diff --git a/rules/dropbox_rules/dropbox_linked_team_application_added.py b/rules/dropbox_rules/dropbox_linked_team_application_added.py new file mode 100644 index 000000000..74dce17e4 --- /dev/null +++ b/rules/dropbox_rules/dropbox_linked_team_application_added.py @@ -0,0 +1,76 @@ +from panther_base_helpers import deep_get + + +def rule(event): + return all( + [ + deep_get(event, "event_type", "_tag", default="") == "app_link_team", + deep_get(event, "event_type", "description", default="") == "Linked app for team", + ] + ) + + +def severity(event): + # Anything involving non-team members should be High + if event.get("involve_non_team_member", False): + return "High" + return "Low" + + +def get_actor_type(): + return ( + # Admin who performed the action + "admin", + # Anonymous actor + "anonymous", + # Application that performed the action + "app", + # Action performed by Dropbox + "dropbox", + # Action performed by reseller + "reseller", + # User who performed the action + "user", + ) + + +def title(event): + # This will be one of the types returned by get_actor_type; + # find the intersection and use that for the key + actor_key = set(tuple(event.get("actor", {}).keys())).intersection(get_actor_type()) + if len(actor_key) == 1: + display_name = deep_get( + event, "actor", tuple(actor_key)[0], "display_name", default="" + ) + # Explicitly use "" if we find any length of keys != 1 + else: + display_name = "" + return f"Dropbox Team Member Linked App by [{display_name}]" + + +def user_details(event): + details = {} + for actor_key, actor_value in event.get("actor", {}).items(): + if actor_key == "_tag": + continue + for user_key, user_info in actor_value.items(): + if user_key in ("_tag", "display_name"): + continue + details[user_key] = user_info + return details + + +def alert_context(event): + additional_user_details = user_details(event) + return { + "additional_user_details": additional_user_details, + "app_display_name": deep_get( + event, "details", "app_info", "display_name", default="" + ), + "ip_address": deep_get( + event, "origin", "geo_location", "ip_address", default="" + ), + "request_id": deep_get( + event, "origin", "access_method", "request_id", default="" + ), + } diff --git a/rules/dropbox_rules/dropbox_linked_team_application_added.yml b/rules/dropbox_rules/dropbox_linked_team_application_added.yml new file mode 100644 index 000000000..912c62b61 --- /dev/null +++ b/rules/dropbox_rules/dropbox_linked_team_application_added.yml @@ -0,0 +1,123 @@ +AnalysisType: rule +Description: An application was linked to your Dropbox Account +DisplayName: Dropbox Linked Team Application Added +Enabled: true +Filename: dropbox_linked_team_application_added.py +Reference: Ensure that the application is valid and not malicious +Runbook: > + Verify that this is expected. If not, determine other actions taken by this user recently and reach out to the user. + If the event involved a non-team member, consider disabling the user's access while investigating. +Severity: Low +Tags: + - dropbox +Tests: + - ExpectedResult: true + Log: + actor: + _tag: user + user: + _tag: team_member + account_id: dbid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: user_name + email: user@domain.com + team_member_id: dbmid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + context: + _tag: team + details: + .tag: app_link_team_details + app_info: + .tag: team_linked_app + app_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: dropbox-app-name + event_category: + _tag: apps + event_type: + _tag: app_link_team + description: Linked app for team + involve_non_team_member: false + origin: + access_method: + .tag: api + request_id: dbarod:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + geo_location: + city: Los Angeles + country: US + ip_address: 1.2.3.4 + region: California + timestamp: "2023-02-16 20:39:34" + Name: App linked for team is LOW severity + - ExpectedResult: false + Log: + actor: + _tag: user + user: + _tag: team_member + account_id: dbid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: user_name + email: user@domain.com + team_member_id: dbmid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + context: + _tag: team + details: + .tag: app_link_member_details + app_info: + .tag: member_linked_app + app_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: personal-dropbox-app-name + event_category: + _tag: apps + event_type: + _tag: app_link_member + description: Linked app for member + involve_non_team_member: false + origin: + access_method: + .tag: api + request_id: dbarod:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + geo_location: + city: Los Angeles + country: US + ip_address: 1.2.3.4 + region: California + timestamp: "2023-02-16 20:39:34" + Name: A non-team linked event does not alert + - ExpectedResult: true + Log: + actor: + _tag: user + user: + _tag: team_member + account_id: dbid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: user_name + email: user@domain.com + team_member_id: dbmid:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + context: + _tag: team + details: + .tag: app_link_team_details + app_info: + .tag: team_linked_app + app_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + display_name: dropbox-app-name + event_category: + _tag: apps + event_type: + _tag: app_link_team + description: Linked app for team + involve_non_team_member: true + origin: + access_method: + .tag: api + request_id: dbarod:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + geo_location: + city: Los Angeles + country: US + ip_address: 1.2.3.4 + region: California + timestamp: "2023-02-16 20:39:34" + Name: App linked for team involving non-team member is HIGH severity +DedupPeriodMinutes: 60 +LogTypes: + - Dropbox.TeamEvent +RuleID: Dropbox.Linked.Team.Application.Added +Threshold: 1