Skip to content

Commit

Permalink
Fix Wiz Audit Log Titles for Service Account Actors (#1414)
Browse files Browse the repository at this point in the history
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
  • Loading branch information
jpts and arielkr256 authored Nov 4, 2024
1 parent bdc7a6c commit 4b6e485
Show file tree
Hide file tree
Showing 17 changed files with 90 additions and 34 deletions.
28 changes: 26 additions & 2 deletions global_helpers/panther_wiz_helpers.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,33 @@ def wiz_success(event):
def wiz_alert_context(event):
return {
"action": event.get("action", ""),
"user": event.get("user", ""),
"actor": wiz_actor(event),
"source_ip": event.get("sourceip", ""),
"event_id": event.get("id", ""),
"service_account": event.get("serviceaccount", ""),
"action_parameters": event.get("actionparameters", ""),
}


def wiz_actor(event):
user = event.get("user")
serviceaccount = event.get("serviceAccount")

if user is not None:
return {
"type": "user",
"id": user.get("id"),
"name": user.get("name"),
}

if serviceaccount is not None:
return {
"type": "serviceaccount",
"id": serviceaccount.get("id"),
"name": serviceaccount.get("name"),
}

return {
"type": "unknown",
"id": "<Unknown ID>",
"name": "<Unknown Name>",
}
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_connector_updated_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteImageIntegrityValidator", "UpdateImageIntegrityValidator"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_integration_updated_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteIntegration", "UpdateIntegration"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_revoke_user_sessions.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_rotate_service_account_secret.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_rule_change.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = [
"DeleteAutomationRule",
Expand All @@ -24,9 +24,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_saml_identity_provider_change.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = [
"UpdateSAMLIdentityProvider",
Expand All @@ -15,9 +15,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_service_account_change.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = [
"CreateServiceAccount",
Expand All @@ -14,9 +14,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_update_ip_restrictions.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_update_login_settings.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_update_scanner_settings.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_update_support_contact_list.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success


def rule(event):
Expand All @@ -8,9 +8,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_user_created_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["CreateUser", "DeleteUser"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down
6 changes: 4 additions & 2 deletions rules/wiz_rules/wiz_user_role_updated_or_deleted.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
from panther_wiz_helpers import wiz_alert_context, wiz_success
from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success

SUSPICIOUS_ACTIONS = ["DeleteUserRole", "UpdateUserRole"]

Expand All @@ -10,9 +10,11 @@ def rule(event):


def title(event):
actor = wiz_actor(event)

return (
f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
f"performed by {actor.get('type')} [{actor.get('name')}]"
)


Expand Down

0 comments on commit 4b6e485

Please sign in to comment.