From 8da5bc92001f49af8a733883a96419896f73cd04 Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Mon, 1 Jul 2024 22:10:58 +0300
Subject: [PATCH] Threat-315 Wiz Alert Passthrough (#1251)
* THREAT-315 Wiz Alert passthrough
* THREAT-315 Wiz Alert passthrough
* THREAT-315 Wiz Alert passthrough - fix formatting
* THREAT-315 Wiz Alert passthrough - fix formatting
* THREAT-315 Wiz Alert passthrough - updated according to comments
---------
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 packs/wiz.yml | 7 ++
 rules/wiz_rules/wiz_alert_passthrough.py | 44 ++++++++
 rules/wiz_rules/wiz_alert_passthrough.yml | 126 ++++++++++++++++++++++
 3 files changed, 177 insertions(+)
 create mode 100644 packs/wiz.yml
 create mode 100644 rules/wiz_rules/wiz_alert_passthrough.py
 create mode 100644 rules/wiz_rules/wiz_alert_passthrough.yml
diff --git a/packs/wiz.yml b/packs/wiz.yml
new file mode 100644
index 000000000..d04e487ca
--- /dev/null
+++ b/packs/wiz.yml
@@ -0,0 +1,7 @@
+AnalysisType: pack
+PackID: PantherManaged.Wiz
+Description: Group of all Wiz detections
+DisplayName: "Panther Wiz Pack"
+PackDefinition:
+ IDs:
+ - Wiz.Alert.Passthrough
diff --git a/rules/wiz_rules/wiz_alert_passthrough.py b/rules/wiz_rules/wiz_alert_passthrough.py
new file mode 100644
index 000000000..c066530fc
--- /dev/null
+++ b/rules/wiz_rules/wiz_alert_passthrough.py
@@ -0,0 +1,44 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+ return event.get("status") == "OPEN"
+
+
+def title(event):
+ return (
+ f"[Wiz Alert]: "
+ f"{event.deep_get('sourceRule', 'name', default='ALERT_DESCRIPTION_NOT_FOUND')}"
+ )
+
+
+def severity(event):
+ return event.get("severity")
+
+
+def dedup(event):
+ return event.get("id")
+
+
+def description(event):
+ return event.deep_get("sourceRule", "controlDescription", default="")
+
+
+def runbook(event):
+ return event.deep_get(
+ "sourceRule", "resolutionRecommendation", default=""
+ )
+
+
+def alert_context(event):
+ security_subcategories = event.deep_get("sourceRule", "securitySubCategories", default=[{}])
+ return {
+ "id": event.get("id", ""),
+ "type": event.get("type", ""),
+ "entity_snapshot": event.get("entitySnapshot", {}),
+ "mitre_attack_categories": [
+ subcategory
+ for subcategory in security_subcategories
+ if deep_get(subcategory, "category", "framework", "name") == "MITRE ATT&CK Matrix"
+ ],
+ }
diff --git a/rules/wiz_rules/wiz_alert_passthrough.yml b/rules/wiz_rules/wiz_alert_passthrough.yml
new file mode 100644
index 000000000..84cf7191d
--- /dev/null
+++ b/rules/wiz_rules/wiz_alert_passthrough.yml
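Review bot: `severity` hands back `event.get("severity")` untouched, so any Wiz value outside Panther's accepted set, or a missing field (which yields None), would make the dynamic severity invalid and, as far as I can tell, drop the alert back to the static `Severity: Medium` rather than the level Wiz assigned. Wiz's own scale appears to include an informational level whose spelling differs from Panther's INFO, so an explicit mapping with a DEFAULT fallback is safer and also documents which values the passthrough understands. The same defensive reading applies to `alert_context`, where `deep_get(subcategory, ...)` assumes every `securitySubCategories` entry is a mapping; a short comment there noting that non-dict entries are expected to be skipped would help the next maintainer.
```python
# Wiz issue severity -> Panther severity. Anything unmapped (or a missing field)
# returns "DEFAULT" so the rule's static Severity applies instead of an invalid level.
# TODO(review): confirm the full set of values against Wiz's severity enum.
WIZ_SEVERITY_MAP = {
    "CRITICAL": "CRITICAL",
    "HIGH": "HIGH",
    "MEDIUM": "MEDIUM",
    "LOW": "LOW",
    "INFORMATIONAL": "INFO",
}


def severity(event):
    return WIZ_SEVERITY_MAP.get(str(event.get("severity", "")).upper(), "DEFAULT")

# … unchanged: rule, title, dedup, description, runbook, alert_context …
```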
@@ -0,0 +1,126 @@
+AnalysisType: rule
+RuleID: Wiz.Alert.Passthrough
+Description: This rule enriches and contextualizes security alerts generated by Wiz.
+DisplayName: Wiz Alert Passthrough Rule
+Runbook: Review the Wiz alert details to determine what malicious behavior was detected, and whether or not it was blocked.
+Reference: https://www.wiz.io/product
+Enabled: true
+Filename: wiz_alert_passthrough.py
+Severity: Medium
+LogTypes:
+ - Wiz.Issues
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: Open Alert
+ ExpectedResult: true
+ Log:
+ {
+ "createdAt": "2024-06-04 02:28:06.763277000",
+ "entitySnapshot": {
+ "cloudProviderURL": "",
+ "externalId": "someExternalId",
+ "id": "12345",
+ "name": "someName",
+ "nativeType": "",
+ "providerId": "someProviderId",
+ "region": "",
+ "resourceGroupExternalId": "",
+ "subscriptionExternalId": "",
+ "subscriptionName": "",
+ "tags": { },
+ "type": "DATA_FINDING"
+ },
+ "id": "54321",
+ "notes": [ ],
+ "projects": [
+ {
+ "businessUnit": "",
+ "id": "45678",
+ "name": "Project 2",
+ "riskProfile": {
+ "businessImpact": "MBI"
+ },
+ "slug": "project-2"
+ },
+ ],
+ "serviceTickets": [ ],
+ "severity": "HIGH",
+ "sourceRule": {
+ "__typename": "Control",
+ "controlDescription": "Alert Description",
+ "id": "12345",
+ "name": "Alert Name",
+ "resolutionRecommendation": "Alert Resolution Recommendation",
+ "securitySubCategories": [
+ {
+ "category": {
+ "framework": {
+ "name": "Wiz for Risk Assessment"
+ },
+ "name": "High Profile Threats"
+ },
+ "title": "High-profile vulnerability exploited in the wild"
+ },
+ {
+ "category": {
+ "framework": {
+ "name": "MITRE ATT&CK Matrix"
+ },
+ "name": "TA0001 Initial Access"
+ },
+ "title": "T1190 Exploit Public-Facing Application"
+ },
+ ]
+ },
+ "status": "OPEN",
+ "statusChangedAt": "2024-06-04 02:28:06.597355000",
+ "type": "TOXIC_COMBINATION",
+ "updatedAt": "2024-06-04 02:28:06.763277000"
+ }
+ - Name: Resolved Alert
+ ExpectedResult: false
+ Log:
+ {
+ "createdAt": "2024-06-04 02:28:06.763277000",
+ "entitySnapshot": {
+ "cloudProviderURL": "",
+ "externalId": "someExternalId",
+ "id": "12345",
+ "name": "someName",
+ "nativeType": "",
+ "providerId": "someProviderId",
+ "region": "",
+ "resourceGroupExternalId": "",
+ "subscriptionExternalId": "",
+ "subscriptionName": "",
+ "tags": { },
+ "type": "DATA_FINDING"
+ },
+ "id": "54321",
+ "notes": [ ],
+ "projects": [
+ {
+ "businessUnit": "",
+ "id": "45678",
+ "name": "Project 2",
+ "riskProfile": {
+ "businessImpact": "MBI"
+ },
+ "slug": "project-2"
+ },
+ ],
+ "serviceTickets": [ ],
+ "severity": "HIGH",
+ "sourceRule": {
+ "__typename": "Control",
+ "controlDescription": "Alert Description",
+ "id": "12345",
+ "name": "Alert Name",
+ "resolutionRecommendation": "Alert Resolution Recommendation"
+ },
+ "status": "RESOLVED",
+ "statusChangedAt": "2024-06-04 02:28:06.597355000",
+ "type": "TOXIC_COMBINATION",
+ "updatedAt": "2024-06-04 02:28:06.763277000"
+ }
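Review bot: The two test cases only pin the `rule()` outcome, and the one OPEN case carries `"severity": "HIGH"` plus a fully populated `securitySubCategories`, so the pass-through `severity()` and the missing-subcategories branch of `alert_context()` are never exercised on an event that actually alerts (the "Resolved Alert" case is the only one without `securitySubCategories`, and it returns false first). A third case such as `- Name: Open Alert Without Subcategories` with `ExpectedResult: true`, a `sourceRule` lacking `securitySubCategories` and a severity value outside Panther's set would cover both paths; if the test harness supports expected-severity or expected-alert-context assertions, add them there as well. Separately, `Reference: https://www.wiz.io/product` points at a product overview; a reference to Wiz's Issues documentation would be more useful to an analyst following the runbook.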