From 207b0fc9f94371e2abeada04021a036aa121e2fc Mon Sep 17 00:00:00 2001
From: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Date: Mon, 8 Apr 2024 20:05:54 +0300
Subject: [PATCH] Add MongoDB.External.UserInvited.NoConfig rule (#1191)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 packs/mongodb.yml | 1 +
 ...mongodb_external_user_invited_no_config.py | 24 ++++++++
 ...ongodb_external_user_invited_no_config.yml | 59 +++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 rules/mongodb_rules/mongodb_external_user_invited_no_config.py
 create mode 100644 rules/mongodb_rules/mongodb_external_user_invited_no_config.yml

diff --git a/packs/mongodb.yml b/packs/mongodb.yml
index 990e2fcb2..a0bab9927 100644
--- a/packs/mongodb.yml
+++ b/packs/mongodb.yml
@@ -11,6 +11,7 @@ PackDefinition:
     - MongoDB.User.Created.Or.Deleted
     - MongoDB.User.Roles.Changed
     - MongoDB.2FA.Disabled
+    - MongoDB.External.UserInvited.NoConfig
     # Globals
     - panther_base_helpers
     - panther_mongodb_helpers
diff --git a/rules/mongodb_rules/mongodb_external_user_invited_no_config.py b/rules/mongodb_rules/mongodb_external_user_invited_no_config.py
new file mode 100644
index 000000000..c84ebd315
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_external_user_invited_no_config.py
@@ -0,0 +1,24 @@
+from panther_mongodb_helpers import mongodb_alert_context
+
+
+def rule(event):
+    if event.deep_get("eventTypeName", default="") != "INVITED_TO_ORG":
+        return False
+
+    user_who_sent_an_invitation = event.deep_get("username", default="")
+    user_who_was_invited = event.deep_get("targetUsername", default="")
+    domain = user_who_sent_an_invitation.split("@")[-1]
+
+    email_domains_are_different = not user_who_was_invited.endswith(domain)
+    return email_domains_are_different
+
+
+def title(event):
+    actor = event.get("username", "")
+    target = event.get("targetUsername", "")
+    org_id = event.get("orgId", "")
+    return f"MongoDB Atlas: [{actor}] invited external user [{target}] to the org [{org_id}]"
+
+
+def alert_context(event):
+    return mongodb_alert_context(event)
diff --git a/rules/mongodb_rules/mongodb_external_user_invited_no_config.yml b/rules/mongodb_rules/mongodb_external_user_invited_no_config.yml
new file mode 100644
index 000000000..f914aab16
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_external_user_invited_no_config.yml
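Review bot: The internal/external decision in `rule` rests on `not user_who_was_invited.endswith(domain)`, which is a bare suffix match: an invitee at a look-alike domain that merely ends with the inviter's domain (e.g. `someone@notcompany.com` against `company.com`, constructed) is classified as internal and never alerts, and when `username` is absent `domain` becomes `""`, `endswith("")` is always true, and the rule goes silent for every invite. Compare the full domain after the last `@` on both sides, case-folded, and decide explicitly what to do when either address has no `@` (the rewrite below returns False there, which keeps the "no config" heuristic quiet on malformed input; alerting instead is defensible if you prefer fail-loud). The same rewrite covers the case-sensitivity gap, since `Company.com` and `company.com` currently compare unequal. Separately, `title` reads `event.get` while `rule` uses `event.deep_get` for the same top-level keys; pick one for consistency.
```python
def rule(event):
    if event.deep_get("eventTypeName", default="") != "INVITED_TO_ORG":
        return False

    inviter = event.deep_get("username", default="")
    invited = event.deep_get("targetUsername", default="")
    # Compare the whole domain after the last "@" rather than a string suffix,
    # so look-alike domains (constructed: notcompany.com vs company.com) are
    # not mistaken for internal addresses.
    if "@" not in inviter or "@" not in invited:
        return False
    inviter_domain = inviter.rpartition("@")[2].casefold()
    invited_domain = invited.rpartition("@")[2].casefold()
    return invited_domain != inviter_domain

# … unchanged: title, alert_context …
```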
@@ -0,0 +1,59 @@
+AnalysisType: rule
+Description: "An external user has been invited to a MongoDB org (no config)."
+DisplayName: "MongoDB External User Invited (no config)"
+Enabled: true
+Filename: mongodb_external_user_invited_no_config.py
+Severity: High
+Reference: https://www.mongodb.com/docs/v4.2/tutorial/create-users/
+Tests:
+  - ExpectedResult: false
+    Log:
+      created: "2023-06-07 16:57:55"
+      currentValue: {}
+      eventTypeName: INVITED_TO_ORG
+      id: 6480b7139bd8a012345ABCDE
+      isGlobalAdmin: false
+      links:
+        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+          rel: self
+      orgId: 12345xyzlmnce4f17d6e8e130
+      p_event_time: "2023-06-07 16:57:55"
+      p_log_type: MongoDB.OrganizationEvent
+      p_parse_time: "2023-06-07 17:04:42.59"
+      p_row_id: ea276b16216684d9e198c0d0188a3d
+      p_schema_version: 0
+      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+      p_source_label: MongoDB
+      remoteAddress: 1.2.3.4
+      targetUsername: insider@company.com
+      userId: 647f654f93bebc69123abc1
+      username: user@company.com
+    Name: Internal Invite
+  - ExpectedResult: true
+    Log:
+      created: "2023-06-07 16:57:55"
+      currentValue: {}
+      eventTypeName: INVITED_TO_ORG
+      id: 6480b7139bd8a012345ABCDE
+      isGlobalAdmin: false
+      links:
+        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+          rel: self
+      orgId: 12345xyzlmnce4f17d6e8e130
+      p_event_time: "2023-06-07 16:57:55"
+      p_log_type: MongoDB.OrganizationEvent
+      p_parse_time: "2023-06-07 17:04:42.59"
+      p_row_id: ea276b16216684d9e198c0d0188a3d
+      p_schema_version: 0
+      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+      p_source_label: MongoDB
+      remoteAddress: 1.2.3.4
+      targetUsername: outsider@other.com
+      userId: 647f654f93bebc69123abc1
+      username: user@company.com
+    Name: External User Invite
+DedupPeriodMinutes: 60
+LogTypes:
+  - MongoDB.OrganizationEvent
+RuleID: "MongoDB.External.UserInvited.NoConfig"
+Threshold: 1
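Review bot: The two fixtures only exercise an exact-domain match (`insider@company.com`) and an unrelated domain (`outsider@other.com`), so the boundary that matters for this detection is untested: add a case with `targetUsername: outsider@notcompany.com` (constructed) and `ExpectedResult: true`, and one where the inviter's domain differs only in case with `ExpectedResult: false`, so the rule's domain comparison is pinned rather than assumed. The `Reference` URL points at the self-hosted v4.2 "create users" tutorial, which does not appear to describe Atlas organization invitations; a link to the Atlas organization-access documentation seems a better fit for an `INVITED_TO_ORG` rule. Both fixtures also reuse identical `id`, `p_row_id` and timestamp values; varying them per test keeps the cases distinguishable in output without changing what they assert.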