From f1eee0c62510b5c24892a60887851068b61fb4d9 Mon Sep 17 00:00:00 2001
From: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:22:59 -0600
Subject: [PATCH] Wiz.Alert.Passthrough: New Dedup Logic (#1438)

---
 rules/wiz_rules/wiz_alert_passthrough.py | 9 +++-
 rules/wiz_rules/wiz_alert_passthrough.yml | 66 +++++++++++++++++++++++
 2 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/rules/wiz_rules/wiz_alert_passthrough.py b/rules/wiz_rules/wiz_alert_passthrough.py
index 7e84ace86..3357201c3 100644
--- a/rules/wiz_rules/wiz_alert_passthrough.py
+++ b/rules/wiz_rules/wiz_alert_passthrough.py
@@ -13,12 +13,17 @@ def title(event):
 
 
 def severity(event):
-    # if event.get("severity") == "INFORMATIONAL":
-    # return "INFO"
     return event.get("severity")
 
 
 def dedup(event):
+    # For lower-severity events, dedup based on specific source rule to reduce overall alert volume
+    if event.get("severity") in ("INFO", "LOW"):
+        dedup_str = str(event.deep_get("sourceRule", "id"))
+        if dedup_str:
+            return dedup_str
+    # If the severity is higher, or for some reason we couldn't generate a dedup string based on
+    # the source rule, then use the alert severity + the resource ID itself.
     return event.deep_get(
         "entitySnapshot", "externalId", default=""
     ) + event.get("severity", "")
diff --git a/rules/wiz_rules/wiz_alert_passthrough.yml b/rules/wiz_rules/wiz_alert_passthrough.yml
index 4bb4b36a6..fa7640b20 100644
--- a/rules/wiz_rules/wiz_alert_passthrough.yml
+++ b/rules/wiz_rules/wiz_alert_passthrough.yml
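Review bot: In the new `dedup` branch, `str(event.deep_get("sourceRule", "id"))` turns an absent id into the literal string `"None"`, which is truthy, so the `if dedup_str:` guard can never fall through (assuming `deep_get` yields None for a missing key, as the explicit `default=""` on the other call suggests); every INFO/LOW alert lacking a sourceRule id would then share the single dedup key `"None"` and unrelated low-severity alerts would be collapsed together instead of falling back to the severity + resource key. Fetch first and stringify only when present: `rule_id = event.deep_get("sourceRule", "id")` / `if rule_id:` / `return str(rule_id)`. The new yml test in the second hunk only exercises a LOW alert that carries a sourceRule id; a second LOW case with no sourceRule block would pin the fallback path and catch this.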
@@ -78,6 +78,72 @@ Tests: "type": "TOXIC_COMBINATION", "updatedAt": "2024-06-04 02:28:06.763277000" } + - Name: Low-Severity Open Alert + ExpectedResult: true + Log: + { + "createdAt": "2024-06-04 02:28:06.763277000", + "entitySnapshot": { + "cloudProviderURL": "", + "externalId": "someExternalId", + "id": "12345", + "name": "someName", + "nativeType": "", + "providerId": "someProviderId", + "region": "", + "resourceGroupExternalId": "", + "subscriptionExternalId": "", + "subscriptionName": "", + "tags": { }, + "type": "DATA_FINDING" + }, + "id": "54321", + "notes": [ ], + "projects": [ + { + "businessUnit": "", + "id": "45678", + "name": "Project 2", + "riskProfile": { + "businessImpact": "MBI" + }, + "slug": "project-2" + }, + ], + "serviceTickets": [ ], + "severity": "LOW", + "sourceRule": { + "__typename": "Control", + "controlDescription": "Alert Description", + "id": "12345", + "name": "Alert Name", + "resolutionRecommendation": "Alert Resolution Recommendation", + "securitySubCategories": [ + { + "category": { + "framework": { + "name": "Wiz for Risk Assessment" + }, + "name": "High Profile Threats" + }, + "title": "High-profile vulnerability exploited in the wild" + }, + { + "category": { + "framework": { + "name": "MITRE ATT&CK Matrix" + }, + "name": "TA0001 Initial Access" + }, + "title": "T1190 Exploit Public-Facing Application" + }, + ] + }, + "status": "OPEN", + "statusChangedAt": "2024-06-04 02:28:06.597355000", + "type": "TOXIC_COMBINATION", + "updatedAt": "2024-06-04 02:28:06.763277000" + } - Name: Resolved Alert ExpectedResult: false Log: