Update Teleport Rules (#955)

* panther_config: Add a fork-friendly configuration scheme

* Apply `panther_config` to existing uses of example.com

* Teleport: Update Rules, using panther_config

---------

Co-authored-by: Ariel Ropek <[email protected]>

global_helpers/panther_config_defaults.py

@@ -12,3 +12,4 @@
 GSUITE_TRUSTED_OWNERSHIP_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
+TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS

rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.py

@@ -0,0 +1,22 @@
+import re
+
+from panther_config import config
+
+TELEPORT_ORGANIZATION_DOMAINS_REGEX = r"@(" + "|".join(config.TELEPORT_ORGANIZATION_DOMAINS) + r")$"
+
+
+def rule(event):
+    return bool(
+        event.get("event") == "user.login"
+        and event.get("success") is True
+        and bool(re.search(TELEPORT_ORGANIZATION_DOMAINS_REGEX, event.get("user")))
+        and event.get("method") != "saml"
+    )
+
+
+def title(event):
+    return (
+        f"User [{event.get('user', '<UNKNOWN_USER>')}] logged into "
+        f"[{event.get('cluster_name', '<UNNAMED_CLUSTER>')}] without "
+        f"using SAML"
+    )

rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml

@@ -0,0 +1,63 @@
+AnalysisType: rule
+Filename: teleport_company_domain_login_without_saml.py
+RuleID: Teleport.CompanyDomainLoginWithoutSAML
+DisplayName: "A User from the company domain(s) Logged in without SAML"
+Enabled: true
+LogTypes:
+  - Gravitational.TeleportAudit
+Tags:
+  - Teleport
+Severity: High
+Description: "A User from the company domain(s) Logged in without SAML"
+DedupPeriodMinutes: 60
+Reports:
+  MITRE ATT&CK:
+    - TA0005:T1562
+Reference: https://goteleport.com/docs/management/admin/
+Runbook: >
+  A User from the company domain(s) Logged in without SAML
+SummaryAttributes:
+  - event
+  - code
+  - user
+  - method
+  - mfa_device
+Tests:
+  -
+    Name: A User from the company domain(s) logged in with SAML
+    ExpectedResult: false
+    Log:
+      {
+        "attributes": {
+          "firstName": [
+            ""
+          ],
+          "groups": [
+            "employees"
+          ]
+        },
+        "cluster_name": "teleport.example.com",
+        "code": "T1001I",
+        "ei": 0,
+        "event": "user.login",
+        "method": "saml",
+        "success": true,
+        "time": "2023-09-18 00:00:00",
+        "uid": "88888888-4444-4444-4444-222222222222",
+        "user": "[email protected]"
+      }
+  -
+    Name: A User from the company domain(s) logged in without SAML
+    ExpectedResult: true
+    Log:
+      {
+        "cluster_name": "teleport.example.com",
+        "code": "T1001I",
+        "ei": 0,
+        "event": "user.login",
+        "method": "local",
+        "success": true,
+        "time": "2023-09-18 00:00:00",
+        "uid": "88888888-4444-4444-4444-222222222222",
+        "user": "[email protected]"
+      }

rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.py

@@ -0,0 +1,23 @@
+import re
+
+from panther_config import config
+
+TELEPORT_COMPANY_DOMAINS_REGEX = r"@(" + "|".join(config.TELEPORT_ORGANIZATION_DOMAINS) + r")$"
+
+
+def rule(event):
+    return (
+        event.get("event") == "user.login"
+        and event.get("success") is True
+        and event.get("method") == "saml"
+        and not re.search(TELEPORT_COMPANY_DOMAINS_REGEX, event.get("user"))
+    )
+
+
+def title(event):
+    return (
+        f"User [{event.get('user', '<UNKNOWN_USER>')}] logged into "
+        f"[{event.get('cluster_name', '<UNNAMED_CLUSTER>')}] using "
+        f"SAML, but not from a known company domain in "
+        f"({','.join(config.TELEPORT_ORGANIZATION_DOMAINS)})"
+    )

rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml

@@ -0,0 +1,63 @@
+AnalysisType: rule
+Filename: teleport_saml_login_not_company_domain.py
+RuleID: Teleport.SAMLLoginWithoutCompanyDomain
+DisplayName: "A user authenticated with SAML, but from an unknown company domain"
+Enabled: true
+LogTypes:
+  - Gravitational.TeleportAudit
+Tags:
+  - Teleport
+Severity: High
+Description: "A user authenticated with SAML, but from an unknown company domain"
+DedupPeriodMinutes: 60
+Reports:
+  MITRE ATT&CK:
+    - TA0003:T1098
+Reference: https://goteleport.com/docs/management/admin/
+Runbook: >
+  A user authenticated with SAML, but from an unknown company domain
+SummaryAttributes:
+  - event
+  - code
+  - user
+  - method
+  - mfa_device
+Tests:
+  -
+    Name: A user authenticated with SAML, but from a known company domain
+    ExpectedResult: false
+    Log:
+      {
+        "attributes": {
+          "firstName": [
+            ""
+          ],
+          "groups": [
+            "employees"
+          ]
+        },
+        "cluster_name": "teleport.example.com",
+        "code": "T1001I",
+        "ei": 0,
+        "event": "user.login",
+        "method": "saml",
+        "success": true,
+        "time": "2023-09-18 00:00:00",
+        "uid": "88888888-4444-4444-4444-222222222222",
+        "user": "[email protected]"
+      }
+  -
+    Name: A user authenticated with SAML, but not from a company domain
+    ExpectedResult: true
+    Log:
+      {
+        "cluster_name": "teleport.example.com",
+        "code": "T1001I",
+        "ei": 0,
+        "event": "user.login",
+        "method": "saml",
+        "success": true,
+        "time": "2023-09-18 00:00:00",
+        "uid": "88888888-4444-4444-4444-222222222222",
+        "user": "[email protected]"
+      }