Lut.Sensitive.Item
- - OnePassword.Sensitive.Item
 - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
 # Supporting Global Helpers
 - panther_base_helpers
diff --git a/packs/osquery.yml b/packs/osquery.yml
index 32ab36f22..adac2b24d 100644
--- a/packs/osquery.yml
+++ b/packs/osquery.yml
@@ -14,7 +14,6 @@ PackDefinition:
 - Osquery.UnsupportedMacOS
 - Osquery.SSHListener
 - Osquery.SuspiciousCron
- - Osquery.Linux.LoginFromNonOffice
 # Globals used in these detections
 - panther_base_helpers
 - panther_config