Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Rule: Standard Sign-In from Rogue State #1332

Draft
wants to merge 7 commits into
base: develop
Choose a base branch
from
Draft

New Rule: Standard Sign-In from Rogue State #1332

wants to merge 7 commits into from

Conversation

ben-githubs
Copy link
Contributor

Background

Some customers have requested the option to detect when a sign-in is detected from a list of "rogue nations". The list should be configurable according to each customer's needs. To ensure the detection is most effective, we use the Panther UDM to apply the logic to multiple log sources.

Changes

  • added new rule Standard.SignInFromRogueState
  • added new helper panther_country_helpers which allows users to get contextual information on different countries
  • updated the Standard.OneLogin.Events datamodel

Testing

  • make lint, make test
  • added unit tests for various different log types

@ben-githubs
initial commit
fc57409
@ben-githubs
add: panther_country_helpers
3ed786f 
Added a new helper (panther_country_helpers) to contain code
relating to getting contextual information from country codes. Moved
the existing functions out out panther_base_helpers and expanded on
them. Also refactored the rogue state sign-in rule to use the new
helper.
@ben-githubs
edit: fix onelogin datamodel
5d35591 
OneLogin data model was checking the event type as an integer, but our
schema actually casts the event type as a string, so the data model never
mapped correctly. I've fixed this. Since I'm unsure if there's any likelihood of
the event type being an integer instead of a string, I've opted to manually cast
it to a string when comparing
@ben-githubs
edit: added a bunch of unit tests to Standard.SignInFromRogueState
129fa29
@ben-githubs
chore: made linter happy
cfd1a25
@ben-githubs ben-githubs requested a review from a team as a code owner August 20, 2024 15:11
@github-actions GitHub Actions
Copy link

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@ben-githubs
Copy link
Contributor Author

@arielkr256 there were 2 log sources associated with this rule that I was unable to write tests for: Atlassian and Zendesk. I couldn't find test login events to use. Should I remove those log types from the rule if we can't test them?

@arielkr256
Copy link
Contributor

Let's use an existing python module like pycountry instead of implementing our own.

@arielkr256 arielkr256 added the enhancement New feature or request label Sep 4, 2024
@ben-githubs
Copy link
Contributor Author

I've added pycountry to the pipenv file and adjusted the detection to use it. We're blocked until I can get pycountry added to the backend python runtime, so I'm gonna convert this to a draft for now to prevent it getting merged accidentally.

@ben-githubs ben-githubs marked this pull request as draft September 4, 2024 21:22
@arielkr256 arielkr256 added rules Real-time log data detections and removed enhancement New feature or request labels Sep 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
rules Real-time log data detections
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ben-githubs @arielkr256