Wiz audit rules (#1323)

* traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <[email protected]> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <[email protected]> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]> * Update PAT to 0.46.0 (#1216) * sample_logs * Wiz Audit rules (without Mitre mappings, Severities and Runbooks) * Wiz Audit rules (updated Mitre mappings, Severities and Runbooks) * Validate on PR approval (#1354) * more correlation rules from AWS re:inforce (#1289) * more correlation rules from AWS re:inforce * unit tests * MITRE ATT&CK and severity * packs * pipfile update * update * pipfile * fix upload --------- Co-authored-by: Ariel Ropek <[email protected]> Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]> Co-authored-by: Evan Gibler <[email protected]> Co-authored-by: Ariel Ropek <[email protected]>
panther-labs · Sep 16, 2024 · a39d69c · a39d69c
1 parent 6404644
commit a39d69c
Show file tree

Hide file tree

Showing 39 changed files with 2,494 additions and 420 deletions.
diff --git a/Pipfile b/Pipfile
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.52.1"
+panther-analysis-tool = "~=0.52.2"
 panther-detection-helpers = "==0.4.0"
 
 [requires]

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml
@@ -32,19 +32,19 @@ Tests:
     RuleOutputs:
     - ID: Absent CLI Prompt
       Matches:
-        p_udm.user.id:
-          igor.stravinsky:
+        sourceIPAddress:
+          "1.2.3.4":
             - 0
     - ID: SSO Access Token Retrieved
       Matches:
-        p_udm.user.id:
-          igor.stravinsky:
+        sourceIPAddress:
+          "1.2.3.4":
             - 2
   - Name: AWS SSO Access Token Retrieved by Unauthenticated IP
     ExpectedResult: true
     RuleOutputs:
     - ID: SSO Access Token Retrieved
       Matches:
-        p_udm.user.id:
-          igor.stravinsky:
+        sourceIPAddress:
+          "1.2.3.4":
             - 2
diff --git a/global_helpers/panther_wiz_helpers.py b/global_helpers/panther_wiz_helpers.py
@@ -0,0 +1,15 @@
+def wiz_success(event):
+    if event.get("status", "") == "SUCCESS":
+        return True
+    return False
+
+
+def wiz_alert_context(event):
+    return {
+        "action": event.get("action", ""),
+        "user": event.get("user", ""),
+        "source_ip": event.get("sourceip", ""),
+        "event_id": event.get("id", ""),
+        "service_account": event.get("serviceaccount", ""),
+        "action_parameters": event.get("actionparameters", ""),
+    }
diff --git a/global_helpers/panther_wiz_helpers.yml b/global_helpers/panther_wiz_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_wiz_helpers.py
+GlobalID: "panther_wiz_helpers"
+Description: >
+  Used to define global helpers for Wiz events
diff --git a/packs/github.yml b/packs/github.yml
@@ -18,6 +18,7 @@ PackDefinition:
     #- GitHub.Repo.HookModified
     - GitHub.Repo.InitialAccess
     - Github.Repo.VisibilityChange
+    - Github.Repo.VulnerabilityDismissed
     - GitHub.Secret.Scanning.Alert.Created
     - GitHub.Team.Modified
     - GitHub.Webhook.Modified

diff --git a/packs/wiz.yml b/packs/wiz.yml
@@ -5,6 +5,23 @@ DisplayName: "Panther Wiz Pack"
 PackDefinition:
   IDs:
     - Wiz.Alert.Passthrough
+    - Wiz.Update.IP.Restrictions
+    - Wiz.Update.Support.Contact.List
+    - Wiz.SAML.Identity.Provider.Change
+    - Wiz.Data.Classifier.Updated.Or.Deleted
+    - Wiz.Update.Login.Settings
+    - Wiz.Image.Integrity.Validator.Updated.Or.Deleted
+    - Wiz.Update.Scanner.Settings
+    - Wiz.User.Created.Or.Deleted
+    - Wiz.Rotate.Service.Account.Secret
+    - Wiz.Connector.Updated.Or.Deleted
+    - Wiz.Service.Account.Change
+    - Wiz.Revoke.User.Sessions
+    - Wiz.User.Role.Updated.Or.Deleted
+    - Wiz.Integration.Updated.Or.Deleted
+    - Wiz.Rule.Change
+    - Wiz.CICD.Scan.Policy.Updated.Or.Deleted
+    - panther_wiz_helpers
     - panther_base_helpers
     - panther_config
     - panther_config_defaults

diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)
diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml
@@ -0,0 +1,92 @@
+AnalysisType: rule
+RuleID: Wiz.CICD.Scan.Policy.Updated.Or.Deleted
+Description: This rule detects updates and deletions of CICD scan policies.
+DisplayName: Wiz CICD Scan Policy Updated Or Deleted
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://www.wiz.io/academy/ci-cd-security-best-practices
+Enabled: true
+Filename: wiz_cicd_scan_policy_updated_or_deleted.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.001  # Impair Defenses: Disable or Modify Tools
+LogTypes:
+  - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: DeleteCICDScanPolicy
+    ExpectedResult: true
+    Log:
+      {
+        "action": "DeleteCICDScanPolicy",
+        "actionparameters": {
+          "input": {
+            "id": "12345-cd1f-4a4b-b3e4-12345"
+          }
+        },
+        "id": "12345-de20-4e00-b958-12345",
+        "log_type": null,
+        "requestid": "12345-284b-4166-aea7-12345",
+        "serviceaccount": null,
+        "sourceip": "8.8.8.8",
+        "status": "SUCCESS",
+        "timestamp": "2023-09-01 14:27:42.694",
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
+  - Name: CreateUser
+    ExpectedResult: false
+    Log:
+      {
+        "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+        "action": "CreateUser",
+        "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-29T09:40:15.66643Z",
+        "actionParameters": {
+          "input": {
+            "assignedProjectIds": null,
+            "email": "[email protected]",
+            "expiresAt": null,
+            "name": "Test User",
+            "role": "GLOBAL_ADMIN"
+          },
+          "selection": [
+            "__typename",
+            {
+              "user": [
+                "__typename",
+                "id"
+              ]
+            }
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "8.8.8.8",
+        "serviceAccount": null,
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
+  - Name: DeleteCICDScanPolicy - Fail
+    ExpectedResult: false
+    Log:
+      {
+        "action": "DeleteCICDScanPolicy",
+        "actionparameters": { },
+        "id": "12345-de20-4e00-b958-12345",
+        "log_type": null,
+        "requestid": "12345-284b-4166-aea7-12345",
+        "serviceaccount": null,
+        "sourceip": "8.8.8.8",
+        "status": "FAILED",
+        "timestamp": "2023-09-01 14:27:42.694",
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.py b/rules/wiz_rules/wiz_connector_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)
diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.yml b/rules/wiz_rules/wiz_connector_updated_or_deleted.yml
@@ -0,0 +1,96 @@
+AnalysisType: rule
+RuleID: Wiz.Connector.Updated.Or.Deleted
+Description: This rule detects updates and deletions of connectors.
+DisplayName: Wiz Connector Updated Or Deleted
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://help.vulcancyber.com/en/articles/6735270-wiz-connector  # article about integration with Vulcan
+Enabled: true
+Filename: wiz_connector_updated_or_deleted.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562.001  # Impair Defenses: Disable or Modify Tools
+LogTypes:
+  - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: DeleteConnector
+    ExpectedResult: true
+    Log:
+      {
+        "id": "c4fe1656-23a3-4b60-a689-d59a337c5551",
+        "action": "DeleteConnector",
+        "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-09T08:03:09.825336Z",
+        "actionParameters": {
+          "input": {
+            "id": "7a55031b-98f4-4a64-b77c-ad0bc9d7b54b"
+          },
+          "selection": [
+            "__typename",
+            "_stub"
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "12.34.56.78",
+        "serviceAccount": null,
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
+  - Name: CreateUser
+    ExpectedResult: false
+    Log:
+      {
+        "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+        "action": "CreateUser",
+        "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+        "status": "SUCCESS",
+        "timestamp": "2024-07-29T09:40:15.66643Z",
+        "actionParameters": {
+          "input": {
+            "assignedProjectIds": null,
+            "email": "[email protected]",
+            "expiresAt": null,
+            "name": "Test User",
+            "role": "GLOBAL_ADMIN"
+          },
+          "selection": [
+            "__typename",
+            {
+              "user": [
+                "__typename",
+                "id"
+              ]
+            }
+          ]
+        },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "8.8.8.8",
+        "serviceAccount": null,
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
+  - Name: DeleteConnector - Fail
+    ExpectedResult: false
+    Log:
+      {
+        "id": "c4fe1656-23a3-4b60-a689-d59a337c5551",
+        "action": "DeleteConnector",
+        "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e",
+        "status": "FAILED",
+        "timestamp": "2024-07-09T08:03:09.825336Z",
+        "actionParameters": { },
+        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+        "sourceIP": "12.34.56.78",
+        "serviceAccount": null,
+        "user": {
+          "id": "[email protected]",
+          "name": "[email protected]"
+        }
+      }
diff --git a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"]
+
+
+def rule(event):
+    if not wiz_success(event):
+        return False
+    return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+    return (
+        f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+        f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+    )
+
+
+def dedup(event):
+    return event.get("id")
+
+
+def alert_context(event):
+    return wiz_alert_context(event)