OCSF data model, VPC/DNS (#1214)

* Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * THREAT-278 OCSF data model, VPC --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com>
panther-labs · Jun 10, 2024 · 41e0c46 · 41e0c46
1 parent 2f8c64f
commit 41e0c46
Show file tree

Hide file tree

Showing 14 changed files with 434 additions and 186 deletions.
diff --git a/data_models/aws_vpcflow_data_model.yml b/data_models/aws_vpcflow_data_model.yml
@@ -15,3 +15,5 @@ Mappings:
     Path: srcPort
   - Name: user_agent
     Path: userAgent
+  - Name: log_status
+    Path: log-status
diff --git a/data_models/ocsf_dnsactivity_data_model.yml b/data_models/ocsf_dnsactivity_data_model.yml
@@ -0,0 +1,13 @@
+AnalysisType: datamodel
+LogTypes:
+  - OCSF.DnsActivity
+DataModelID: "Standard.OCSF.DnsActivity"
+DisplayName: "OCSF DNS Activity"
+Enabled: true
+Mappings:
+  - Name: source_ip
+    Path: $.src_endpoint.ip
+  - Name: source_port
+    Path: $.src_endpoint.port
+  - Name: dns_query
+    Path: $.query.hostname
diff --git a/data_models/ocsf_networkactivity_data_model.yml b/data_models/ocsf_networkactivity_data_model.yml
@@ -0,0 +1,17 @@
+AnalysisType: datamodel
+LogTypes:
+  - OCSF.NetworkActivity
+DataModelID: "Standard.OCSF.NetworkActivity"
+DisplayName: "OCSF Network Activity"
+Enabled: true
+Mappings:
+  - Name: destination_ip
+    Path: $.dst_endpoint.ip
+  - Name: destination_port
+    Path: $.dst_endpoint.port
+  - Name: source_ip
+    Path: $.src_endpoint.ip
+  - Name: source_port
+    Path: $.src_endpoint.port
+  - Name: log_status
+    Path: status_code
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -167,6 +167,8 @@ PackDefinition:
     - Standard.AWS.CloudTrail
     - Standard.AWS.S3ServerAccess
     - Standard.AWS.VPCFlow
+    - Standard.OCSF.NetworkActivity
+    - Standard.OCSF.DnsActivity
     # Globals used in these rules/policies
     - panther_base_helpers
     - panther_config

diff --git a/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.py b/rules/aws_vpc_flow_rules/aws_dns_crypto_domain.py
@@ -2,7 +2,9 @@
 
 
 def rule(event):
-    query_name = event.get("query_name")
+    query_name = event.udm("dns_query")
+    if not query_name:
+        return False
     for domain in CRYPTO_MINING_DOMAINS:
         if query_name.rstrip(".").endswith(domain):
             return True
@@ -11,11 +13,11 @@ def rule(event):
 
 def title(event):
     return (
-        f"[{event.get('srcaddr')}:{event.get('srcport')}] "
+        f"[{event.udm('source_ip')}:{event.udm('source_port')}] "
         "made a DNS query for crypto mining domain: "
-        f"[{event.get('query_name')}]."
+        f"[{event.udm('dns_query')}]."
     )
 
 
 def dedup(event):
-    return f"{event.get('srcaddr')}"
+    return f"{event.udm('source_ip')}"