From 37548857b6b23a8c08d4517f57e4135343727a32 Mon Sep 17 00:00:00 2001 From: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Date: Mon, 8 Apr 2024 20:09:49 +0300 Subject: [PATCH] Add MongoDB.Identity.Provider.Activity rule (#1202) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --- packs/mongodb.yml | 1 + .../mongodb_identity_provider_activity.py | 30 +++++++++++++++++++ .../mongodb_identity_provider_activity.yml | 25 ++++++++++++++++ 3 files changed, 56 insertions(+) create mode 100644 rules/mongodb_rules/mongodb_identity_provider_activity.py create mode 100644 rules/mongodb_rules/mongodb_identity_provider_activity.yml
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
index a0bab9927..b7843c4a5 100644
--- a/packs/mongodb.yml
+++ b/packs/mongodb.yml
@@ -11,6 +11,7 @@ PackDefinition: - MongoDB.User.Created.Or.Deleted - MongoDB.User.Roles.Changed - MongoDB.2FA.Disabled + - MongoDB.Identity.Provider.Activity - MongoDB.External.UserInvited.NoConfig # Globals - panther_base_helpers
diff --git a/rules/mongodb_rules/mongodb_identity_provider_activity.py b/rules/mongodb_rules/mongodb_identity_provider_activity.py
new file mode 100644
index 000000000..62e39c16d
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_identity_provider_activity.py
@@ -0,0 +1,30 @@
+from panther_mongodb_helpers import mongodb_alert_context
+
+
+def rule(event):
+ important_event_types = {
+ "FEDERATION_SETTINGS_CREATED",
+ "FEDERATION_SETTINGS_DELETED",
+ "FEDERATION_SETTINGS_UPDATED",
+ "IDENTITY_PROVIDER_CREATED",
+ "IDENTITY_PROVIDER_UPDATED",
+ "IDENTITY_PROVIDER_DELETED",
+ "IDENTITY_PROVIDER_ACTIVATED",
+ "IDENTITY_PROVIDER_DEACTIVATED",
+ "IDENTITY_PROVIDER_JWKS_REVOKED",
+ "OIDC_IDENTITY_PROVIDER_UPDATED",
+ "OIDC_IDENTITY_PROVIDER_ENABLED",
+ "OIDC_IDENTITY_PROVIDER_DISABLED",
+ }
+ return event.deep_get("eventTypeName") in important_event_types
+
+
+def title(event):
+ target_username = event.get("targetUsername", "")
+ org_id = event.get("orgId", "")
+
+ return f"MongoDB Atlas: User [{target_username}] roles changed in org [{org_id}]"
+
+
+def alert_context(event):
+ return mongodb_alert_context(event)
diff --git a/rules/mongodb_rules/mongodb_identity_provider_activity.yml b/rules/mongodb_rules/mongodb_identity_provider_activity.yml
new file mode 100644
index 000000000..28bc7c899
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_identity_provider_activity.yml
@@ -0,0 +1,25 @@
+AnalysisType: rule
+Description: "Changes to identity provider settings are privileged activities that should be carefully audited. Attackers may add or change IDP integrations to gain persistence to environments"
+DisplayName: "MongoDB Identity Provider Activity"
+Enabled: true
+Filename: mongodb_identity_provider_activity.py
+Severity: Medium
+Reference: https://attack.mitre.org/techniques/T1556/007/
+Tests:
+ - ExpectedResult: false
+ Log:
+ eventTypeName: cat_jumped
+ Name: Random event
+ - ExpectedResult: true
+ Log:
+ eventTypeName: FEDERATION_SETTINGS_CREATED
+ Name: FEDERATION_SETTINGS_CREATED
+ - ExpectedResult: true
+ Log:
+ eventTypeName: IDENTITY_PROVIDER_CREATED
+ Name: IDENTITY_PROVIDER_CREATED
+DedupPeriodMinutes: 60
+LogTypes:
+ - MongoDB.OrganizationEvent
+RuleID: "MongoDB.Identity.Provider.Activity"
+Threshold: 1
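Review bot: The `title()` in this hunk labels every alert as `roles changed in org […]`, which is the wording of the roles-changed rule rather than anything this rule matches, so a federation-settings or IdP change will reach responders mislabelled as a role change. It should name the matched event instead, e.g. `event_type = event.deep_get("eventTypeName", "")` followed by `return f"MongoDB Atlas: Identity provider event [{event_type}] in org [{org_id}]"`; `targetUsername` is only worth keeping if it is actually populated for these event types, which nothing here shows. If Panther dedups on the title by default (worth confirming), the current wording also folds distinct IdP changes in one org — say a creation and a later deactivation — into a single alert for the whole dedup window, whereas a title carrying the event type keeps them apart. As a point of style, `important_event_types` is rebuilt on every `rule()` call; hoisting it to a module-level `IMPORTANT_EVENT_TYPES` constant makes the watched set easy to find and review, and using `deep_get` in `title()` as `rule()` does would keep field access consistent.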
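Review bot: None of the test logs under `Tests:` carries `orgId` or `targetUsername`, so `title()` is only ever exercised with empty placeholders and a wrong or mismatched title string cannot be noticed by the test run. Adding `orgId` to at least one `ExpectedResult: true` case, and a case such as `eventTypeName: IDENTITY_PROVIDER_DEACTIVATED` or one of the `OIDC_` values, would cover the title path and the parts of the event-type set that the two positive cases do not touch.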