Merge branch 'develop' into add-alerttitle-to-rule-jsonschema

panther-labs · Oct 15, 2024 · d2d9cc4 · d2d9cc4
2 parents 29719d1 + b8fbbbd
commit d2d9cc4
Show file tree

Hide file tree

Showing 9 changed files with 186 additions and 53 deletions.
diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml
@@ -42,7 +42,7 @@ jobs:
           panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT
 
       - name: Comment PR
-        uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
+        uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9
         if: ${{ steps.check-packs.outputs.errors }}
         with:
           mode: upsert
@@ -54,7 +54,7 @@ jobs:
             ```
           comment_tag: check-packs
       - name: Delete comment
-        uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
+        uses: thollander/actions-comment-pull-request@e2c37e53a7d2227b61585343765f73a9ca57eda9
         if: ${{ !steps.check-packs.outputs.errors }}
         with:
           mode: delete

diff --git a/.scripts/mitre_mapping_check.py b/.scripts/mitre_mapping_check.py
@@ -13,8 +13,13 @@
 
 
 def main(path: Path) -> bool:
+    # Ignore any schema test files
+    #   Schema tests can't be loaded by panther_analysis_tool because each file contains multiple
+    #   YAML documents.
+    ignore_files = list(path.glob("**/*_tests.y*ml"))
+
     # Load Repo
-    analysis_items = load_analysis_specs([path], ignore_files=[])
+    analysis_items = load_analysis_specs([path], ignore_files=ignore_files)
 
     items_with_invalid_mappings = []  # Record all items with bad tags
     for analysis_item in analysis_items:

diff --git a/deprecated.txt b/deprecated.txt
@@ -31,4 +31,6 @@ AWS.CloudTrail.RootFailedConsoleLogin
 AWS.S3.GreyNoiseActivity
 AWS.CloudTrail.RootConsoleLogin
 Okta.GeographicallyImprobableAccess
-Okta.BruteForceLogins
+Okta.BruteForceLogins
+Query.Snowflake.PublicRoleGrant
+Snowflake.PublicRoleGrant
diff --git a/packs/snowflake.yml b/packs/snowflake.yml
@@ -20,7 +20,6 @@ PackDefinition:
     - Query.Snowflake.KeyUserPasswordLogin
     - Query.Snowflake.MFALogin
     - Query.Snowflake.Multiple.Logins.Followed.By.Success
-    - Query.Snowflake.PublicRoleGrant
     - Query.Snowflake.SuspectedUserAccess
     - Query.Snowflake.TempStageCreated
     - Query.Snowflake.UserCreated
@@ -38,7 +37,6 @@ PackDefinition:
     - Snowflake.KeyUserPasswordLogin
     - Snowflake.LoginWithoutMFA
     - Snowflake.Multiple.Failed.Logins.Followed.By.Success
-    - Snowflake.PublicRoleGrant
     - Snowflake.TempStageCreated
     - Snowflake.User.Access
     - Snowflake.UserCreated

diff --git a/queries/snowflake_queries/snowflake_public_role_grant.py b/queries/snowflake_queries/snowflake_public_role_grant.py
diff --git a/queries/snowflake_queries/snowflake_public_role_grant.yml b/queries/snowflake_queries/snowflake_public_role_grant.yml
diff --git a/queries/snowflake_queries/snowflake_public_role_grant_query.yml b/queries/snowflake_queries/snowflake_public_role_grant_query.yml
diff --git a/rules/gcp_audit_rules/gcp_user_added_to_privileged_group.py b/rules/gcp_audit_rules/gcp_user_added_to_privileged_group.py
@@ -0,0 +1,35 @@
+from panther_base_helpers import key_value_list_to_dict
+
+PRIVILEGED_GROUPS = {
+    # "[email protected]"
+}
+
+USER_EMAIL = ""
+GROUP_EMAIL = ""
+
+
+def rule(event):
+    events = event.deep_get("protoPayload", "metadata", "event", default=[])
+
+    for event_ in events:
+        if event_.get("eventname") != "ADD_GROUP_MEMBER":
+            continue
+        # Get the username
+        params = key_value_list_to_dict(event_.get("parameter", []), "name", "value")
+        global USER_EMAIL, GROUP_EMAIL  # pylint: disable=global-statement
+        USER_EMAIL = params.get("USER_EMAIL")
+        GROUP_EMAIL = params.get("GROUP_EMAIL")
+        if GROUP_EMAIL in get_privileged_groups():
+            return True
+    return False
+
+
+def title(event):
+    actor = event.deep_get("actor", "email", default="")
+    global USER_EMAIL, GROUP_EMAIL
+    return f"{actor} has added {USER_EMAIL} to the privileged group {GROUP_EMAIL}"
+
+
+def get_privileged_groups():
+    # We make this a function, so we can mock it for unit tests
+    return PRIVILEGED_GROUPS
diff --git a/rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml b/rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml
@@ -0,0 +1,140 @@
+AnalysisType: rule
+Filename: gcp_user_added_to_privileged_group.py
+RuleID: "GCP.User.Added.To.Privileged.Group"
+DisplayName: "GCP User Added to Privileged Group"
+Enabled: false
+LogTypes:
+  - GCP.AuditLog
+Severity: Low
+Tags:
+  - Configuration Required
+Reports:
+  MITRE ATT&CK:
+    - TA0004:T1078.004 # Privilege Escalation: Valid Accounts: Cloud Accounts
+    - TA0004:T1484.001 # Privilege Escalation: Domain or Tenant Policy Modification: Group Policy Modification
+Description: A user was added to a group with special previleges
+DedupPeriodMinutes: 60
+Threshold: 1
+Reference: 
+  https://github.com/GoogleCloudPlatform/security-analytics/blob/main/src/2.02/2.02.md
+Runbook: Determine if the user had been added to the group for legitimate reasons.
+Tests:
+  - Name: User Added to Privileged Group
+    ExpectedResult: true
+    Mocks:
+      - objectName: get_privileged_groups
+        returnValue: '["[email protected]"]'
+    Log:
+      {
+        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity",
+        "severity": "NOTICE",
+        "insertId": "285djodxlmu",
+        "resource": {
+          "type": "audited_resource",
+          "labels": {
+            "method": "google.admin.AdminService.addGroupMember",
+            "service": "admin.googleapis.com"
+          }
+        },
+        "timestamp": "2022-03-22T22:12:58.916Z",
+        "receiveTimestamp": "2022-03-22T22:12:59.439766009Z",
+        "protoPayload": {
+          "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+          "serviceName": "admin.googleapis.com",
+          "methodName": "google.admin.AdminService.addGroupMember",
+          "resourceName": "organizations/123/groupSettings",
+          "authenticationInfo": {
+            "principalEmail": "[email protected]"
+          },
+          "requestMetadata": {
+            "callerIP": "11.22.33.44",
+            "requestAttributes": {},
+            "destinationAttributes": {}
+          },
+          "metadata": {
+            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
+            "activityId": {
+              "timeUsec": "1647987178916000",
+              "uniqQualifier": "-8614641986436885296"
+            },
+            "event": [
+              {
+                "eventName": "ADD_GROUP_MEMBER",
+                "eventType": "GROUP_SETTINGS",
+                "parameter": [
+                  {
+                    "label": "LABEL_OPTIONAL",
+                    "value": "[email protected]",
+                    "type": "TYPE_STRING",
+                    "name": "USER_EMAIL"
+                  },
+                  {
+                    "type": "TYPE_STRING",
+                    "value": "[email protected]",
+                    "label": "LABEL_OPTIONAL",
+                    "name": "GROUP_EMAIL"
+                  }
+                ]
+              }
+            ]
+          }
+        }
+      }
+  - Name: User Added to Non-Privileged Group
+    ExpectedResult: false
+    Log:
+      {
+        "logName": "organizations/123/logs/cloudaudit.googleapis.com%2Factivity",
+        "severity": "NOTICE",
+        "insertId": "285djodxlmu",
+        "resource": {
+          "type": "audited_resource",
+          "labels": {
+            "method": "google.admin.AdminService.addGroupMember",
+            "service": "admin.googleapis.com"
+          }
+        },
+        "timestamp": "2022-03-22T22:12:58.916Z",
+        "receiveTimestamp": "2022-03-22T22:12:59.439766009Z",
+        "protoPayload": {
+          "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
+          "serviceName": "admin.googleapis.com",
+          "methodName": "google.admin.AdminService.addGroupMember",
+          "resourceName": "organizations/123/groupSettings",
+          "authenticationInfo": {
+            "principalEmail": "[email protected]"
+          },
+          "requestMetadata": {
+            "callerIP": "11.22.33.44",
+            "requestAttributes": {},
+            "destinationAttributes": {}
+          },
+          "metadata": {
+            "@type": "type.googleapis.com/ccc_hosted_reporting.ActivityProto",
+            "activityId": {
+              "timeUsec": "1647987178916000",
+              "uniqQualifier": "-8614641986436885296"
+            },
+            "event": [
+              {
+                "eventName": "ADD_GROUP_MEMBER",
+                "eventType": "GROUP_SETTINGS",
+                "parameter": [
+                  {
+                    "label": "LABEL_OPTIONAL",
+                    "value": "[email protected]",
+                    "type": "TYPE_STRING",
+                    "name": "USER_EMAIL"
+                  },
+                  {
+                    "type": "TYPE_STRING",
+                    "value": "[email protected]",
+                    "label": "LABEL_OPTIONAL",
+                    "name": "GROUP_EMAIL"
+                  }
+                ]
+              }
+            ]
+          }
+        }
+      }