tuning Wiz Alert Passthrough rule (#1326)

* tuning Wiz Alert Passthrough rule * update dedup * comment unused code --------- Co-authored-by: ben-githubs <[email protected]>
panther-labs · Aug 21, 2024 · 3ee6ad2 · 3ee6ad2
1 parent 64703f6
commit 3ee6ad2
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/rules/wiz_rules/wiz_alert_passthrough.py b/rules/wiz_rules/wiz_alert_passthrough.py
@@ -2,7 +2,7 @@
 
 
 def rule(event):
-    return event.get("status") == "OPEN"
+    return event.get("status") == "OPEN" and event.get("severity") != "INFORMATIONAL"
 
 
 def title(event):
@@ -13,11 +13,15 @@ def title(event):
 
 
 def severity(event):
+    # if event.get("severity") == "INFORMATIONAL":
+    #     return "INFO"
     return event.get("severity")
 
 
 def dedup(event):
-    return event.get("id")
+    return event.deep_get(
+        "entitySnapshot", "externalId", default="<RESOURCE_NOT_FOUND>"
+    ) + event.get("severity", "<SEVERITY_NOT_FOUND>")
 
 
 def description(event):

diff --git a/rules/wiz_rules/wiz_alert_passthrough.yml b/rules/wiz_rules/wiz_alert_passthrough.yml
@@ -9,7 +9,7 @@ Filename: wiz_alert_passthrough.py
 Severity: Medium
 LogTypes:
   - Wiz.Issues
-DedupPeriodMinutes: 60
+DedupPeriodMinutes: 720
 Threshold: 1
 Tests:
   - Name: Open Alert