Skip to content

Commit

Permalink
AppOmni Alert passthrough (#1211)
Browse files Browse the repository at this point in the history
* alert passthrough

* Deprecate GreyNoise detections (#1205)

* Deprecate GreyNoise detections

* Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml

* Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml

* Update cloudflare_httpreq_bot_high_volume_greynoise.yml

---------

Co-authored-by: Ariel Ropek <[email protected]>

* fix - Notion Login From New Location - NoneType error (#1206)

* fix - Notion Login From New Location - NoneType error

* fix - Notion Login From New Location - NoneType error - linter fix

* remove codeowners (#1208)

* linting

* fix - GCP rules - AttributeError (#1210)

* fix - GCP rules - AttributeError

* fix - GCP rules - AttributeError - linter fix

* MITRE ATT&CK Mappings for MS Rules (#1209)

* added MITRE mappings for microsoft rules

* fixed formatting on some helper files

---------

Co-authored-by: Ariel Ropek <[email protected]>

* traildiscover enrichment with managed schema (#1177)

* traildiscover enrichment with managed schema

* Add npm install in dockerfile (#1172)

* add npm install in dockerfile

* Remove Python optimizations; add prettier to PATH

---------

Co-authored-by: egibs <[email protected]>

* schema name: TrailDiscover.CloudTrail

* Fix Dockerfile; add Workflow to test image

* updated data set

* Add MongoDB.2FA.Disabled rule (#1190)

Co-authored-by: Ariel Ropek <[email protected]>

* lint and fmt

* fmt

* add OCSF selector

* additional OCSF mappings

* Fix Pipfile

* Rebase changes

---------

Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Oleh Melenevskyi <[email protected]>

* Update PAT to 0.46.0 (#1216)

* add file/host state to msft graph alert context (#1220)

* fix timestamps (#1219)

* Update PAT to 0.46.1 (#1222)

* pack for traildiscover LUT (#1221)

* use event.deep_get and remove InlineFilters

* add pack

---------

Co-authored-by: Oleh Melenevskyi <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: akozlovets098 <[email protected]>
Co-authored-by: Panos Sakkos <[email protected]>
Co-authored-by: ben-githubs <[email protected]>
Co-authored-by: egibs <[email protected]>
Co-authored-by: Evan Gibler <[email protected]>
Co-authored-by: Nick Hakmiller <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
  • Loading branch information
10 people authored May 14, 2024
1 parent 575cf47 commit c8b6ad9
Show file tree
Hide file tree
Showing 3 changed files with 274 additions and 0 deletions.
7 changes: 7 additions & 0 deletions packs/appomni.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
AnalysisType: pack
PackID: PantherManaged.AppOmni
Description: Group of all AppOmni detections
PackDefinition:
IDs:
- AppOmni.Alert.Passthrough
DisplayName: "Panther AppOmni Pack"
35 changes: 35 additions & 0 deletions rules/appomni_rules/appomni_alert_passthrough.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
def rule(event):
# Only alert where event.kind == "alert"
if event.deep_get("event", "kind") == "alert":
return True
return False


def title(event):
# Create title that includes severity and message
sev_dict = {0: "Critical", 1: "High", 2: "Medium", 3: "Low", 4: "Informational"}
sev = sev_dict[event.deep_get("event", "severity")]

# Use type service in title if only one field, label as 'Multiple Services' if more than one.
if len(event.deep_get("related", "services", "type")) == 1:
service = event.deep_get("related", "services", "type")[0]
else:
service = "Multiple Services"

return f'[{sev}] - {service} - {event.get("message")}'


def severity(event):
# Update Panther alert severity based on severity from AppOmni Alert
sev = {0: "Critical", 1: "High", 2: "Medium", 3: "Low", 4: "Informational"}
return sev[event.deep_get("event", "severity")]


def dedup(event):
# Dedup by the events alert id, make sure we alert each time a new AppOmni alert is logged
return f'Event ID: {event.deep_get("appomni", "event", "id")}'


def alert_context(event):
# 'Threat' and 'related' data to be included in the alert sent to the alert destination
return {"threat": event.deep_get("rule", "threat"), "related": event.deep_get("related")}
232 changes: 232 additions & 0 deletions rules/appomni_rules/appomni_alert_passthrough.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
AnalysisType: rule
Filename: appomni_alert_passthrough.py
RuleID: "AppOmni.Alert.Passthrough"
DisplayName: "AppOmni Alert Passthrough"
Enabled: true
LogTypes:
- AppOmni.Alerts
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0001:T1566
- TA0001:T1528
- TA0001:T1190
- TA0001:T1078
- TA0001:T1199
- TA0004:T1548
- TA0005:T1562
- TA0005:T1090
- TA0005:T1564
- TA0005:T1556
- TA0005:T1550
- TA0005:T1078
- TA0006:T1110
- TA0006:T1111
- TA0006:T1550
- TA0006:T1528
- TA0006:T1552
- TA0006:T1539
- TA0040:T1486
- TA0040:T1565
- TA0040:T1485
- TA0040:T1531
- TA0002:T1204
- TA0003:T1114
- TA0003:T1098
- TA0003:T1556
- TA0003:T1078
- TA0003:T1136
- TA0004:T1484
- TA0007:T1518
- TA0007:T1087
- TA0008:T1550
- TA0042:T1608
- TA0009:T1530
- TA0009:T1213
- TA0009:T1114
- TA0004:T1078
- TA0010:T1537
- TA0010:T1567
DedupPeriodMinutes: 60
Threshold: 1
Tests:
- Name: Alert Type Severity 2
ExpectedResult: true
Log:
appomni:
alert:
channel: prod
event:
dataset: appomni_alert
id: 2ae1e281-4df1-5d26-81e2-7b75589e5dd4
sortable_event_id: 01HQ6JKJ5VE68CAT71JM27Z1D2
sortable_ingest_id: 01HQ6KGT23SN874A9ATHZCM1JH
organization:
id: 285
event:
created: "2024-02-21T19:50:42.499Z"
kind: alert
severity: 2
message: Security issue detected in GitHub repository 'appomni/ao_factory_interfaces'
related:
event:
- cf8e782f-1657-5a4e-bdc2-cff1d147c912
services:
id:
- 12477
type:
- github
rule:
name: Repository Security Issue Detected
ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
threat:
framework: MITRE ATT&CK
tactic:
id:
- TA0001
name:
- Initial Access
technique:
id:
- T1195
name:
- Supply Chain Compromise
uuid: 6d873f19-4847-4412-9b70-6dca598ee64c
version: "1"
timestamp: "2024-02-21T19:34:44.155Z"
version: 2.0.0
- Name: Event Type
ExpectedResult: false
Log:
appomni:
event:
collected_time: "2024-02-28T19:53:34.266Z"
dataset: ao_auditlogs
id: e4431a54-e57d-5cab-8b24-af194d49ebec
ingestion_time: "2024-02-28T19:53:34.298Z"
organization:
id: 6
service:
account_id: "6"
id: 0
name: AppOmni
type: appomni
event:
action: update_token
category:
- authentication
code: access_token_refreshed_refreshtoken
created: "2024-02-28T19:53:34.266Z"
dataset: ao_auditlogs
id: b90b4447-ae6a-4257-95fe-a3f9c5577158
ingested: "2024-02-28T19:53:34.298Z"
kind: event
module: appomni
original: '{"action_at":"2024-02-28T19:53:34.256900+00:00","action_data":{"md_kind":"core.aoaudit.auditdata","md_version":1},"action_type":"access_token_refreshed_refreshtoken","log_id":"b90b4447-ae6a-4257-95fe-a3f9c5577158","org_id":6,"perspective_id":1487,"service_id":34,"service_type":"workday"}'
type:
- change
timestamp: "2024-02-28T19:53:34.256Z"
version: 2.0.0
- Name: External App Install - Severity 3
ExpectedResult: true
Log:
"@timestamp": "2024-02-26T18:02:09.044Z"
appomni:
alert:
channel: prod
event:
dataset: appomni_alert
id: e927e832-bfb1-55d7-9159-0e5cd84dcc65
sortable_event_id: 01HQK99M8MZKWGZG24B5WV4JDK
sortable_ingest_id: 01HQK9DFC5DS5MYM0YEFFW7PF8
organization:
id: 6
event:
created: "2024-02-26T18:04:15.109Z"
kind: alert
severity: 3
message: An external application has been installed by appomni_int_justinz in Workday
related:
event:
- cb786453-a105-5438-97a6-903d15e0cb7e
ip:
- 71.218.228.62
services:
id:
- 34
type:
- workday
user:
- appomni_int_justinz
rule:
name: External Application Installed
ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
threat:
framework: MITRE ATT&CK
tactic:
id:
- TA0005
- TA0008
- TA0010
name:
- Defense Evasion
- Lateral Movement
- Exfiltration
technique:
id:
- T1550
- T1550
- T1567
name:
- Use Alternate Authentication Material
- Use Alternate Authentication Material
- Exfiltration Over Web Service
uuid: 2aadaafd-4ec5-4a09-be6e-c2d70b555d19
version: "1"
version: 2.0.0
- Name: Multiple Services
ExpectedResult: true
Log:
appomni:
alert:
channel: prod
event:
dataset: appomni_alert
id: 2ae1e281-4df1-5d26-81e2-7b75589e5dd4
sortable_event_id: 01HQ6JKJ5VE68CAT71JM27Z1D2
sortable_ingest_id: 01HQ6KGT23SN874A9ATHZCM1JH
organization:
id: 285
event:
created: "2024-02-21T19:50:42.499Z"
kind: alert
severity: 2
message: Security issue detected in GitHub repository 'appomni/ao_factory_interfaces'
related:
event:
- cf8e782f-1657-5a4e-bdc2-cff1d147c912
services:
id:
- 12477
type:
- github
- workday
rule:
name: Repository Security Issue Detected
ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
threat:
framework: MITRE ATT&CK
tactic:
id:
- TA0001
name:
- Initial Access
technique:
id:
- T1195
name:
- Supply Chain Compromise
uuid: 6d873f19-4847-4412-9b70-6dca598ee64c
version: "1"
timestamp: "2024-02-21T19:34:44.155Z"
version: 2.0.0

0 comments on commit c8b6ad9

Please sign in to comment.