cleanup

rules/gcp_audit_rules/gcp_user_added_to_privileged_group.py

@@ -9,21 +9,19 @@
 
 
 def rule(event):
-    events = event.deep_get("protoPayload", "metadata", "event")
-    if len(events) != 1:
-        return False
-
-    event_ = events[0]
-    if event_.get("eventname") != "ADD_GROUP_MEMBER":
-        return False
-
-    # Get the username
-    params = key_value_list_to_dict(event_.get("parameter", []), "name", "value")
-    global USER_EMAIL, GROUP_EMAIL  # pylint: disable=global-statement
-    USER_EMAIL = params.get("USER_EMAIL", "<UNKNOWN USER>")
-    GROUP_EMAIL = params.get("GROUP_EMAIL", "<UNKNOWN GROUP>")
-
-    return GROUP_EMAIL in get_privileged_groups()
+    events = event.deep_get("protoPayload", "metadata", "event", default=[])
+
+    for event_ in events:
+        if event_.get("eventname") != "ADD_GROUP_MEMBER":
+            continue
+        # Get the username
+        params = key_value_list_to_dict(event_.get("parameter", []), "name", "value")
+        global USER_EMAIL, GROUP_EMAIL  # pylint: disable=global-statement
+        USER_EMAIL = params.get("USER_EMAIL")
+        GROUP_EMAIL = params.get("GROUP_EMAIL")
+        if GROUP_EMAIL in get_privileged_groups():
+            return True
+    return False
 
 
 def title(event):

rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml

@@ -1,13 +1,15 @@
 AnalysisType: rule
 Filename: gcp_user_added_to_privileged_group.py
 RuleID: "GCP.User.Added.To.Privileged.Group"
-DisplayName: "GCP VPC Flow Logs Disabled"
-Enabled: true
+DisplayName: "GCP User Added to Privileged Group"
+Enabled: false
 LogTypes:
   - GCP.AuditLog
 Severity: Low
+Tags:
+  - Configuration Required
 Reports:
-  MITRA ATT&CK:
+  MITRE ATT&CK:
     - TA0004:T1078.004 # Privilege Escalation: Valid Accounts: Cloud Accounts
     - TA0004:T1484.001 # Privilege Escalation: Domain or Tenant Policy Modification: Group Policy Modification
 Description: A user was added to a group with special previleges