Merge branch 'release' into THREAT-370/remove-deprecate-rules
arielkr256 authored Oct 7, 2024
2 parents bedba3f + 4d95257 commit fd57161
Showing 6 changed files with 240 additions and 221 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/docker.yml
Expand Up @@ -31,7 +31,7 @@ jobs:
- uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
- name: Build Image
run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
- name: Test Image
16 changes: 8 additions & 8 deletions rules/github_rules/github_action_failed.py
Expand Up @@ -2,7 +2,7 @@
from unittest.mock import MagicMock

from global_filter_github import filter_include_event
from panther_base_helpers import deep_get, github_alert_context
from panther_base_helpers import github_alert_context

# The keys for MONITORED_ACTIONS are gh_org/repo_name
# The values for MONITORED_ACTIONS are a list of ["action_names"]
Expand All @@ -15,22 +15,22 @@ def rule(event):
global MONITORED_ACTIONS # pylint: disable=global-statement
if isinstance(MONITORED_ACTIONS, MagicMock):
MONITORED_ACTIONS = json.loads(MONITORED_ACTIONS()) # pylint: disable=not-callable
repo = deep_get(event, "repo", default="")
action_name = deep_get(event, "name", default="")
repo = event.get("repo", "")
action_name = event.get("name", "")
return all(
[
deep_get(event, "action", default="") == "workflows.completed_workflow_run",
event.get("action", "") == "workflows.completed_workflow_run",
event.get("conclusion", "") == "failure",
repo in MONITORED_ACTIONS,
action_name in MONITORED_ACTIONS.get(repo, []),
deep_get(event, "conclusion", default="") == "failure",
]
)


def title(event):
repo = deep_get(event, "repo", default="<NO_REPO>")
action_name = deep_get(event, "name", default="<NO_ACTION_NAME>")
return f"The GitHub Action [{action_name}] in [{repo}] has failed"
repo = event.get("repo", "<NO_REPO>")
action_name = event.get("name", "<NO_ACTION_NAME>")
return f"GitHub Action [{action_name}] in [{repo}] has failed"


def alert_context(event):
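Review bot: Replacing `deep_get(event, "name", default=...)` with `event.get("name", ...)` in both `rule` and `title` narrows when the default applies: a plain `.get` default only covers a missing key, whereas the dropped helper (as far as I recall panther_base_helpers.deep_get, worth confirming) also returned the default for an explicit `null`. In `rule` this is harmless because `None in MONITORED_ACTIONS.get(repo, [])` is simply false, but `title` would then render `GitHub Action [None] in [None] has failed`; `repo = event.get("repo") or "<NO_REPO>"` and `action_name = event.get("name") or "<NO_ACTION_NAME>"` keep the placeholders. A one-line docstring on `rule` stating that it fires only for `workflows.completed_workflow_run` events with `conclusion == "failure"` on a repo/action pair listed in `MONITORED_ACTIONS` would also help, since the MagicMock unwrapping on its first lines is not self-explanatory. The `def rule(event):` line sits above this hunk and `alert_context` continues below it.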
114 changes: 60 additions & 54 deletions rules/sublime_rules/sublime_mailboxes_deactivated.yml
Expand Up @@ -21,64 +21,70 @@ Tests:
Log:
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
"created_by":
{
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000",
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate"
}
"data":
{
"request":
{
"authentication_method": "user_session",
"body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}',
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": {},
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
},
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate",
}
- ExpectedResult: true
Name: Mailbox Deactivated
Log:
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
"created_by":
{
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000",
},
"data":
{
"request":
{
"authentication_method": "user_session",
"body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}',
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": {},
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
},
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate_mailboxes"
}
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate_mailboxes",
}
101 changes: 51 additions & 50 deletions rules/sublime_rules/sublime_message_flagged.yml
Expand Up @@ -16,54 +16,55 @@ Tests:
Name: Message Flagged
Log:
{
"p_source_file": {
"aws_s3_bucket": "audit.log.export",
"aws_s3_key": "sublime_platform_message_events/2024/09/24/164544Z-FPXIFG.json"
},
"p_any_sha256_hashes": [
"fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6"
],
"p_event_time": "2024-09-24 16:45:43.302769000",
"p_log_type": "Sublime.MessageEvent",
"p_parse_time": "2024-09-24 16:51:47.687095351",
"p_row_id": "a23385494d57dfbbbdcbe4fa218101",
"p_schema_version": 0,
"p_source_id": "7e2a59aa-687e-430e-ae4a-81d3c0163f52",
"p_source_label": "Sublime Real Logs",
"p_udm": {},
"created_at": "2024-09-24 16:45:43.302769000",
"data": {
"flagged_rules": [
{
"id": "b0ab266f-8a12-4020-b165-e97bb1aacc42",
"name": "Credential phishing: Engaging language and other indicators (untrusted sender)"
},
{
"id": "a014f82e-f2d7-4058-adb1-36fc086de0b8",
"name": "Attachment: HTML smuggling with unescape"
},
{
"id": "e4866908-60fe-46f0-866e-84d412627006",
"name": "Headers: Zimbra mailer from a non-supported OS version"
},
{
"id": "5a9dc2cd-39f5-4814-95df-aa7614cc8bdd",
"name": "Impersonation: Human Resources with link or attachment and engaging language"
},
{
"id": "7988f1f5-5c95-42c2-9140-ead5a975918e",
"name": "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment"
}
],
"message": {
"canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6",
"external_id": "b86b1e58-e9f8-4b55-8b54-1402f9f95e69",
"id": "019224ec-aba6-763d-bb2e-cd4cbd40a29f",
"mailbox": {
"id": "624c8394-4fe2-4ba0-bd2b-86d2e503c614"
},
"message_source_id": "91956379-c2f3-4c50-a410-3ba89fb8bc74"
}
},
"type": "message.flagged"
"p_source_file":
{
"aws_s3_bucket": "audit.log.export",
"aws_s3_key": "sublime_platform_message_events/2024/09/24/164544Z-FPXIFG.json",
},
"p_any_sha256_hashes":
["fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6"],
"p_event_time": "2024-09-24 16:45:43.302769000",
"p_log_type": "Sublime.MessageEvent",
"p_parse_time": "2024-09-24 16:51:47.687095351",
"p_row_id": "a23385494d57dfbbbdcbe4fa218101",
"p_schema_version": 0,
"p_source_id": "7e2a59aa-687e-430e-ae4a-81d3c0163f52",
"p_source_label": "Sublime Real Logs",
"p_udm": {},
"created_at": "2024-09-24 16:45:43.302769000",
"data":
{
"flagged_rules":
[
{
"id": "b0ab266f-8a12-4020-b165-e97bb1aacc42",
"name": "Credential phishing: Engaging language and other indicators (untrusted sender)",
},
{
"id": "a014f82e-f2d7-4058-adb1-36fc086de0b8",
"name": "Attachment: HTML smuggling with unescape",
},
{
"id": "e4866908-60fe-46f0-866e-84d412627006",
"name": "Headers: Zimbra mailer from a non-supported OS version",
},
{
"id": "5a9dc2cd-39f5-4814-95df-aa7614cc8bdd",
"name": "Impersonation: Human Resources with link or attachment and engaging language",
},
{
"id": "7988f1f5-5c95-42c2-9140-ead5a975918e",
"name": "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment",
},
],
"message":
{
"canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6",
"external_id": "b86b1e58-e9f8-4b55-8b54-1402f9f95e69",
"id": "019224ec-aba6-763d-bb2e-cd4cbd40a29f",
"mailbox": { "id": "624c8394-4fe2-4ba0-bd2b-86d2e503c614" },
"message_source_id": "91956379-c2f3-4c50-a410-3ba89fb8bc74",
},
},
"type": "message.flagged",
}