dynamic severity

panther-labs · Dec 4, 2024 · 24780ef · 24780ef
1 parent b1059e2
commit 24780ef
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/rules/aws_eks_rules/anonymous_api_access.py b/rules/aws_eks_rules/anonymous_api_access.py
@@ -2,8 +2,6 @@
 
 
 def rule(event):
-    if event.deep_get("annotations", "authorization.k8s.io/decision") != "allow":
-        return False
     src_ip = event.get("sourceIPs", ["0.0.0.0"])  # nosec
     if src_ip == ["127.0.0.1"]:
         return False
@@ -25,6 +23,14 @@ def title(event):
     )
 
 
+def severity(event):
+    if event.deep_get("annotations", "authorization.k8s.io/decision") != "allow":
+        return "INFO"
+    if event.get("requestURI") == "/version":
+        return "INFO"
+    return "DEFAULT"
+
+
 def dedup(event):
     p_eks = eks_panther_obj_ref(event)
     return f"anonymous_access_{p_eks.get('p_source_label')}_{event.get('userAgent')}"

diff --git a/rules/aws_eks_rules/anonymous_api_access.yml b/rules/aws_eks_rules/anonymous_api_access.yml
@@ -162,7 +162,7 @@ Tests:
         "verb": "get"
       }
   - Name: Anonymous API Access Web Scanner Denied
-    ExpectedResult: false
+    ExpectedResult: true
     Log:
       {
         "annotations": {