Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove codeowners #1208

Merged
merged 1 commit into from
Apr 16, 2024
Merged

Remove codeowners #1208

merged 1 commit into from
Apr 16, 2024

Conversation

le4ker
Copy link
Member

@le4ker le4ker commented Apr 16, 2024
edited
Loading

Background

Removes codeowners.

@le4ker le4ker requested review from a team April 16, 2024 09:41
@le4ker le4ker enabled auto-merge (squash) April 16, 2024 09:44
@le4ker le4ker force-pushed the panos/chore-remove-codeowners branch from 8f86891 to dbdc211 Compare April 16, 2024 10:54
@le4ker le4ker merged commit 3fde677 into release Apr 16, 2024
5 checks passed
@le4ker le4ker deleted the panos/chore-remove-codeowners branch April 16, 2024 10:56
egibs pushed a commit that referenced this pull request Apr 23, 2024
@melenevskyi @arielkr256
@akozlovets098 @le4ker @ben-githubs
Prepare for 3.50.0 (#1217)
ecf74bf 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request May 14, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
AppOmni Alert passthrough (#1211)
c8b6ad9 
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
egibs pushed a commit to jstanulis-push/panther-analysis that referenced this pull request May 21, 2024
@le4ker @egibs
remove codeowners (panther-labs#1208)
78d077b
egibs pushed a commit to jstanulis-push/panther-analysis that referenced this pull request May 21, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller @egibs
AppOmni Alert passthrough (panther-labs#1211)
4cca997 
* alert passthrough

* Deprecate GreyNoise detections (panther-labs#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (panther-labs#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (panther-labs#1208)

* linting

* fix - GCP rules - AttributeError (panther-labs#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (panther-labs#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (panther-labs#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (panther-labs#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (panther-labs#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (panther-labs#1216)

* add file/host state to msft graph alert context (panther-labs#1220)

* fix timestamps (panther-labs#1219)

* Update PAT to 0.46.1 (panther-labs#1222)

* pack for traildiscover LUT (panther-labs#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
arielkr256 added a commit that referenced this pull request May 21, 2024
@jstanulis-push @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
Push Security rules (#1207)
8012f11 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
arielkr256 added a commit that referenced this pull request May 30, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs @egibs
Threat 319 Replace geoinfo_from_ip with new version (#1242)
736c250 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Jun 10, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs
OCSF data model, VPC/DNS (#1214)
41e0c46 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
JPhenglavong added a commit that referenced this pull request Jun 10, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Standard user creation fixes (#1256)
56e014b 
* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Jun 10, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Update aws_console_login_without_mfa.py (#1237)
a15c5e6 
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@jzandona @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
AppOmni Alert passthrough (#1211)
9b9aaf4 
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@jstanulis-push @melenevskyi
@arielkr256 @akozlovets098 @le4ker @ben-githubs @nhakmiller
Push Security rules (#1207)
2e917d8 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* Push Security rules

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* pack, fmt lint, event.deep_get

* pack update

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs @egibs
Threat 319 Replace geoinfo_from_ip with new version (#1242)
12a88b2 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-319 Replace geoinfo_from_ip with new version

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@akozlovets098 @melenevskyi
@arielkr256 @le4ker @ben-githubs
OCSF data model, VPC/DNS (#1214)
f715e86 
* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
@JPhenglavong @arielkr256
@egibs @dependabot @c0nfleis @akozlovets098 @melenevskyi @le4ker @ben-githubs @skeggse
Update aws_console_login_without_mfa.py (#1237)
a1e9c1f 
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
egibs pushed a commit that referenced this pull request Jun 28, 2024
@le4ker @egibs
remove codeowners (#1208)
62a5c55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@le4ker