"""
This rule detects access to high sensitivity items in your 1Password account. 1Password references
these items by their UUID so the SENSITIVE_ITEM_WATCHLIST below allows for the mapping of UUID to
meaningful name.
There is an alternative method for creating this rule that uses Panther's lookup table feature
(currently in beta). That rule can be found in the 1Password detection pack under the name
"BETA - Sensitive 1Password Item Accessed" (onepassword_lut_sensitive_item_access.py).
"""
from panther_base_helpers import deep_get
# Maps 1Password item UUIDs to a human-readable name. Any access to one of these
# UUIDs fires the rule; the name is only used for readability here (the alert's
# item_name comes from enrichment, see alert_context). Replace the demo entry
# with the UUIDs of the vault items you actually want to watch.
SENSITIVE_ITEM_WATCHLIST = {"ecd1d435c26440dc930ddfbbef201a11": "demo_item"}
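def rule(event):
    """Fire when the accessed 1Password item's UUID is on the sensitive-item watchlist.

    Args:
        event: A 1Password item-usage event; ``item_uuid`` is read with ``event.get``.

    Returns:
        True if ``item_uuid`` is a key of SENSITIVE_ITEM_WATCHLIST, otherwise False.
        An event with no ``item_uuid`` never matches.
    """
    # Test membership on the dict itself; ``.keys()`` only built a view for the
    # same O(1) lookup.
    return event.get("item_uuid") in SENSITIVE_ITEM_WATCHLIST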
def title(event):
    """Return the alert title, naming the user who accessed the sensitive item.

    Args:
        event: A 1Password item-usage event; the actor is read from ``user.name``.

    Returns:
        The formatted title string.
    """
    actor = deep_get(event, "user", "name")
    return f"A Sensitive 1Password Item was Accessed by user {actor}"
def alert_context(event):
    """Collect the fields an analyst needs to triage the alert.

    Args:
        event: A 1Password item-usage event. The item title is read from the
            ``p_enrichment`` block populated by the "1Password Translation"
            lookup; it is None when that enrichment is absent.

    Returns:
        A dict with the actor, item name, client app, source IP and event time.
    """
    actor = deep_get(event, "user", "name")
    item_title = deep_get(event, "p_enrichment", "1Password Translation", "item_uuid", "title")
    client_app = deep_get(event, "client", "app_name")
    source_ip = event.udm("source_ip")
    occurred_at = event.get("timestamp")
    return {
        "user": actor,
        "item_name": item_title,
        "client": client_app,
        "ip_address": source_ip,
        "event_time": occurred_at,
    }