THREAT-321 Auth0 CIC Credential Stuffing #1246
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
egibs
approved these changes
May 30, 2024
JPhenglavong
added a commit
that referenced
this pull request
Jun 10, 2024
* Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
arielkr256
added a commit
that referenced
this pull request
Jun 10, 2024
* Update aws_console_login_without_mfa.py is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId" * Update aws_console_login_without_mfa.py Casted str to account for NoneType * Update new_user_account_logging.py Added an alternative string in the case udm user is empty * Update new_user_account_logging.yml add mock test * Standard user creation fixes (#1256) * Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
ben-githubs
pushed a commit
that referenced
this pull request
Jun 27, 2024
ben-githubs
added a commit
that referenced
this pull request
Jun 27, 2024
* Update aws_console_login_without_mfa.py is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId" * Update aws_console_login_without_mfa.py Casted str to account for NoneType * Update new_user_account_logging.py Added an alternative string in the case udm user is empty * Update new_user_account_logging.yml add mock test * Standard user creation fixes (#1256) * Prepare for `3.53.0` (#1232) * Replace panther_analysis_tool import with updated import (#1230) * Update Action versions; use SHAs (#1231) * Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0 * auth0-cic-credential-stuffing rule and query (#1246) * Add saved queries for ongoing Snowflake threats (#1248) * Add saved queries for ongoing Snowflake threats * Add limits Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * snowflake pack * Add scheduled queries and rules Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * pack update * ruleID fix * make fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix merge conflicts Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Turn off by default Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> * Update panther-core to 0.10.1 via PAT (#1249) Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Tweak Snowflake queries (#1250) * Tweak Snowflake queries Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Remove configuration drift query from Pack Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Threat Hunting queries are okay Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Fix comment Workflow Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * 12 hours -> 1 day Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * Fixed typo in README.md (#1253) fixed 'unintall' typo to 'npm uninstall prettier' * build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@f086349...17d0e2b) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255) * OCSF data model, VPC/DNS (#1214) * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> * fix: consider deny rules for ssh network acl policy (#1236) * fix: consider deny rules for ssh network acl policy * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py * Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * AWS Honeypot Detections threat-306 (#1252) * AWS Honeypot Detections threat-306 AWS Security Finding rules on decoy AWS resources: https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/ * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_dynamodb_accessed.py * Update decoy_iam_assumed.py * Update decoy_s3_accessed.py * Update decoy_secret_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_systems_manager_parameter_accessed.py * Update decoy_secret_accessed.py * Update decoy_s3_accessed.py * Update decoy_iam_assumed.py * Update decoy_dynamodb_accessed.py * Update decoy_systems_manager_parameter_accessed.py * reformatted and linted * removed unused methods * fixed trailing lines * add decoy rules as a pack --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Goal
Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.
Categorization
https://attack.mitre.org/techniques/T1110/004/
Strategy Abstract
Log Events to Review:
fcoa - Failed cross-origin authentication
scoa - Successful cross-origin authentication
pwd_leak - Someone attempted to login with a leaked password
Technical Context
In this type of attack, adversaries attempt to sign-in to online services using large lists of usernames and passwords potentially obtained from previous data breaches or unrelated entities, or from phishing or malware campaigns.
Blind Spots and Assumptions
Assumes use of Customer Identity Cloud (CIC) feature and proper logging.
False Positives
If your tenant does use cross-origin authentication, there could be false positives for normal fcoa/scoa activity.
Validation
If your tenant does not use cross-origin authentication, but scoa or fcoa events are present in event logs, then it is likely your tenant has been targeted in a credential stuffing attack.
If your tenant does use cross-origin authentication and either saw a spike of scoa events in April or an increase in the ratio of failure-to-success events (fcoa/scoa), then it is likely your tenant has been targeted in a credential stuffing attack.
Priority
High
Response
If a user password was compromised in a credential stuffing attack, the user’s credentials should be rotated immediately out of an abundance of caution.
Additional Resources
https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks
https://auth0.com/docs/authenticate/login/cross-origin-authentication
https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes