Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using GITHUB_OUTPUT env var instead of old ::set-output shorthand #1255

Merged
merged 1 commit into from
Jun 10, 2024

Conversation

c0nfleis
Copy link
Contributor

Background

Relates to: https://panther-labs.atlassian.net/browse/EPD-437

Changes

Testing

@c0nfleis c0nfleis requested a review from a team as a code owner June 10, 2024 14:34
Copy link

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@arielkr256 arielkr256 merged commit 2f8c64f into release Jun 10, 2024
6 checks passed
@arielkr256 arielkr256 deleted the beezy-EPD-437-set-output-is-deprecated branch June 10, 2024 15:12
JPhenglavong added a commit that referenced this pull request Jun 10, 2024
* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
arielkr256 added a commit that referenced this pull request Jun 10, 2024
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
ben-githubs added a commit that referenced this pull request Jun 27, 2024
* Update aws_console_login_without_mfa.py

is_new_account has been checking with only recipientAccountId but our new aws account indicator creation rule has been checking for "new_account - recipientAccountId"

* Update aws_console_login_without_mfa.py

Casted str to account for NoneType

* Update new_user_account_logging.py

Added an alternative string in the case udm user is empty

* Update new_user_account_logging.yml

add mock test

* Standard user creation fixes (#1256)

* Prepare for `3.53.0` (#1232)

* Replace panther_analysis_tool import with updated import (#1230)

* Update Action versions; use SHAs (#1231)

* Update Action versions; use SHAs

* Add dependabot.yml to keep Actions updated

* Update PAT to 0.49.0

* auth0-cic-credential-stuffing rule and query (#1246)

* Add saved queries for ongoing Snowflake threats (#1248)

* Add saved queries for ongoing Snowflake threats

* Add limits

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* snowflake pack

* Add scheduled queries and rules

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* pack update

* ruleID fix

* make fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix merge conflicts

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Turn off by default

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>

* Update panther-core to 0.10.1 via PAT (#1249)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Tweak Snowflake queries (#1250)

* Tweak Snowflake queries

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Remove configuration drift query from Pack

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Threat Hunting queries are okay

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Fix comment Workflow

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* 12 hours -> 1 day

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* Fixed typo in README.md (#1253)

fixed 'unintall' typo to 'npm uninstall prettier'

* build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1254)

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f086349...17d0e2b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1255)

* OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (#1216)

* THREAT-278 OCSF data model, VPC

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* fix: consider deny rules for ssh network acl policy (#1236)

* fix: consider deny rules for ssh network acl policy

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

* Update policies/aws_vpc_policies/aws_network_acl_restricted_ssh.py

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* AWS Honeypot Detections threat-306 (#1252)

* AWS Honeypot Detections threat-306

AWS Security Finding rules on decoy AWS resources:
https://aws.amazon.com/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources/

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_s3_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* Update decoy_secret_accessed.py

* Update decoy_s3_accessed.py

* Update decoy_iam_assumed.py

* Update decoy_dynamodb_accessed.py

* Update decoy_systems_manager_parameter_accessed.py

* reformatted and linted

* removed unused methods

* fixed trailing lines

* add decoy rules as a pack

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BJ Maldonado <bj.maldonado-miranda@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Eli Skeggs <1348991+skeggse@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants