Merge branch 'develop' into panos/revert-noisy-rule

Author: arielkr256

Pipfile

@@ -21,6 +21,7 @@ policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
 panther-analysis-tool = "~=0.54.0"
 panther-detection-helpers = "==0.4.0"
+pycountry = "==24.6.1"
 
 [requires]
 python_version = "3.11"

Pipfile.lock

@@ -3,12 +3,13 @@
 
 def get_event_type(event):
     # currently, only tracking a handful of event types
-    if event.get("event_type_id") == 72 and event.get("privilege_name") == "Super user":
+    event_type_id = str(event.get("event_type_id"))
+    if event_type_id == "72" and event.get("privilege_name") == "Super user":
         return event_type.ADMIN_ROLE_ASSIGNED
-    if event.get("event_type_id") == 6:
+    if event_type_id == "6":
         return event_type.FAILED_LOGIN
-    if event.get("event_type_id") == 5:
+    if event_type_id == "5":
         return event_type.SUCCESSFUL_LOGIN
-    if event.get("event_type_id") == 13:
+    if event_type_id == "13":
         return event_type.USER_ACCOUNT_CREATED
     return None

data_models/onelogin_data_model.py

@@ -9,8 +9,7 @@ PackDefinition:
     # Globals used in these detections
     - global_filter_azuresignin
     - panther_azuresignin_helpers
-
-
+    - panther_base_helpers
     - panther_event_type_helpers
     # Data Models
     - Standard.Azure.Audit.SignIn

packs/azure_signin.yml

@@ -26,6 +26,7 @@ PackDefinition:
     - Standard.MFADisabled
     - Standard.NewAWSAccountCreated
     - Standard.NewUserAccountCreated
+    - Standard.SignInFromRogueState
     # Global Helpers
     - panther_base_helpers
     - panther_aws_helpers

packs/standard_ruleset.yml

@@ -0,0 +1,62 @@
+import panther_event_type_helpers as event_type
+import pycountry
+
+# Configuration Required:
+#   Configure the below list of rogue states according to your needs/experience
+#   Refer to the link below to find the alpha-2 code corresponding to your country
+#   https://www.iban.com/country-codes
+ROGUE_STATES = {"CN", "IR", "RU"}
+
+
+def rule(event):
+    # Only evaluate successful logins
+    if event.udm("event_type") != event_type.SUCCESSFUL_LOGIN:
+        return False
+
+    # Ignore events with no IP data
+    if not event.udm("source_ip"):
+        return False
+
+    # Get contry of request origin and compare to identified rogue state list
+    return bool(is_rogue_state(get_country(event).alpha_2))
+
+
+def title(event):
+    log_type = event.get("p_log_type")
+    country = get_country(event)
+    account_name = get_account_name(event)
+    return f"{log_type}: Sign-In for account {account_name} from Rogue State '{country.name}'"
+
+
+def alert_context(event):
+    return {
+        "source_ip": event.udm("source_ip"),
+        "country": get_country(event).name,
+        "account_name": get_account_name(event),
+    }
+
+
+def get_country(event) -> str:
+    """Returns the country code from an event's IPinfo data."""
+    location_data = event.deep_get("p_enrichment", "ipinfo_location", event.udm_path("source_ip"))
+    if not location_data:
+        return ""  # Ignore event if we have no enrichment to analyze
+    return pycountry.countries.get(alpha_2=location_data.get("country").upper())
+
+
+def get_account_name(event) -> str:
+    """Returns the account name."""
+    if account_name := event.deep_get("p_udm", "user", "email"):
+        return account_name
+    if account_name := event.deep_get("p_udm", "user", "name"):
+        return account_name
+    if account_name := event.udm("actor_user"):
+        return account_name
+    return "UNKNWON ACCOUNT"
+
+
+def is_rogue_state(country_code: str) -> bool:
+    """Returns whether the country code provided belongs to an identified rogue state."""
+    # This function makes it easy for us to use unit test mocks to ensure altering the ROGUE_STATES
+    #   dict doesn't break our test suite.
+    return country_code in ROGUE_STATES