microsoft graph passthrough (#530)

* microsoft graph passthrough * defaults Co-authored-by: Ed⁦ <ed.anderson@panther.io>
panther-labs · Oct 18, 2022 · 6941694 · 6941694
1 parent b2c68d9
commit 6941694
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 19 deletions.
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
@@ -315,3 +315,11 @@ def get_binding_deltas(event):
     if not binding_deltas:
         return []
     return binding_deltas
+
+
+def msft_graph_alert_context(event):
+    return {
+        "category": event.get("category", ""),
+        "description": event.get("description", ""),
+        "userstates": event.get("userstates", []),
+    }
diff --git a/rules/microsoft_graph/microsoft_graph_passthrough.py b/rules/microsoft_graph/microsoft_graph_passthrough.py
@@ -0,0 +1,22 @@
+def rule(event):
+    return event.get("status") == "newAlert"
+
+
+def title(event):
+    return f"Microsoft Graph Alert ({event.get('title')})"
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def severity(event):
+    return event.get("severity")
+
+
+def alert_context(event):
+    return {
+        "category": event.get("category"),
+        "description": event.get("description"),
+        "userstates": event.get("userstates", []),
+    }
diff --git a/rules/microsoft_graph/microsoft_graph_passthrough.yml b/rules/microsoft_graph/microsoft_graph_passthrough.yml
@@ -0,0 +1,87 @@
+AnalysisType: rule
+Description: Microsoft Graph has detected a security event.
+DisplayName: Microsoft Graph Passthrough
+Enabled: true
+Filename: microsoft_graph_passthrough.py
+Severity: Medium
+Tests:
+    - ExpectedResult: true
+      Log:
+        azuretenantid: 12345-abcde-a1b2k3
+        category: AnonymousLogin
+        createddatetime: "2022-08-04 14:31:48.438"
+        description: Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs)
+        eventdatetime: "2022-08-04 14:31:48.438"
+        id: abcd12345efghijk6789
+        lastmodifieddatetime: "2022-08-04 14:34:56.229"
+        severity: medium
+        status: newAlert
+        title: Anonymous IP address
+        userstates:
+            - aadUserId: 011d5ede-0faa-4946-a25e-b2cd0c47a52c
+              accountName: homer.simpson
+              domainName: corporation.onmicrosoft.com
+              emailRole: unknown
+              logonDateTime: "2022-08-04 14:31:48.438699700"
+              logonIp: 185.220.103.6
+              logonLocation: Brooklyn, New York, US
+              userPrincipalName: homer.simpson@corporation.onmicrosoft.com
+        vendorinformation:
+            provider: IPC
+            vendor: Microsoft
+      Name: Anonymous Login Event
+    - ExpectedResult: true
+      Log:
+        azuretenantid: abcdef-123456-ghijklmn
+        category: PasswordSpray
+        createddatetime: "2022-08-17 09:28:04.767"
+        description: Password spray attack detected
+        eventdatetime: "2022-08-16 14:22:00.698"
+        id: abcdefg-123456-hijklmno
+        lastmodifieddatetime: "2022-08-17 14:30:21.979"
+        severity: high
+        status: newAlert
+        title: Password Spray
+        userstates:
+            - aadUserId: abcdefg-123456-lmnop
+              accountName: homer.simpson
+              domainName: corporation.onmicrosoft.com
+              emailRole: unknown
+              logonDateTime: "2022-08-16 14:22:00.698619500"
+              logonIp: 109.70.100.21
+              logonLocation: San Francisco, CA
+              userPrincipalName: homer.simpson@corporation.onmicrosoft.com
+        vendorinformation:
+            provider: IPC
+            vendor: Microsoft
+      Name: Password Spray Event
+    - ExpectedResult: false
+      Log:
+        azuretenantid: abcdefg-12345
+        category: AnonymousLogin
+        createddatetime: "2022-09-12 19:54:13.725"
+        description: Sign-in from an anonymous IP address (e.g. Tor browser, anonymizer VPNs)
+        eventdatetime: "2022-09-12 19:54:13.725"
+        id: abcdefg12345hijklmnop
+        lastmodifieddatetime: "2022-09-12 19:56:57.833"
+        severity: high
+        status: resolved
+        title: Anonymous IP address
+        userstates:
+            - aadUserId: abcdefg1234
+              accountName: homer.simpson
+              domainName: corporation.onmicrosoft.com
+              emailRole: unknown
+              logonDateTime: "2022-09-12 19:54:13.725589800"
+              logonIp: 109.70.100.35
+              logonLocation: San Francisco, CA
+              userPrincipalName: homer.simpson@corporation.onmicrosoft.com
+        vendorinformation:
+            provider: IPC
+            vendor: Microsoft
+      Name: Resolved Event
+DedupPeriodMinutes: 60
+LogTypes:
+    - MicrosoftGraph.SecurityAlert
+RuleID: Microsoft.Graph.Passthrough
+Threshold: 1