Merge branch 'main' into egibs-exfiltration-rules

Author: Evan Gibler

global_helpers/panther_base_helpers.py

@@ -7,6 +7,7 @@
 from functools import reduce
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
+from panther_config import config
 
 # # # # # # # # # # # # # #
 #       Exceptions        #
@@ -35,47 +36,36 @@ def in_pci_scope_tags(resource):
     return resource["Tags"].get(CDE_TAG_KEY) == CDE_TAG_VALUE
 
 
+PCI_NETWORKS = config.PCI_NETWORKS
 # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked
 # Returns True if any ip in the range is marked as in scope
-PCI_NETWORKS = [
-    ip_network("10.0.0.0/24"),
-]
-
-
 def is_pci_scope_cidr(ip_range):
     return any(ip_network(ip_range).overlaps(pci_network) for pci_network in PCI_NETWORKS)
 
 
+DMZ_NETWORKS = config.DMZ_NETWORKS
 # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked
 # Returns True if any ip in the range is marked as DMZ space.
-DMZ_NETWORKS = [
-    ip_network("10.1.0.0/24"),
-    ip_network("100.1.0.0/24"),
-]
-
-
 def is_dmz_cidr(ip_range):
     """This function determines whether a given IP range is within the defined DMZ IP range."""
     return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS)
 
 
-DMZ_TAG_KEY = "environment"
-DMZ_TAG_VALUE = "dmz"
-
-
 # Defaults to False to assume something is not a DMZ if it is not tagged
-def is_dmz_tags(resource):
+def is_dmz_tags(resource, dmz_tags):
     """This function determines whether a given resource is tagged as existing in a DMZ."""
     if resource["Tags"] is None:
         return False
-    return resource["Tags"].get(DMZ_TAG_KEY) == DMZ_TAG_VALUE
+    for key, value in dmz_tags:
+        if resource["Tags"].get(key) == value:
+            return True
+    return False
 
 
 # Function variables here so that implementation details of these functions can be changed without
 # having to rename the function in all locations its used, or having an outdated name on the actual
 # function being used, etc.
 IN_PCI_SCOPE = in_pci_scope_tags
-IS_DMZ = is_dmz_tags
 
 # # # # # # # # # # # # # #
 #      GSuite Helpers     #

global_helpers/panther_config_defaults.py

@@ -13,3 +13,17 @@
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
 TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS
+
+DMZ_NETWORKS = [
+    # ip_network("10.1.0.0/24"),
+]
+
+DMZ_TAGS = set(
+    [
+        ("environment", "dmz"),
+    ]
+)
+
+PCI_NETWORKS = [
+    # ip_network("10.0.0.0/24"),
+]

policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.py

@@ -1,6 +1,11 @@
+import json
 from ipaddress import ip_network
+from unittest.mock import MagicMock
 
-from panther_base_helpers import IS_DMZ
+from panther_base_helpers import is_dmz_tags
+from panther_config import config
+
+DMZ_TAGS = config.DMZ_TAGS
 
 
 def policy(resource):
@@ -9,7 +14,10 @@ def policy(resource):
         return True
 
     # DMZ security groups can have inbound permissions from the internet
-    if IS_DMZ(resource):
+    global DMZ_TAGS  # pylint: disable=global-statement
+    if isinstance(DMZ_TAGS, MagicMock):
+        DMZ_TAGS = {tuple(kv) for kv in json.loads(DMZ_TAGS())}
+    if is_dmz_tags(resource, DMZ_TAGS):
         return True
 
     for permission in resource["IpPermissions"]:

policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml

@@ -25,6 +25,9 @@ Tests:
   -
     Name: DMZ Security Group Does Allows Public Access
     ExpectedResult: true
+    Mocks:
+      - objectName: DMZ_TAGS
+        returnValue: '[["environment", "dmz"]]'
     Resource:
       {
         "Description": "example VPC security group",
@@ -88,6 +91,9 @@ Tests:
   -
     Name: Non DMZ Security Group Allows Public Access
     ExpectedResult: false
+    Mocks:
+      - objectName: DMZ_TAGS
+        returnValue: '[["environment", "dmz"]]'
     Resource:
       {
         "Description": "example VPC security group",
@@ -151,6 +157,9 @@ Tests:
   -
     Name: Non DMZ Security Group Does Not Allow Public Access
     ExpectedResult: true
+    Mocks:
+      - objectName: DMZ_TAGS
+        returnValue: '[["environment", "dmz"]]'
     Resource:
       {
         "Description": "example VPC security group",

rules/okta_rules/okta_app_unauthorized_access_attempt.yml

@@ -4,6 +4,7 @@ DisplayName: "Okta App Unauthorized Access Attempt"
 Enabled: true
 Filename: okta_app_unauthorized_access_attempt.py
 Severity: Low
+Reference: https://support.okta.com/help/s/article/App-Sign-on-Error-403-User-attempted-unauthorized-access-to-app?language=en_US
 Tests:
     - ExpectedResult: true
       Log:

rules/okta_rules/okta_geo_improbable_access.yml

@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user has subsequent logins from two geographic locations that are very far apart
 Runbook: Reach out to the user if needed to validate the activity, then lock the account
+Reference: https://www.blinkops.com/blog/how-to-detect-and-remediate-okta-impossible-traveler-alerts
 SummaryAttributes:
   - eventType
   - severity

rules/okta_rules/okta_group_admin_role_assigned.yml

@@ -3,6 +3,7 @@ Description: Detect when an admin role is assigned to a group
 DisplayName: "Okta Group Admin Role Assigned"
 Enabled: true
 Filename: okta_group_admin_role_assigned.py
+Reference: https://support.okta.com/help/s/article/How-to-assign-Administrator-roles-to-groups?language=en_US#:~:text=Log%20in%20to%20the%20Admin,user%20and%20click%20Save%20changes
 Severity: High
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_account_locked.yml

@@ -3,6 +3,7 @@ Description: An Okta user has locked their account.
 DisplayName: "Okta User Account Locked"
 Enabled: true
 Filename: okta_user_account_locked.py
+Reference: https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_mfa_factor_suspend.yml

@@ -3,6 +3,7 @@ Description: Suspend factor or authenticator enrollment method for user.
 DisplayName: "Okta User MFA Factor Suspend"
 Enabled: true
 Filename: okta_user_mfa_factor_suspend.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-factors.htm
 Severity: High
 Tests:
     - ExpectedResult: true

rules/okta_rules/okta_user_mfa_reset.yml

@@ -4,6 +4,7 @@ DisplayName: "Okta User MFA Own Reset"
 RuleID: "Okta.User.MFA.Reset.Single"
 Enabled: true
 Filename: okta_user_mfa_reset.py
+Reference: https://support.okta.com/help/s/article/How-to-avoid-lockouts-and-reset-your-Multifactor-Authentication-MFA-for-Okta-Admins?language=en_US
 Severity: Info
 Tests:
     - 

rules/okta_rules/okta_user_mfa_reset_all.yml

@@ -3,6 +3,7 @@ Description: 'All MFA factors have been reset for a user.'
 DisplayName: "Okta User MFA Reset All"
 Enabled: true
 Filename: okta_user_mfa_reset_all.py
+Reference: https://help.okta.com/en-us/content/topics/security/mfa/mfa-reset-users.htm#:~:text=the%20Admin%20Console%3A-,In%20the%20Admin%20Console%2C%20go%20to%20DirectoryPeople.,Selected%20Factors%20or%20Reset%20All
 Severity: Low
 Tests:
     - ExpectedResult: true

rules/osquery_rules/osquery_mac_enable_auto_update.yml

@@ -21,6 +21,7 @@ Description: >
   Verifies that MacOS has automatic software updates enabled.
 Runbook: >
   Enable the auto updates on the host.
+Reference: https://support.apple.com/en-gb/guide/mac-help/mchlpx1065/mac
 SummaryAttributes:
   - name
   - action

rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml

@@ -17,6 +17,7 @@ Severity: Medium
 Description: >
   Monitor for chrome extensions that could lead to a credential compromise.
 Runbook: Uninstall the unwanted extension
+Reference: https://securelist.com/threat-in-your-browser-extensions/107181/
 SummaryAttributes:
   - action
   - hostIdentifier

rules/osquery_rules/osquery_ossec.yml

@@ -17,6 +17,7 @@ Description: >
   Checks if any results are returned for the Osquery OSSEC Rootkit pack.
 Runbook: >
   Verify the presence of the rootkit and re-image the machine.
+Reference: https://panther.com/blog/osquery-log-analysis/
 SummaryAttributes:
   - name
   - hostIdentifier

rules/osquery_rules/osquery_outdated.py

@@ -1,6 +1,6 @@
 from panther_base_helpers import deep_get
 
-LATEST_VERSION = "4.2.0"
+LATEST_VERSION = "5.10.2"
 
 
 def rule(event):

rules/osquery_rules/osquery_outdated.yml

@@ -9,8 +9,9 @@ Tags:
   - Osquery
   - Compliance
 Severity: Info
-Description: Keep track of osquery versions, current is 4.1.2.
+Description: Keep track of osquery versions, current is 5.10.2.
 Runbook: Update the osquery agent.
+Reference: https://www.osquery.io/downloads/official/5.10.2
 SummaryAttributes:
   - name
   - hostIdentifier
@@ -74,7 +75,7 @@ Tests:
               "system_time": "12472",
               "user_time": "31800",
               "uuid": "37821E12-CC8A-5AA3-A90C-FAB28A5BF8F9",
-              "version": "4.2.0",
+              "version": "5.10.2",
               "watcher": "92"
           },
           "counter": "255",

rules/osquery_rules/osquery_outdated_macos.yml

@@ -12,6 +12,7 @@ Severity: Low
 Description: >
   Check that all laptops on the corporate environment are on a version of MacOS supported by IT.
 Runbook: Update the MacOs version
+Reference: https://support.apple.com/en-eg/HT201260
 SummaryAttributes:
   - name
   - hostIdentifier

rules/osquery_rules/osquery_ssh_listener.yml

@@ -16,6 +16,7 @@ Description: >
   Check if SSH is listening in a non-production environment. This could be an indicator of persistent access within an environment.
 Runbook: >
   Terminate the SSH daemon, investigate for signs of compromise.
+Reference: https://medium.com/uptycs/osquery-what-it-is-how-it-works-and-how-to-use-it-ce4e81e60dfc
 SummaryAttributes:
   - action
   - hostIdentifier

rules/standard_rules/admin_assigned.yml

@@ -18,8 +18,9 @@ Severity: Medium
 Reports:
   MITRE ATT&CK:
     - TA0004:T1078
-Description: Attaching an audit role manually could be a sign of privilege escalation
+Description: Assigning an admin role manually could be a sign of privilege escalation
 Runbook: Verify with the user who attached the role or add to a allowlist
+Reference: https://medium.com/@gokulelango1040/privilege-escalation-attacks-28a9ef226abb
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/standard_rules/brute_force_by_ip.yml

@@ -23,6 +23,7 @@ Reports:
     - TA0006:T1110
 Description: An actor user was denied login access more times than the configured threshold.
 Runbook: Analyze the IP they came from, and other actions taken before/after. Check if a user from this ip eventually authenticated successfully.
+Reference: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/standard_rules/impossible_travel_login.yml

@@ -21,6 +21,7 @@ Runbook: >
 
   If the user responds that the geolocation on the new location is incorrect, you can directly
   report the inaccuracy via  https://ipinfo.io/corrections
+Reference: https://expertinsights.com/insights/what-are-impossible-travel-logins/#:~:text=An%20impossible%20travel%20login%20is,of%20the%20logins%20is%20fraudulent
 SummaryAttributes:
   - p_any_usernames
   - p_any_ip_addresses

rules/standard_rules/malicious_sso_dns_lookup.yml

@@ -19,6 +19,7 @@ Reports:
     - TA0001:T1566
 Description: The rule looks for DNS requests to sites potentially posing as SSO domains.
 Runbook: Verify if the destination domain is owned by your organization.
+Reference: https://www.cloudns.net/wiki/article/254/#:~:text=A%20DNS%20query%20(also%20known,associated%20with%20a%20domain%20name
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/standard_rules/mfa_disabled.yml

@@ -15,6 +15,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0005:T1556
+Reference: https://en.wikipedia.org/wiki/Multi-factor_authentication
 Severity: High
 Description: Detects when Multi-Factor Authentication (MFA) is disabled
 SummaryAttributes:

rules/standard_rules/standard_dns_base64.yml

@@ -4,6 +4,7 @@ Description: Detects DNS queries with Base64 encoded subdomains, which could ind
 RuleID: "Standard.DNSBase64"
 Enabled: false
 Filename: standard_dns_base64.py
+Reference: https://zofixer.com/what-is-base64-disclosure-vulnerability/
 Severity: Medium
 DedupPeriodMinutes: 60
 Threshold: 1

rules/standard_rules/unusual_login_deprecated.yml

@@ -29,6 +29,7 @@ Runbook: >
   Reach out to the user to ensure the login was legitimate.  Be sure to use a means outside the one the unusual login originated from, if one is available. CC an individual that works with the user for visibility, usually the user’s manager if they’re available. The second user is not expected to respond, unless they find the response unusual or the location unexpected.
 
   To reduce noise, geolocation history length can be configured in the rule body to increase the number of allowed locations per user.
+Reference: https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis/
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_mobile_app_access.yml

@@ -14,6 +14,7 @@ Reports:
     - TA0003:T1078
 Severity: Medium
 Description: A user updated account setting that enabled or disabled mobile app access.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app#:~:text=More%20settings.-,Configuring%20the%20mobile%20app,-Activate%20the%20new
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_new_api_token.yml

@@ -15,6 +15,7 @@ Reports:
     - TA0006:T1528
 Description: A user created a new API token to be used with Zendesk.
 Runbook: Validate the api token was created for valid use case, otherwise delete the token immediately.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889192858-Managing-access-to-the-Zendesk-API#topic_bsw_lfg_mmb:~:text=enable%20token%20access.-,Generating%20API%20tokens,-To%20generate%20an
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_new_owner.yml

@@ -14,6 +14,7 @@ Reports:
   MITRE ATT&CK:
     - TA0004:T1078
 Description: Only one admin user can be the account owner. Ensure the change in ownership is expected.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822084634-Changing-the-account-owner
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_sensitive_data_redaction.yml

@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user updated account setting that disabled credit card redaction.
 Runbook: Re-enable credit card redaction.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822124314-Automatically-redacting-credit-card-numbers-from-tickets
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_user_assumption.yml

@@ -15,6 +15,7 @@ Severity: Medium
 Description: User enabled or disabled zendesk support user assumption.
 Runbook: >
   Investigate whether allowing zendesk support to assume users is necessary. If not, disable the feature.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_user_role.yml

@@ -8,6 +8,7 @@ LogTypes:
   - Zendesk.Audit
 Severity: Info
 Description: A user's Zendesk role was changed
+Reference: https://support.zendesk.com/hc/en-us/articles/4408824375450-Setting-roles-and-access-in-Zendesk-Admin-Center
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zendesk_rules/zendesk_user_suspension.yml

@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user's Zendesk suspension status was changed.
 Runbook: Ensure the user's suspension status is appropriate.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:

rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Zoom All Meetings Secured With One Option Disabled"
 Enabled: true
 Filename: zoom_all_meetings_secured_with_one_option_disabled.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0059862
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml

@@ -4,6 +4,7 @@ DisplayName: "Zoom New Meeting Passcode Required Disabled"
 Enabled: true
 Filename: zoom_new_meeting_passcode_required_disabled.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0063160#:~:text=Since%20September%202022%2C%20Zoom%20requires,enforced%20for%20all%20free%20accounts
 Severity: Medium
 Tests:
     - ExpectedResult: true

rules/zoom_operation_rules/zoom_sign_in_method_modified.yml

@@ -4,6 +4,7 @@ DisplayName: "Zoom Sign In Method Modified"
 Enabled: true
 Filename: zoom_sign_in_method_modified.py
 Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.
+Reference: https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0067602#:~:text=Go%20to%20the%20Zoom%20site,click%20Link%20and%20Sign%20In
 Severity: Medium
 Tests:
     - ExpectedResult: true