fix: gsuite activityevents can sometimes get a parameters key with a …

…null value. we should not error when that happens (#613)
panther-labs · Jan 4, 2023 · cfbbda7 · cfbbda7
1 parent 8c06016
commit cfbbda7
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 7 deletions.
diff --git a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.py b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.py
@@ -1,7 +1,12 @@
+from panther_base_helpers import deep_get
+
+
 def rule(event):
     # Return True to match the log event and trigger an alert.
     setting_name = (
-        event.get("parameters", {}).get("SETTING_NAME", "NO_SETTING_NAME").split("-")[0].strip()
+        deep_get(event, "parameters", "SETTING_NAME", default="NO_SETTING_NAME")
+        .split("-")[0]
+        .strip()
     )
     setting_alert_flag = "Advanced Protection Program Settings"
     return event.get("name") == "CREATE_APPLICATION_SETTING" and setting_name == setting_alert_flag

diff --git a/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml b/rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml
@@ -6,6 +6,27 @@ Filename: google_workspace_advanced_protection_program.py
 Runbook: Confirm the changes made were authorized for your organization.
 Severity: Medium
 Tests:
+    - ExpectedResult: false
+      Name: parameters json key set to null value
+      Log:
+        {
+          "actor": {
+            "callerType": "USER",
+            "email": "user@example.io",
+            "profileId": "111111111111111111111"
+          },
+          "id": {
+            "applicationName": "user_accounts",
+            "customerId": "C00000000",
+            "time": "2022-12-29 22:42:44.467000000",
+            "uniqueQualifier": "517500000000000000"
+          },
+          "parameters": null,
+          "ipAddress": "2600:2600:2600:2600:2600:2600:2600:2600",
+          "kind": "admin#reports#activity",
+          "name": "recovery_email_edit",
+          "type": "recovery_info_change"
+        }
     - ExpectedResult: true
       Log:
         actor:

diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.py b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.py
@@ -1,8 +1,11 @@
+from panther_base_helpers import deep_get
+
+
 def rule(event):
     # Return True to match the log event and trigger an alert.
-    setting_name = event.get("parameters", {}).get("SETTING_NAME", "<NO_SETTING_NAME>")
-    old_val = event.get("parameters", {}).get("OLD_VALUE", "<NO_OLD_VALUE_FOUND>")
-    new_val = event.get("parameters", {}).get("NEW_VALUE", "<NO_NEW_VALUE_FOUND>")
+    setting_name = deep_get(event, "parameters", "SETTING_NAME", default="<NO_SETTING_NAME>")
+    old_val = deep_get(event, "parameters", "OLD_VALUE", default="<NO_OLD_VALUE_FOUND>")
+    new_val = deep_get(event, "parameters", "NEW_VALUE", default="<NO_NEW_VALUE_FOUND>")
     return setting_name == "ENABLE_G_SUITE_MARKETPLACE" and old_val != new_val
 
 
@@ -16,10 +19,11 @@ def title(event):
         "2": "Allow users to install and run any app from the Marketplace",
         "3": "Allow users to install and run only selected apps from the Marketplace",
     }
-    old_val = event.get("parameters", {}).get("OLD_VALUE", "<NO_OLD_VALUE_FOUND>")
-    new_val = event.get("parameters", {}).get("NEW_VALUE", "<NO_NEW_VALUE_FOUND>")
+    old_val = deep_get(event, "parameters", "OLD_VALUE", default="<NO_OLD_VALUE_FOUND>")
+    new_val = deep_get(event, "parameters", "NEW_VALUE", default="<NO_NEW_VALUE_FOUND>")
+    actor = deep_get(event, "actor", "email", default="<NO_EMAIL_FOUND>")
     return (
-        f"Google Workspace User [{event.get('actor',{}).get('email','<NO_EMAIL_FOUND>')}] "
+        f"Google Workspace User [{actor}] "
         f"made an application allowlist setting change from [{value_dict.get(old_val)}] "
         f"to [{value_dict.get(new_val)}]"
     )
diff --git a/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml b/rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml
@@ -6,6 +6,27 @@ Filename: google_workspace_apps_marketplace_allowlist.py
 Runbook: Confirm with the acting user that this change was authorized.
 Severity: Medium
 Tests:
+    - ExpectedResult: false
+      Name: parameters json key set to null value
+      Log:
+        {
+          "actor": {
+            "callerType": "USER",
+            "email": "user@example.io",
+            "profileId": "111111111111111111111"
+          },
+          "id": {
+            "applicationName": "user_accounts",
+            "customerId": "C00000000",
+            "time": "2022-12-29 22:42:44.467000000",
+            "uniqueQualifier": "517500000000000000"
+          },
+          "parameters": null,
+          "ipAddress": "2600:2600:2600:2600:2600:2600:2600:2600",
+          "kind": "admin#reports#activity",
+          "name": "recovery_email_edit",
+          "type": "recovery_info_change"
+        }
     - ExpectedResult: true
       Log:
         actor: