Merge branch 'main' into dependabot/pip/cryptography-41.0.6

.bandit

@@ -0,0 +1,2 @@
+[bandit]
+skips = B101

.gitattributes

@@ -1 +1,2 @@
 .github/CODEOWNERS merge=ours
+global_helpers/panther_config_overrides.py merge=ours

.pylintrc

@@ -0,0 +1,15 @@
+[MAIN]
+disable=
+    missing-docstring,
+    duplicate-code,
+    import-error,
+    fixme,
+    consider-iterating-dictionary,
+    global-variable-not-assigned,
+    broad-exception-raised
+
+load-plugins=
+    pylint.extensions.mccabe,
+    pylint_print
+
+max-line-length=100

.vscode/example_settings.json

@@ -1,8 +1,18 @@
 {
     "python.defaultInterpreterPath": "XXX_pipenv_py_output_XXX",
     "yaml.schemas": {
-        "https://panther-community-us-east-1.s3.amazonaws.com/latest/logschema/schema.json": [ "schemas/*.yml", "schemas/*.yaml", "schemas/**/*yaml", "schemas/**/*.yaml"],
-        ".vscode/rule_jsonschema.json": [ "rules/*.yml", "rules/*.yaml", "rules/**/*.yaml", "rules/**/*.yml"]
+        "https://panther-community-us-east-1.s3.amazonaws.com/latest/logschema/schema.json": [
+            "schemas/*.yml",
+            "schemas/*.yaml",
+            "schemas/**/*yaml",
+            "schemas/**/*.yaml"
+        ],
+        ".vscode/rule_jsonschema.json": [
+            "rules/*.yml",
+            "rules/*.yaml",
+            "rules/**/*.yaml",
+            "rules/**/*.yml"
+        ]
     },
     "python.analysis.extraPaths": [
         "global_helpers"
@@ -11,10 +21,21 @@
         "**/__pycache": true,
         "**/*pyc": true
     },
-    //"python.analysis.logLevel": "Trace",
-    //"files.autoSave": "afterDelay",
-    //"makefile.extensionOutputFolder": "./.vscode",
     "files.associations": {
         "panther_analysis_tool": "python"
-    }
-}
+    },
+    "[python]": {
+        "editor.defaultFormatter": "ms-python.black-formatter",
+        "editor.formatOnSave": true,
+        "editor.codeActionsOnSave": {
+            "source.organizeImports": true
+        },
+    },
+    // Add pylint.lintOnChange to your User (not Workspace) settings
+    // Cmd+Shift+P -> Preferences: Open Settings (JSON)
+    "pylint.lintOnChange": true,
+    "bandit.args": [
+        "-r",
+        "."
+    ]
+}

Makefile

@@ -35,11 +35,8 @@ global-helpers-unit-test:
 lint: lint-pylint lint-fmt
 
 lint-pylint:
-	pipenv run bandit -r $(dirs) --skip B101  # allow assert statements in tests
-	pipenv run pylint $(dirs) \
-	  --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned,broad-exception-raised \
-	  --load-plugins=pylint.extensions.mccabe,pylint_print \
-	  --max-line-length=100
+	pipenv run bandit -r $(dirs)
+	pipenv run pylint $(dirs)
 
 lint-fmt:
 	@echo Checking python file formatting with the black code style checker

README.md

@@ -119,7 +119,10 @@ If you are comfortable using the Visual Studio Code IDE, the `make vscode-config
 In addition to this command, you will need to install these vscode add-ons:
 
 1. [Python](https://marketplace.visualstudio.com/items?itemName=ms-python.python)
-2. [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml)
+2. [Black Formatter](https://marketplace.visualstudio.com/items?itemName=ms-python.black-formatter)
+3. [Pylint](https://marketplace.visualstudio.com/items?itemName=ms-python.pylint)
+4  [Bandit](https://marketplace.visualstudio.com/items?itemName=nwgh.bandit)
+5. [YAML](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml)
 
 You will also need Visual Studio's [code](https://code.visualstudio.com/docs/setup/mac#_launching-from-the-command-line) configured to open Visual Studio from your CLI.
 
@@ -130,6 +133,10 @@ You will also need Visual Studio's [code](https://code.visualstudio.com/docs/set
 1. Creates two debugging targets, which will give you single-button push support for running `panther_analysis_tool test` through the debugger.
 1. Installs JSONSchema support for your custom panther-analysis schemas in the `schemas/` directory. This brings IDE hints about which fields are necessary for schemas/custom-schema.yml files.
 1. Installs JSONSchema support for panther-analysis rules in the `rules/` directory. This brings IDE hints about which fields are necessary for rules/my-rule.yml files.
+1. Configures `Black` and `isort` settings for auto-formatting on save (thus reducing the need to run `make fmt` on all files)
+1. Configures `pylint` settings for linting when changes are made
+    - Ensure that `"pylint.lintOnChange": true` is present in the User-level VSCode settings (`Cmd+Shift+P` -> `Preferences: Open Settings (JSON)`)
+1. Configures `Bandit` settings for linting when files are opened
 
 ```shell
 user@computer:panther-analysis: make vscode-config

data_models/github_data_model.py

@@ -1,14 +1,20 @@
 import panther_event_type_helpers as event_type
 
+ADMIN_EVENTS = {
+    "business.add_admin",
+    "business.invite_admin",
+    "team.promote_maintainer",
+}
 
-def get_admin_role(_):
-    # github doesn't record the admin role in the event
-    return "<UNKNOWN_ROLE>"
+
+def get_admin_role(event):
+    action = event.get("action", "")
+    return action if action in ADMIN_EVENTS else "<UNKNOWN_ADMIN_ROLE>"
 
 
 def get_event_type(event):
-    if event.get("action") == "team.promote_maintainer":
+    if event.get("action", "") in ADMIN_EVENTS:
         return event_type.ADMIN_ROLE_ASSIGNED
-    if event.get("action") == "org.disable_two_factor_requirement":
+    if event.get("action", "") == "org.disable_two_factor_requirement":
         return event_type.MFA_DISABLED
     return None

global_helpers/panther_config.py

@@ -0,0 +1,14 @@
+from typing import Any
+
+import panther_config_defaults
+import panther_config_overrides
+
+
+class Config:  # pylint: disable=too-few-public-methods
+    def __getattr__(self, name) -> Any:
+        if hasattr(panther_config_overrides, name):
+            return getattr(panther_config_overrides, name)
+        return getattr(panther_config_defaults, name, None)
+
+
+config = Config()

global_helpers/panther_config.yml

@@ -0,0 +1,4 @@
+AnalysisType: global
+GlobalID: "panther_config"
+Filename: panther_config.py
+Description: Configuration values for Panther

global_helpers/panther_config_defaults.py

@@ -0,0 +1,15 @@
+"""
+Here, default values for `panther_config.config` are defined
+"""
+
+# A list of public DNS domain names that fall under the administrative domain of
+# the Panther installation
+ORGANIZATION_DOMAINS = ["example.com"]
+
+DROPBOX_ALLOWED_SHARE_DOMAINS = ORGANIZATION_DOMAINS
+DROPBOX_TRUSTED_OWNERSHIP_DOMAINS = ORGANIZATION_DOMAINS
+GSUITE_TRUSTED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
+GSUITE_TRUSTED_OWNERSHIP_DOMAINS = ORGANIZATION_DOMAINS
+MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
+MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
+TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS

global_helpers/panther_config_defaults.yml

@@ -0,0 +1,4 @@
+AnalysisType: global
+GlobalID: "panther_config_defaults"
+Filename: panther_config_defaults.py
+Description: Default Configuration values for Panther

global_helpers/panther_config_overrides.py

@@ -0,0 +1,43 @@
+"""
+Here, you can override the default, example configuration values from `panther_config_defaults`
+
+Any attribute found to be defined in here will take precedence at lookup time.
+For example, we can totally re-define a value:
+
+# Total Override
+panther_config_defaults.py
+```
+SUSPICIOUS_DOMAINS = [ "evil.example.com" ]
+```
+
+panther_config_overrides.py
+```
+SUSPICIOUS_DOMAINS = [ "betrug.example.com" ]
+```
+
+and at lookup-time:
+```
+from panther_config import config
+print(config.SUSPICIOUS_DOMAINS)
+```
+prints ["betrug.example.com"]
+
+# Mixing Values
+panther_config_defaults.py
+```
+INTERNAL_NETWORKS = [ "10.0.0.0/8" ]
+```
+
+panther_config_overrides.py
+```
+import panther_config_defaults
+INTERNAL_NETWORKS = panther_config_defaults.INTERNAL_NETWORKS + [ "192.0.2.0/24" ]
+```
+
+and at lookup-time:
+```
+from panther_config import config
+print(config.INTERNAL_NETWORKS)
+```
+prints ["10.0.0.0/8", "192.0.2.0/24" ]
+"""

global_helpers/panther_config_overrides.yml

@@ -0,0 +1,4 @@
+AnalysisType: global
+GlobalID: "panther_config_overrides"
+Filename: panther_config_overrides.py
+Description: Overridden Configuration values for Panther

packs/box.yml

@@ -15,4 +15,7 @@ PackDefinition:
     # Globals used in these detections
     - panther_base_helpers
     - panther_box_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides
 DisplayName: "Panther Box Pack"

packs/dropbox.yml

@@ -11,4 +11,7 @@ PackDefinition:
     - Dropbox.Admin.sign.in.as.Session
     # Globals used in these detections
     - panther_base_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides
 DisplayName: "Panther Dropbox Pack"

packs/gcp_audit.yml

@@ -8,16 +8,26 @@ PackDefinition:
     - GCP.BigQuery.Large.Scan
     - GCP.Cloud.Storage.Buckets.Modified.Or.Deleted
     - GCP.Destructive.Queries
+    - GCP.DNS.Zone.Modified.or.Deleted
+    - GCP.Firewall.Rule.Created
+    - GCP.Firewall.Rule.Deleted
+    - GCP.Firewall.Rule.Modified
     - GCP.GCS.IAMChanges
     - GCP.GCS.Public
+    - GCP.IAM.AdminRoleAssigned
     - GCP.IAM.CorporateEmail
     - GCP.IAM.CustomRoleChanges
     - GCP.IAM.OrgFolderIAMChanges
     - GCP.Inbound.SSO.Profile.Created
+    - GCP.K8s.ExecIntoPod
+    - GCP.Log.Bucket.Or.Sink.Deleted
     - GCP.Logging.Settings.Modified
+    - GCP.Logging.Sink.Modified
     - GCP.Permissions.Granted.to.Create.or.Manage.Service.Account.Key
+    - GCP.Service.Account.Access.Denied
     - GCP.Service.Account.or.Keys.Created
     - GCP.SQL.ConfigChanges
+    - GCP.UnusedRegions
     - GCP.User.Added.to.IAP.Protected.Service
     - GCP.VPC.Flow.Logs.Disabled
     - GCP.Workforce.Pool.Created.or.Updated

packs/gsuite_reports.yml

@@ -3,27 +3,48 @@ PackID: PantherManaged.GSuite.Reports
 Description: Panther GSuite Detections
 PackDefinition:
   IDs:
+    - Google.Workspace.Admin.Custom.Role
+    - Google.Workspace.Advanced.Protection.Program
+    - Google.Workspace.Apps.Marketplace.Allowlist
+    - Google.Workspace.Apps.Marketplace.New.Domain.Application
+    - Google.Workspace.Apps.New.Mobile.App.Installed
     - GSuite.AdvancedProtection
-    - GSuite.DriveOverlyVisible
+    - GSuite.BruteForceLogin
+    - GSuite.CalendarMadePublic
+    - GSuite.DocOwnershipTransfer
+    - GSuite.Drive.Many.Documents.Deleted
+    - Google.Drive.High.Download.Count
+    - GSuite.ExternalMailForwarding
     - GSuite.GoogleAccess
     - GSuite.GovernmentBackedAttack
     - GSuite.GroupBannedUser
     - GSuite.LeakedPassword
     - GSuite.LoginType
-    - GSuite.Rule
     - GSuite.DeviceCompromise
     - GSuite.DeviceUnlockFailure
     - GSuite.DeviceSuspiciousActivity
+    - GSuite.Rule
+    - GSuite.PermisssionsDelegated
     - GSuite.SuspiciousLogins
     - GSuite.TwoStepVerification
     - GSuite.UserSuspended
-    - Google.Workspace.Admin.Custom.Role
-    - Google.Workspace.Advanced.Protection.Program
-    - Google.Workspace.Apps.Marketplace.New.Domain.Application
-    - Google.Workspace.Apps.Marketplace.Allowlist
-    - Google.Workspace.Apps.New.Mobile.App.Installed
+    - GSuite.Workspace.CalendarExternalSharingSetting
+    - GSuite.Workspace.DataExportCreated
+    - GSuite.Workspace.GmailDefaultRoutingRuleModified
+    - GSuite.Workspace.GmailPredeliveryScanningDisabled
+    - GSuite.Workspace.GmailSecuritySandboxDisabled
+    - GSuite.Workspace.PasswordEnforceStrongDisabled
+    - GSuite.Workspace.PasswordReuseEnabled
+    - GSuite.Workspace.TrustedDomainsAllowlist
+    - GSuite.Drive.ExternalFileShare
+    - GSuite.DriveOverlyVisible
+    - GSuite.DriveVisibilityChanged
+    - GSuite.DriveVisiblityChanged
     # Data Models used in these detections
     - Standard.GSuite.Reports 
     # Globals used in these detections
     - panther_base_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides
 DisplayName: "Panther GSuite Pack"

packs/msft_graph.yml

@@ -10,4 +10,7 @@ PackDefinition:
     - Microsoft365.Exchange.External.Forwarding
     # Globals
     - panther_base_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides
 DisplayName: "Microsoft Graph Detection Pack"

pyproject.toml

@@ -0,0 +1,8 @@
+[tool.black]
+line-length = 100
+target-version = ['py39']
+include = '\.pyi?$'
+
+[tool.isort]
+line_length = 100
+profile = "black"

queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml

@@ -14,7 +14,7 @@ Query: >
                  WHERE
                  verb IN ('create', 'update', 'patch')
                  AND objectRef:resource = 'pods'
-                 AND request_object:spec:volumes[0]:hostPath:path ilike ANY (/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')                  
+                 AND request_object:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')                  
                  AND p_occurs_since('30 minutes')
                  --insert allow-list for expected workloads that require a sensitive mount
                  LIMIT 10

rules/box_rules/box_event_triggered_externally.py

@@ -1,8 +1,7 @@
 from panther_base_helpers import deep_get
+from panther_config import config
 
-DOMAINS = {
-    "@example.com",
-}
+DOMAINS = {"@" + domain for domain in config.ORGANIZATION_DOMAINS}
 
 
 def rule(event):