Prepare for v3.62.0 #1338

Merged
merged 49 commits into from
Aug 27, 2024
944da69
add: new user created, password changed
ben-githubs Jul 22, 2024
4cae76b
add: Crowdstrike.UserDeleted
ben-githubs Jul 22, 2024
5caa1be
add: Crowdstrike.EphemeralUserAccount
ben-githubs Jul 22, 2024
f5b63ff
abstract "turn audit keys to dictionary" away from "alert context"
ben-githubs Jul 22, 2024
5f930be
add: Crowdstrike.AdminRoleAssigned
ben-githubs Jul 22, 2024
d4381b7
chore: formatting updates to python code
ben-githubs Jul 24, 2024
6b6cb06
add: Crowdstrike.SingleIpAllowlisted
ben-githubs Jul 26, 2024
349a077
add: Crowdstrike.AllowlistRemoved
ben-githubs Jul 26, 2024
b3a70a6
edit: Crowdstrike.SingleIpAllowlisted detects updated allow lists as …
ben-githubs Jul 26, 2024
a9498ba
Improve github webhook modified rule
geoffg-sentry Aug 9, 2024
7bcec48
remove deprecated iocs and helper references
arielkr256 Aug 9, 2024
c06b89f
remove deprecated ioc rules
arielkr256 Aug 13, 2024
9f207a6
remove failing tests
arielkr256 Aug 13, 2024
a12ba46
lint
arielkr256 Aug 13, 2024
b2eb2af
edit: update Crowdstrike.UserPasswordChange with dynamic severity
ben-githubs Aug 13, 2024
0d0d4db
edit: minor fixes and suggestions raised by Ariel
ben-githubs Aug 13, 2024
dc3d432
add: Crowdstrike.IpAllowlistChanged
ben-githubs Aug 13, 2024
a66a12f
fix: minor changes to str_to_list and Crowdstrike.IpAllowlistChanged
ben-githubs Aug 14, 2024
4299b50
Merge pull request #1325 from panther-labs/remove-deprecated
arielkr256 Aug 14, 2024
901901f
add: Crowdstrike.NewAdminUserCreated
ben-githubs Aug 15, 2024
a060b68
chore: make yaml formatting consistent
ben-githubs Aug 15, 2024
594556e
Info Alerts are Signals, Nonrouted
arielkr256 Aug 15, 2024
e3cb9a2
Merge pull request #1328 from panther-labs/info-alerts-are-signals-no…
arielkr256 Aug 16, 2024
fcb3433
edit: update pack manifest
ben-githubs Aug 16, 2024
896e4ac
fix: misspelled rule id in pack manifest
ben-githubs Aug 16, 2024
d1f1ce3
Merge branch 'release' into ben/new/cs_eventstreams_audit_rules
arielkr256 Aug 16, 2024
98c4c4a
Merge pull request #1307 from panther-labs/ben/new/cs_eventstreams_au…
arielkr256 Aug 16, 2024
790b4e5
Okta rate limit tuning (#1329)
arielkr256 Aug 19, 2024
1e0fbf5
traffic mirroring tuning (#1330)
arielkr256 Aug 19, 2024
3e6592f
better deduplication of alerts (#1331)
arielkr256 Aug 19, 2024
14aec5e
add dynamic severity to AWS.CloudTrail.SnapshotMadePublic
ben-githubs Aug 21, 2024
155d4c2
initial commit
ben-githubs Aug 21, 2024
64703f6
Missing MITRE ATT&CK tactics (#1322)
arielkr256 Aug 21, 2024
3ee6ad2
tuning Wiz Alert Passthrough rule (#1326)
arielkr256 Aug 21, 2024
38cf297
Merge branch 'release' into improve-github-webhook-modified-rule
arielkr256 Aug 22, 2024
14932ca
Merge pull request #1324 from geoffg-sentry/improve-github-webhook-mo…
arielkr256 Aug 22, 2024
704b750
Merge branch 'release' into THREAT-325-Tweak-AWS.CloudTrail.SnapshotM…
arielkr256 Aug 22, 2024
77f83ed
Merge pull request #1333 from panther-labs/THREAT-325-Tweak-AWS.Cloud…
arielkr256 Aug 22, 2024
254fa34
fixed unit tests that were failing in pypanther
ben-githubs Aug 22, 2024
04187a0
Merge pull request #1335 from panther-labs/THREAT-378/fix-failing-pyp…
arielkr256 Aug 22, 2024
4ba7f33
Convert to Signals
arielkr256 Aug 26, 2024
4532e1b
Merge pull request #1336 from panther-labs/signals-for-noisy-alerts
arielkr256 Aug 26, 2024
9d38712
update slack passthrough anomaly rules
arielkr256 Aug 27, 2024
51efb76
Merge branch 'release' into THREAT-371/slack-anomaly-detection-tuning
arielkr256 Aug 27, 2024
d5a2b43
Merge pull request #1334 from panther-labs/THREAT-371/slack-anomaly-d…
arielkr256 Aug 27, 2024
2ba9384
PAT update v0.52.1
arielkr256 Aug 27, 2024
8341a04
Merge branch 'release' into pat-version-bump
le4ker Aug 27, 2024
7833588
Merge pull request #1337 from panther-labs/pat-version-bump
arielkr256 Aug 27, 2024
a4aed26
Merge branch 'main' into release
arielkr256 Aug 27, 2024
add: Crowdstrike.SingleIpAllowlisted
ben-githubs committed Jul 26, 2024
commit 6b6cb0627b0a196fc138d42c046ec2075ded4fe3
@@ -0,0 +1,58 @@
from crowdstrike_event_streams_helpers import audit_keys_dict, cs_alert_context


def get_single_ips(event) -> list[str]:
"""Searches the "cidrs" field of the event audit keys, and returns any cidr entries which
are actually just single IP addresses."""
single_ips = []
audit_keys = audit_keys_dict(event)
cidrs = str_to_list(audit_keys["cidrs"])
for entry in cidrs:
if "/" not in entry:
single_ips.append(entry)
elif entry.endswith("/32"):
# A 32-bit CIDR range is the same as a single IP address
single_ips.append(entry[:-3])
return single_ips


def str_to_list(liststr: str) -> list[str]:
"""Several crowdstrike values are returned as a list like "[x,y,z]". This function convetrs
such entries to Python list of strings, like: ["x", "y", "z"]."""
return [x.strip() for x in liststr[1:-1].split(",")]


def rule(event):
# Only alert if an allow list is created
if event.deep_get("event", "OperationName") != "CreateAllowlistGroup":
return False

# Only alert if there's a single IP address allowed by the allowlist
single_ips = get_single_ips(event)

# Return true if there were any single IPs
return len(single_ips) > 0


def title(event):
# Title format: {actor} granted {contexts_str} access to {a, X} single ip{s}
single_ips = get_single_ips(event)
actor = event.deep_get("event", "UserId")

# contexts_str: one of API, UI, or API & UI
# Also a more general case: API, UI, and XX (for if they add extra contexts in the future)
contexts = str_to_list(audit_keys_dict(event)["contexts"])
if len(contexts) == 1:
contexts_str = contexts[0]
else:
contexts_str = ", ".join(contexts[:-1]) + " & " + contexts[-1]

num_ips_str = "a single ip" if len(contexts) == 1 else f"{len(single_ips)} single ips"

return f"{actor} granted {contexts_str} access to {num_ips_str}"


def alert_context(event):
context = cs_alert_context(event)
context.update({"single_ips": get_single_ips(event)})
return context
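Review bot: `title()` chooses the IP-count wording from the wrong list: `num_ips_str = "a single ip" if len(contexts) == 1 else f"{len(single_ips)} single ips"` tests `len(contexts)`, so an allowlist with several single IPs and one context (`[API]`) is titled "a single ip"; it should test `len(single_ips)`. Two edge cases in the same hunk also need handling: `str_to_list("[]")` returns `[""]` (splitting an empty body on "," yields one empty string), so `get_single_ips` treats an empty `cidrs` value as one single IP and `rule()` returns True for a group with no entries; return `[]` when the stripped body is empty before splitting. And `audit_keys["cidrs"]` raises KeyError if a `CreateAllowlistGroup` event lacks that key; `audit_keys.get("cidrs", "[]")` keeps the rule from erroring out. `entry.endswith("/32")` only recognises IPv4 host entries; `ipaddress.ip_network(entry).num_addresses == 1` would also catch a `/128` if IPv6 entries ever appear. Docstring typo in `str_to_list`: "convetrs".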
@@ -0,0 +1,180 @@
AnalysisType: rule
Filename: crowdstrike_single_ip_allowlisted.py
RuleID: "Crowdstrike.SingleIpAllowlisted"
DisplayName: "Crowdstrike Single IP Allowlisted"
Reports:
MITRE ATT&CK:
- T1556.009 # Modify Authentication Process: Conditional Access Policies
Enabled: true
LogTypes:
- Crowdstrike.EventStreams
Description: A single IP (instead of a CIDR range) was allowlisted. This could indicate a bad actor permitting access from another machine.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: Validate this action was authorized, and determine the client to which the IP belongs to.
Severity: Medium
Tests:
- Name: A Single IP In Created Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1]"
},
{
"Key": "contexts",
"ValueString": "[API]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Multiple Single IPs In Created Allowlist
ExpectedResult: true
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1, 2.2.2.2, 3.3.3.3/32]"
},
{
"Key": "contexts",
"ValueString": "[API, UI, OTHER]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Only CIDR Ranges In Created Allowlist
ExpectedResult: false
Log:
{
"event": {
"AuditKeyValues": [
{
"Key": "allowlist_group_id",
"ValueString": "24821376-7e77-431e-9469-74846978fe64"
},
{
"Key": "group_name",
"ValueString": "example_group"
},
{
"Key": "description",
"ValueString": ""
},
{
"Key": "cidrs",
"ValueString": "[1.1.1.1/12, 2.2.2.2/8, 3.3.3.3/4]"
},
{
"Key": "contexts",
"ValueString": "[API, UI, OTHER]"
},
{
"Key": "active",
"ValueString": "false"
}
],
"OperationName": "CreateAllowlistGroup",
"ServiceName": "Crowdstrike Allowlist Management",
"Success": true,
"UTCTimestamp": "2024-07-26 16:13:13.000000000",
"UserId": "wormtongue@isengard.org",
"UserIp": "1.2.3.4"
},
"metadata": {
"customerIDString": "fake_cust_id",
"eventCreationTime": "2024-07-26 16:13:13.579000000",
"eventType": "AuthActivityAuditEvent",
"offset": 365164,
"version": "1.0"
}
}
- Name: Unrelated Event
ExpectedResult: false
Log:
{
"metadata": {
"customerIDString": "fake_customer_id",
"offset": 341329,
"eventType": "AuthActivityAuditEvent",
"eventCreationTime": "2024-07-22 15:50:16.923000000",
"version": "1.0"
},
"event": {
"UserId": "sharkey@hobbiton.co",
"UserIp": "192.0.2.100",
"OperationName": "deleteUser",
"ServiceName": "CrowdStrike Authentication",
"Success": true,
"UTCTimestamp": "2024-07-22 15:50:16.923000000",
"AuditKeyValues": [
{
"Key": "target_name",
"ValueString": "frodo.baggins@hobbiton.co"
}
]
}
}
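Review bot: the tests never exercise two inputs the rule will actually receive: a `CreateAllowlistGroup` event with `"Success": false` (every test here has `"Success": true`, and `rule()` in the companion file does not check the field, so a rejected creation still alerts) and an empty `"cidrs"` value of `"[]"`. A negative test for each would pin down the intended behaviour. All three allowlist tests carry `"active": "false"`; if an inactive group is not meant to alert, that is a third case the tests should state rather than leave implicit. Minor: the Runbook doubles its preposition ("the client to which the IP belongs to"); drop the trailing "to".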