AppOmni Alert passthrough #1211

jzandona · 2024-04-17T15:14:21Z

Background

AppOmni Passthrough alert for the Alerts schema. Detection has a dynamic severity to map to the severity provided by the AppOmni event.

Included all Mitre tactics/techniques that AppOmni covers as this is a passthrough detection.

Note: Log source name for this detection may change once the log source integration is shipped in Panther

Changes

Testing

* Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix

* fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix

* added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

arielkr256 · 2024-04-29T18:06:18Z

This is approved pending schema and PAT regex updates.

arielkr256

LGMT! Can't merge until schemas and PAT regex updates are released.

* alert passthrough * Deprecate GreyNoise detections (panther-labs#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (panther-labs#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (panther-labs#1208) * linting * fix - GCP rules - AttributeError (panther-labs#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (panther-labs#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (panther-labs#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (panther-labs#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (panther-labs#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (panther-labs#1216) * add file/host state to msft graph alert context (panther-labs#1220) * fix timestamps (panther-labs#1219) * Update PAT to 0.46.1 (panther-labs#1222) * pack for traildiscover LUT (panther-labs#1221) * use event.deep_get and remove InlineFilters * add pack --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* alert passthrough * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * linting * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * add file/host state to msft graph alert context (#1220) * fix timestamps (#1219) * Update PAT to 0.46.1 (#1222) * pack for traildiscover LUT (#1221) * use event.deep_get and remove InlineFilters * add pack --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

jzandona and others added 4 commits March 19, 2024 17:07

alert passthrough

6dded77

fix - Notion Login From New Location - NoneType error (#1206)

319fd15

* fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix

remove codeowners (#1208)

3fde677

jzandona requested a review from arielkr256 April 17, 2024 15:14

jzandona and others added 12 commits April 17, 2024 08:42

linting

a56d182

fix - GCP rules - AttributeError (#1210)

9239b29

* fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix

MITRE ATT&CK Mappings for MS Rules (#1209)

f1180d4

* added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

Update PAT to 0.46.0 (#1216)

e2e9b4f

add file/host state to msft graph alert context (#1220)

8e072a6

fix timestamps (#1219)

0658de4

Merge branch 'main' into release

3b0da17

Update PAT to 0.46.1 (#1222)

26dec05

pack for traildiscover LUT (#1221)

3a5ff83

Merge branch 'release' into jzandona_appomni_detections

6267525

use event.deep_get and remove InlineFilters

9f33dcc

arielkr256 approved these changes Apr 29, 2024

View reviewed changes

arielkr256 marked this pull request as ready for review April 29, 2024 18:07

add pack

617ecee

egibs force-pushed the release branch 2 times, most recently from e52491f to 55c4bac Compare April 30, 2024 19:24

Merge branch 'release' into jzandona_appomni_detections

4bcf3e4

jzandona requested a review from a team as a code owner May 14, 2024 14:54

arielkr256 merged commit c8b6ad9 into release May 14, 2024
6 checks passed

arielkr256 deleted the jzandona_appomni_detections branch May 14, 2024 14:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AppOmni Alert passthrough #1211

AppOmni Alert passthrough #1211

jzandona commented Apr 17, 2024

arielkr256 commented Apr 29, 2024

arielkr256 left a comment

AppOmni Alert passthrough #1211

AppOmni Alert passthrough #1211

Conversation

jzandona commented Apr 17, 2024

Background

Changes

Testing

arielkr256 commented Apr 29, 2024

arielkr256 left a comment

Choose a reason for hiding this comment