MongoDB - org membership restriction disabled (rule) (#1200)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
panther-labs · Apr 9, 2024 · 1a2458b · 1a2458b
1 parent 9d6e10e
commit 1a2458b
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 0 deletions.
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
@@ -5,6 +5,7 @@ DisplayName: "Panther MongoDB Atlas Pack"
 PackDefinition:
   IDs:
     - MongoDB.Atlas.ApiKeyCreated
+    - MongoDB.org.Membership.Restriction.Disabled
     - MongoDB.Access.Allowed.From.Anywhere
     - MongoDB.Alerting.Disabled.Or.Deleted
     - MongoDB.User.Created.Or.Deleted

diff --git a/rules/mongodb_rules/mongodb_org_membership_restriction_disabled.py b/rules/mongodb_rules/mongodb_org_membership_restriction_disabled.py
@@ -0,0 +1,14 @@
+from panther_mongodb_helpers import mongodb_alert_context
+
+
+def rule(event):
+    return event.deep_get("eventTypeName", default="") == "ORG_PUBLIC_API_ACCESS_LIST_NOT_REQUIRED"
+
+
+def title(event):
+    user = event.deep_get("username", default="<USER_NOT_FOUND>")
+    return f"MongoDB: [{user}] has disabled IP access list for the Atlas Administration API"
+
+
+def alert_context(event):
+    return mongodb_alert_context(event)
diff --git a/rules/mongodb_rules/mongodb_org_membership_restriction_disabled.yml b/rules/mongodb_rules/mongodb_org_membership_restriction_disabled.yml
@@ -0,0 +1,65 @@
+AnalysisType: rule
+Description:
+  You can configure Atlas to require API access lists at the organization level.
+  When you enable IP access list for the Atlas Administration API, all API calls in that organization must originate
+  from a valid entry in the associated Atlas Administration API key access list.
+  This rule detects when IP access list is disabled
+DisplayName: "MongoDB org membership restriction disabled"
+Enabled: true
+LogTypes:
+  - MongoDB.OrganizationEvent
+RuleID: "MongoDB.org.Membership.Restriction.Disabled"
+Filename: mongodb_org_membership_restriction_disabled.py
+Severity: High
+Reports:
+  MITRE ATT&CK:
+    - T1556 # Modify Authentication Process
+Reference: https://www.mongodb.com/docs/atlas/tutorial/manage-organizations/
+Runbook: Check if this activity is legitimate. If not, re-enable IP access list for the Atlas Administration API
+Tests:
+  - Name: Restriction disabled
+    ExpectedResult: true
+    Log:
+      {
+        "created": "2024-04-03 15:03:51.000000000",
+        "currentValue": {},
+        "eventTypeName": "ORG_PUBLIC_API_ACCESS_LIST_NOT_REQUIRED",
+        "id": "alert_id",
+        "isGlobalAdmin": false,
+        "orgId": "some_org_id",
+        "remoteAddress": "1.2.3.4",
+        "userId": "user_id",
+        "username": "some_user@company.com",
+      }
+  - Name: Restriction enabled
+    ExpectedResult: false
+    Log:
+      {
+        "created": "2024-04-03 15:03:51.000000000",
+        "currentValue": {},
+        "eventTypeName": "ORG_PUBLIC_API_ACCESS_LIST_REQUIRED",
+        "id": "alert_id",
+        "isGlobalAdmin": false,
+        "orgId": "some_org_id",
+        "remoteAddress": "1.2.3.4",
+        "userId": "user_id",
+        "username": "some_user@company.com",
+      }
+  - Name: Other activity
+    ExpectedResult: false
+    Log:
+      {
+        "alertConfigId": "alert_id",
+        "created": "2024-04-01 11:58:52.000000000",
+        "currentValue": {},
+        "eventTypeName": "ALERT_CONFIG_DELETED_AUDIT",
+        "id": "alert_id",
+        "isGlobalAdmin": false,
+        "links": [],
+        "orgId": "some_org_id",
+        "remoteAddress": "1.2.3.4",
+        "userId": "user_id",
+        "username": "some_user@company.com",
+      }
+DedupPeriodMinutes: 60
+Threshold: 1