From c13c5fdbceed69d6d60675d0f957db9f7955e2a4 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Tue, 14 Jan 2025 09:07:50 -0700 Subject: [PATCH] Prepare for v3.70.0 (#1470) 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: geoffg-sentry <165922362+geoffg-sentry@users.noreply.github.com> --- .github/workflows/check-deprecated.yml | 2 +- .github/workflows/check-mitre.yml | 2 +- .github/workflows/check-packs.yml | 2 +- .github/workflows/docker.yml | 6 +- .github/workflows/lint.yml | 2 +- .github/workflows/pre-release-upload.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 4 +- .github/workflows/upload.yml | 2 +- .github/workflows/validate.yml | 2 +- .scripts/deleted_rules.py | 2 +- global_helpers/global_helpers_test.py | 2 +- global_helpers/panther_base_helpers.py | 139 ++++- global_helpers/panther_base_helpers_old.py | 310 ++++++++++ global_helpers/panther_base_helpers_old.yml | 7 + global_helpers/panther_default.py | 36 ++ global_helpers/panther_default.yml | 7 + global_helpers/panther_iocs.py | 13 + global_helpers/panther_oss_helpers.py | 177 ++++++ global_helpers/panther_oss_helpers.yml | 7 + lookup_tables/ipinfo/ipinfo_asn.yml | 46 +- lookup_tables/ipinfo/ipinfo_asn_datalake.yml | 46 +- lookup_tables/ipinfo/ipinfo_location.yml | 46 +- .../ipinfo/ipinfo_location_datalake.yml | 46 +- lookup_tables/ipinfo/ipinfo_privacy.yml | 46 +- .../ipinfo/ipinfo_privacy_datalake.yml | 46 +- lookup_tables/tor/tor_exit_nodes.yml | 47 +- packs/auth0.yml | 1 + packs/aws.yml | 1 + packs/aws_cis.yml | 1 + packs/azure_signin.yml | 1 + packs/box.yml | 1 + packs/cloudflare.yml | 1 + packs/credential_security.yml | 1 + packs/crowdstrike.yml | 1 + packs/crowdstrike_event_streams.yml | 1 + packs/gcp_audit.yml | 1 + packs/gcp_k8.yml | 1 + packs/github.yml | 1 + packs/gravitational_teleport.yml | 1 + packs/gsuite_reports.yml | 1 + packs/ipinfo.yml | 1 + packs/msft_graph.yml | 1 + packs/notion.yml | 1 + 
packs/okta.yml | 1 + packs/onelogin.yml | 1 + packs/panther_legacy_helpers.yml | 16 + packs/standard_ruleset.yml | 1 + packs/tor.yml | 1 + packs/wiz.yml | 1 + packs/zoom.yml | 1 + packs/zscaler_zia.yml | 1 + .../aws_s3_access_ip_allowlist.py | 16 +- .../aws_s3_access_ip_allowlist.yml | 3 + .../github_repo_ruleset_modified.py | 49 ++ .../github_repo_ruleset_modified.yml | 251 ++++++++ ...ta_new_behavior_accessing_admin_console.py | 16 +- ...a_new_behavior_accessing_admin_console.yml | 566 ++++++++++-------- 58 files changed, 1479 insertions(+), 511 deletions(-) create mode 100644 global_helpers/panther_base_helpers_old.py create mode 100644 global_helpers/panther_base_helpers_old.yml create mode 100644 global_helpers/panther_default.py create mode 100644 global_helpers/panther_default.yml create mode 100644 global_helpers/panther_oss_helpers.py create mode 100644 global_helpers/panther_oss_helpers.yml create mode 100644 packs/panther_legacy_helpers.yml create mode 100644 rules/github_rules/github_repo_ruleset_modified.py create mode 100644 rules/github_rules/github_repo_ruleset_modified.yml diff --git a/.github/workflows/check-deprecated.yml b/.github/workflows/check-deprecated.yml index 2500a495c..1e050ea0a 100644 --- a/.github/workflows/check-deprecated.yml +++ b/.github/workflows/check-deprecated.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/check-mitre.yml b/.github/workflows/check-mitre.yml index eb0b491ba..e49877ac5 100644 --- a/.github/workflows/check-mitre.yml +++ b/.github/workflows/check-mitre.yml 
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
 with:
 disable-sudo: true
 egress-policy: block
diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml
index 95f45b8c5..5c0f03fcf 100644
--- a/.github/workflows/check-packs.yml
+++ b/.github/workflows/check-packs.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
 with:
 disable-sudo: true
 egress-policy: block
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 61ecaf913..6b4282db2 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,7 +11,7 @@ jobs:
 name: Build Dockerfile
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
 with:
 disable-sudo: true
 egress-policy: block
@@ -28,10 +28,10 @@ jobs:
 www.python.org:443
 - name: Checkout panther-analysis
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
+ - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a #v3.3.0
 - name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
+ uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 - name: Build Image
 run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
 - name: Test Image
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e6adab1f3..88d213723 100644
--- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/pre-release-upload.yml b/.github/workflows/pre-release-upload.yml index 5592f1886..8a6c79718 100644 --- a/.github/workflows/pre-release-upload.yml +++ b/.github/workflows/pre-release-upload.yml @@ -14,7 +14,7 @@ jobs: API_HOST: ${{ secrets.GA_API_HOST }} API_TOKEN: ${{ secrets.GA_API_TOKEN }} steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1df3dd362..e3f5fa2dd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }} steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8ba457686..f827c7747 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,7 +10,7 @@ jobs: name: Test runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: audit 
@@ -41,7 +41,7 @@ jobs: API_HOST: ${{ secrets.API_HOST }} API_TOKEN: ${{ secrets.API_TOKEN }} steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml index 5ccabafb3..e4c34f5db 100644 --- a/.github/workflows/upload.yml +++ b/.github/workflows/upload.yml @@ -14,7 +14,7 @@ jobs: API_HOST: ${{ secrets.API_HOST }} API_TOKEN: ${{ secrets.API_TOKEN }} steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 288e7caf7..4f095841d 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -14,7 +14,7 @@ jobs: API_HOST: ${{ secrets.API_HOST }} API_TOKEN: ${{ secrets.API_TOKEN }} steps: - - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit - name: Validate Secrets diff --git a/.scripts/deleted_rules.py b/.scripts/deleted_rules.py index c7c4d2cc7..382247e27 100644 --- a/.scripts/deleted_rules.py +++ b/.scripts/deleted_rules.py @@ -10,7 +10,7 @@ import panther_analysis_tool.command.bulk_delete as pat_delete import panther_analysis_tool.util as pat_util -diff_pattern = re.compile(r'^-(?:RuleID|PolicyID|QueryName):\s*"?([\w.]+)"?') +diff_pattern = re.compile(r'^-(?:RuleID|PolicyID|QueryName):\s*"?(.+?)["\n]') def get_deleted_ids() -> set[str]: diff --git a/global_helpers/global_helpers_test.py b/global_helpers/global_helpers_test.py index f57b725b8..099ee87f3 100755 --- a/global_helpers/global_helpers_test.py 
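Review bot: The new `diff_pattern` requires a closing `"` or a literal newline after the lazy `(.+?)`, so an unquoted id on a line that has already lost its newline (for example after `splitlines()`) no longer matches, whereas the old `[\w.]+` form did; which case applies depends on how `get_deleted_ids` feeds text to the pattern, and that body lies outside the hunk. If the diff is matched line by line, anchor the terminator to the end of the string instead, e.g. `re.compile(r'^-(?:RuleID|PolicyID|QueryName):\s*"?(.+?)"?\s*$')`; if it runs over the whole diff text, keep `$` and add `re.MULTILINE`. Because the ids this pattern yields feed a bulk delete, a missed or over-captured id silently changes the deletion set, so a small test with one quoted and one unquoted id would pin the intended behaviour.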
+++ b/global_helpers/global_helpers_test.py @@ -2429,7 +2429,7 @@ def test_pantherflow_investigation(self): event = ImmutableCaseInsensitiveDict(event) query = """union panther_signals.public.correlation_signals , panther_logs.public.aws_cloudtrail -| where p_event_time between datetime('2024-11-25 15:00:21.000000') - time.parse_timespan('30m') .. datetime('2024-11-25 15:00:21.000000') + time.parse_timespan('30m') +| where p_event_time between time.parse_timestamp('2024-11-25 15:00:21.000000') - time.parse_timespan('30m') .. time.parse_timestamp('2024-11-25 15:00:21.000000') + time.parse_timespan('30m') | where arrays.overlap(p_any_ip_addresses, ['12.34.56.78']) or arrays.overlap(p_any_trace_ids, ['ASIAQWERTYUIOPASDFGH']) or arrays.overlap(p_any_actor_ids, ['AROAQWERTYUIOPASDFGH', 'AROAQWERTYUIOPASDFGH:bob.ross']) diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index 4f3260939..e2c2b1253 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py @@ -9,6 +9,7 @@ from ipaddress import ip_address, ip_network from typing import Any, List, Optional, Sequence, Union +import panther_base_helpers_old from dateutil import parser # # # # # # # # # # # # # # @@ -338,7 +339,7 @@ def pantherflow_investigation(event, interval="30m"): query = f"""union panther_signals.public.correlation_signals , panther_logs.public.{logtype} -| where p_event_time between datetime('{timestamp}') - time.parse_timespan('{interval}') .. datetime('{timestamp}') + time.parse_timespan('{interval}') +| where p_event_time between time.parse_timestamp('{timestamp}') - time.parse_timespan('{interval}') .. time.parse_timestamp('{timestamp}') + time.parse_timespan('{interval}') """ first = True 
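Review bot: `interval` is interpolated straight into the single-quoted `time.parse_timespan('{interval}')` literal with no validation, and the same is true of `{timestamp}`, so a malformed value produces a query that only fails when someone runs it; `pantherflow_investigation`'s body starts above this hunk, so where `timestamp` is derived is not visible here. Since the hunk only builds and returns the query string, a cheap guard is enough: reject an `interval` that does not look like a timespan before formatting (a fullmatch against a digits-plus-unit pattern, adjusted to whatever grammar `parse_timespan` accepts) and state the accepted forms in the docstring. The switch from `datetime(...)` to `time.parse_timestamp(...)` is mirrored in `global_helpers_test.py`; a second test passing a non-default `interval` would cover the interpolation as well.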
@@ -352,3 +353,139 @@ def pantherflow_investigation(event, interval="30m"): query += "| sort p_event_time" return query + + +# panther_base_helpers.GSUITE_PARAMETER_VALUES is DEPRECATED!!! +# Instead use panther_gsuite_helpers.GSUITE_PARAMETER_VALUES +GSUITE_PARAMETER_VALUES = panther_base_helpers_old.GSUITE_PARAMETER_VALUES + + +def gsuite_parameter_lookup(parameters, key): + """Global `gsuite_parameter_lookup` is DEPRECATED. + Instead, use `from panther_gsuite_helpers import gsuite_parameter_lookup`.""" + return panther_base_helpers_old.gsuite_parameter_lookup(parameters, key) + + +def gsuite_details_lookup(detail_type, detail_names, event): + """Global `gsuite_details_lookup` is DEPRECATED. + Instead, use `from panther_gsuite_helpers import gsuite_details_lookup`.""" + return panther_base_helpers_old.gsuite_details_lookup(detail_type, detail_names, event) + + +# panther_base_helpers.ZENDESK_CHANGE_DESCRIPTION is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_CHANGE_DESCRIPTION +ZENDESK_CHANGE_DESCRIPTION = panther_base_helpers_old.ZENDESK_CHANGE_DESCRIPTION +# panther_base_helpers.ZENDESK_APP_ROLE_ASSIGNED is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_APP_ROLE_ASSIGNED +ZENDESK_APP_ROLE_ASSIGNED = panther_base_helpers_old.ZENDESK_APP_ROLE_ASSIGNED +# panther_base_helpers.ZENDESK_ROLE_ASSIGNED is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_ROLE_ASSIGNED +ZENDESK_ROLE_ASSIGNED = panther_base_helpers_old.ZENDESK_ROLE_ASSIGNED + + +def zendesk_get_roles(event): + """Global `zendesk_get_roles` is DEPRECATED. + Instead, use `from panther_zendesk_helpers import zendesk_get_roles`.""" + return panther_base_helpers_old.zendesk_get_roles(event) + + +def box_parse_additional_details(event: dict): + """Global `box_parse_additional_details` is DEPRECATED. 
+ Instead, use `from panther_box_helpers import box_parse_additional_details`.""" + return panther_base_helpers_old.box_parse_additional_details(event) + + +def okta_alert_context(event: dict): + """Global `okta_alert_context` is DEPRECATED. + Instead, use `from panther_okta_helpers import okta_alert_context`.""" + return panther_base_helpers_old.okta_alert_context(event) + + +def crowdstrike_detection_alert_context(event: dict): + """Global `crowdstrike_detection_alert_context` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_detection_alert_context`. + """ + return panther_base_helpers_old.crowdstrike_detection_alert_context(event) + + +def crowdstrike_process_alert_context(event: dict): + """Global `crowdstrike_process_alert_context` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_process_alert_context`. + """ + return panther_base_helpers_old.crowdstrike_process_alert_context(event) + + +def crowdstrike_network_detection_alert_context(event: dict): + """Global `crowdstrike_network_detection_alert_context` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers + import crowdstrike_network_detection_alert_context`. + """ + return panther_base_helpers_old.crowdstrike_network_detection_alert_context(event) + + +def filter_crowdstrike_fdr_event_type(event, name: str) -> bool: + """Global `filter_crowdstrike_fdr_event_type` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import filter_crowdstrike_fdr_event_type`. + """ + return panther_base_helpers_old.filter_crowdstrike_fdr_event_type(event, name) + + +def get_crowdstrike_field(event, field_name, default=None): + """Global `get_crowdstrike_field` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import get_crowdstrike_field`. 
+ """ + return panther_base_helpers_old.get_crowdstrike_field(event, field_name, default) + + +def slack_alert_context(event): + """Global `slack_alert_context` is DEPRECATED. + Instead, use `from panther_slack_helpers import slack_alert_context`.""" + return panther_base_helpers_old.slack_alert_context(event) + + +def github_alert_context(event): + """Global `github_alert_context` is DEPRECATED. + Instead, use `from panther_github_helpers import github_alert_context`.""" + return panther_base_helpers_old.github_alert_context(event) + + +def aws_strip_role_session_id(user_identity_arn): + """Global `aws_strip_role_session_id` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_strip_role_session_id`.""" + return panther_base_helpers_old.aws_strip_role_session_id(user_identity_arn) + + +def aws_rule_context(event: dict): + """Global `aws_rule_context` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_rule_context`.""" + return panther_base_helpers_old.aws_rule_context(event) + + +def aws_guardduty_context(event: dict): + """Global `aws_guardduty_context` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_guardduty_context`.""" + return panther_base_helpers_old.aws_guardduty_context(event) + + +def eks_panther_obj_ref(event): + """Global `eks_panther_obj_ref` is DEPRECATED. + Instead, use `from panther_aws_helpers import eks_panther_obj_ref`.""" + return panther_base_helpers_old.eks_panther_obj_ref(event) + + +def get_binding_deltas(event): + """Global `get_binding_deltas` is DEPRECATED. + Instead, use `from panther_gcp_helpers import get_binding_deltas`.""" + return panther_base_helpers_old.get_binding_deltas(event) + + +def msft_graph_alert_context(event): + """Global `msft_graph_alert_context` is DEPRECATED. 
+ Instead, use `from panther_msft_helpers import msft_graph_alert_context`.""" + return panther_base_helpers_old.msft_graph_alert_context(event) + + +def m365_alert_context(event): + """Global `m365_alert_context` is DEPRECATED. + Instead, use `from panther_msft_helpers import m365_alert_context`.""" + return panther_base_helpers_old.m365_alert_context(event) diff --git a/global_helpers/panther_base_helpers_old.py b/global_helpers/panther_base_helpers_old.py new file mode 100644 index 000000000..d7d264844 --- /dev/null +++ b/global_helpers/panther_base_helpers_old.py 
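Review bot: The deprecation of these shims exists only in docstrings; nothing at runtime tells a rule author that `gsuite_parameter_lookup`, `okta_alert_context` and the rest now forward to `panther_base_helpers_old` and will go away, and the docstrings omit the removal date that `panther_base_helpers_old.yml` states (March 1, 2025). If the detection runtime surfaces Python warnings in its logs, a single module-level `warnings.warn("panther_base_helpers legacy shims are deprecated and will be removed on March 1, 2025", DeprecationWarning)` after the new import would give that signal; independently of that, adding the date to each shim's docstring makes it visible where the function is looked up. The same applies to the shim modules added in `panther_default.py`, `panther_iocs.py` and `panther_oss_helpers.py`.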
@@ -0,0 +1,310 @@ +import json +import re + +# panther_base_helpers_old.GSUITE_PARAMETER_VALUES is DEPRECATED!!! +# Instead use panther_gsuite_helpers.GSUITE_PARAMETER_VALUES +GSUITE_PARAMETER_VALUES = [ + "value", + "intValue", + "boolValue", + "multiValue", + "multiIntValue", + "messageValue", + "multiMessageValue", +] + + +def gsuite_parameter_lookup(parameters, key): + """Global `gsuite_parameter_lookup` is DEPRECATED. + Instead, use `from panther_gsuite_helpers import gsuite_parameter_lookup`.""" + for param in parameters: + if param["name"] != key: + continue + for value in GSUITE_PARAMETER_VALUES: + if value in param: + return param[value] + return None + return None + + +def gsuite_details_lookup(detail_type, detail_names, event): + """Global `gsuite_details_lookup` is DEPRECATED. + Instead, use `from panther_gsuite_helpers import gsuite_details_lookup`.""" + for details in event.get("events", {}): + if details.get("type") == detail_type and details.get("name") in detail_names: + return details + # not found, return empty dict + return {} + + +# panther_base_helpers_old.ZENDESK_CHANGE_DESCRIPTION is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_CHANGE_DESCRIPTION +ZENDESK_CHANGE_DESCRIPTION = "change_description" +# panther_base_helpers_old.ZENDESK_APP_ROLE_ASSIGNED is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_APP_ROLE_ASSIGNED +ZENDESK_APP_ROLE_ASSIGNED = re.compile( + r"(?P.*) role changed from (?P.+) to (?P.*)", re.IGNORECASE +) +# panther_base_helpers_old.ZENDESK_ROLE_ASSIGNED is DEPRECATED!!! +# Instead use panther_zendesk_helpers.ZENDESK_ROLE_ASSIGNED +ZENDESK_ROLE_ASSIGNED = re.compile( + r"Role changed from (?P.+) to (?P[^$]+)", re.IGNORECASE +) + + +def zendesk_get_roles(event): + """Global `zendesk_get_roles` is DEPRECATED. 
+ Instead, use `from panther_zendesk_helpers import zendesk_get_roles`.""" + old_role = "" + new_role = "" + role_change = event.get(ZENDESK_CHANGE_DESCRIPTION, "") + if "\n" in role_change: + for app_change in role_change.split("\n"): + matches = ZENDESK_APP_ROLE_ASSIGNED.match(app_change) + if matches: + if old_role: + old_role += " ; " + old_role += matches.group("app") + ":" + matches.group("old_role") + if new_role: + new_role += " ; " + new_role += matches.group("app") + ":" + matches.group("new_role") + else: + matches = ZENDESK_ROLE_ASSIGNED.match(role_change) + if matches: + old_role = matches.group("old_role") + new_role = matches.group("new_role") + if not old_role: + old_role = ":" + if not new_role: + new_role = ":" + return old_role, new_role + + +def box_parse_additional_details(event: dict): + """Global `box_parse_additional_details` is DEPRECATED. + Instead, use `from panther_box_helpers import box_parse_additional_details`.""" + additional_details = event.get("additional_details", {}) + if isinstance(additional_details, (str, bytes)): + try: + return json.loads(additional_details) + except ValueError: + return {} + return additional_details + + +def okta_alert_context(event: dict): + """Global `okta_alert_context` is DEPRECATED. + Instead, use `from panther_okta_helpers import okta_alert_context`.""" + return { + "event_type": event.get("eventtype", ""), + "severity": event.get("severity", ""), + "actor": event.get("actor", {}), + "client": event.get("client", {}), + "request": event.get("request", {}), + "outcome": event.get("outcome", {}), + "target": event.get("target", []), + "debug_context": event.get("debugcontext", {}), + "authentication_context": event.get("authenticationcontext", {}), + "security_context": event.get("securitycontext", {}), + "ips": event.get("p_any_ip_addresses", []), + } + + +def crowdstrike_detection_alert_context(event: dict): + """Global `crowdstrike_detection_alert_context` is DEPRECATED. 
+ Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_detection_alert_context`. + """ + return { + "aid": get_crowdstrike_field(event, "aid", default=""), + "user": get_crowdstrike_field(event, "UserName", default=""), + "console-link": get_crowdstrike_field(event, "FalconHostLink", default=""), + "commandline": get_crowdstrike_field(event, "CommandLine", default=""), + "parentcommandline": get_crowdstrike_field(event, "ParentCommandLine", default=""), + "filename": get_crowdstrike_field(event, "FileName", default=""), + "filepath": get_crowdstrike_field(event, "FilePath", default=""), + "description": get_crowdstrike_field(event, "DetectDescription", default=""), + "action": get_crowdstrike_field(event, "PatternDispositionDescription", default=""), + } + + +def crowdstrike_process_alert_context(event: dict): + """Global `crowdstrike_process_alert_context` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_process_alert_context`. + """ + return { + "aid": get_crowdstrike_field(event, "aid", default=""), + "CommandLine": get_crowdstrike_field(event, "CommandLine", default=""), + "TargetProcessId": get_crowdstrike_field(event, "TargetProcessId", default=""), + "RawProcessId": get_crowdstrike_field(event, "RawProcessId", default=""), + "ParentBaseFileName": get_crowdstrike_field(event, "ParentBaseFileName", default=""), + "ParentProcessId": get_crowdstrike_field(event, "ParentProcessId", default=""), + "ImageFileName": get_crowdstrike_field(event, "ImageFileName", default=""), + "SHA256Hash": get_crowdstrike_field(event, "SHA256HashData", default=""), + "platform": get_crowdstrike_field(event, "event_platform", default=""), + } + + +def crowdstrike_network_detection_alert_context(event: dict): + """Global `crowdstrike_network_detection_alert_context` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers + import crowdstrike_network_detection_alert_context`. 
+ """ + return { + "LocalAddressIP4": get_crowdstrike_field(event, "LocalAddressIP4", default=""), + "LocalPort": get_crowdstrike_field(event, "LocalPort", default=""), + "RemoteAddressIP4": get_crowdstrike_field(event, "RemoteAddressIP4", default=""), + "RemotePort": get_crowdstrike_field(event, "RemotePort", default=""), + "Protocol": get_crowdstrike_field(event, "Protocol", default=""), + "event_simpleName": get_crowdstrike_field(event, "event_simpleName", default=""), + "aid": get_crowdstrike_field(event, "aid", default=""), + "ContextProcessId": get_crowdstrike_field(event, "ContextProcessId", default=""), + } + + +def filter_crowdstrike_fdr_event_type(event, name: str) -> bool: + """Global `filter_crowdstrike_fdr_event_type` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import filter_crowdstrike_fdr_event_type`. + """ + if event.get("p_log_type") != "Crowdstrike.FDREvent": + return False + return event.get("fdr_event_type", "") != name + + +def get_crowdstrike_field(event, field_name, default=None): + """Global `get_crowdstrike_field` is DEPRECATED. + Instead, use `from panther_crowdstrike_fdr_helpers import get_crowdstrike_field`. + """ + return ( + event.deep_get(field_name) + or event.deep_get("event", field_name) + or event.deep_get("unknown_payload", field_name) + or default + ) + + +def slack_alert_context(event): + """Global `slack_alert_context` is DEPRECATED. + Instead, use `from panther_slack_helpers import slack_alert_context`.""" + return { + "actor-name": event.deep_get("actor", "user", "name", default=""), + "actor-email": event.deep_get("actor", "user", "email", default=""), + "actor-ip": event.deep_get("context", "ip_address", default=""), + "user-agent": event.deep_get("context", "ua", default=""), + } + + +def github_alert_context(event): + """Global `github_alert_context` is DEPRECATED. 
+ Instead, use `from panther_github_helpers import github_alert_context`.""" + return { + "action": event.get("action", ""), + "actor": event.get("actor", ""), + "actor_location": event.deep_get("actor_location", "country_code"), + "org": event.get("org", ""), + "repo": event.get("repo", ""), + "user": event.get("user", ""), + } + + +def aws_strip_role_session_id(user_identity_arn): + """Global `aws_strip_role_session_id` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_strip_role_session_id`.""" + # The ARN structure is arn:aws:sts::123456789012:assumed-role/RoleName/ + arn_parts = user_identity_arn.split("/") + if arn_parts: + return "/".join(arn_parts[:2]) + return user_identity_arn + + +def aws_rule_context(event: dict): + """Global `aws_rule_context` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_rule_context`.""" + return { + "eventName": event.get("eventName", ""), + "eventSource": event.get("eventSource", ""), + "awsRegion": event.get("awsRegion", ""), + "recipientAccountId": event.get("recipientAccountId", ""), + "sourceIPAddress": event.get("sourceIPAddress", ""), + "userAgent": event.get("userAgent", ""), + "userIdentity": event.get("userIdentity", ""), + } + + +def aws_guardduty_context(event: dict): + """Global `aws_guardduty_context` is DEPRECATED. + Instead, use `from panther_aws_helpers import aws_guardduty_context`.""" + return { + "description": event.get("description", ""), + "severity": event.get("severity", ""), + "id": event.get("id", ""), + "type": event.get("type", ""), + "resource": event.get("resource", {}), + "service": event.get("service", {}), + } + + +def eks_panther_obj_ref(event): + """Global `eks_panther_obj_ref` is DEPRECATED. 
+ Instead, use `from panther_aws_helpers import eks_panther_obj_ref`.""" + user = event.deep_get("user", "username", default="") + source_ips = event.get("sourceIPs", ["0.0.0.0"]) # nosec + verb = event.get("verb", "") + obj_name = event.deep_get("objectRef", "name", default="") + obj_ns = event.deep_get("objectRef", "namespace", default="") + obj_res = event.deep_get("objectRef", "resource", default="") + obj_subres = event.deep_get("objectRef", "subresource", default="") + p_source_label = event.get("p_source_label", "") + if obj_subres: + obj_res = "/".join([obj_res, obj_subres]) + return { + "actor": user, + "ns": obj_ns, + "object": obj_name, + "resource": obj_res, + "sourceIPs": source_ips, + "verb": verb, + "p_source_label": p_source_label, + } + + +def get_binding_deltas(event): + """Global `get_binding_deltas` is DEPRECATED. + Instead, use `from panther_gcp_helpers import get_binding_deltas`.""" + if event.get("protoPayload", {}).get("methodName") != "SetIamPolicy": + return [] + + service_data = event.get("protoPayload", {}).get("serviceData") + if not service_data: + return [] + + # Reference: bit.ly/2WsJdZS + binding_deltas = service_data.get("policyDelta", {}).get("bindingDeltas") + if not binding_deltas: + return [] + return binding_deltas + + +def msft_graph_alert_context(event): + """Global `msft_graph_alert_context` is DEPRECATED. + Instead, use `from panther_msft_helpers import msft_graph_alert_context`.""" + return { + "category": event.get("category", ""), + "description": event.get("description", ""), + "userStates": event.get("userStates", []), + "fileStates": event.get("fileStates", []), + "hostStates": event.get("hostStates", []), + } + + +def m365_alert_context(event): + """Global `m365_alert_context` is DEPRECATED. 
+ Instead, use `from panther_msft_helpers import m365_alert_context`.""" + return { + "operation": event.get("Operation", ""), + "organization_id": event.get("OrganizationId", ""), + "client_ip": event.get("ClientIp", ""), + "extended_properties": event.get("ExtendedProperties", []), + "modified_properties": event.get("ModifiedProperties", []), + "application": event.get("Application", ""), + "actor": event.get("Actor", []), + } diff --git a/global_helpers/panther_base_helpers_old.yml b/global_helpers/panther_base_helpers_old.yml new file mode 100644 index 000000000..d3a5fa14c --- /dev/null +++ b/global_helpers/panther_base_helpers_old.yml @@ -0,0 +1,7 @@ +AnalysisType: global +Filename: panther_base_helpers_old.py +GlobalID: "panther_base_helpers_old" +Description: > + DEPRECATED!!! This helper and all its functions will be REMOVED on March 1, 2025. + Please consult the docstrings of the functions for alternatives and migrate before then. + Used to define global helpers and variables. diff --git a/global_helpers/panther_default.py b/global_helpers/panther_default.py new file mode 100644 index 000000000..965bbc3ce --- /dev/null +++ b/global_helpers/panther_default.py 
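Review bot: `crowdstrike_detection_alert_context`, `crowdstrike_process_alert_context` and `crowdstrike_network_detection_alert_context` are annotated `event: dict` but hand the event to `get_crowdstrike_field`, which calls `event.deep_get(...)`; a plain `dict` has no `deep_get`, so the annotation advertises an input that raises `AttributeError` (`slack_alert_context`, `github_alert_context` and `eks_panther_obj_ref` use `deep_get` too but are unannotated). Since this file is a legacy copy slated for removal, the cheapest fix is to drop the misleading `dict` annotation on those three, or note in their docstrings that the wrapped Panther event object is expected. Separately, in `aws_strip_role_session_id` the `if arn_parts:` branch is always taken because `str.split` never returns an empty list, so the final `return user_identity_arn` is unreachable; `return "/".join(user_identity_arn.split("/")[:2])` says the same thing without the dead fallback. The `ZENDESK_APP_ROLE_ASSIGNED` and `ZENDESK_ROLE_ASSIGNED` literals appear here as `(?P.*)` without group names while the code reads `group("app")`, `group("old_role")` and `group("new_role")`; presumably the angle-bracket names were lost in rendering, but if the file really reads this way `re.compile` fails at import, so it is worth a glance at the raw source.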
@@ -0,0 +1,36 @@
+from typing import List
+
+import panther_aws_helpers
+
+# panther_default.AWS_ACCOUNTS is DEPRECATED!!! Instead use panther_aws_helpers.AWS_ACCOUNTS
+AWS_ACCOUNTS = panther_aws_helpers.AWS_ACCOUNTS
+
+
+def lookup_aws_account_name(account_id):
+ """Global `lookup_aws_account_name` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import lookup_aws_account_name`."""
+ return panther_aws_helpers.lookup_aws_account_name(account_id)
+
+
+def aws_cloudtrail_success(event):
+ """Global `aws_cloudtrail_success` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import aws_cloudtrail_success`."""
+ return panther_aws_helpers.aws_cloudtrail_success(event)
+
+
+def aws_event_tense(event_name):
+ """Global `aws_event_tense` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import aws_event_tense`."""
+ return panther_aws_helpers.aws_event_tense(event_name)
+
+
+def aws_key_account_id(aws_key: str):
+ """Global `aws_key_account_id` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import aws_key_account_id`."""
+ return panther_aws_helpers.aws_key_account_id(aws_key)
+
+
+def aws_regions() -> List[str]:
+ """Global `aws_regions` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import aws_regions`."""
+ return panther_aws_helpers.aws_regions()
diff --git a/global_helpers/panther_default.yml b/global_helpers/panther_default.yml
new file mode 100644
index 000000000..f257e6453
--- /dev/null
+++ b/global_helpers/panther_default.yml
@@ -0,0 +1,7 @@
+AnalysisType: global
+GlobalID: "panther_default"
+Filename: panther_default.py
+Description: >
+ DEPRECATED!!! This helper and all its functions will be REMOVED on March 1, 2025.
+ Please consult the docstrings of the functions for alternatives and migrate before then.
+ The default global accessible via the Panther web UI.
\ No newline at end of file
diff --git a/global_helpers/panther_iocs.py b/global_helpers/panther_iocs.py
index 3dac3fb05..58060f909 100644
--- a/global_helpers/panther_iocs.py +++ b/global_helpers/panther_iocs.py @@ -1,5 +1,6 @@ # pylint: disable=line-too-long +import panther_base_helpers # Example sources: # - https://www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228 @@ -538,3 +539,15 @@ "ami-09b81f0f9f2acfcdf", # fedora-coreos-40.20240331.1.0-x86_64 us-west-2 "ami-083bb1ae22e9bf463", # fedora-coreos-40.20240329.10.0-aarch64 us-west-2 } + + +def ioc_match(indicators: list, known_iocs: set) -> list: + """Global `ioc_match` is DEPRECATED. + Instead, use `from panther_base_helpers import ioc_match`.""" + return panther_base_helpers.ioc_match(indicators, known_iocs) + + +def sanitize_domain(domain: str) -> str: + """Global `sanitize_domain` is DEPRECATED. + Instead, use `from panther_base_helpers import defang_ioc`.""" + return panther_base_helpers.defang_ioc(domain) diff --git a/global_helpers/panther_oss_helpers.py b/global_helpers/panther_oss_helpers.py new file mode 100644 index 000000000..a5250adee --- /dev/null +++ b/global_helpers/panther_oss_helpers.py 
@@ -0,0 +1,177 @@
+"""Utility functions provided to policies and rules during execution."""
+
+from datetime import datetime
+from typing import Any, Dict, Optional, Sequence, Set, Union
+
+import boto3
+import panther_aws_helpers
+import panther_base_helpers
+import panther_ipinfo_helpers
+from panther_detection_helpers import caching
+
+# panther_oss_helpers.FIPS_ENABLED is DEPRECATED!!! Instead use panther_aws_helpers.FIPS_ENABLED
+FIPS_ENABLED = panther_aws_helpers.FIPS_ENABLED
+# panther_oss_helpers.FIPS_SUFFIX is DEPRECATED!!! Instead use panther_aws_helpers.FIPS_SUFFIX
+FIPS_SUFFIX = panther_aws_helpers.FIPS_SUFFIX
+
+# Auto Time Resolution Parameters
+# panther_oss_helpers.EPOCH_REGEX is DEPRECATED!!! Instead use panther_base_helpers.EPOCH_REGEX
+EPOCH_REGEX = panther_base_helpers.EPOCH_REGEX
+# panther_oss_helpers.TIME_FORMATS is DEPRECATED!!! Instead use panther_base_helpers.TIME_FORMATS
+TIME_FORMATS = panther_base_helpers.TIME_FORMATS
+
+
+def resolve_timestamp_string(timestamp: str) -> Optional[datetime]:
+ """Global `resolve_timestamp_string` is DEPRECATED.
+ Instead, use `from panther_base_helpers import resolve_timestamp_string`."""
+ return panther_base_helpers.resolve_timestamp_string(timestamp)
+
+
+def get_s3_arn_by_name(name: str) -> str:
+ """Global `get_s3_arn_by_name` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import get_s3_arn_by_name`."""
+ return panther_aws_helpers.get_s3_arn_by_name(name)
+
+
+def s3_lookup_by_name(name: str) -> Dict[str, Any]:
+ """Global `s3_lookup_by_name` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import s3_lookup_by_name`."""
+ return panther_aws_helpers.s3_lookup_by_name(name)
+
+
+def resource_table() -> boto3.resource:
+ """Global `resource_table` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import resource_table`."""
+ return panther_aws_helpers.resource_table()
+
+
+def resource_lookup(resource_id: str) -> Dict[str, Any]:
+ """Global `resource_lookup` is DEPRECATED.
+ Instead, use `from panther_aws_helpers import resource_lookup`."""
+ return panther_aws_helpers.resource_lookup(resource_id)
+
+
+def ttl_expired(response: dict) -> bool:
+ """Global `ttl_expired` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import ttl_expired`."""
+ return caching.ttl_expired(response)
+
+
+def get_counter(key: str, force_ttl_check: bool = False) -> int:
+ """Global `get_counter` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import get_counter`."""
+ return caching.get_counter(key=key, force_ttl_check=force_ttl_check)
+
+
+def increment_counter(key: str, val: int = 1) -> int:
+ """Global `increment_counter` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import increment_counter`."""
+ return caching.increment_counter(key=key, val=val)
+
+
+def reset_counter(key: str) -> None:
+ """Global `reset_counter` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import reset_counter`."""
+ return caching.reset_counter(key=key)
+
+
+def set_key_expiration(key: str, epoch_seconds: int) -> None:
+ """Global `set_key_expiration` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import set_key_expiration`."""
+ return caching.set_key_expiration(key=key, epoch_seconds=epoch_seconds)
+
+
+def put_dictionary(key: str, val: dict, epoch_seconds: int = None):
+ """Global `put_dictionary` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import put_dictionary`."""
+ return caching.put_dictionary(key=key, val=val, epoch_seconds=epoch_seconds)
+
+
+def get_dictionary(key: str, force_ttl_check: bool = False) -> dict:
+ """Global `get_dictionary` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import get_dictionary`."""
+ return caching.get_dictionary(key=key, force_ttl_check=force_ttl_check)
+
+
+def get_string_set(key: str, force_ttl_check: bool = False) -> Set[str]:
+ """Global `get_string_set` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import get_string_set`."""
+ return caching.get_string_set(key=key, force_ttl_check=force_ttl_check)
+
+
+def put_string_set(key: str, val: Sequence[str], epoch_seconds: int = None) -> None:
+ """Global `put_string_set` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import put_string_set`."""
+ return caching.put_string_set(key=key, val=val, epoch_seconds=epoch_seconds)
+
+
+def add_to_string_set(key: str, val: Union[str, Sequence[str]]) -> Set[str]:
+ """Global `add_to_string_set` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import add_to_string_set`."""
+ return caching.add_to_string_set(key=key, val=val)
+
+
+def remove_from_string_set(key: str, val: Union[str, Sequence[str]]) -> Set[str]:
+ """Global `remove_from_string_set` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import remove_from_string_set`."""
+ return caching.remove_from_string_set(key=key, val=val)
+
+
+def reset_string_set(key: str) -> None:
+ """Global `reset_string_set` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import reset_string_set`."""
+ return caching.reset_string_set(key=key)
+
+
+def evaluate_threshold(key: str, threshold: int = 10, expiry_seconds: int = 3600) -> bool:
+ """Global `evaluate_threshold` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import evaluate_threshold`."""
+ return caching.evaluate_threshold(key=key, threshold=threshold, expiry_seconds=expiry_seconds)
+
+
+def check_account_age(key):
+ """Global `check_account_age` is DEPRECATED.
+ Instead, use `from panther_detection_helpers.caching import check_account_age`."""
+ return caching.check_account_age(key=key)
+
+
+def km_between_ipinfo_loc(ipinfo_loc_one: dict, ipinfo_loc_two: dict):
+ """Global `km_between_ipinfo_loc` is DEPRECATED.
+ Instead, use `from panther_ipinfo_helpers.caching import km_between_ipinfo_loc`."""
+ return panther_ipinfo_helpers.km_between_ipinfo_loc(ipinfo_loc_one, ipinfo_loc_two)
+
+
+def geoinfo_from_ip(event, match_field: str):
+ """Global `geoinfo_from_ip` is DEPRECATED.
+ Instead, use `from panther_ipinfo_helpers.caching import geoinfo_from_ip`."""
+ return panther_ipinfo_helpers.geoinfo_from_ip(event, match_field)
+
+
+def geoinfo_from_ip_formatted(event, match_field: str) -> str:
+ """Global `geoinfo_from_ip_formatted` is DEPRECATED.
+ Instead, use `from panther_ipinfo_helpers.caching import geoinfo_from_ip_formatted`."""
+ return panther_ipinfo_helpers.geoinfo_from_ip_formatted(event, match_field)
+
+
+def time_delta(time1, time2: str) -> str:
+ """Global `time_delta` is DEPRECATED.
+ Instead, use `from panther_base_helpers import time_delta`."""
+ return panther_base_helpers.time_delta(time1, time2)
+
+
+def nano_to_micro(time_str: str) -> str:
+ """Global `nano_to_micro` is DEPRECATED.
+ Instead, use `from panther_base_helpers import nano_to_micro`."""
+ return panther_base_helpers.nano_to_micro(time_str)
+
+
+def add_parse_delay(event, context: dict) -> dict:
+ """Global `add_parse_delay` is DEPRECATED.
+ Instead, use `from panther_base_helpers import add_parse_delay`."""
+ return panther_base_helpers.add_parse_delay(event, context)
+
+
+def listify(maybe_list):
+ """Global `listify` is DEPRECATED.
+ Instead, use `from panther_base_helpers import listify`."""
+ return panther_base_helpers.listify(maybe_list)
diff --git a/global_helpers/panther_oss_helpers.yml b/global_helpers/panther_oss_helpers.yml
new file mode 100644
index 000000000..192d59c12
--- /dev/null
+++ b/global_helpers/panther_oss_helpers.yml
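Review bot: The docstrings of `km_between_ipinfo_loc`, `geoinfo_from_ip` and `geoinfo_from_ip_formatted` tell the reader to migrate to `from panther_ipinfo_helpers.caching import ...`, but the code delegates to `panther_ipinfo_helpers.km_between_ipinfo_loc` and siblings directly; the `.caching` suffix looks copied from the `panther_detection_helpers.caching` block above and sends migrating users to an import path this hunk gives no evidence exists. Change the three to `Instead, use `from panther_ipinfo_helpers import km_between_ipinfo_loc`.` (and likewise for the other two names). Separately, `put_dictionary` and `put_string_set` declare `epoch_seconds: int = None` although `Optional` is already imported; `epoch_seconds: Optional[int] = None` states the contract honestly, and `time_delta(time1, time2: str)` leaves its first parameter unannotated while annotating the second. Since every function here is a deprecation shim, a single `warnings.warn(..., DeprecationWarning)` at import would make the March 1, 2025 removal visible at runtime rather than only in docstrings.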
@@ -0,0 +1,7 @@ +AnalysisType: global +GlobalID: "panther_oss_helpers" +Filename: panther_oss_helpers.py +Description: > + DEPRECATED!!! This helper and all its functions will be REMOVED on March 1, 2025. + Please consult the docstrings of the functions for alternatives and migrate before then. + Used to define global helpers and variables. \ No newline at end of file diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml index 321830067..44cf814ad 100644 --- a/lookup_tables/ipinfo/ipinfo_asn.yml +++ b/lookup_tables/ipinfo/ipinfo_asn.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: @@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" 
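Review bot: Replacing the `$.id.orig_h` / `$.id.resp_h` selectors with `Selectors: []` for eleven Zeek log types (Conn, DNS, DPD, HTTP, Notice, NTP, SIP, Ssh, Ssl, Tunnel, Weird) silently removes IP enrichment for those events from this lookup table, and the identical edit is repeated in ipinfo_asn_datalake.yml, both ipinfo_location files, both ipinfo_privacy files and tor_exit_nodes.yml, so any detection that relied on ASN, geolocation, privacy or Tor-exit enrichment of a Zeek connection address loses coverage without a visible error. The hunk gives no reason; presumably the `$.id.*` paths did not resolve against the Zeek schema, but that is not recorded anywhere. Add a comment above the first emptied entry, e.g. `# Zeek $.id.orig_h/$.id.resp_h selectors removed in v3.70.0: <reason - fill in>; restore once a resolvable path exists`, or drop the now-empty LogType entries so the table does not advertise coverage it does not provide. The `$.spec.clusterIP` to `$.responseObject.spec.clusterIP` change for Amazon.EKS.Audit reads as a path correction and needs no further note.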
diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml index 10af72c4d..73f05205a 100644 --- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: @@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml index de6250575..5f6e41aea 100644 --- a/lookup_tables/ipinfo/ipinfo_location.yml +++ b/lookup_tables/ipinfo/ipinfo_location.yml 
@@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: @@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml index eca7f0ca8..39117151d 100644 --- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: 
@@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml index 26e0e0346..d0bcb5775 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: 
@@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml index c7a55315f..72ab6ff60 100644 --- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml +++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: 
@@ -435,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml index 705b7f5e2..37ec6272c 100644 --- a/lookup_tables/tor/tor_exit_nodes.yml +++ b/lookup_tables/tor/tor_exit_nodes.yml @@ -17,7 +17,7 @@ LogTypeMap: - LogType: Amazon.EKS.Audit Selectors: - "$.sourceIPs" - - "$.spec.clusterIP" + - "$.responseObject.spec.clusterIP" - "$.requestObject.spec.clusterIP" - LogType: Anomali.Indicator Selectors: @@ -211,7 +211,6 @@ LogTypeMap: - "$.protoPayload.requestMetadata.callerIP" - "$.httpRequest.remoteIP" - "$.httpRequest.serverIP" - - "$.requestMetadata.callerIP" - LogType: GCP.HTTPLoadBalancer Selectors: - "$.jsonPayload.removeIp" 
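Review bot: The tor_exit_nodes.yml hunk at -211 drops `$.requestMetadata.callerIP` from a GCP log type's selectors, leaving `$.protoPayload.requestMetadata.callerIP` as the only caller-IP path for it; if the removed path was a stale duplicate that never resolved, that is fine, but the hunk does not say so, and Tor-exit matching is an enrichment where a lost path means lost alerts rather than an error. The LogType name is outside the hunk's context, so I cannot confirm which schema applies. A comment above the surviving selector, `# callerIP is nested under protoPayload.requestMetadata; the top-level path does not resolve for this log type`, would record the intent for the next reader.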
@@ -436,55 +435,33 @@ LogTypeMap: Selectors: - "Session_IP_Address" - LogType: Zeek.Conn - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DHCP Selectors: - "requested_addr" - LogType: Zeek.DNS - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.DPD - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.HTTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Notice - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.NTP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.SIP - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Software Selectors: - "host" - LogType: Zeek.Ssh - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Ssl - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Tunnel - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zeek.Weird - Selectors: - - "$.id.orig_h" - - "$.id.resp_h" + Selectors: [] - LogType: Zendesk.Audit Selectors: - "ip_address" diff --git a/packs/auth0.yml b/packs/auth0.yml index a2b2cd343..9f9fac0f2 100644 --- a/packs/auth0.yml +++ b/packs/auth0.yml @@ -18,5 +18,6 @@ PackDefinition: - panther_base_helpers - panther_auth0_helpers - global_filter_auth0 + - panther_base_helpers_old DisplayName: "Panther Auth0 Pack" diff --git a/packs/aws.yml b/packs/aws.yml index 8522ddb4f..485a16c98 100644 --- a/packs/aws.yml +++ b/packs/aws.yml @@ -206,3 +206,4 @@ PackDefinition: - panther_iocs - panther_ipinfo_helpers - panther_lookuptable_helpers + - panther_base_helpers_old diff --git a/packs/aws_cis.yml b/packs/aws_cis.yml index 98fd8cee6..a387b9f32 100644 --- a/packs/aws_cis.yml +++ b/packs/aws_cis.yml 
@@ -41,4 +41,5 @@ PackDefinition: - panther_config - panther_config_defaults - panther_config_overrides + - panther_base_helpers_old DisplayName: "Panther AWS CIS Pack" diff --git a/packs/azure_signin.yml b/packs/azure_signin.yml index 818964091..945c73afc 100644 --- a/packs/azure_signin.yml +++ b/packs/azure_signin.yml @@ -11,6 +11,7 @@ PackDefinition: - panther_azuresignin_helpers - panther_base_helpers - panther_event_type_helpers + - panther_base_helpers_old # Data Models - Standard.Azure.Audit.SignIn DisplayName: "Panther Azure.Audit SignIn Pack" diff --git a/packs/box.yml b/packs/box.yml index d58b9da45..e5d8ad9ee 100644 --- a/packs/box.yml +++ b/packs/box.yml @@ -16,6 +16,7 @@ PackDefinition: - panther_base_helpers - panther_box_helpers - panther_event_type_helpers + - panther_base_helpers_old # Data Models - Standard.Box.Event DisplayName: "Panther Box Pack" diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml index 200b65ef3..8923ad5f3 100644 --- a/packs/cloudflare.yml +++ b/packs/cloudflare.yml @@ -11,6 +11,7 @@ PackDefinition: - panther_cloudflare_helpers - panther_lookuptable_helpers - global_filter_cloudflare + - panther_base_helpers_old # Data Models - Standard.Cloudflare.Firewall - Standard.Cloudflare.HttpReq diff --git a/packs/credential_security.yml b/packs/credential_security.yml index 457f0bf97..cf0698700 100644 --- a/packs/credential_security.yml +++ b/packs/credential_security.yml @@ -29,6 +29,7 @@ PackDefinition: - panther_msft_helpers - panther_okta_helpers - panther_slack_helpers + - panther_base_helpers_old # Rules - AWS.CloudTrail.RootPasswordChanged - AWS.IAM.AccessKeyCompromised diff --git a/packs/crowdstrike.yml b/packs/crowdstrike.yml index bcec0d772..89a6573bc 100644 --- a/packs/crowdstrike.yml +++ b/packs/crowdstrike.yml 
@@ -21,6 +21,7 @@ PackDefinition: # Globals used in these detections - panther_base_helpers - panther_crowdstrike_fdr_helpers + - panther_base_helpers_old # Data models - Standard.AWS.VPCDns - Standard.CiscoUmbrella.DNS diff --git a/packs/crowdstrike_event_streams.yml b/packs/crowdstrike_event_streams.yml index 6f42c54e6..17d08612e 100644 --- a/packs/crowdstrike_event_streams.yml +++ b/packs/crowdstrike_event_streams.yml @@ -5,6 +5,7 @@ PackDefinition: IDs: - panther_crowdstrike_event_streams_helpers - panther_base_helpers + - panther_base_helpers_old - Crowdstrike.AdminRoleAssigned - Crowdstrike.AllowlistRemoved - Crowdstrike.API.Key.Created diff --git a/packs/gcp_audit.yml b/packs/gcp_audit.yml index 48cd70c7e..1ee889433 100644 --- a/packs/gcp_audit.yml +++ b/packs/gcp_audit.yml @@ -51,4 +51,5 @@ PackDefinition: - panther_gcp_helpers - panther_base_helpers - panther_event_type_helpers + - panther_base_helpers_old DisplayName: "Panther GCP Audit Pack" diff --git a/packs/gcp_k8.yml b/packs/gcp_k8.yml index df3e5a8df..1286807fb 100644 --- a/packs/gcp_k8.yml +++ b/packs/gcp_k8.yml @@ -17,3 +17,4 @@ PackDefinition: # Globals - panther_gcp_helpers - panther_base_helpers + - panther_base_helpers_old diff --git a/packs/github.yml b/packs/github.yml index 65e313afb..f1c0845a9 100644 --- a/packs/github.yml +++ b/packs/github.yml @@ -16,6 +16,7 @@ PackDefinition: - Github.Repo.CollaboratorChange - Github.Repo.Created - GitHub.Repo.InitialAccess + - GitHub.Repo.RulesetModified - Github.Repo.VisibilityChange - Github.Repo.VulnerabilityDismissed - GitHub.Secret.Scanning.Alert.Created diff --git a/packs/gravitational_teleport.yml b/packs/gravitational_teleport.yml index 697408726..bd29e7651 100644 --- a/packs/gravitational_teleport.yml +++ b/packs/gravitational_teleport.yml @@ -21,4 +21,5 @@ PackDefinition: - panther_config - panther_config_defaults - panther_config_overrides + - panther_base_helpers_old DisplayName: "Panther Teleport Pack" 
diff --git a/packs/gsuite_reports.yml b/packs/gsuite_reports.yml index ed62291ec..2b2014049 100644 --- a/packs/gsuite_reports.yml +++ b/packs/gsuite_reports.yml @@ -39,6 +39,7 @@ PackDefinition: - panther_gsuite_helpers - panther_event_type_helpers - panther_lookuptable_helpers + - panther_base_helpers_old # Queries - GSuite Many Docs Deleted Query - GSuite Many Docs Downloaded Query diff --git a/packs/ipinfo.yml b/packs/ipinfo.yml index 007f67c76..09dac1a19 100644 --- a/packs/ipinfo.yml +++ b/packs/ipinfo.yml @@ -12,5 +12,6 @@ PackDefinition: - panther_base_helpers - panther_ipinfo_helpers - panther_lookuptable_helpers + - panther_base_helpers_old DisplayName: "IPInfo" diff --git a/packs/msft_graph.yml b/packs/msft_graph.yml index c96b38dab..caa9575e5 100644 --- a/packs/msft_graph.yml +++ b/packs/msft_graph.yml @@ -14,4 +14,5 @@ PackDefinition: - panther_config - panther_config_defaults - panther_config_overrides + - panther_base_helpers_old DisplayName: "Microsoft Graph Detection Pack" diff --git a/packs/notion.yml b/packs/notion.yml index 8eeb378d5..60823c111 100644 --- a/packs/notion.yml +++ b/packs/notion.yml @@ -30,6 +30,7 @@ PackDefinition: - panther_ipinfo_helpers - panther_lookuptable_helpers - panther_notion_helpers + - panther_base_helpers_old # Data Model - Standard.Notion.AuditLogs DisplayName: "Panther Notion Pack" diff --git a/packs/okta.yml b/packs/okta.yml index a1584be4e..a4de349d1 100644 --- a/packs/okta.yml +++ b/packs/okta.yml @@ -31,6 +31,7 @@ PackDefinition: - panther_base_helpers - panther_event_type_helpers - panther_okta_helpers + - panther_base_helpers_old # Data Model - Standard.Okta.SystemLog DisplayName: "Panther Okta Pack" diff --git a/packs/onelogin.yml b/packs/onelogin.yml index cff035e39..6def8cb4d 100644 --- a/packs/onelogin.yml +++ b/packs/onelogin.yml 
@@ -20,6 +20,7 @@ PackDefinition: # Globals used in these detections - panther_base_helpers - panther_event_type_helpers + - panther_base_helpers_old # Data Model - Standard.OneLogin.Events DisplayName: "Panther OneLogin Pack" diff --git a/packs/panther_legacy_helpers.yml b/packs/panther_legacy_helpers.yml new file mode 100644 index 000000000..0dd1e82b4 --- /dev/null +++ b/packs/panther_legacy_helpers.yml @@ -0,0 +1,16 @@ +AnalysisType: pack +PackID: PantherManaged.PantherLegacyHelpers +Description: Legacy helper functions and their dependencies for backwards compatibility +PackDefinition: + IDs: + - panther_base_helpers + - panther_oss_helpers + - panther_default + - panther_aws_helpers + - panther_config + - panther_config_defaults + - panther_config_overrides + - panther_ipinfo_helpers + - panther_lookuptable_helpers + - panther_base_helpers_old +DisplayName: "Panther Legacy Helpers Pack" diff --git a/packs/standard_ruleset.yml b/packs/standard_ruleset.yml index 7df4bcea6..4277a9ce3 100644 --- a/packs/standard_ruleset.yml +++ b/packs/standard_ruleset.yml @@ -38,3 +38,4 @@ PackDefinition: - panther_event_type_helpers - panther_ipinfo_helpers - panther_lookuptable_helpers + - panther_base_helpers_old diff --git a/packs/tor.yml b/packs/tor.yml index 5c9b444c2..8e9027b5b 100644 --- a/packs/tor.yml +++ b/packs/tor.yml @@ -7,4 +7,5 @@ PackDefinition: - panther_base_helpers - panther_lookuptable_helpers - panther_tor_helpers + - panther_base_helpers_old DisplayName: "Tor Lookup Tables" diff --git a/packs/wiz.yml b/packs/wiz.yml index 937befca2..5d44d448d 100644 --- a/packs/wiz.yml +++ b/packs/wiz.yml @@ -23,4 +23,5 @@ PackDefinition: - Wiz.CICD.Scan.Policy.Updated.Or.Deleted - panther_wiz_helpers - panther_base_helpers + - panther_base_helpers_old diff --git a/packs/zoom.yml b/packs/zoom.yml index 81f4cb9e0..c9d5b9e95 100644 --- a/packs/zoom.yml +++ b/packs/zoom.yml 
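Review bot: The new `PantherManaged.PantherLegacyHelpers` pack describes its contents as kept "for backwards compatibility" but carries no sunset, while the `panther_default.yml` and `panther_oss_helpers.yml` globals it bundles state in this same commit that they will be removed on March 1, 2025; a user who enables the pack from the UI therefore sees nothing that tells them to migrate. Consider `Description: Legacy helper functions and their dependencies for backwards compatibility. DEPRECATED - scheduled for removal on March 1, 2025; migrate detections to panther_base_helpers / panther_aws_helpers before then.` The same removal date could usefully appear next to `panther_base_helpers_old` in the per-pack additions, which currently carry no annotation at all.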
@@ -18,3 +18,4 @@ PackDefinition: - panther_base_helpers - panther_event_type_helpers - panther_zoom_helpers + - panther_base_helpers_old diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml index d77e39d7e..3c26ed814 100644 --- a/packs/zscaler_zia.yml +++ b/packs/zscaler_zia.yml @@ -16,4 +16,5 @@ PackDefinition: - ZIA.Trust.Modification - panther_zscaler_helpers - panther_base_helpers + - panther_base_helpers_old diff --git a/rules/aws_s3_rules/aws_s3_access_ip_allowlist.py b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.py index 7ceebb44f..64f6eba71 100644 --- a/rules/aws_s3_rules/aws_s3_access_ip_allowlist.py +++ b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.py @@ -1,4 +1,4 @@ -from ipaddress import ip_network +from ipaddress import IPv4Network, IPv6Network, ip_network from panther_aws_helpers import aws_rule_context @@ -20,7 +20,9 @@ def rule(event): return False cidr_ip = ip_network(event.get("remoteip")) - return not any(cidr_ip.subnet_of(approved_ip_range) for approved_ip_range in ALLOWLIST_NETWORKS) + return not any( + is_subnet(approved_ip_range, cidr_ip) for approved_ip_range in ALLOWLIST_NETWORKS + ) def title(event): @@ -29,3 +31,13 @@ def title(event): def alert_context(event): return aws_rule_context(event) + + +def is_subnet(supernet: IPv4Network | IPv6Network, subnet: IPv4Network | IPv6Network) -> bool: + """Return true if 'subnet' is a subnet of 'supernet'""" + # We can't do a classic subnet comparison between v4 and v6 networks, so we have to explictly + # check for version mismatch first + if supernet.network_address.version != subnet.network_address.version: + return False + # Else, do the subnet calculation + return subnet.subnet_of(supernet) diff --git a/rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml index 7e4661558..937c5b17d 100644 --- a/rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml +++ b/rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml 
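Review bot: `is_subnet` annotates its parameters as `IPv4Network | IPv6Network`, and without `from __future__ import annotations` (not visible in the hunk) that union is evaluated at import time, which raises `TypeError` on Python releases older than 3.10; either add the future import or write `Union[IPv4Network, IPv6Network]` unless the detection runtime is known to be 3.10 or newer. The version guard itself closes a real gap: before this change an IPv6 `remoteip` checked against a v4 allowlist would have raised `TypeError` from `subnet_of`, so the rule errored instead of alerting, and the new behaviour — every IPv6 source is reported as unapproved until an IPv6 range is added to `ALLOWLIST_NETWORKS` — is pinned by the new YAML test but deserves a comment on `ALLOWLIST_NETWORKS` so operators know to add their v6 ranges. `supernet.version != subnet.version` is available directly on the network objects and reads more simply than going through `network_address`, and "explictly" in the comment is a typo. `rule` begins outside the second hunk.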
@@ -31,3 +31,6 @@ Tests: - Name: Access From Unapproved IP ExpectedResult: true Log: { "remoteip": "11.0.0.1", "bucket": "my-test-bucket" }
+ - Name: Access From IPv6
+ ExpectedResult: true
+ Log: { "remoteip": "2600:1ffe:8140::a47:a85a", "bucket": "my-test-bucket" }
diff --git a/rules/github_rules/github_repo_ruleset_modified.py b/rules/github_rules/github_repo_ruleset_modified.py
new file mode 100644
index 000000000..e293ff76a
--- /dev/null
+++ b/rules/github_rules/github_repo_ruleset_modified.py
@@ -0,0 +1,49 @@
+from global_filter_github import filter_include_event
+from panther_github_helpers import github_alert_context
+
+
+def rule(event):
+ if not filter_include_event(event):
+ return False
+ return event.get("action").startswith("repository_ruleset.")
+
+
+def title(event):
+ action = "modified"
+ if event.get("action").endswith("destroy"):
+ action = "deleted"
+ elif event.get("action").endswith("create"):
+ action = "created"
+
+ title_str = (
+ f"Github repository ruleset for [{event.get('repo', '')}]"
+ f" {action} by [{event.get('actor','')}]"
+ )
+ return title_str
+
+
+def dedup(event):
+ return event.get("_document_id", "")
+
+
+def severity(event):
+ if event.get("action").endswith("create"):
+ return "INFO"
+ if event.get("action").endswith("update"):
+ return "MEDIUM"
+ if event.get("action").endswith("destroy"):
+ return "HIGH"
+ return "DEFAULT"
+
+
+def alert_context(event):
+ ctx = github_alert_context(event)
+ ctx["actor_is_bot"] = event.get("actor_is_bot", "")
+ ctx["actor_user_agent"] = event.get("user_agent", "")
+ ctx["business"] = event.get("business", "")
+ ctx["public_repo"] = event.get("public_repo", "")
+ ctx["operation_type"] = event.get("operation_type", "")
+ ctx["ruleset_bypass_actors"] = event.deep_walk("ruleset_bypass_actors")
+ ctx["ruleset_conditions"] = event.deep_walk("ruleset_conditions")
+ ctx["ruleset_rules"] = event.deep_walk("ruleset_rules")
+ return ctx
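Review bot: `rule`, `title` and `severity` call `.startswith`/`.endswith` on `event.get("action")` with no default, so a GitHub.Audit event that lacks `action` makes `rule` raise `AttributeError` on `None` instead of returning False, and the detection errors rather than evaluating; use `event.get("action", "")` at each of the six call sites (nothing in the hunk shows that `filter_include_event` guarantees the field). `severity` escalates to "MEDIUM" for `update` and "HIGH" for `destroy` while the YAML sets `Severity: Info`; that matches the dynamic-severity pattern, but a comment above `severity` such as `# Static Severity in the YAML is the floor; ruleset updates and deletions weaken branch protection and are escalated here` would save the next reader a lookup. `actor_is_bot` and `public_repo` are given `""` defaults although the sample events carry booleans, so consumers of the alert context see mixed types; `event.get("public_repo")` without a default keeps `None` for the absent case. `title` spells the product `Github` while the RuleID uses `GitHub`.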
diff --git a/rules/github_rules/github_repo_ruleset_modified.yml b/rules/github_rules/github_repo_ruleset_modified.yml
new file mode 100644
index 000000000..87e9d13e8
--- /dev/null
+++ b/rules/github_rules/github_repo_ruleset_modified.yml
@@ -0,0 +1,251 @@ +AnalysisType: rule +Filename: github_repo_ruleset_modified.py +RuleID: "GitHub.Repo.RulesetModified" +DisplayName: "GitHub Repository Ruleset Modified" +Enabled: true +LogTypes: + - GitHub.Audit +Tags: + - GitHub + - Defense Evasion + - Impair Defenses + - Disable or Modify Tools +Reports: + MITRE ATT&CK: + - TA0005:T1562 # Impair Defenses: Disable or Modify Tools +Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets +Severity: Info +Description: Disabling repository ruleset controls could indicate malicious use of admin credentials in an attempt to hide activity. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: Verify that ruleset modifications are intended and authorized. +Tests: + - Name: GitHub - Ruleset Created + ExpectedResult: true + Log: + { + "action": "repository_ruleset.create", + "actor": "dog", + "actor_id": "999999999", + "actor_is_bot": false, + "actor_location": { "country_code": "US" }, + "business": "bizname", + "business_id": "12345", + "created_at": "2024-12-17 00:00:00000000", + "operation_type": "create", + "org": "some-org", + "org_id": 12345678, + "public_repo": true, + "repo": "some-org/ruleset-repo", + "repo_id": 123456789, + "ruleset_bypass_actors": + [ + { + "actor_id": 123456, + "actor_type": "Integration", + "bypass_mode": "always", + "id": 123456, + }, + { + "actor_id": 123456, + "actor_type": "Team", + "bypass_mode": "always", + "id": 1234567, + }, + ], + "ruleset_conditions": + [ + { + "id": 1234567, + "parameters": { "exclude": [], "include": ["~DEFAULT_BRANCH"] }, + "target": "ref_name", + }, + ], + "ruleset_enforcement": "enabled", + "ruleset_id": "1234567", + "ruleset_name": "a-ruleset-name", + "ruleset_rules": + [ + { + "id": 12345678, + "parameters": + { + "allowed_merge_methods": ["merge", "squash", "rebase"], + "authorized_dismissal_actors_only": false, + "automatic_copilot_code_review_enabled": false, + 
"dismiss_stale_reviews_on_push": false, + "ignore_approvals_from_contributors": false, + "require_code_owner_review": false, + "require_last_push_approval": false, + "required_approving_review_count": 1, + "required_review_thread_resolution": false, + "required_reviewers": [], + }, + "type": "pull_request", + }, + { "id": 12345678, "parameters": {}, "type": "deletion" }, + { "id": 12345678, "parameters": {}, "type": "non_fast_forward" }, + ], + "ruleset_source_type": "Repository", + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + } + - Name: GitHub - Ruleset Deleted + ExpectedResult: true + Log: + { + "action": "repository_ruleset.destroy", + "actor": "dog", + "actor_id": "999999999", + "actor_is_bot": false, + "actor_location": { "country_code": "US" }, + "business": "bizname", + "business_id": "12345", + "created_at": "2024-12-17 00:00:00000000", + "operation_type": "remove", + "org": "some-org", + "org_id": 12345678, + "public_repo": false, + "repo": "some-org/ruleset-repo", + "repo_id": 123456789, + "ruleset_bypass_actors": + [ + { + "actor_id": 123456, + "actor_type": "Integration", + "bypass_mode": "always", + "id": 123456, + }, + { + "actor_id": 123456, + "actor_type": "Team", + "bypass_mode": "always", + "id": 1234567, + }, + ], + "ruleset_conditions": + [ + { + "id": 1234567, + "parameters": { "exclude": [], "include": ["~DEFAULT_BRANCH"] }, + "target": "ref_name", + }, + ], + "ruleset_enforcement": "enabled", + "ruleset_id": "1234567", + "ruleset_name": "a-ruleset-name", + "ruleset_rules": + [ + { + "id": 10994218, + "parameters": + { + "allowed_merge_methods": ["merge", "squash", "rebase"], + "authorized_dismissal_actors_only": false, + "automatic_copilot_code_review_enabled": true, + "dismiss_stale_reviews_on_push": false, + "ignore_approvals_from_contributors": false, + "require_code_owner_review": false, + "require_last_push_approval": false, + 
"required_approving_review_count": 1, + "required_review_thread_resolution": false, + "required_reviewers": [], + }, + "type": "pull_request", + }, + { "id": 10994219, "parameters": {}, "type": "deletion" }, + { "id": 10994220, "parameters": {}, "type": "non_fast_forward" }, + ], + "ruleset_source_type": "Repository", + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + } + + - Name: GitHub - Non Webhook Event + ExpectedResult: false + Log: + { + "actor": "cat", + "action": "org.invite_member", + "org": "my-org", + "p_log_type": "GitHub.Audit", + "repo": "my-org/my-repo", + } + - Name: Github - Ruleset Modified + ExpectedResult: true + Log: + { + "action": "repository_ruleset.update", + "actor": "dog", + "actor_id": "999999999", + "actor_is_bot": false, + "actor_location": { "country_code": "US" }, + "business": "bizname", + "business_id": "12345", + "created_at": "2024-12-17 00:00:00000000", + "operation_type": "modify", + "org": "some-org", + "org_id": 12345678, + "public_repo": false, + "repo": "some-org/ruleset-repo", + "repo_id": 123456789, + "ruleset_bypass_actors": + [ + { + "actor_id": 123456, + "actor_type": "Integration", + "bypass_mode": "always", + "id": 123456, + }, + { + "actor_id": 123456, + "actor_type": "Team", + "bypass_mode": "always", + "id": 1234567, + }, + ], + "ruleset_conditions": + [ + { + "id": 1234567, + "parameters": { "exclude": [], "include": ["~DEFAULT_BRANCH"] }, + "target": "ref_name", + }, + ], + "ruleset_enforcement": "enabled", + "ruleset_id": "1234567", + "ruleset_name": "a-ruleset-name", + "ruleset_rules_updated": + [ + { + "id": 12345678, + "old_parameters": + { + "allowed_merge_methods": ["merge", "squash", "rebase"], + "authorized_dismissal_actors_only": false, + "automatic_copilot_code_review_enabled": false, + "dismiss_stale_reviews_on_push": false, + "ignore_approvals_from_contributors": false, + "require_code_owner_review": false, + 
"require_last_push_approval": false, + "required_approving_review_count": 1, + "required_review_thread_resolution": false, + "required_reviewers": [], + }, + "parameters": + { + "allowed_merge_methods": ["merge", "squash", "rebase"], + "authorized_dismissal_actors_only": false, + "automatic_copilot_code_review_enabled": true, + "dismiss_stale_reviews_on_push": false, + "ignore_approvals_from_contributors": false, + "require_code_owner_review": false, + "require_last_push_approval": false, + "required_approving_review_count": 1, + "required_review_thread_resolution": false, + "required_reviewers": [], + }, + "type": "pull_request", + }, + ], + "ruleset_source_type": "Repository", + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36", + } diff --git a/rules/okta_rules/okta_new_behavior_accessing_admin_console.py b/rules/okta_rules/okta_new_behavior_accessing_admin_console.py index 416b14539..8ef48be3e 100644 --- a/rules/okta_rules/okta_new_behavior_accessing_admin_console.py +++ b/rules/okta_rules/okta_new_behavior_accessing_admin_console.py @@ -1,3 +1,6 @@ +import json + +from panther_base_helpers import deep_get from panther_okta_helpers import okta_alert_context @@ -12,15 +15,12 @@ def rule(event): if behaviors: return "New Device=POSITIVE" in behaviors and "New IP=POSITIVE" in behaviors + log_only_security_data = event.deep_get("debugContext", "debugData", "logOnlySecurityData") + if isinstance(log_only_security_data, str): + log_only_security_data = json.loads(log_only_security_data) return ( - event.deep_get( - "debugContext", "debugData", "logOnlySecurityData", "behaviors", "New Device" - ) - == "POSITIVE" - and event.deep_get( - "debugContext", "debugData", "logOnlySecurityData", "behaviors", "New IP" - ) - == "POSITIVE" + deep_get(log_only_security_data, "behaviors", "New Device") == "POSITIVE" + and deep_get(log_only_security_data, "behaviors", "New IP") == "POSITIVE" ) 
diff --git a/rules/okta_rules/okta_new_behavior_accessing_admin_console.yml b/rules/okta_rules/okta_new_behavior_accessing_admin_console.yml index 6760d8c4a..87d9295b8 100644 --- a/rules/okta_rules/okta_new_behavior_accessing_admin_console.yml +++ b/rules/okta_rules/okta_new_behavior_accessing_admin_console.yml 
@@ -23,255 +23,329 @@ Tests: - Name: New Behavior Accessing Admin Console (behavior) ExpectedResult: true Log: - actor: - alternateId: homer.simpson@duff.com - displayName: Homer Simpson - id: 00abc123 - type: User - authenticationcontext: - authenticationStep: 0 - externalSessionId: 100-abc-9999 - client: - device: Computer - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ipAddress: 1.3.2.4 - userAgent: - browser: CHROME - os: Mac OS X - rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 - zone: "null" - device: - name: Evil Computer - debugcontext: - debugData: - requestId: AbCdEf12G - requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors - url: /api/v1/users/AbCdEfG/lifecycle/reset_factors? - behaviors: - { - New Geo-Location=NEGATIVE, - New Device=POSITIVE, - New IP=POSITIVE, - New State=NEGATIVE, - New Country=NEGATIVE, - Velocity=NEGATIVE, - New City=NEGATIVE, - } - displaymessage: Evaluation of sign-on policy - eventtype: policy.evaluate_sign_on - outcome: - reason: Sign-on policy evaluation resulted in CHALLENGE - result: CHALLENGE - published: "2022-06-22 18:18:29.015" - request: - ipChain: - - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ip: 1.3.2.4 - version: V4 - securitycontext: - asNumber: 701 - asOrg: verizon - domain: verizon.net - isProxy: false - isp: verizon - severity: INFO - target: - - alternateId: Okta Admin Console - displayName: Okta Admin Console - type: AppInstance - - alternateId: peter.griffin@company.com - displayName: Peter Griffin - id: 0002222AAAA - type: User - transaction: - detail: {} - id: ABcDeFgG - type: WEB - uuid: AbC-123-XyZ - version: "0" + { actor: + { alternateId: homer.simpson@duff.com, + displayName: Homer Simpson, + id: 00abc123, + type: User }, + 
authenticationcontext: + { authenticationStep: 0, + externalSessionId: 100-abc-9999 }, + client: + { device: Computer, + geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio }, + ipAddress: 1.3.2.4, + userAgent: + { browser: CHROME, + os: Mac OS X, + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 }, + zone: "null" }, + device: + { name: Evil Computer }, + debugcontext: + { debugData: + { requestId: AbCdEf12G, + requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors, + url: '/api/v1/users/AbCdEfG/lifecycle/reset_factors?', + behaviors: + [ + New Geo-Location=NEGATIVE, + New Device=POSITIVE, + New IP=POSITIVE, + New State=NEGATIVE, + New Country=NEGATIVE, + Velocity=NEGATIVE, + New City=NEGATIVE, + ] }, }, + displaymessage: Evaluation of sign-on policy, + eventtype: policy.evaluate_sign_on, + outcome: + { reason: Sign-on policy evaluation resulted in CHALLENGE, + result: CHALLENGE }, + published: "2022-06-22 18:18:29.015", + request: + { ipChain: + [ { geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio, + ip: 1.3.2.4, + version: V4 }, } ] }, + securitycontext: + { asNumber: 701, + asOrg: verizon, + domain: verizon.net, + isProxy: false, + isp: verizon }, + severity: INFO, + target: + [ { alternateId: Okta Admin Console, + displayName: Okta Admin Console, + type: AppInstance }, + { alternateId: peter.griffin@company.com, + displayName: Peter Griffin, + id: 0002222AAAA, + type: User }, ], + transaction: + { detail: { }, + id: ABcDeFgG, + type: WEB }, + uuid: AbC-123-XyZ, + version: "0" } - Name: New Behavior Accessing Admin Console (logSecurityDataOnly) ExpectedResult: true Log: - actor: - alternateId: homer.simpson@duff.com - displayName: Homer Simpson - id: 00abc123 - type: User - 
authenticationcontext: - authenticationStep: 0 - externalSessionId: 100-abc-9999 - client: - device: Computer - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ipAddress: 1.3.2.4 - userAgent: - browser: CHROME - os: Mac OS X - rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 - zone: "null" - device: - name: Evil Computer - debugcontext: - debugData: - requestId: AbCdEf12G - requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors - url: /api/v1/users/AbCdEfG/lifecycle/reset_factors? - logOnlySecurityData: - { - "risk": { "level": "LOW" }, - "behaviors": - { - "New Geo-Location": "NEGATIVE", - "New Device": "POSITIVE", - "New IP": "POSITIVE", - "New State": "NEGATIVE", - "New Country": "NEGATIVE", - "Velocity": "NEGATIVE", - "New City": "NEGATIVE", - }, - } - displaymessage: Evaluation of sign-on policy - eventtype: policy.evaluate_sign_on - outcome: - reason: Sign-on policy evaluation resulted in CHALLENGE - result: CHALLENGE - published: "2022-06-22 18:18:29.015" - request: - ipChain: - - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ip: 1.3.2.4 - version: V4 - securitycontext: - asNumber: 701 - asOrg: verizon - domain: verizon.net - isProxy: false - isp: verizon - severity: INFO - target: - - alternateId: Okta Admin Console - displayName: Okta Admin Console - type: AppInstance - - alternateId: peter.griffin@company.com - displayName: Peter Griffin - id: 0002222AAAA - type: User - transaction: - detail: {} - id: ABcDeFgG - type: WEB - uuid: AbC-123-XyZ - version: "0" + { actor: + { alternateId: homer.simpson@duff.com, + displayName: Homer Simpson, + id: 00abc123, + type: User }, + authenticationcontext: + { authenticationStep: 0, + externalSessionId: 100-abc-9999 }, + client: + { device: Computer, + 
geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio }, + ipAddress: 1.3.2.4, + userAgent: + { browser: CHROME, + os: Mac OS X, + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 }, + zone: "null" }, + device: + { name: Evil Computer }, + debugcontext: + { debugData: + { requestId: AbCdEf12G, + requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors, + url: '/api/v1/users/AbCdEfG/lifecycle/reset_factors?', + logOnlySecurityData: + { + "risk": { "level": "LOW" }, + "behaviors": + { + "New Geo-Location": "NEGATIVE", + "New Device": "POSITIVE", + "New IP": "POSITIVE", + "New State": "NEGATIVE", + "New Country": "NEGATIVE", + "Velocity": "NEGATIVE", + "New City": "NEGATIVE", + }, + } } }, + displaymessage: Evaluation of sign-on policy, + eventtype: policy.evaluate_sign_on, + outcome: + { reason: Sign-on policy evaluation resulted in CHALLENGE, + result: CHALLENGE }, + published: "2022-06-22 18:18:29.015", + request: + { ipChain: + [ { geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio, + ip: 1.3.2.4, + version: V4 } } ] }, + securitycontext: + { asNumber: 701, + asOrg: verizon, + domain: verizon.net, + isProxy: false, + isp: verizon }, + severity: INFO, + target: + [ { alternateId: Okta Admin Console, + displayName: Okta Admin Console, + type: AppInstance }, + { alternateId: peter.griffin@company.com, + displayName: Peter Griffin, + id: 0002222AAAA, + type: User } ], + transaction: + { detail: { }, + id: ABcDeFgG, + type: WEB }, + uuid: AbC-123-XyZ, + version: "0" } - Name: Not New Behavior ExpectedResult: false Log: - actor: - alternateId: homer.simpson@duff.com - displayName: Homer Simpson - id: 00abc123 - type: User - authenticationcontext: - authenticationStep: 0 - externalSessionId: 
100-abc-9999 - client: - device: Computer - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ipAddress: 1.3.2.4 - userAgent: - browser: CHROME - os: Mac OS X - rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 - zone: "null" - debugcontext: - debugData: - requestId: AbCdEf12G - requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors - url: /api/v1/users/AbCdEfG/lifecycle/reset_factors? - logOnlySecurityData: - { - "risk": { "level": "LOW" }, - "behaviors": - { - "New Geo-Location": "NEGATIVE", - "New Device": "NEGATIVE", - "New IP": "NEGATIVE", - "New State": "NEGATIVE", - "New Country": "NEGATIVE", - "Velocity": "NEGATIVE", - "New City": "NEGATIVE", - }, - } - displaymessage: Evaluation of sign-on policy - eventtype: policy.evaluate_sign_on - outcome: - reason: Sign-on policy evaluation resulted in CHALLENGE - result: CHALLENGE - published: "2022-06-22 18:18:29.015" - request: - ipChain: - - geographicalContext: - city: Springfield - country: United States - geolocation: - lat: 20 - lon: -25 - postalCode: "12345" - state: Ohio - ip: 1.3.2.4 - version: V4 - securitycontext: - asNumber: 701 - asOrg: verizon - domain: verizon.net - isProxy: false - isp: verizon - severity: INFO - target: - - alternateId: Okta Admin Console - displayName: Okta Admin Console - type: AppInstance - - alternateId: peter.griffin@company.com - displayName: Peter Griffin - id: 0002222AAAA - type: User - transaction: - detail: {} - id: ABcDeFgG - type: WEB - uuid: AbC-123-XyZ - version: "0" + { actor: + { alternateId: homer.simpson@duff.com, + displayName: Homer Simpson, + id: 00abc123, + type: User }, + authenticationcontext: + { authenticationStep: 0, + externalSessionId: 100-abc-9999 }, + client: + { device: Computer, + geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + 
lon: -25 }, + postalCode: "12345", + state: Ohio }, + ipAddress: 1.3.2.4, + userAgent: + { browser: CHROME, + os: Mac OS X, + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 }, + zone: "null" }, + debugcontext: + { debugData: + { requestId: AbCdEf12G, + requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors, + url: '/api/v1/users/AbCdEfG/lifecycle/reset_factors?', + logOnlySecurityData: + { + "risk": { "level": "LOW" }, + "behaviors": + { + "New Geo-Location": "NEGATIVE", + "New Device": "NEGATIVE", + "New IP": "NEGATIVE", + "New State": "NEGATIVE", + "New Country": "NEGATIVE", + "Velocity": "NEGATIVE", + "New City": "NEGATIVE", + }, + } } }, + displaymessage: Evaluation of sign-on policy, + eventtype: policy.evaluate_sign_on, + outcome: + { reason: Sign-on policy evaluation resulted in CHALLENGE, + result: CHALLENGE }, + published: "2022-06-22 18:18:29.015", + request: + { ipChain: + [ { geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio, + ip: 1.3.2.4, + version: V4 } } ] }, + securitycontext: + { asNumber: 701, + asOrg: verizon, + domain: verizon.net, + isProxy: false, + isp: verizon }, + severity: INFO, + target: + [ { alternateId: Okta Admin Console, + displayName: Okta Admin Console, + type: AppInstance }, + { alternateId: peter.griffin@company.com, + displayName: Peter Griffin, + id: 0002222AAAA, + type: User } ], + transaction: + { detail: { }, + id: ABcDeFgG, + type: WEB }, + uuid: AbC-123-XyZ, + version: "0" } + - Name: New Behavior Accessing Admin Console (logSecurityDataOnly) - not jsonified string + ExpectedResult: true + Log: + { actor: + { alternateId: homer.simpson@duff.com, + displayName: Homer Simpson, + id: 00abc123, + type: User }, + authenticationcontext: + { authenticationStep: 0, + externalSessionId: 100-abc-9999 }, + client: + { device: Computer, + 
geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio }, + ipAddress: 1.3.2.4, + userAgent: + { browser: CHROME, + os: Mac OS X, + rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 }, + zone: "null" }, + device: + { name: Evil Computer }, + debugcontext: + { debugData: + { requestId: AbCdEf12G, + requestUri: /api/v1/users/AbCdEfG/lifecycle/reset_factors, + url: '/api/v1/users/AbCdEfG/lifecycle/reset_factors?', + logOnlySecurityData: "{\"risk\":{\"level\":\"LOW\"},\"behaviors\":{\"New Geo-Location\":\"NEGATIVE\",\"New Device\":\"POSITIVE\",\"New IP\":\"POSITIVE\",\"New State\":\"NEGATIVE\",\"New Country\":\"NEGATIVE\",\"Velocity\":\"NEGATIVE\",\"New City\":\"NEGATIVE\"}}" }}, + displaymessage: Evaluation of sign-on policy, + eventtype: policy.evaluate_sign_on, + outcome: + { reason: Sign-on policy evaluation resulted in CHALLENGE, + result: CHALLENGE }, + published: "2022-06-22 18:18:29.015", + request: + { ipChain: + [ { geographicalContext: + { city: Springfield, + country: United States, + geolocation: + { lat: 20, + lon: -25 }, + postalCode: "12345", + state: Ohio, + ip: 1.3.2.4, + version: V4 } } ] }, + securitycontext: + { asNumber: 701, + asOrg: verizon, + domain: verizon.net, + isProxy: false, + isp: verizon }, + severity: INFO, + target: + [ { alternateId: Okta Admin Console, + displayName: Okta Admin Console, + type: AppInstance }, + { alternateId: peter.griffin@company.com, + displayName: Peter Griffin, + id: 0002222AAAA, + type: User } ], + transaction: + { detail: { }, + id: ABcDeFgG, + type: WEB }, + uuid: AbC-123-XyZ, + version: "0" }