Consider adding requestParameters to aws_rule_context() helper #1401

Open
pbnj-dragon opened this issue Oct 22, 2024 · 0 comments · May be fixed by #1402
Labels
enhancement New feature or request

Comments

@pbnj-dragon
Contributor

pbnj-dragon commented Oct 22, 2024

Problem

When an alert from an AWS detection rule is sent to a destination, the alert context does not include requestParameters, which contains critical details relevant to the AWS alert and subsequent incident response.

Proposed Enhancement

The requestParameters can be added to the aws_rule_context() helper function, like:

```diff
def aws_rule_context(event: dict):
    return {
        "eventName": event.get("eventName", "<MISSING_EVENT_NAME>"),
        "eventSource": event.get("eventSource", "<MISSING_ACCOUNT_ID>"),
        "awsRegion": event.get("awsRegion", "<MISSING_AWS_REGION>"),
        "recipientAccountId": event.get("recipientAccountId", "<MISSING_ACCOUNT_ID>"),
+       "requestParameters": event.get("requestParameters", "<MISSING_REQUEST_PARAMETERS>"),
        "sourceIPAddress": event.get("sourceIPAddress", "<MISSING_SOURCE_IP>"),
        "userAgent": event.get("userAgent", "<MISSING_USER_AGENT>"),
        "userIdentity": event.get("userIdentity", "<MISSING_USER_IDENTITY>"),
    }
```
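Review bot: the `eventSource` line's fallback is `<MISSING_ACCOUNT_ID>`, which reads as a copy-paste slip from the `recipientAccountId` line below it; since this helper is being touched anyway, a `<MISSING_EVENT_SOURCE>` placeholder would label an absent field correctly in the alert. The added `requestParameters` line follows the existing pattern, so the key is always present in the context, but its value is a placeholder string when the field is absent and the event's own value otherwise; anything downstream that parses the context should expect either.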

Workaround

The workaround would be to clone the managed rule, just to extend the alert_context(), like:

```diff
def alert_context(event):
-    return aws_rule_context(event)
+    return aws_rule_context(event) | {"requestParameters": event.get("requestParameters", "<MISSING_REQUEST_PARAMETERS>")}
```
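Review bot: the `|` dict union on the `+` line requires Python 3.9 or newer; on an older detection runtime, `{**aws_rule_context(event), "requestParameters": event.get("requestParameters", "<MISSING_REQUEST_PARAMETERS>")}` is the equivalent spelling. The `<MISSING_REQUEST_PARAMETERS>` literal is also duplicated from the proposed helper change, so if both land the two copies can drift; keeping the placeholder in the helper only avoids that.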

But this approach has a few notable downsides:

  1. Lose out when/if Panther-managed AWS detections are updated in the future
  2. Duplicate all Panther-managed detections just to add a JSON key/value (high effort for little value)

Not sure if there is another workaround available that achieves the desired outcome without these downsides.

Happy to submit a Pull Request if the proposed solution is acceptable.
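The following is an added example, not code from the issue author or from panther-analysis: a stand-in for the proposed aws_rule_context() helper with requestParameters included, the helper as it exists today, and the clone-and-merge workaround, all exercised against constructed CloudTrail-style events. The event shapes, the field list, and the placeholder strings are assumptions taken from the issue text; the `legacy_rule_context` and `missing_fields` names are hypothetical.

```python
"""Exercise the proposed requestParameters addition against constructed events."""

MISSING_REQUEST_PARAMETERS = "<MISSING_REQUEST_PARAMETERS>"


def aws_rule_context(event: dict) -> dict:
    """Proposed helper (assumed shape): every key is always present, with a
    placeholder string marking fields that the event did not carry."""
    return {
        "eventName": event.get("eventName", "<MISSING_EVENT_NAME>"),
        "eventSource": event.get("eventSource", "<MISSING_EVENT_SOURCE>"),
        "awsRegion": event.get("awsRegion", "<MISSING_AWS_REGION>"),
        "recipientAccountId": event.get("recipientAccountId", "<MISSING_ACCOUNT_ID>"),
        "requestParameters": event.get("requestParameters", MISSING_REQUEST_PARAMETERS),
        "sourceIPAddress": event.get("sourceIPAddress", "<MISSING_SOURCE_IP>"),
        "userAgent": event.get("userAgent", "<MISSING_USER_AGENT>"),
        "userIdentity": event.get("userIdentity", "<MISSING_USER_IDENTITY>"),
    }


def legacy_rule_context(event: dict) -> dict:
    """Hypothetical stand-in for the helper before the change: same fields
    minus requestParameters."""
    ctx = aws_rule_context(event)
    ctx.pop("requestParameters")
    return ctx


def alert_context_workaround(event: dict) -> dict:
    """The clone-the-rule workaround: merge requestParameters onto the old
    helper's output. {**a, **b} is the same as a | b on Python 3.9+."""
    return {
        **legacy_rule_context(event),
        "requestParameters": event.get("requestParameters", MISSING_REQUEST_PARAMETERS),
    }


def missing_fields(context: dict) -> list:
    """Names of context keys that fell back to a <MISSING_...> placeholder,
    useful when checking what an alert destination will actually receive."""
    return sorted(
        key for key, value in context.items()
        if isinstance(value, str) and value.startswith("<MISSING_")
    )


# Constructed sample events (not real CloudTrail records).
SAMPLE_EVENT = {
    "eventName": "CreateUser",
    "eventSource": "iam.amazonaws.com",
    "awsRegion": "us-east-1",
    "recipientAccountId": "123456789012",
    "requestParameters": {"userName": "svc-backup", "path": "/"},
    "sourceIPAddress": "198.51.100.10",
    "userAgent": "aws-cli/2.15.0",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
}

# Same event with requestParameters and userAgent absent, to show the fallbacks.
EVENT_WITHOUT_PARAMS = {
    k: v for k, v in SAMPLE_EVENT.items() if k not in ("requestParameters", "userAgent")
}


if __name__ == "__main__":
    print(aws_rule_context(SAMPLE_EVENT)["requestParameters"])
    print(missing_fields(aws_rule_context(EVENT_WITHOUT_PARAMS)))
```

The workaround's output is identical to the proposed helper's output for the same event, which is the point of the issue: the cloned rule exists only to add that one key.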

pbnj-dragon added a commit to pbnj-dragon/panther-analysis that referenced this issue Oct 22, 2024
@pbnj-dragon pbnj-dragon linked a pull request Oct 22, 2024 that will close this issue
@arielkr256 arielkr256 added the enhancement New feature or request label Oct 29, 2024