

replacing set_key_expiration with epoch_seconds field (#892)
* using caching module in detections instead of globals

* disabling broad exception since that is old code but a new error

* replacing set_key_expiration with new epoch seconds field

* updates

* updating PDH version

---------

Co-authored-by: maxrichie5 <[email protected]>
maxrichie5 and maxrichie5 authored Oct 23, 2023
1 parent d82494d commit 91f5b1d
Showing 5 changed files with 12 additions and 23 deletions.
4 changes: 1 addition & 3 deletions rules/okta_rules/okta_geo_improbable_access.py
Expand Up @@ -6,7 +6,6 @@
from panther_detection_helpers.caching import (
get_string_set,
put_string_set,
set_key_expiration,
)

PANTHER_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
Expand Down Expand Up @@ -98,9 +97,8 @@ def store_login_info(key, event):
}
)
],
epoch_seconds=event.event_time_epoch() + timedelta(days=7).total_seconds(),
)
# Expire the entry after a week so the table doesn't fill up with past users
set_key_expiration(key, int((datetime.now() + timedelta(days=7)).timestamp()))


def title(event):
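Review bot: The expiry is now anchored to the event's own timestamp instead of the processing clock, so a log delivered late or replayed more than seven days after the event gives `epoch_seconds=event.event_time_epoch() + timedelta(days=7).total_seconds()` a value that is already in the past when the entry is written, and the previous-login record may expire before the next login can be compared against it; if `event_time_epoch()` is the log's event time rather than ingestion time, confirm that silent degradation under ingest latency is the intended trade-off for deterministic tests, here and in the onelogin and slack rules below. The value is also a float now (`total_seconds()` returns a float), where the removed `set_key_expiration` call passed an `int`; if `put_string_set` or the backing store expects an integer epoch, wrap it as `epoch_seconds=int(event.event_time_epoch() + timedelta(days=7).total_seconds())`, and likewise for the float `THRESH_TTL` constants in the two onelogin rules. The why-comment `# Expire the entry after a week so the table doesn't fill up with past users` was dropped with the old call but still applies and could sit above the new keyword argument; the same comment loss occurs in slack_application_dos.py (`# Expire the entry after 24 hours`). `store_login_info` begins outside the hunk.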
13 changes: 6 additions & 7 deletions rules/onelogin_rules/onelogin_active_login_activity.py
@@ -1,15 +1,14 @@
import time
from datetime import timedelta

from panther_base_helpers import is_ip_in_network
from panther_detection_helpers.caching import (
add_to_string_set,
get_string_set,
put_string_set,
set_key_expiration,
)

THRESH = 2
THRESH_TTL = 43200 # 1/2 day
THRESH_TTL = timedelta(hours=12).total_seconds()

# Safelist for IP Subnets to ignore in this ruleset
# Each entry in the list should be in CIDR notation
Expand Down Expand Up @@ -41,13 +40,13 @@ def rule(event):
user_id = str(event.get("user_id"))
if not user_ids:
# store this as the first user login from this ip address
put_string_set(event_key, [user_id])
set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
put_string_set(event_key, [user_id], epoch_seconds=event.event_time_epoch() + THRESH_TTL)
return False
# add a new username if this is a unique user from this ip address
if user_id not in user_ids:
user_ids = add_to_string_set(event_key, user_id)
set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
user_ids = add_to_string_set(
event_key, user_id, epoch_seconds=event.event_time_epoch() + THRESH_TTL
)
return len(user_ids) > THRESH


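Review bot: `import time` at the top of the first hunk has no remaining caller in the visible code once both `set_key_expiration(event_key, int(time.time()) + THRESH_TTL)` lines are removed; the rendering does not show whether that import line survives, so if it does and nothing past the hunk uses `time`, drop it the way the slack rule drops `datetime` from its import. The same check applies to `import time` in onelogin_high_risk_login.py. `rule` begins and ends outside the second hunk.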
8 changes: 3 additions & 5 deletions rules/onelogin_rules/onelogin_high_risk_login.py
@@ -1,13 +1,12 @@
import time
from datetime import timedelta

from panther_detection_helpers.caching import (
get_counter,
increment_counter,
reset_counter,
set_key_expiration,
)

THRESH_TTL = 600
THRESH_TTL = timedelta(minutes=10).total_seconds()


def rule(event):
Expand All @@ -21,8 +20,7 @@ def rule(event):
# a failed authentication attempt with high risk score
if str(event.get("event_type_id")) == "6":
# update a counter for this user's failed login attempts with a high risk score
increment_counter(event_key)
set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
increment_counter(event_key, event.event_time_epoch() + THRESH_TTL)

# Trigger alert if this user recently
# failed a high risk login
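Review bot: `increment_counter(event_key, event.event_time_epoch() + THRESH_TTL)` passes the expiry positionally, while every other cache call in this commit uses the `epoch_seconds=` keyword; if the helper's second positional parameter is the increment amount rather than the expiry (the older counter helper took the increment there), the counter would be bumped by the epoch value instead of by one and the key would receive no TTL at all, which is exactly the kind of silent misfire the test mocks would not catch. Use the keyword form, `increment_counter(event_key, epoch_seconds=event.event_time_epoch() + THRESH_TTL)`, so the intent is explicit and the call matches the other rules. `rule` begins and ends outside the second hunk.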
6 changes: 2 additions & 4 deletions rules/slack_rules/slack_application_dos.py
@@ -1,11 +1,10 @@
from datetime import datetime, timedelta
from datetime import timedelta
from json import dumps

from panther_base_helpers import deep_get, slack_alert_context
from panther_detection_helpers.caching import (
get_string_set,
put_string_set,
set_key_expiration,
)

DENIAL_OF_SERVICE_ACTIONS = [
Expand Down Expand Up @@ -55,6 +54,5 @@ def store_reset_info(key, event):
}
)
],
epoch_seconds=event.event_time_epoch() + timedelta(days=1).total_seconds(),
)
# Expire the entry after 24 hours
set_key_expiration(key, int((datetime.now() + timedelta(days=1)).timestamp()))
4 changes: 0 additions & 4 deletions rules/slack_rules/slack_application_dos.yml
Expand Up @@ -25,8 +25,6 @@ Tests:
returnValue: ""
- objectName: put_string_set
returnValue: ""
- objectName: set_key_expiration
returnValue: ""
Log:
{
"action": "user_session_reset_by_admin",
Expand Down Expand Up @@ -58,8 +56,6 @@ Tests:
returnValue: "{\"time\":\"2021-06-08 22:24:43\"}"
- objectName: put_string_set
returnValue: ""
- objectName: set_key_expiration
returnValue: ""
Log:
{
"action": "user_session_reset_by_admin",
