Push Security rules (#1207)

* Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * Push Security rules * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <keybase@egibs.xyz> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * add file/host state to msft graph alert context (#1220) * fix timestamps (#1219) * Update PAT to 0.46.1 (#1222) * pack for traildiscover LUT (#1221) * pack, fmt lint, event.deep_get * pack update --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Panos Sakkos <panos.sakkos@panther.com> Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs <keybase@egibs.xyz> Co-authored-by: Evan Gibler <evan.gibler@panther.com> Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com> Co-authored-by: Ariel Ropek <ariel.ropek@panther.com>
panther-labs · May 21, 2024 · 8012f11 · 8012f11
1 parent c8b6ad9
commit 8012f11
Show file tree

Hide file tree

Showing 16 changed files with 970 additions and 0 deletions.
diff --git a/rules/push_security_rules/push_security_app_banner_acknowledged.py b/rules/push_security_rules/push_security_app_banner_acknowledged.py
@@ -0,0 +1,26 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "APP_BANNER":
+        return False
+
+    if deep_get(event, "new", "action") == "ACKNOWLEDGED":
+        return True
+
+    return False
+
+
+def title(event):
+    app_type = deep_get(event, "new", "appType")
+    employee_email = deep_get(event, "new", "employee", "email")
+    return f"{app_type} accessed by {employee_email}"
+
+
+def alert_context(event):
+    return {
+        "Push Security app banner": deep_get(event, "new", "appBanner", "mode"),
+        "Title": deep_get(event, "new", "appBanner", "title"),
+        "Subtext": deep_get(event, "new", "appBanner", "subtext"),
+        "Button": deep_get(event, "new", "appBanner", "buttonText"),
+    }
diff --git a/rules/push_security_rules/push_security_app_banner_acknowledged.yml b/rules/push_security_rules/push_security_app_banner_acknowledged.yml
@@ -0,0 +1,98 @@
+AnalysisType: rule
+Filename: push_security_app_banner_acknowledged.py
+RuleID: "Push.Security.App.Banner.Acknowledged"
+DisplayName: "Push Security App Banner Acknowledged"
+Enabled: true
+LogTypes:
+  - Custom.PushSecurity.Activity
+Severity: Low
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: App Banner Acknowledged
+    ExpectedResult: true
+    Log:
+      id: c478966c-f927-411c-b919-179832d3d50c
+      new:
+        action: ACKNOWLEDGED
+        appBanner:
+          buttonText: Proceed anyway
+          mode: ACKNOWLEDGE
+          subtext: This app is not approved, please use Google Drive instead.
+          title: This app is not approved for use
+        appType: DROPBOX
+        browser: CHROME
+        employee:
+          chatopsEnabled: true
+          creationTimestamp: 1.698669223e+09
+          department: Security Engineering
+          email: john.hill@example.com
+          firstName: John
+          id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+          lastName: Hill
+          licensed: true
+          location: New York
+        os: WINDOWS
+        sourceIpAddress: 8.158.25.38
+        userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+      object: APP_BANNER
+      timestamp: 1.698604061e+09
+      version: "1"
+  - Name: App Banner Displayed
+    ExpectedResult: false
+    Log:
+      id: c478966c-f927-411c-b919-179832d3d50c
+      new:
+        action: DISPLAYED
+        appBanner:
+          buttonText: Proceed anyway
+          mode: ACKNOWLEDGE
+          subtext: This app is not approved, please use Google Drive instead.
+          title: This app is not approved for use
+        appType: DROPBOX
+        browser: CHROME
+        employee:
+          chatopsEnabled: true
+          creationTimestamp: 1.698669223e+09
+          department: Security Engineering
+          email: john.hill@example.com
+          firstName: John
+          id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+          lastName: Hill
+          licensed: true
+          location: New York
+        os: WINDOWS
+        sourceIpAddress: 8.158.25.38
+        userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+      object: APP_BANNER
+      timestamp: 1.698604061e+09
+      version: "1"
+  - Name: App Banner Inform Mode
+    ExpectedResult: false
+    Log:
+      id: c478966c-f927-411c-b919-179832d3d50c
+      new:
+        action: DISPLAYED
+        appBanner:
+          buttonText: null
+          mode: INFORM
+          subtext: This app is not approved, please use Google Drive instead.
+          title: This app is not approved for use
+        appType: DROPBOX
+        browser: CHROME
+        employee:
+          chatopsEnabled: true
+          creationTimestamp: 1.698669223e+09
+          department: Security Engineering
+          email: john.hill@example.com
+          firstName: John
+          id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+          lastName: Hill
+          licensed: true
+          location: New York
+        os: WINDOWS
+        sourceIpAddress: 8.158.25.38
+        userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+      object: APP_BANNER
+      timestamp: 1.698604061e+09
+      version: "1"
diff --git a/rules/push_security_rules/push_security_mfa_method_changed.py b/rules/push_security_rules/push_security_mfa_method_changed.py
@@ -0,0 +1,33 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "ACCOUNT":
+        return False
+
+    if event.get("old") is None:
+        return False
+
+    new_mfa_methods = set(deep_get(event, "new", "mfaMethods"))
+    old_mfa_methods = set(deep_get(event, "old", "mfaMethods", default=[]))
+
+    if new_mfa_methods != old_mfa_methods:
+        return True
+
+    return False
+
+
+def severity(event):
+    if deep_get(event, "new", "mfaMethods") == []:
+        return "HIGH"
+    return "LOW"
+
+
+def title(event):
+    mfa_methods = ", ".join(deep_get(event, "new", "mfaMethods", default="No MFA"))
+    new_email = deep_get(event, "new", "email")
+    new_apptype = deep_get(event, "new", "appType")
+
+    if mfa_methods == "":
+        return f"{new_email} removed all MFA methods on {new_apptype}"
+    return f"{new_email} changed MFA method to {mfa_methods} on {new_apptype}"
diff --git a/rules/push_security_rules/push_security_mfa_method_changed.yml b/rules/push_security_rules/push_security_mfa_method_changed.yml
@@ -0,0 +1,167 @@
+AnalysisType: rule
+Filename: push_security_mfa_method_changed.py
+RuleID: "Push.Security.MFA.Method.Changed"
+DisplayName: "Push Security SaaS App MFA Method Changed"
+Enabled: true
+LogTypes:
+  - Custom.PushSecurity.Entities
+Severity: Info
+Description: MFA method on SaaS app changed
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: All MFA methods removed
+    ExpectedResult: true
+    Log:
+      id: d1e5794f-666d-4cba-abae-c6d889ca1903
+      new:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods: []
+        mfaRegistered: false
+        passwordId: null
+      object: ACCOUNT
+      old:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+        mfaRegistered: false
+        passwordId: null
+      timestamp: 1.707775049e+09
+      type: CREATE
+      version: "1"
+  - Name: First seen
+    ExpectedResult: false
+    Log:
+      id: d1e5794f-666d-4cba-abae-c6d889ca1903
+      new:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+          - APP_OTP
+        mfaRegistered: false
+        passwordId: null
+      object: ACCOUNT
+      old: null
+      timestamp: 1.707775049e+09
+      type: CREATE
+      version: "1"
+  - Name: MFA method added
+    ExpectedResult: true
+    Log:
+      id: d1e5794f-666d-4cba-abae-c6d889ca1903
+      new:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+          - APP_OTP
+        mfaRegistered: false
+        passwordId: null
+      object: ACCOUNT
+      old:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+        mfaRegistered: false
+        passwordId: null
+      timestamp: 1.707775049e+09
+      type: CREATE
+      version: "1"
+  - Name: No MFA method change
+    ExpectedResult: false
+    Log:
+      id: d1e5794f-666d-4cba-abae-c6d889ca1903
+      new:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+          - APP_OTP
+        mfaRegistered: false
+        passwordId: null
+      object: ACCOUNT
+      old:
+        appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+        appType: CONTENTFUL
+        creationTimestamp: 1.707775048e+09
+        email: jet.black@issp.com
+        employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+        id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+        lastUsedTimestamp: null
+        loginMethods:
+          oidcLogin: null
+          oktaSwaLogin: false
+          passwordLogin: false
+          samlLogin: null
+        mfaMethods:
+          - SMS
+          - APP_OTP
+        mfaRegistered: false
+        passwordId: null
+      timestamp: 1.707775049e+09
+      type: CREATE
+      version: "1"
diff --git a/rules/push_security_rules/push_security_new_app_detected.py b/rules/push_security_rules/push_security_new_app_detected.py
@@ -0,0 +1,16 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "APP":
+        return False
+
+    if event.get("type") == "CREATE":
+        return True
+
+    return False
+
+
+def title(event):
+    new_type = deep_get(event, "new", "type")
+    return f"New app in use: {new_type}"
diff --git a/rules/push_security_rules/push_security_new_app_detected.yml b/rules/push_security_rules/push_security_new_app_detected.yml
@@ -0,0 +1,54 @@
+AnalysisType: rule
+Filename: push_security_new_app_detected.py
+RuleID: "Push.Security.New.App.Detected"
+DisplayName: "Push Security New App Detected"
+Enabled: true
+LogTypes:
+  - Custom.PushSecurity.Entities
+Severity: Info
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: New App
+    ExpectedResult: true
+    Log:
+      id: c478966c-f927-411c-b919-179832d3d50c
+      new:
+        approvalStatus: null
+        creationTimestamp: 1.698064423e+09
+        id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+        notes: ""
+        ownerId: null
+        sensitivityLevel: null
+        type: ZAPIER
+      object: APP
+      old: null
+      timestamp: 1.698604061e+09
+      type: CREATE
+      version: "1"
+  - Name: App Updated
+    ExpectedResult: false
+    Log:
+      id: c478966c-f927-411c-b919-179832d3d50c
+      new:
+        approvalStatus: APPROVED
+        creationTimestamp: 1.698064423e+09
+        id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+        notes: |
+          Last security audit: 16 January 2023.
+        ownerId: 87569da6-fb7a-4df7-8ce2-246c14044911
+        sensitivityLevel: HIGH
+        type: ZAPIER
+      object: APP
+      old:
+        approvalStatus: UNDER_REVIEW
+        creationTimestamp: 1.698064423e+09
+        id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+        notes: |
+          Initial submission for review.
+        ownerId: 87569da6-fb7a-4df7-8ce2-246c14044911
+        sensitivityLevel: MEDIUM
+        type: ZAPIER
+      timestamp: 1.698604061e+09
+      type: UPDATE
+      version: "1"