* traildiscover enrichment with managed schema (panther-labs#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (panther-labs#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (panther-labs#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (panther-labs#1216) * sample_logs * Wiz Audit rules (without Mitre mappings, Severities and Runbooks) * Wiz Audit rules (updated Mitre mappings, Severities and Runbooks) * Validate on PR approval (panther-labs#1354) * more correlation rules from AWS re:inforce (panther-labs#1289) * more correlation rules from AWS re:inforce * unit tests * MITRE ATT&CK and severity * packs * pipfile update * update * pipfile * fix upload --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
1 parent
6404644
commit a39d69c
Showing
39 changed files
with
2,494 additions
and
420 deletions.
@@ -0,0 +1,15 @@ | ||
def wiz_success(event): | ||
if event.get("status", "") == "SUCCESS": | ||
return True | ||
return False | ||
|
||
|
||
def wiz_alert_context(event): | ||
return { | ||
"action": event.get("action", ""), | ||
"user": event.get("user", ""), | ||
"source_ip": event.get("sourceip", ""), | ||
"event_id": event.get("id", ""), | ||
"service_account": event.get("serviceaccount", ""), | ||
"action_parameters": event.get("actionparameters", ""), | ||
} |
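Review bot: `wiz_alert_context` reads the lowercase keys `sourceip`, `serviceaccount` and `actionparameters`, but the sample logs in the rule tests of this commit spell those fields `sourceIP`, `serviceAccount`, `actionParameters` (and `requestId`) in some cases and lowercase in others, so for the camelCase shape every context field silently becomes `""`. Which spelling the Wiz.Audit log type actually emits is not visible here; confirm it against the managed schema and align the helper (or read both spellings) rather than let the `""` default hide the mismatch in every alert. `wiz_success` can be a single expression, `return event.get("status", "") == "SUCCESS"`. A one-line docstring on each helper would also help, e.g. `"""Return True when the Wiz audit event reports status SUCCESS."""` and `"""Build the alert-context dict (actor, source IP, action parameters) for a Wiz audit event."""`.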
@@ -0,0 +1,5 @@ | ||
AnalysisType: global | ||
Filename: panther_wiz_helpers.py | ||
GlobalID: "panther_wiz_helpers" | ||
Description: > | ||
Used to define global helpers for Wiz events |
24 changes: 24 additions & 0 deletions
24
rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py
@@ -0,0 +1,24 @@ | ||
from panther_wiz_helpers import wiz_alert_context, wiz_success | ||
|
||
SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"] | ||
|
||
|
||
def rule(event): | ||
if not wiz_success(event): | ||
return False | ||
return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS | ||
|
||
|
||
def title(event): | ||
return ( | ||
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " | ||
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" | ||
) | ||
|
||
|
||
def dedup(event): | ||
return event.get("id") | ||
|
||
|
||
def alert_context(event): | ||
return wiz_alert_context(event) |
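Review bot: `rule`, `title`, `dedup` and `alert_context` are identical to the connector and data-classifier rule files later in this commit except for `SUSPICIOUS_ACTIONS`, so the title format and dedup key are now maintained in three places; a `wiz_title(event)` next to `wiz_alert_context` in `panther_wiz_helpers` would leave each rule with only its action list. `dedup` returns `event.get("id")`, which is `None` when the field is absent — presumably the runtime then falls back to the title, but that is worth confirming so missing ids do not collapse unrelated events into one alert. The list is only used for membership, so `SUSPICIOUS_ACTIONS = {"DeleteCICDScanPolicy", "UpdateCICDScanPolicy"}` reads as intent. A module docstring such as `"""Alert on successful deletion or modification of a Wiz CI/CD scan policy."""` would name the detection for readers of the .py alone.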
92 changes: 92 additions & 0 deletions
92
rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml
@@ -0,0 +1,92 @@ | ||
AnalysisType: rule | ||
RuleID: Wiz.CICD.Scan.Policy.Updated.Or.Deleted | ||
Description: This rule detects updates and deletions of CICD scan policies. | ||
DisplayName: Wiz CICD Scan Policy Updated Or Deleted | ||
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. | ||
Reference: https://www.wiz.io/academy/ci-cd-security-best-practices | ||
Enabled: true | ||
Filename: wiz_cicd_scan_policy_updated_or_deleted.py | ||
Severity: Medium | ||
Reports: | ||
MITRE ATT&CK: | ||
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools | ||
LogTypes: | ||
- Wiz.Audit | ||
DedupPeriodMinutes: 60 | ||
Threshold: 1 | ||
Tests: | ||
- Name: DeleteCICDScanPolicy | ||
ExpectedResult: true | ||
Log: | ||
{ | ||
"action": "DeleteCICDScanPolicy", | ||
"actionparameters": { | ||
"input": { | ||
"id": "12345-cd1f-4a4b-b3e4-12345" | ||
} | ||
}, | ||
"id": "12345-de20-4e00-b958-12345", | ||
"log_type": null, | ||
"requestid": "12345-284b-4166-aea7-12345", | ||
"serviceaccount": null, | ||
"sourceip": "8.8.8.8", | ||
"status": "SUCCESS", | ||
"timestamp": "2023-09-01 14:27:42.694", | ||
"user": { | ||
"id": "test@company.com", | ||
"name": "test@company.com" | ||
} | ||
} | ||
- Name: CreateUser | ||
ExpectedResult: false | ||
Log: | ||
{ | ||
"id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", | ||
"action": "CreateUser", | ||
"requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", | ||
"status": "SUCCESS", | ||
"timestamp": "2024-07-29T09:40:15.66643Z", | ||
"actionParameters": { | ||
"input": { | ||
"assignedProjectIds": null, | ||
"email": "testy@company.com", | ||
"expiresAt": null, | ||
"name": "Test User", | ||
"role": "GLOBAL_ADMIN" | ||
}, | ||
"selection": [ | ||
"__typename", | ||
{ | ||
"user": [ | ||
"__typename", | ||
"id" | ||
] | ||
} | ||
] | ||
}, | ||
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", | ||
"sourceIP": "8.8.8.8", | ||
"serviceAccount": null, | ||
"user": { | ||
"id": "someuser@company.com", | ||
"name": "someuser@company.com" | ||
} | ||
} | ||
- Name: DeleteCICDScanPolicy - Fail | ||
ExpectedResult: false | ||
Log: | ||
{ | ||
"action": "DeleteCICDScanPolicy", | ||
"actionparameters": { }, | ||
"id": "12345-de20-4e00-b958-12345", | ||
"log_type": null, | ||
"requestid": "12345-284b-4166-aea7-12345", | ||
"serviceaccount": null, | ||
"sourceip": "8.8.8.8", | ||
"status": "FAILED", | ||
"timestamp": "2023-09-01 14:27:42.694", | ||
"user": { | ||
"id": "test@company.com", | ||
"name": "test@company.com" | ||
} | ||
} |
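Review bot: The `Runbook` line is generic ("verify ... revert ... ensure this doesn't happen again") and does not tell the analyst where to find the affected policy, although the positive test shows the target id under `actionparameters.input.id` and the alert context carries `action_parameters`. Something like `Runbook: Confirm with the CI/CD owners that the scan-policy change (policy id in alert_context.action_parameters) was intended; if not, restore the policy and review the acting user's permissions.` gives a concrete first step. Neither `UpdateCICDScanPolicy` (half of `SUSPICIOUS_ACTIONS`) nor an event with no `status` field is exercised by the tests; a success log for the update action and a status-less log (which `wiz_success` treats as not successful) would pin both behaviors.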
@@ -0,0 +1,24 @@ | ||
from panther_wiz_helpers import wiz_alert_context, wiz_success | ||
|
||
SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"] | ||
|
||
|
||
def rule(event): | ||
if not wiz_success(event): | ||
return False | ||
return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS | ||
|
||
|
||
def title(event): | ||
return ( | ||
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " | ||
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" | ||
) | ||
|
||
|
||
def dedup(event): | ||
return event.get("id") | ||
|
||
|
||
def alert_context(event): | ||
return wiz_alert_context(event) |
@@ -0,0 +1,96 @@ | ||
AnalysisType: rule | ||
RuleID: Wiz.Connector.Updated.Or.Deleted | ||
Description: This rule detects updates and deletions of connectors. | ||
DisplayName: Wiz Connector Updated Or Deleted | ||
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. | ||
Reference: https://help.vulcancyber.com/en/articles/6735270-wiz-connector # article about integration with Vulcan | ||
Enabled: true | ||
Filename: wiz_connector_updated_or_deleted.py | ||
Severity: Medium | ||
Reports: | ||
MITRE ATT&CK: | ||
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools | ||
LogTypes: | ||
- Wiz.Audit | ||
DedupPeriodMinutes: 60 | ||
Threshold: 1 | ||
Tests: | ||
- Name: DeleteConnector | ||
ExpectedResult: true | ||
Log: | ||
{ | ||
"id": "c4fe1656-23a3-4b60-a689-d59a337c5551", | ||
"action": "DeleteConnector", | ||
"requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e", | ||
"status": "SUCCESS", | ||
"timestamp": "2024-07-09T08:03:09.825336Z", | ||
"actionParameters": { | ||
"input": { | ||
"id": "7a55031b-98f4-4a64-b77c-ad0bc9d7b54b" | ||
}, | ||
"selection": [ | ||
"__typename", | ||
"_stub" | ||
] | ||
}, | ||
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", | ||
"sourceIP": "12.34.56.78", | ||
"serviceAccount": null, | ||
"user": { | ||
"id": "test.user@company.com", | ||
"name": "user@company.com" | ||
} | ||
} | ||
- Name: CreateUser | ||
ExpectedResult: false | ||
Log: | ||
{ | ||
"id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", | ||
"action": "CreateUser", | ||
"requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", | ||
"status": "SUCCESS", | ||
"timestamp": "2024-07-29T09:40:15.66643Z", | ||
"actionParameters": { | ||
"input": { | ||
"assignedProjectIds": null, | ||
"email": "testy@company.com", | ||
"expiresAt": null, | ||
"name": "Test User", | ||
"role": "GLOBAL_ADMIN" | ||
}, | ||
"selection": [ | ||
"__typename", | ||
{ | ||
"user": [ | ||
"__typename", | ||
"id" | ||
] | ||
} | ||
] | ||
}, | ||
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", | ||
"sourceIP": "8.8.8.8", | ||
"serviceAccount": null, | ||
"user": { | ||
"id": "someuser@company.com", | ||
"name": "someuser@company.com" | ||
} | ||
} | ||
- Name: DeleteConnector - Fail | ||
ExpectedResult: false | ||
Log: | ||
{ | ||
"id": "c4fe1656-23a3-4b60-a689-d59a337c5551", | ||
"action": "DeleteConnector", | ||
"requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e", | ||
"status": "FAILED", | ||
"timestamp": "2024-07-09T08:03:09.825336Z", | ||
"actionParameters": { }, | ||
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", | ||
"sourceIP": "12.34.56.78", | ||
"serviceAccount": null, | ||
"user": { | ||
"id": "test.user@company.com", | ||
"name": "user@company.com" | ||
} | ||
} |
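Review bot: The `Reference` at the top of this rule points to a third-party vendor's integration article (the inline comment admits it is "about integration with Vulcan"), which is an odd anchor for a detection on Wiz connector deletion; a Wiz-owned page on connectors would serve analysts better, and the inline comment can then go. The tests mirror the scan-policy rule — positive on `DeleteConnector` with `SUCCESS`, negative on an unrelated action and on `FAILED` — and, as there, no case covers `UpdateConnector`, the other half of `SUSPICIOUS_ACTIONS`; a short `UpdateConnector` success test would close that gap.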
@@ -0,0 +1,24 @@ | ||
from panther_wiz_helpers import wiz_alert_context, wiz_success | ||
|
||
SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"] | ||
|
||
|
||
def rule(event): | ||
if not wiz_success(event): | ||
return False | ||
return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS | ||
|
||
|
||
def title(event): | ||
return ( | ||
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " | ||
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" | ||
) | ||
|
||
|
||
def dedup(event): | ||
return event.get("id") | ||
|
||
|
||
def alert_context(event): | ||
return wiz_alert_context(event) |