-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
new rule: GCP.User.Added.To.Privileged.Group (#1378)
Co-authored-by: Ariel <[email protected]> Co-authored-by: Ariel Ropek <[email protected]>
- Loading branch information
3 people
authored
Oct 15, 2024
1 parent
8e7a6f6
commit b8fbbbd
Showing
2 changed files
with
175 additions
and
0 deletions.
There are no files selected for viewing
35 changes: 35 additions & 0 deletions
35
rules/gcp_audit_rules/gcp_user_added_to_privileged_group.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| from panther_base_helpers import key_value_list_to_dict | ||
|
|
||
| PRIVILEGED_GROUPS = { | ||
| # "[email protected]" | ||
| } | ||
|
|
||
| USER_EMAIL = "" | ||
| GROUP_EMAIL = "" | ||
|
|
||
|
|
||
| def rule(event): | ||
| events = event.deep_get("protoPayload", "metadata", "event", default=[]) | ||
|
|
||
| for event_ in events: | ||
| if event_.get("eventname") != "ADD_GROUP_MEMBER": | ||
| continue | ||
| # Get the username | ||
| params = key_value_list_to_dict(event_.get("parameter", []), "name", "value") | ||
| global USER_EMAIL, GROUP_EMAIL # pylint: disable=global-statement | ||
| USER_EMAIL = params.get("USER_EMAIL") | ||
| GROUP_EMAIL = params.get("GROUP_EMAIL") | ||
| if GROUP_EMAIL in get_privileged_groups(): | ||
| return True | ||
| return False | ||
|
|
||
|
|
||
| def title(event): | ||
| actor = event.deep_get("actor", "email", default="") | ||
| global USER_EMAIL, GROUP_EMAIL | ||
| return f"{actor} has added {USER_EMAIL} to the privileged group {GROUP_EMAIL}" | ||
|
|
||
|
|
||
| def get_privileged_groups(): | ||
| # We make this a function, so we can mock it for unit tests | ||
| return PRIVILEGED_GROUPS |
140 changes: 140 additions & 0 deletions
140
rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,140 @@ | ||
| AnalysisType: rule | ||
| Filename: gcp_user_added_to_privileged_group.py | ||
| RuleID: "GCP.User.Added.To.Privileged.Group" | ||
| DisplayName: "GCP User Added to Privileged Group" | ||
| Enabled: false | ||
| LogTypes: | ||
| - GCP.AuditLog | ||
| Severity: Low | ||
| Tags: | ||
| - Configuration Required | ||
| Reports: | ||
| MITRE ATT&CK: | ||
| - TA0004:T1078.004 # Privilege Escalation: Valid Accounts: Cloud Accounts | ||
| - TA0004:T1484.001 # Privilege Escalation: Domain or Tenant Policy Modification: Group Policy Modification | ||
| Description: A user was added to a group with special previleges | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| Reference: | ||
| https://github.com/GoogleCloudPlatform/security-analytics/blob/main/src/2.02/2.02.md | ||
| Runbook: Determine if the user had been added to the group for legitimate reasons. | ||
| Tests: | ||
| - Name: User Added to Privileged Group | ||
| ExpectedResult: true | ||
| Mocks: | ||
| - objectName: get_privileged_groups | ||
| returnValue: '["[email protected]"]' | ||
| Log: | ||
| { | ||
| "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity", | ||
| "severity": "NOTICE", | ||
| "insertId": "285djodxlmu", | ||
| "resource": { | ||
| "type": "audited_resource", | ||
| "labels": { | ||
| "method": "google.admin.AdminService.addGroupMember", | ||
| "service": "admin.googleapis.com" | ||
| } | ||
| }, | ||
| "timestamp": "2022-03-22T22:12:58.916Z", | ||
| "receiveTimestamp": "2022-03-22T22:12:59.439766009Z", | ||
| "protoPayload": { | ||
| "@type": "type.googleapis.com/google.cloud.audit.AuditLog", | ||
| "serviceName": "admin.googleapis.com", | ||
| "methodName": "google.admin.AdminService.addGroupMember", | ||
| "resourceName": "organizations/123/groupSettings", | ||
| "authenticationInfo": { | ||
| "principalEmail": "[email protected]" | ||
| }, | ||
| "requestMetadata": { | ||
| "callerIP": "11.22.33.44", | ||
| "requestAttributes": {}, | ||
| "destinationAttributes": {} | ||
| }, | ||
| "metadata": { | ||
| "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", | ||
| "activityId": { | ||
| "timeUsec": "1647987178916000", | ||
| "uniqQualifier": "-8614641986436885296" | ||
| }, | ||
| "event": [ | ||
| { | ||
| "eventName": "ADD_GROUP_MEMBER", | ||
| "eventType": "GROUP_SETTINGS", | ||
| "parameter": [ | ||
| { | ||
| "label": "LABEL_OPTIONAL", | ||
| "value": "[email protected]", | ||
| "type": "TYPE_STRING", | ||
| "name": "USER_EMAIL" | ||
| }, | ||
| { | ||
| "type": "TYPE_STRING", | ||
| "value": "[email protected]", | ||
| "label": "LABEL_OPTIONAL", | ||
| "name": "GROUP_EMAIL" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| - Name: User Added to Non-Privileged Group | ||
| ExpectedResult: false | ||
| Log: | ||
| { | ||
| "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity", | ||
| "severity": "NOTICE", | ||
| "insertId": "285djodxlmu", | ||
| "resource": { | ||
| "type": "audited_resource", | ||
| "labels": { | ||
| "method": "google.admin.AdminService.addGroupMember", | ||
| "service": "admin.googleapis.com" | ||
| } | ||
| }, | ||
| "timestamp": "2022-03-22T22:12:58.916Z", | ||
| "receiveTimestamp": "2022-03-22T22:12:59.439766009Z", | ||
| "protoPayload": { | ||
| "@type": "type.googleapis.com/google.cloud.audit.AuditLog", | ||
| "serviceName": "admin.googleapis.com", | ||
| "methodName": "google.admin.AdminService.addGroupMember", | ||
| "resourceName": "organizations/123/groupSettings", | ||
| "authenticationInfo": { | ||
| "principalEmail": "[email protected]" | ||
| }, | ||
| "requestMetadata": { | ||
| "callerIP": "11.22.33.44", | ||
| "requestAttributes": {}, | ||
| "destinationAttributes": {} | ||
| }, | ||
| "metadata": { | ||
| "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto", | ||
| "activityId": { | ||
| "timeUsec": "1647987178916000", | ||
| "uniqQualifier": "-8614641986436885296" | ||
| }, | ||
| "event": [ | ||
| { | ||
| "eventName": "ADD_GROUP_MEMBER", | ||
| "eventType": "GROUP_SETTINGS", | ||
| "parameter": [ | ||
| { | ||
| "label": "LABEL_OPTIONAL", | ||
| "value": "[email protected]", | ||
| "type": "TYPE_STRING", | ||
| "name": "USER_EMAIL" | ||
| }, | ||
| { | ||
| "type": "TYPE_STRING", | ||
| "value": "[email protected]", | ||
| "label": "LABEL_OPTIONAL", | ||
| "name": "GROUP_EMAIL" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } |