diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5d8e0b94c..21ee22919 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
       - name: Build Image
         run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
       - name: Test Image
diff --git a/rules/github_rules/github_action_failed.py b/rules/github_rules/github_action_failed.py
index 64178ef6f..5911fbeda 100644
--- a/rules/github_rules/github_action_failed.py
+++ b/rules/github_rules/github_action_failed.py
@@ -2,7 +2,7 @@
 from unittest.mock import MagicMock
 
 from global_filter_github import filter_include_event
-from panther_base_helpers import deep_get, github_alert_context
+from panther_base_helpers import github_alert_context
 
 # The keys for MONITORED_ACTIONS are gh_org/repo_name
 # The values for MONITORED_ACTIONS are a list of ["action_names"]
@@ -15,22 +15,22 @@ def rule(event):
     global MONITORED_ACTIONS  # pylint: disable=global-statement
     if isinstance(MONITORED_ACTIONS, MagicMock):
         MONITORED_ACTIONS = json.loads(MONITORED_ACTIONS())  # pylint: disable=not-callable
-    repo = deep_get(event, "repo", default="")
-    action_name = deep_get(event, "name", default="")
+    repo = event.get("repo", "")
+    action_name = event.get("name", "")
     return all(
         [
-            deep_get(event, "action", default="") == "workflows.completed_workflow_run",
+            event.get("action", "") == "workflows.completed_workflow_run",
+            event.get("conclusion", "") == "failure",
             repo in MONITORED_ACTIONS,
             action_name in MONITORED_ACTIONS.get(repo, []),
-            deep_get(event, "conclusion", default="") == "failure",
         ]
     )
 
 
 def title(event):
-    repo = deep_get(event, "repo", default="")
-    action_name = deep_get(event, "name", default="")
-    return f"The GitHub Action [{action_name}] in [{repo}] has failed"
+    repo = event.get("repo", "")
+    action_name = event.get("name", "")
+    return f"GitHub Action [{action_name}] in [{repo}] has failed"
 
 
 def alert_context(event):
diff --git a/rules/sublime_rules/sublime_mailboxes_deactivated.yml b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
index fb797d549..06a16bab2 100644
--- a/rules/sublime_rules/sublime_mailboxes_deactivated.yml
+++ b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
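Review bot: `event.get("repo", "")` and `event.get("name", "")` in rule() and title() only substitute "" when the key is absent; an event that carries an explicit null for repo or name now yields None, whereas the removed `deep_get(..., default="")` returned "" in that case if, as I recall Panther's helper doing, it also applied the default to a None value. The rule's verdict is unaffected (None is neither a MONITORED_ACTIONS key nor a listed action name), but title() would render `GitHub Action [None] in [None] has failed`; `repo = event.get("repo") or ""` and `action_name = event.get("name") or ""` preserve the old text. Moving the conclusion check ahead of the repo lookups inside `all([...])` changes nothing at runtime, because the list is built eagerly and every `event.get` plus `MONITORED_ACTIONS.get(repo, [])` still runs when the action type already mismatches; a generator `all((...))` or a plain `and` chain would actually short-circuit in the new order. The first hunk also drops `deep_get` from the import, so if alert_context (whose body continues past this hunk) or anything else in the file still calls it, that path now fails at runtime — worth confirming against the rest of the file.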
@@ -21,64 +21,70 @@ Tests: Log: { "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate" - } + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate", + } - ExpectedResult: true 
Name: Mailbox Deactivated Log: { "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", + }, + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate_mailboxes" - } + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate_mailboxes", + } 
diff --git a/rules/sublime_rules/sublime_message_flagged.yml b/rules/sublime_rules/sublime_message_flagged.yml
index a0fb9f6fc..ed7204686 100644
--- a/rules/sublime_rules/sublime_message_flagged.yml
+++ b/rules/sublime_rules/sublime_message_flagged.yml
@@ -16,54 +16,55 @@ Tests: Name: Message Flagged Log: { - "p_source_file": { - "aws_s3_bucket": "audit.log.export", - "aws_s3_key": "sublime_platform_message_events/2024/09/24/164544Z-FPXIFG.json" - }, - "p_any_sha256_hashes": [ - "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6" - ], - "p_event_time": "2024-09-24 16:45:43.302769000", - "p_log_type": "Sublime.MessageEvent", - "p_parse_time": "2024-09-24 16:51:47.687095351", - "p_row_id": "a23385494d57dfbbbdcbe4fa218101", - "p_schema_version": 0, - "p_source_id": "7e2a59aa-687e-430e-ae4a-81d3c0163f52", - "p_source_label": "Sublime Real Logs", - "p_udm": {}, - "created_at": "2024-09-24 16:45:43.302769000", - "data": { - "flagged_rules": [ - { - "id": "b0ab266f-8a12-4020-b165-e97bb1aacc42", - "name": "Credential phishing: Engaging language and other indicators (untrusted sender)" - }, - { - "id": "a014f82e-f2d7-4058-adb1-36fc086de0b8", - "name": "Attachment: HTML smuggling with unescape" - }, - { - "id": "e4866908-60fe-46f0-866e-84d412627006", - "name": "Headers: Zimbra mailer from a non-supported OS version" - }, - { - "id": "5a9dc2cd-39f5-4814-95df-aa7614cc8bdd", - "name": "Impersonation: Human Resources with link or attachment and engaging language" - }, - { - "id": "7988f1f5-5c95-42c2-9140-ead5a975918e", - "name": "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment" - } - ], - "message": { - "canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6", - "external_id": "b86b1e58-e9f8-4b55-8b54-1402f9f95e69", - "id": "019224ec-aba6-763d-bb2e-cd4cbd40a29f", - "mailbox": { - "id": "624c8394-4fe2-4ba0-bd2b-86d2e503c614" - }, - "message_source_id": "91956379-c2f3-4c50-a410-3ba89fb8bc74" - } - }, - "type": "message.flagged" + "p_source_file": + { + "aws_s3_bucket": "audit.log.export", + "aws_s3_key": "sublime_platform_message_events/2024/09/24/164544Z-FPXIFG.json", + }, + "p_any_sha256_hashes": + 
["fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6"], + "p_event_time": "2024-09-24 16:45:43.302769000", + "p_log_type": "Sublime.MessageEvent", + "p_parse_time": "2024-09-24 16:51:47.687095351", + "p_row_id": "a23385494d57dfbbbdcbe4fa218101", + "p_schema_version": 0, + "p_source_id": "7e2a59aa-687e-430e-ae4a-81d3c0163f52", + "p_source_label": "Sublime Real Logs", + "p_udm": {}, + "created_at": "2024-09-24 16:45:43.302769000", + "data": + { + "flagged_rules": + [ + { + "id": "b0ab266f-8a12-4020-b165-e97bb1aacc42", + "name": "Credential phishing: Engaging language and other indicators (untrusted sender)", + }, + { + "id": "a014f82e-f2d7-4058-adb1-36fc086de0b8", + "name": "Attachment: HTML smuggling with unescape", + }, + { + "id": "e4866908-60fe-46f0-866e-84d412627006", + "name": "Headers: Zimbra mailer from a non-supported OS version", + }, + { + "id": "5a9dc2cd-39f5-4814-95df-aa7614cc8bdd", + "name": "Impersonation: Human Resources with link or attachment and engaging language", + }, + { + "id": "7988f1f5-5c95-42c2-9140-ead5a975918e", + "name": "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment", + }, + ], + "message": + { + "canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6", + "external_id": "b86b1e58-e9f8-4b55-8b54-1402f9f95e69", + "id": "019224ec-aba6-763d-bb2e-cd4cbd40a29f", + "mailbox": { "id": "624c8394-4fe2-4ba0-bd2b-86d2e503c614" }, + "message_source_id": "91956379-c2f3-4c50-a410-3ba89fb8bc74", + }, + }, + "type": "message.flagged", } diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml index 15855307a..e4c211501 100644 --- a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml +++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml 
@@ -21,64 +21,70 @@ Tests: Log: { "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate" - } + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate", + } - ExpectedResult: false 
Name: Other Events Log: { "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", + }, + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "rule.deactivate" - } + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "rule.deactivate", + } 
diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
index 48bcdd7d4..9a823a79d 100644
--- a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
+++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
@@ -21,64 +21,70 @@ Tests: Log: { "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "rules.delete" - } + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "rules.delete", + } - ExpectedResult: false Name: Other Events Log: { 
"created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" + "created_by": + { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000", + }, + "data": + { + "request": + { + "authentication_method": "user_session", + "body": '{"mailbox_ids":["493c6e21-7787-419b-bada-7c4f50cbb932"]}', + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": {}, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36", + }, }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate" - } + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate", + }