

Wiz audit rules (panther-labs#1323)
* traildiscover enrichment with managed schema (panther-labs#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (panther-labs#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <keybase@egibs.xyz>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (panther-labs#1190)

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>

* Update PAT to 0.46.0 (panther-labs#1216)

* sample_logs

* Wiz Audit rules (without Mitre mappings, Severities and Runbooks)

* Wiz Audit rules (updated Mitre mappings, Severities and Runbooks)

* Validate on PR approval (panther-labs#1354)

* more correlation rules from AWS re:inforce (panther-labs#1289)

* more correlation rules from AWS re:inforce

* unit tests

* MITRE ATT&CK and severity

* packs

* pipfile update

* update

* pipfile

* fix upload

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: egibs <keybase@egibs.xyz>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
7 people authored Sep 16, 2024
1 parent 6404644 commit a39d69c
Showing 39 changed files with 2,494 additions and 420 deletions.
2 changes: 1 addition & 1 deletion Pipfile
Expand Up @@ -19,7 +19,7 @@ wrapt = "~=1.15"
[packages]
policyuniverse = "==1.5.1.20230817"
requests = "==2.31.0"
panther-analysis-tool = "~=0.52.1"
panther-analysis-tool = "~=0.52.2"
panther-detection-helpers = "==0.4.0"

[requires]
845 changes: 432 additions & 413 deletions Pipfile.lock


Expand Up @@ -32,19 +32,19 @@ Tests:
RuleOutputs:
- ID: Absent CLI Prompt
Matches:
p_udm.user.id:
igor.stravinsky:
sourceIPAddress:
"1.2.3.4":
- 0
- ID: SSO Access Token Retrieved
Matches:
p_udm.user.id:
igor.stravinsky:
sourceIPAddress:
"1.2.3.4":
- 2
- Name: AWS SSO Access Token Retrieved by Unauthenticated IP
ExpectedResult: true
RuleOutputs:
- ID: SSO Access Token Retrieved
Matches:
p_udm.user.id:
igor.stravinsky:
sourceIPAddress:
"1.2.3.4":
- 2
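--- a/global_helpers/panther_wiz_helpers.py
+++ b/global_helpers/panther_wiz_helpers.py
@@ -0,0 +1,15 @@
+def wiz_success(event):
+    if event.get("status", "") == "SUCCESS":
+        return True
+    return False
+
+
+def wiz_alert_context(event):
+    return {
+        "action": event.get("action", ""),
+        "user": event.get("user", ""),
+        "source_ip": event.get("sourceip", ""),
+        "event_id": event.get("id", ""),
+        "service_account": event.get("serviceaccount", ""),
+        "action_parameters": event.get("actionparameters", ""),
+    }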
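Review bot: `wiz_alert_context` looks up lowercase keys (`sourceip`, `serviceaccount`, `actionparameters`), while the fixtures added under rules/wiz_rules/ in this commit carry those fields as `sourceIP`, `serviceAccount` and `actionParameters` in some tests and lowercase in others; unless the event wrapper matches keys case-insensitively, the context fields silently degrade to `""` on one of those spellings. A comment on the function stating which spelling Wiz.Audit delivers, or that lookup is case-insensitive, would make the defaults safe to maintain. `wiz_success` can collapse to `return event.get("status", "") == "SUCCESS"`, and a one-line docstring on each helper noting that `action_parameters` passes the raw request input into the alert context (so it carries whatever the caller submitted) would help analysts reading the alert.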
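--- a/global_helpers/panther_wiz_helpers.yml
+++ b/global_helpers/panther_wiz_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_wiz_helpers.py
+GlobalID: "panther_wiz_helpers"
+Description: >
+  Used to define global helpers for Wiz events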
1 change: 1 addition & 0 deletions packs/github.yml
Expand Up @@ -18,6 +18,7 @@ PackDefinition:
#- GitHub.Repo.HookModified
- GitHub.Repo.InitialAccess
- Github.Repo.VisibilityChange
- Github.Repo.VulnerabilityDismissed
- GitHub.Secret.Scanning.Alert.Created
- GitHub.Team.Modified
- GitHub.Webhook.Modified
17 changes: 17 additions & 0 deletions packs/wiz.yml
Expand Up @@ -5,6 +5,23 @@ DisplayName: "Panther Wiz Pack"
PackDefinition:
IDs:
- Wiz.Alert.Passthrough
- Wiz.Update.IP.Restrictions
- Wiz.Update.Support.Contact.List
- Wiz.SAML.Identity.Provider.Change
- Wiz.Data.Classifier.Updated.Or.Deleted
- Wiz.Update.Login.Settings
- Wiz.Image.Integrity.Validator.Updated.Or.Deleted
- Wiz.Update.Scanner.Settings
- Wiz.User.Created.Or.Deleted
- Wiz.Rotate.Service.Account.Secret
- Wiz.Connector.Updated.Or.Deleted
- Wiz.Service.Account.Change
- Wiz.Revoke.User.Sessions
- Wiz.User.Role.Updated.Or.Deleted
- Wiz.Integration.Updated.Or.Deleted
- Wiz.Rule.Change
- Wiz.CICD.Scan.Policy.Updated.Or.Deleted
- panther_wiz_helpers
- panther_base_helpers
- panther_config
- panther_config_defaults
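--- a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py
+++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)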
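Review bot: `dedup` returns the event's own `id`, so with the rule's `DedupPeriodMinutes: 60` every successful update or deletion raises a separate alert and a burst of changes by one actor never collapses into one; if one alert per event is intended, say so in a comment, otherwise key on actor and action, e.g. `return f"{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}:{event.get('action', 'ACTION_NOT_FOUND')}"`. The same four functions are repeated verbatim in rules/wiz_rules/wiz_connector_updated_or_deleted.py and rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py with only `SUSPICIOUS_ACTIONS` differing, so the title and dedup logic belong in panther_wiz_helpers.py next to `wiz_alert_context`. Because `rule` gates on `wiz_success`, a FAILED attempt at the same action is dropped silently; that matches the new tests, but a comment saying so would stop a later reader from expecting failed deletions to surface here.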
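--- a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml
+++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml
@@ -0,0 +1,92 @@
+AnalysisType: rule
+RuleID: Wiz.CICD.Scan.Policy.Updated.Or.Deleted
+Description: This rule detects updates and deletions of CICD scan policies.
+DisplayName: Wiz CICD Scan Policy Updated Or Deleted
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://www.wiz.io/academy/ci-cd-security-best-practices
+Enabled: true
+Filename: wiz_cicd_scan_policy_updated_or_deleted.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
+LogTypes:
+  - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: DeleteCICDScanPolicy
+    ExpectedResult: true
+    Log:
+      {
+        "action": "DeleteCICDScanPolicy",
+        "actionparameters": {
+          "input": {
+            "id": "12345-cd1f-4a4b-b3e4-12345"
+          }
+        },
+        "id": "12345-de20-4e00-b958-12345",
+        "log_type": null,
+        "requestid": "12345-284b-4166-aea7-12345",
+        "serviceaccount": null,
+        "sourceip": "8.8.8.8",
+        "status": "SUCCESS",
+        "timestamp": "2023-09-01 14:27:42.694",
+        "user": {
+          "id": "test@company.com",
+          "name": "test@company.com"
+        }
+      }
+  - Name: CreateUser
+    ExpectedResult: false
+    Log:
+      {
+        "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+        "action": "CreateUser",
+        "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-29T09:40:15.66643Z",
+        "actionParameters": {
+          "input": {
+            "assignedProjectIds": null,
+            "email": "testy@company.com",
+            "expiresAt": null,
+            "name": "Test User",
+            "role": "GLOBAL_ADMIN"
+          },
+          "selection": [
+            "__typename",
+            {
+              "user": [
+                "__typename",
+                "id"
+              ]
+            }
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "8.8.8.8",
+        "serviceAccount": null,
+        "user": {
+          "id": "someuser@company.com",
+          "name": "someuser@company.com"
+        }
+      }
+  - Name: DeleteCICDScanPolicy - Fail
+    ExpectedResult: false
+    Log:
+      {
+        "action": "DeleteCICDScanPolicy",
+        "actionparameters": { },
+        "id": "12345-de20-4e00-b958-12345",
+        "log_type": null,
+        "requestid": "12345-284b-4166-aea7-12345",
+        "serviceaccount": null,
+        "sourceip": "8.8.8.8",
+        "status": "FAILED",
+        "timestamp": "2023-09-01 14:27:42.694",
+        "user": {
+          "id": "test@company.com",
+          "name": "test@company.com"
+        }
+      }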
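Review bot: `SUSPICIOUS_ACTIONS` in the paired .py file also lists `UpdateCICDScanPolicy`, but the three tests here only exercise `DeleteCICDScanPolicy` (success and FAILED) and `CreateUser`, so the update branch has no coverage; add a fixture with `"action": "UpdateCICDScanPolicy"` and `"status": "SUCCESS"` expecting true. The same gap exists in rules/wiz_rules/wiz_connector_updated_or_deleted.yml, which never tests `UpdateConnector`. The first and third fixtures use lowercase keys (`actionparameters`, `sourceip`, `serviceaccount`) and a space-separated timestamp, while the `CreateUser` fixture uses camelCase keys and an RFC 3339 timestamp; aligning them to the shape the Wiz.Audit schema actually produces keeps the rule from passing on one spelling and silently failing on the other.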
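--- a/rules/wiz_rules/wiz_connector_updated_or_deleted.py
+++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)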
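--- a/rules/wiz_rules/wiz_connector_updated_or_deleted.yml
+++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.yml
@@ -0,0 +1,96 @@
+AnalysisType: rule
+RuleID: Wiz.Connector.Updated.Or.Deleted
+Description: This rule detects updates and deletions of connectors.
+DisplayName: Wiz Connector Updated Or Deleted
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://help.vulcancyber.com/en/articles/6735270-wiz-connector # article about integration with Vulcan
+Enabled: true
+Filename: wiz_connector_updated_or_deleted.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
+LogTypes:
+  - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: DeleteConnector
+    ExpectedResult: true
+    Log:
+      {
+        "id": "c4fe1656-23a3-4b60-a689-d59a337c5551",
+        "action": "DeleteConnector",
+        "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-09T08:03:09.825336Z",
+        "actionParameters": {
+          "input": {
+            "id": "7a55031b-98f4-4a64-b77c-ad0bc9d7b54b"
+          },
+          "selection": [
+            "__typename",
+            "_stub"
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "12.34.56.78",
+        "serviceAccount": null,
+        "user": {
+          "id": "test.user@company.com",
+          "name": "user@company.com"
+        }
+      }
+  - Name: CreateUser
+    ExpectedResult: false
+    Log:
+      {
+        "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+        "action": "CreateUser",
+        "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-29T09:40:15.66643Z",
+        "actionParameters": {
+          "input": {
+            "assignedProjectIds": null,
+            "email": "testy@company.com",
+            "expiresAt": null,
+            "name": "Test User",
+            "role": "GLOBAL_ADMIN"
+          },
+          "selection": [
+            "__typename",
+            {
+              "user": [
+                "__typename",
+                "id"
+              ]
+            }
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "8.8.8.8",
+        "serviceAccount": null,
+        "user": {
+          "id": "someuser@company.com",
+          "name": "someuser@company.com"
+        }
+      }
+  - Name: DeleteConnector - Fail
+    ExpectedResult: false
+    Log:
+      {
+        "id": "c4fe1656-23a3-4b60-a689-d59a337c5551",
+        "action": "DeleteConnector",
+        "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e",
+        "status": "FAILED",
+        "timestamp": "2024-07-09T08:03:09.825336Z",
+        "actionParameters": { },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "12.34.56.78",
+        "serviceAccount": null,
+        "user": {
+          "id": "test.user@company.com",
+          "name": "user@company.com"
+        }
+      }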
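Review bot: `Reference` links a Vulcan Cyber integration article rather than Wiz's own documentation of connectors, as the inline `# article about integration with Vulcan` comment concedes; an analyst triaging this alert needs the Wiz connector documentation, so the link should point there (or the comment should say why the third-party page was chosen). `Runbook` is the same generic sentence used by the other new Wiz rules and says nothing connector-specific; adding a sentence on confirming the connector's owner and the scope of data that stopped being scanned would make it actionable.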
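--- a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py
+++ b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)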
