Merge branch 'main' into KNO-358

JupiterOne · Apr 11, 2024 · 34f7e52 · 34f7e52
2 parents a9a5585 + dbf6990
commit 34f7e52
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 2 deletions.
diff --git a/rule-packs/aws-config.json b/rule-packs/aws-config.json
@@ -661,7 +661,7 @@
     "queries": [
       {
         "name": "query0",
-        "query": "FIND aws_iam_group AS group THAT !HAS aws_iam_user AS user RETURN user.accountId, user.name,user.displayName, group.name,group.displayName, group.id",
+        "query": "FIND aws_iam_user AS user THAT !HAS aws_iam_group RETURN user.displayName, user.name, user.accountId AS \"AWS Account ID\", user.arn",
         "version": "v1"
       }
     ],
@@ -841,7 +841,7 @@
     "queries": [
       {
         "name": "query0",
-        "query": "FIND aws_security_group AS fw THAT !ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR",
+        "query": "FIND aws_security_group WITH ingressRules ~= '/0\"' AS fw THAT ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR, fw.accountId AS \"AWS Account ID\"",
         "version": "v1"
       }
     ],

diff --git a/rule-packs/cyberark-epm-misconfigurations.json b/rule-packs/cyberark-epm-misconfigurations.json
@@ -0,0 +1,50 @@
+[
+  {
+    "name": "cyberark-epm-blocked-applications",
+    "description": "This query will look for applications that have an unsatisfactory status.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_epm_applicationgroup with status != 'OK'",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "MEDIUM"
+  },
+  {
+    "name": "cyberark-epm-application-groups-with-no-policy",
+    "description": "This query will look for application groups that have no policy associated.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_epm_applicationgroup THAT !ENFORCES << cyberark_epm_policy",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "MEDIUM"
+  },
+    {
+    "name": "cyberark-epm-service-with-no-policy",
+    "description": "This query will look for services that have no policy associated.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_epm_service THAT !ENFORCES << cyberark_epm_policy",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "MEDIUM"
+  },
+  {
+    "name": "cyberark-epm-ensure-regular-backups",
+    "description": "This query will look for accounts that do not have backups enabled.",
+    "queries": [
+      {
+        "name": "query0",
+        "query": "FIND cyberark_epm_account with backupIsEnabled != true",
+        "version": "v1"
+      }
+    ],
+    "alertLevel": "MEDIUM"
+  }
+]
diff --git a/rule-packs/index.js b/rule-packs/index.js
@@ -16,3 +16,4 @@ module.exports.SophosEndpointSecurity = require("./sophos-endpoint-security.json
 module.exports.ArmisEndpointSecurity = require("./armis-endpoint-security.json");
 module.exports.TrellixEndpointSecurity = require("./trellix-endpoint-security.json");
 module.exports.CyberarkIdaptiveMisconfigurations = require("./cyberark-idaptive-misconfigurations.json");
+module.exports.CyberarkEPMMisconfigurations = require("./cyberark-epm-misconfigurations.json");