panther-labs · egibs · Feb 8, 2024 · Feb 8, 2024 · Feb 8, 2024
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.38"
+panther-analysis-tool = "~=0.39"
 panther-detection-helpers = "==0.2.0"
 
 [requires]

@@ -5,7 +5,6 @@ PackDefinition:
   IDs:
     - Auth0.Custom.Role.Created
     - Auth0.Integration.Installed
-    - Auth0.MFA.Factor.Setting.Enabled
     - Auth0.MFA.Policy.Disabled
     - Auth0.MFA.Policy.Enabled
     - Auth0.MFA.Risk.Assessment.Disabled

@@ -49,7 +49,6 @@ PackDefinition:
     # Root Activity
     - AWS.CloudTrail.RootAccessKeyCreated
     - AWS.CloudTrail.RootPasswordChanged
-    - AWS.Console.RootLogin
     - AWS.Console.RootLoginFailed
     - AWS.EC2.Instance.DetailedMonitoring
     - AWS.Root.Activity
@@ -60,7 +59,6 @@ PackDefinition:
     - AWS.CloudTrail.IAMCompromisedKeyQuarantine
     - AWS.CloudTrail.Password.Policy.Discovery
     - AWS.Console.LoginWithoutMFA
-    - AWS.Console.LoginWithoutSAML
     - AWS.EC2.SecurityGroupModified
     - AWS.IAM.Backdoor.User.Keys
     - AWS.IAM.CredentialsUpdated
@@ -112,97 +110,52 @@ PackDefinition:
     - AWS.GuardDuty.MediumSeverityFinding
     - AWS.IAM.Policy.AdministrativePrivileges
     - AWS.RDS.InstanceHighAvailability
-    - AWS.RDS.ManualSnapshotCreated
     - AWS.RDS.MasterPasswordUpdated
     - AWS.RDS.PublicRestore
     - AWS.RDS.SnapshotShared
     - AWS.Redshift.Cluster.Logging
     - AWS.Redshift.Cluster.SnapshotRetention
     - AWS.Redshift.Cluster.VersionUpgrade
     - AWS.S3.Bucket.ActionRestrictions
-    - AWS.S3.Bucket.LifecycleConfiguration
     - AWS.S3.Bucket.Logging
     - AWS.S3.Bucket.MFADelete
     - AWS.S3.Bucket.NameDNSCompliance
     - AWS.S3.BucketDeleted
     - AWS.S3.BucketPolicyModified
     - AWS.S3.GreyNoiseActivity
     - AWS.S3.ServerAccess.Error
-    - AWS.S3.ServerAccess.Insecure
     - AWS.SecurityHub.Finding.Evasion
     - AWS.VPC.FlowLogs
     - AWS.WAF.Disassociation
     - AWS.WAF.HasXSSPredicate
     # Other rules
-    - AWS.ACM.HasSecureAlgorithms
-    - AWS.ApplicationLoadBalancer.WebACL
     - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
     - AWS.CMK.KeyRotation
     - AWS.CloudTrail.Account.Discovery
     - AWS.CloudTrail.CloudWatchLogs
-    - AWS.CloudTrail.IAMAssumeRoleBlacklistIgnored
-    - AWS.CloudTrail.IAMEntityCreatedWithoutCloudFormation
-    - AWS.CloudTrail.LeastPrivilege
     - AWS.CloudTrail.LogEncryption
     - AWS.CloudTrail.LogValidation
     - AWS.CloudTrail.S3Bucket.AccessLogging
-    - AWS.CloudWatchLogs.SensitiveLogGroup.Encryption
-    - AWS.DynamoDB.AutoscalingConfiguration
     - AWS.DynamoDB.TableTTLEnabled
-    - AWS.EC2.AMI.ApprovedHost
-    - AWS.EC2.AMI.ApprovedInstanceType
-    - AWS.EC2.AMI.ApprovedTenancy
-    - AWS.EC2.CDEVolumeEncrypted
-    - AWS.EC2.Instance.ApprovedAMI
-    - AWS.EC2.Instance.ApprovedHost
-    - AWS.EC2.Instance.ApprovedInstanceType
-    - AWS.EC2.Instance.ApprovedTenancy
-    - AWS.EC2.Instance.ApprovedVPC
-    - AWS.EC2.ManualSecurityGroupChange
-    - AWS.ECR.CRUD
-    - AWS.ECR.EVENTS
-    - AWS.GuardDuty.MasterAccount
-    - AWS.IAM.Group.Read.Only.Events
-    - AWS.IAM.Policy.Blacklist
     - AWS.IAM.Policy.DoesNotGrantAdminAccess
     - AWS.IAM.Policy.DoesNotGrantNetworkAdminAccess
-    - AWS.IAM.Policy.RoleMapping
     - AWS.IAM.Resource.DoesNotHaveInlinePolicy
-    - AWS.IAM.Role.ExternalPermission
     - AWS.IAM.Role.RestrictsUsage
-    - AWS.IAM.User.NotInConflictingGroups
-    - AWS.LAMBDA.CRUD
-    - AWS.Modify.Cloud.Compute.Infrastructure
     - AWS.NetworkACL.RestrictedSSH
     - AWS.NetworkACL.RestrictsInsecureProtocols
     - AWS.NetworkACL.RestrictsOutboundTraffic
     - AWS.RDS.Instance.AutoMinorVersionUpgradeEnabled
     - AWS.RDS.InstanceBackup
     - AWS.RDS.InstanceBackupRetentionAcceptable
-    - AWS.Redshift.Cluster.MaintenanceWindow
     - AWS.Redshift.Cluster.SnapshotRetentionAcceptable
-    - AWS.Resource.MinimumTags
-    - AWS.Resource.RequiredTags
     - AWS.RootAccount.HardwareMFA
     - AWS.S3.BucketObjectLockConfigured
-    - AWS.S3.ServerAccess.IPWhitelist
-    - AWS.S3.ServerAccess.Unauthenticated
-    - AWS.S3.ServerAccess.UnknownRequester
-    - AWS.SecurityGroup.RestrictsAccessToCDE
     - AWS.SecurityGroup.RestrictsInterSecurityGroupTraffic
     - AWS.SecurityGroup.RestrictsOutboundTraffic
-    - AWS.SecurityGroup.RestrictsTrafficLeavingCDE
     - AWS.SecurityGroup.TightlyRestrictsInboundTraffic
     - AWS.SecurityGroup.TightlyRestrictsOutboundTraffic
-    - AWS.Software.Discovery
-    - AWS.Unsuccessful.MFA.attempt
-    - AWS.UnusedRegion
     - AWS.VPC.DefaultNetworkACLRestrictsAllTraffic
     - AWS.VPC.DefaultSecurityGroup.Restrictions
-    - AWS.VPC.InboundPortBlacklist
-    - AWS.VPC.InboundPortWhitelist
-    - AWS.VPC.UnapprovedOutboundDNS
-    - AWS.WAF.RuleOrdering
     - CloudTrail.Password.Spraying
     - VPC.DNS.Tunneling
     - VPCFlow.Port.Scanning

@@ -12,8 +12,6 @@ PackDefinition:
     - Box.Untrusted.Device
     - Box.Large.Number.Downloads
     - Box.Large.Number.Permission.Updates
-    - Box.Item.Shared.Externally
-    - Box.Event.Triggered.Externally
     # Globals used in these detections
     - panther_base_helpers
     - panther_box_helpers

@@ -3,11 +3,10 @@ PackID: PantherManaged.CarbonBlack
 Description: Group of all Carbon Black detections
 PackDefinition:
   IDs:
-    - CarbonBlack.AlertV2.Passthrough
     - CarbonBlack.Audit.Admin.Grant
     - CarbonBlack.Audit.API.Key.Created.Retrieved
     - CarbonBlack.Audit.Data.Forwarder.Stopped
     - CarbonBlack.Audit.Flagged
     - CarbonBlack.Audit.User.Added.Outside.Org
     # Globals used in these detections
-DisplayName: "Panther Carbon Black Pack"
+DisplayName: "Panther Carbon Black Pack"
@@ -4,7 +4,5 @@ Description: Group of all Cisco Umbrella detections
 PackDefinition:
   IDs:
     - CiscoUmbrella.DNS.Blocked
-    - CiscoUmbrella.DNS.FuzzyMatching
-    - CiscoUmbrella.DNS.Suspicious
     # Globals used in these detections
 DisplayName: "Panther Cisco Umbrella Pack"
@@ -6,8 +6,6 @@ PackDefinition:
   IDs:
     - Cloudflare.Firewall.L7DDoS
     - Cloudflare.Firewall.SuspiciousEventGreyNoise
-    - Cloudflare.HttpRequest.BotHighVolume
-    - Cloudflare.HttpRequest.BotHighVolumeGreyNoise
     # Globals used in these rules/policies
     - panther_base_helpers
     - panther_cloudflare_helpers

@@ -19,10 +19,6 @@ PackDefinition:
     - Crowdstrike.Macos.Add.Trusted.Cert
     - Crowdstrike.Macos.Plutil.Usage
     - Crowdstrike.Macos.Osascript.Administrator
-    - Crowdstrike.DNS.Request
-    - OnePassword.Login.From.CrowdStrike.Unmanaged.Device
-    - Okta.Login.From.CrowdStrike.Unmanaged.Device
-    - AWS.Authentication.From.CrowdStrike.Unmanaged.Device
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -9,8 +9,6 @@ PackDefinition:
     - Dropbox.Ownership.Transfer
     - Dropbox.User.Disabled.2FA
     - Dropbox.Admin.sign.in.as.Session
-    - Dropbox.Many.Deletes
-    - Dropbox.Many.Downloads
     # Globals used in these detections
     - panther_base_helpers
     - panther_config

@@ -17,14 +17,12 @@ PackDefinition:
     - GCP.Firewall.Rule.Modified
     - GCP.GCS.IAMChanges
     - GCP.GCS.Public
-    - GCP.IAM.AdminRoleAssigned
     - GCP.IAM.CorporateEmail
     - GCP.IAM.CustomRoleChanges
     - GCP.IAM.OrgFolderIAMChanges
     - GCP.iam.roles.update.Privilege.Escalation
     - GCP.iam.serviceAccountKeys.create
     - GCP.Inbound.SSO.Profile.Created
-    - GCP.K8s.ExecIntoPod
     - GCP.Log.Bucket.Or.Sink.Deleted
     - GCP.Logging.Settings.Modified
     - GCP.Logging.Sink.Modified
@@ -34,7 +32,6 @@ PackDefinition:
     - GCP.Service.Account.or.Keys.Created
     - GCP.serviceusage.apiKeys.create.Privilege.Escalation
     - GCP.SQL.ConfigChanges
-    - GCP.UnusedRegions
     - GCP.User.Added.to.IAP.Protected.Service
     - GCP.VPC.Flow.Logs.Disabled
     - GCP.Workforce.Pool.Created.or.Updated

@@ -23,7 +23,6 @@ PackDefinition:
     - Github.Organization.App.Integration.Installed
     - Github.Public.Repository.Created
     - Github.Repository.Transfer
-    - GitHub.Action.Failed
     # Data model
     - Standard.Github.Audit
     # Globals

@@ -9,22 +9,17 @@ PackDefinition:
     - Google.Workspace.Apps.Marketplace.New.Domain.Application
     - Google.Workspace.Apps.New.Mobile.App.Installed
     - GSuite.AdvancedProtection
-    - GSuite.BruteForceLogin
     - GSuite.CalendarMadePublic
-    - GSuite.DocOwnershipTransfer
     - GSuite.Drive.Many.Documents.Deleted
     - Google.Drive.High.Download.Count
-    - GSuite.ExternalMailForwarding
     - GSuite.GoogleAccess
     - GSuite.GovernmentBackedAttack
     - GSuite.GroupBannedUser
     - GSuite.LeakedPassword
-    - GSuite.LoginType
     - GSuite.DeviceCompromise
     - GSuite.DeviceUnlockFailure
     - GSuite.DeviceSuspiciousActivity
     - GSuite.Rule
-    - GSuite.PermisssionsDelegated
     - GSuite.SuspiciousLogins
     - GSuite.TwoStepVerification
     - GSuite.UserSuspended
@@ -36,9 +31,7 @@ PackDefinition:
     - GSuite.Workspace.PasswordEnforceStrongDisabled
     - GSuite.Workspace.PasswordReuseEnabled
     - GSuite.Workspace.TrustedDomainsAllowlist
-    - GSuite.Drive.ExternalFileShare
     - GSuite.DriveOverlyVisible
-    - GSuite.DriveVisibilityChanged
     # Data Models used in these detections
     - Standard.GSuite.Reports 
     # Globals used in these detections

@@ -5,7 +5,6 @@ DisplayName: "Panther MongoDB Atlas Pack"
 PackDefinition:
   IDs:
     - MongoDB.Atlas.ApiKeyCreated
-    - MongoDB.External.UserInvited
     # Globals
     - panther_base_helpers
     - panther_config

@@ -5,7 +5,5 @@ PackDefinition:
   IDs:
     - Netskope.AdminLoggedOutLoginFailures
     - Netskope.AdminUserChange
-    - Netskope.ManyDeletes
     - Netskope.NetskopePersonnelActivity
-    - Netskope.UnauthorizedAPICalls
 DisplayName: "Panther Netskope Pack"
@@ -15,7 +15,6 @@ PackDefinition:
     - Notion.Workspace.Exported
     - Notion.Workspace.SCIM.Token.Generated
     - Notion.Workspace.Public.Page.Added
-    - Notion.LoginFromBlockedIP
     - Notion.SharingSettingsUpdated
     - Notion.TeamspaceOwnerAdded
     # Globals used in these detections