From ed14f87717aedafa5af2c139792617c7f9f0c6ac Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Tue, 17 Sep 2024 17:12:37 +0300
Subject: [PATCH 1/7] THREAT-387 Sublime Security Rules
---
global_helpers/panther_sublime_helpers.py | 17 ++
global_helpers/panther_sublime_helpers.yml | 5 +
.../sublime_mailboxes_deactivated.py | 10 ++
.../sublime_mailboxes_deactivated.yml | 160 ++++++++++++++++++
...e_message_source_deleted_or_deactivated.py | 15 ++
..._message_source_deleted_or_deactivated.yml | 160 ++++++++++++++++++
.../sublime_rules_deleted_or_deactivated.py | 15 ++
.../sublime_rules_deleted_or_deactivated.yml | 160 ++++++++++++++++++
8 files changed, 542 insertions(+)
create mode 100644 global_helpers/panther_sublime_helpers.py
create mode 100644 global_helpers/panther_sublime_helpers.yml
create mode 100644 rules/sublime_rules/sublime_mailboxes_deactivated.py
create mode 100644 rules/sublime_rules/sublime_mailboxes_deactivated.yml
create mode 100644 rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py
create mode 100644 rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
create mode 100644 rules/sublime_rules/sublime_rules_deleted_or_deactivated.py
create mode 100644 rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
diff --git a/global_helpers/panther_sublime_helpers.py b/global_helpers/panther_sublime_helpers.py
new file mode 100644
index 000000000..e513005b2
--- /dev/null
+++ b/global_helpers/panther_sublime_helpers.py
@@ -0,0 +1,17 @@
+def sublime_alert_context(event) -> dict:
+ context = {}
+ context["key"] = event.get("key", "")
+ context["events_types"] = event.deep_walk("events", "type", default=[""])
+ context["users_emails"] = event.deep_walk(
+ "events", "created_by", "email_address", default=[""]
+ )
+ context["users_roles"] = event.deep_walk(
+ "events", "created_by", "role", default=[""]
+ )
+ context["request_ips"] = event.deep_walk(
+ "events", "data", "request", "ip", default=[""]
+ )
+ context["request_paths"] = event.deep_walk(
+ "events", "data", "request", "path", default=[""]
+ )
+ return context
diff --git a/global_helpers/panther_sublime_helpers.yml b/global_helpers/panther_sublime_helpers.yml
new file mode 100644
index 000000000..e95880cc2
--- /dev/null
+++ b/global_helpers/panther_sublime_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_sublime_helpers.py
+GlobalID: "panther_sublime_helpers"
+Description: >
+ Global helpers for Sublime detections
diff --git a/rules/sublime_rules/sublime_mailboxes_deactivated.py b/rules/sublime_rules/sublime_mailboxes_deactivated.py
new file mode 100644
index 000000000..ac0ba5275
--- /dev/null
+++ b/rules/sublime_rules/sublime_mailboxes_deactivated.py
@@ -0,0 +1,10 @@
+from panther_sublime_helpers import sublime_alert_context
+
+
+def rule(event):
+ all_events = event.deep_walk("events", "type")
+ return "message_source.deactivate_mailboxes" in all_events
+
+
+def alert_context(event):
+ return sublime_alert_context(event)
diff --git a/rules/sublime_rules/sublime_mailboxes_deactivated.yml b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
new file mode 100644
index 000000000..d6b7047ef
--- /dev/null
+++ b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
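Review bot: `rule()` in sublime_mailboxes_deactivated.py calls `event.deep_walk("events", "type")` without a default, so a batch that lacks an `events` key yields `None` and the `in` test on the next line raises `TypeError` rather than returning False; `event.deep_walk("events", "type", default=[])` keeps the rule total. As I understand `deep_walk`, a single match also comes back as a bare string rather than a list, which silently turns `in` into a substring test; a one-event fixture in the yml would pin down which behavior the rule actually sees. The same pattern is repeated in the `sublime_message_source_deleted_or_deactivated.py` and `sublime_rules_deleted_or_deactivated.py` hunks of this patch.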
@@ -0,0 +1,160 @@ +AnalysisType: rule +Description: A Sublime User disabled some mailbox(es). +DisplayName: "Sublime Mailbox Deactivated" +Enabled: true +Filename: sublime_mailboxes_deactivated.py +Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the mailboxes if it's in the best security interest for your organization's security posture. +Reference: https://docs.sublime.security/docs/add-message-source +Severity: Medium +DedupPeriodMinutes: 60 +AlertTitle: Sublime message mailbox(es) were deactivated +LogTypes: + - Custom.Sublime.AuditLogs +RuleID: "Sublime.Mailbox.Deactivated" +Threshold: 1 +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +Tests: + - ExpectedResult: false + Name: Other Events + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate" + }, + { + "created_at": "2024-09-09 19:29:00.885628000", + "created_by": { + "active": true, + "created_at": "2024-08-28 
22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "", + "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", + "ip": "1.2.3.4", + "method": "DELETE", + "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "1f9d8783-6f22-4d82-bea7-77656719b341", + "type": "rules.delete" + }, + ], + "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", + "start": "2024-09-09 19:25:31.467216000" + } + - ExpectedResult: true + Name: Mailbox Deactivated + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": 
"084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate_mailboxes" + }, + { + "created_at": "2024-09-09 19:29:00.885628000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "", + "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce", + "type": "rules.activate", + }, + ], + "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", + "start": "2024-09-09 19:25:31.467216000" + } diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py new file mode 100644 index 000000000..ac70c8bdc --- /dev/null +++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py @@ -0,0 +1,15 @@ +from panther_sublime_helpers import sublime_alert_context + +SUSPICIOUS_EVENTS = [ + "message_source.deactivate", + "message_source.delete", +] + + +def rule(event): + all_events = event.deep_walk("events", "type") + return any(event in all_events for event in SUSPICIOUS_EVENTS) + + +def alert_context(event): + return sublime_alert_context(event) diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml new file mode 100644 index 000000000..a5de9d793 
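Review bot: The generator in `rule()` reuses the name `event` for its loop variable, shadowing the `event` parameter inside the expression and reading as if the log event itself were being tested for membership; `any(kind in all_events for kind in SUSPICIOUS_EVENTS)` says what is meant. If `deep_walk` returns a bare string when the batch holds exactly one event, `"message_source.deactivate" in "message_source.deactivate_mailboxes"` is a substring match and would fire on a mailbox deactivation that the `Other Events` fixture says must not alert, so a single-event negative fixture is worth adding. The `sublime_rules_deleted_or_deactivated.py` hunk below has the same shadowing and the same exposure.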
--- /dev/null
+++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
@@ -0,0 +1,160 @@ +AnalysisType: rule +Description: A Sublime User disabled or deleted some message source(s). +DisplayName: "Sublime Message Source Deleted Or Deactivated" +Enabled: true +Filename: sublime_message_source_deleted_or_deactivated.py +Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the message source(s) if it's in the best security interest for your organization's security posture. +Reference: https://docs.sublime.security/docs/message-types +Severity: Medium +DedupPeriodMinutes: 60 +AlertTitle: Sublime message source(s) were deleted or deactivated +LogTypes: + - Custom.Sublime.AuditLogs +RuleID: "Sublime.Message.Source.Deleted.Or.Deactivated" +Threshold: 1 +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +Tests: + - ExpectedResult: true + Name: Message Source Deactivated + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate" + }, + { + "created_at": 
"2024-09-09 19:29:00.885628000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "", + "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", + "ip": "1.2.3.4", + "method": "DELETE", + "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "1f9d8783-6f22-4d82-bea7-77656719b341", + "type": "rules.delete" + }, + ], + "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", + "start": "2024-09-09 19:25:31.467216000" + } + - ExpectedResult: false + Name: Other Events + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
+ }
+ },
+ "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
+ "type": "message_source.deactivate_mailboxes"
+ },
+ {
+ "created_at": "2024-09-09 19:29:00.885628000",
+ "created_by": {
+ "active": true,
+ "created_at": "2024-08-28 22:05:15.715644000",
+ "email_address": "john.doe@sublime.security",
+ "first_name": "John",
+ "google_oauth_user_id": "",
+ "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
+ "is_enrolled": true,
+ "last_name": "Doe",
+ "microsoft_oauth_user_id": "",
+ "role": "admin",
+ "updated_at": "2024-08-28 22:05:15.715644000"
+ },
+ "data": {
+ "request": {
+ "authentication_method": "user_session",
+ "body": "",
+ "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8",
+ "ip": "1.2.3.4",
+ "method": "POST",
+ "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate",
+ "query": { },
+ "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
+ }
+ },
+ "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce",
+ "type": "rules.activate",
+ },
+ ],
+ "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
+ "start": "2024-09-09 19:25:31.467216000"
+ }
diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py
new file mode 100644
index 000000000..08a810569
--- /dev/null
+++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py
@@ -0,0 +1,15 @@
+from panther_sublime_helpers import sublime_alert_context
+
+SUSPICIOUS_EVENTS = [
+ "rules.delete",
+ "rules.deactivate",
+]
+
+
+def rule(event):
+ all_events = event.deep_walk("events", "type")
+ return any(event in all_events for event in SUSPICIOUS_EVENTS)
+
+
+def alert_context(event):
+ return sublime_alert_context(event)
diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
new file mode 100644
index 000000000..9b242ec3e
--- /dev/null
+++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml
@@ -0,0 +1,160 @@ +AnalysisType: rule +Description: A Sublime User disabled or deleted some rule(s). +DisplayName: "Sublime Rules Deleted Or Deactivated" +Enabled: true +Filename: sublime_rules_deleted_or_deactivated.py +Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the rules if it's in the best security interest for your organization's security posture. +Reference: https://docs.sublime.security/docs/rules-overview +Severity: Medium +DedupPeriodMinutes: 60 +AlertTitle: Sublime rules were deleted or deactivated +LogTypes: + - Custom.Sublime.AuditLogs +RuleID: "Sublime.Rules.Deleted.Or.Deactivated" +Threshold: 1 +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +Tests: + - ExpectedResult: true + Name: Rule Deleted + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate_mailboxes" + }, + { + "created_at": "2024-09-09 19:29:00.885628000", + "created_by": { + 
"active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "", + "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", + "ip": "1.2.3.4", + "method": "DELETE", + "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "1f9d8783-6f22-4d82-bea7-77656719b341", + "type": "rules.delete" + }, + ], + "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", + "start": "2024-09-09 19:25:31.467216000" + } + - ExpectedResult: false + Name: Other Events + Log: + { + "count": 2, + "end": "2024-09-09 19:35:31.467216000", + "events": [ + { + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" 
+ }
+ },
+ "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
+ "type": "message_source.deactivate_mailboxes"
+ },
+ {
+ "created_at": "2024-09-09 19:29:00.885628000",
+ "created_by": {
+ "active": true,
+ "created_at": "2024-08-28 22:05:15.715644000",
+ "email_address": "john.doe@sublime.security",
+ "first_name": "John",
+ "google_oauth_user_id": "",
+ "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
+ "is_enrolled": true,
+ "last_name": "Doe",
+ "microsoft_oauth_user_id": "",
+ "role": "admin",
+ "updated_at": "2024-08-28 22:05:15.715644000"
+ },
+ "data": {
+ "request": {
+ "authentication_method": "user_session",
+ "body": "",
+ "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8",
+ "ip": "1.2.3.4",
+ "method": "POST",
+ "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate",
+ "query": { },
+ "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
+ }
+ },
+ "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce",
+ "type": "rules.activate",
+ },
+ ],
+ "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
+ "start": "2024-09-09 19:25:31.467216000"
+ }
From 5e99825e9c7bb5884351591e0fcdc6e1472d2271 Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Tue, 17 Sep 2024 17:22:17 +0300
Subject: [PATCH 2/7] THREAT-387 Sublime Security Rules - added pack
---
packs/sublime.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 packs/sublime.yml
diff --git a/packs/sublime.yml b/packs/sublime.yml
new file mode 100644
index 000000000..6612070a9
--- /dev/null
+++ b/packs/sublime.yml
@@ -0,0 +1,15 @@
+AnalysisType: pack
+PackID: PantherManaged.Sublime
+Description: Group of all Sublime detections
+PackDefinition:
+ IDs:
+ - Sublime.Mailbox.Deactivated
+ - Sublime.Message.Source.Deleted.Or.Deactivated
+ - Sublime.Rules.Deleted.Or.Deactivated
+ # Globals used in these detections
+ - panther_base_helpers
+ - panther_sublime_helpers
+ - panther_config
+ - panther_config_defaults
+ - panther_config_overrides
+DisplayName: "Panther Sublime Pack"
From 42a86c3f45b2d09de9894fda85e732e4c85b647f Mon Sep 17 00:00:00 2001
From: Nicholas Hakmiller
Date: Tue, 24 Sep 2024 12:00:53 -0700
Subject: [PATCH 3/7] use updated format & pat
---
Pipfile | 2 +-
global_helpers/panther_sublime_helpers.py | 19 +-
.../sublime_mailboxes_deactivated.py | 3 +-
.../sublime_mailboxes_deactivated.yml | 186 +++++------------
...e_message_source_deleted_or_deactivated.py | 3 +-
..._message_source_deleted_or_deactivated.yml | 188 ++++++------------
.../sublime_rules_deleted_or_deactivated.py | 3 +-
.../sublime_rules_deleted_or_deactivated.yml | 188 ++++++------------
8 files changed, 180 insertions(+), 412 deletions(-)
diff --git a/Pipfile b/Pipfile
index ad90510e5..655b3271c 100644
--- a/Pipfile
+++ b/Pipfile
@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.52.2"
+panther-analysis-tool = "~=0.52.3"
 panther-detection-helpers = "==0.4.0"
 [requires]
diff --git a/global_helpers/panther_sublime_helpers.py b/global_helpers/panther_sublime_helpers.py
index e513005b2..e68368ae2 100644
--- a/global_helpers/panther_sublime_helpers.py
+++ b/global_helpers/panther_sublime_helpers.py
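Review bot: The `# Globals used in these detections` comment is not borne out by the rules in this series, which import only `panther_sublime_helpers` (and that helper itself imports nothing), so `panther_base_helpers`, `panther_config`, `panther_config_defaults` and `panther_config_overrides` look unused here as far as the visible files show. If bundling those four is the repo's convention for every pack, the comment should say so, e.g. `# Standard globals bundled with every pack`; otherwise trim the list so the pack declares only what its detections actually load.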
@@ -1,17 +1,16 @@
 def sublime_alert_context(event) -> dict:
 context = {}
- context["key"] = event.get("key", "")
- context["events_types"] = event.deep_walk("events", "type", default=[""])
- context["users_emails"] = event.deep_walk(
- "events", "created_by", "email_address", default=[""]
+ context["events_type"] = event.get("type", default="")
+ context["users_emails"] = event.deep_get(
+ "created_by", "email_address", default=""
 )
- context["users_roles"] = event.deep_walk(
- "events", "created_by", "role", default=[""]
+ context["users_role"] = event.deep_get(
+ "created_by", "role", default=""
 )
- context["request_ips"] = event.deep_walk(
- "events", "data", "request", "ip", default=[""]
+ context["request_ip"] = event.deep_get(
+ "data", "request", "ip", default=""
 )
- context["request_paths"] = event.deep_walk(
- "events", "data", "request", "path", default=[""]
+ context["request_path"] = event.deep_get(
+ "data", "request", "path", default=""
 )
 return context
diff --git a/rules/sublime_rules/sublime_mailboxes_deactivated.py b/rules/sublime_rules/sublime_mailboxes_deactivated.py
index ac0ba5275..be043e1ba 100644
--- a/rules/sublime_rules/sublime_mailboxes_deactivated.py
+++ b/rules/sublime_rules/sublime_mailboxes_deactivated.py
@@ -2,8 +2,7 @@
 def rule(event):
- all_events = event.deep_walk("events", "type")
- return "message_source.deactivate_mailboxes" in all_events
+ return event.get("type") == "message_source.deactivate_mailboxes"
 def alert_context(event):
diff --git a/rules/sublime_rules/sublime_mailboxes_deactivated.yml b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
index d6b7047ef..fb797d549 100644
--- a/rules/sublime_rules/sublime_mailboxes_deactivated.yml
+++ b/rules/sublime_rules/sublime_mailboxes_deactivated.yml
@@ -9,7 +9,7 @@ Severity: Medium
 DedupPeriodMinutes: 60
 AlertTitle: Sublime message mailbox(es) were deactivated
 LogTypes:
- - Custom.Sublime.AuditLogs
+ - Sublime.Audit
 RuleID: "Sublime.Mailbox.Deactivated"
 Threshold: 1
 Reports:
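Review bot: The context keys keep their old multi-event names — `events_type`, `users_emails`, `users_role` — while each now holds one scalar from a single event, sitting next to the already-singular `request_ip` and `request_path`; `event_type`, `user_email` and `user_role` would match. Nothing has shipped yet (the helper is new in this series), so renaming now avoids breaking anyone who later maps alert-context fields downstream. For triage it would also help to carry `data.request.authentication_method` (the fixtures show `user_session`), so a token-driven change can be told apart from an interactive one: `context["authentication_method"] = event.deep_get("data", "request", "authentication_method", default="")`.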
@@ -20,141 +20,65 @@ Tests: Name: Other Events Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate" - }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", - "ip": "1.2.3.4", - "method": "DELETE", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": 
"1f9d8783-6f22-4d82-bea7-77656719b341", - "type": "rules.delete" - }, - ], - "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", - "start": "2024-09-09 19:25:31.467216000" - } + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate" + } - ExpectedResult: true Name: Mailbox Deactivated Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": 
"/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" } }, "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", "type": "message_source.deactivate_mailboxes" - }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
- }
- },
- "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce",
- "type": "rules.activate",
- },
- ],
- "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
- "start": "2024-09-09 19:25:31.467216000"
- }
+ }
diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py
index ac70c8bdc..bb6869b2f 100644
--- a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py
+++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py
@@ -7,8 +7,7 @@
 def rule(event):
- all_events = event.deep_walk("events", "type")
- return any(event in all_events for event in SUSPICIOUS_EVENTS)
+ return event.get('type') in SUSPICIOUS_EVENTS
 def alert_context(event):
diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
index a5de9d793..15855307a 100644
--- a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
+++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
@@ -9,7 +9,7 @@ Severity: Medium
 DedupPeriodMinutes: 60
 AlertTitle: Sublime message source(s) were deleted or deactivated
 LogTypes:
- - Custom.Sublime.AuditLogs
+ - Sublime.Audit
 RuleID: "Sublime.Message.Source.Deleted.Or.Deactivated"
 Threshold: 1
 Reports:
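Review bot: The rewritten `Mailbox Deactivated` fixture keeps `"type": "message_source.deactivate_mailboxes"` but its request path is now `/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate`, identical to the negative `Other Events` fixture, whereas the removed version had `/mailboxes/deactivate`; this looks like a copy of the negative log with only `type` edited. The rule keys on `type` alone so the test still passes, but the fixture no longer documents a real event shape and would hide a regression if the rule ever started checking the path. Restoring `"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate"` in the positive fixture keeps it honest.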
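Review bot: `event.get('type')` uses single quotes while the rest of this series, including the mailboxes rule in the same patch, uses double quotes (`event.get("type")`); a formatter pass will flip it, so better to commit it as `return event.get("type") in SUSPICIOUS_EVENTS`. `SUSPICIOUS_EVENTS` is defined above the hunk, so I have not checked whether it should become a set or tuple now that it is only used for membership.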
@@ -20,141 +20,65 @@ Tests: Name: Message Source Deactivated Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate" - }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", - "ip": "1.2.3.4", - "method": "DELETE", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": 
"1f9d8783-6f22-4d82-bea7-77656719b341", - "type": "rules.delete" - }, - ], - "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", - "start": "2024-09-09 19:25:31.467216000" - } + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate" + } - ExpectedResult: false Name: Other Events Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": 
"/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate_mailboxes" + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" } }, - "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce", - "type": "rules.activate", - }, - ], - "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", - "start": "2024-09-09 19:25:31.467216000" - } + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "rule.deactivate" + } diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py index 08a810569..0cf13a394 100644 --- a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py +++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py @@ -7,8 +7,7 @@ def rule(event): - all_events = event.deep_walk("events", "type") - return any(event in all_events for event in SUSPICIOUS_EVENTS) + return event.get('type') in SUSPICIOUS_EVENTS def alert_context(event): diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml index 9b242ec3e..48bcdd7d4 100644 --- a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml +++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml @@ -9,7 +9,7 @@ Severity: Medium DedupPeriodMinutes: 60 AlertTitle: Sublime rules were deleted or deactivated LogTypes: - - Custom.Sublime.AuditLogs + - Sublime.Audit RuleID: "Sublime.Rules.Deleted.Or.Deactivated" Threshold: 1 Reports: 
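Review bot: The `Other Events` negative fixture at the end of this hunk is the positive fixture with only `type` edited to `rule.deactivate`: the request still POSTs to `/v1/message-sources/febb5bf4-…/deactivate` with a `mailbox_ids` body and reuses event id `084732e5-…`, so it does not show what a non-matching audit record actually looks like. The sibling rules detection in this series uses a `rules.` prefix (`rules.delete`, `rules.activate`), so `rule.deactivate` may not be a real Sublime event type at all; the test passes either way, which is why it proves little. Consider using the `rules.activate` record this hunk removed as the negative case (`"method": "POST"`, `"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate"`, `"body": ""`), and if `SUSPICIOUS_EVENTS` (defined in the .py, outside this hunk) also lists a delete type, add a positive fixture for it.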
@@ -20,141 +20,65 @@ Tests: Name: Rule Deleted Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate_mailboxes" - }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36", - "ip": "1.2.3.4", - "method": "DELETE", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": 
"1f9d8783-6f22-4d82-bea7-77656719b341", - "type": "rules.delete" - }, - ], - "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", - "start": "2024-09-09 19:25:31.467216000" - } + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" + }, + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + } + }, + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "rules.delete" + } - ExpectedResult: false Name: Other Events Log: { - "count": 2, - "end": "2024-09-09 19:35:31.467216000", - "events": [ - { - "created_at": "2024-09-09 19:33:34.237078000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", - "id": "73444211-31af-42d8-99b4-34a139cf7d4a", - "ip": "1.2.3.4", - "method": "POST", - "path": 
"/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" - } - }, - "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", - "type": "message_source.deactivate_mailboxes" + "created_at": "2024-09-09 19:33:34.237078000", + "created_by": { + "active": true, + "created_at": "2024-08-28 22:05:15.715644000", + "email_address": "john.doe@sublime.security", + "first_name": "John", + "google_oauth_user_id": "", + "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", + "is_enrolled": true, + "last_name": "Doe", + "microsoft_oauth_user_id": "", + "role": "admin", + "updated_at": "2024-08-28 22:05:15.715644000" }, - { - "created_at": "2024-09-09 19:29:00.885628000", - "created_by": { - "active": true, - "created_at": "2024-08-28 22:05:15.715644000", - "email_address": "john.doe@sublime.security", - "first_name": "John", - "google_oauth_user_id": "", - "id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316", - "is_enrolled": true, - "last_name": "Doe", - "microsoft_oauth_user_id": "", - "role": "admin", - "updated_at": "2024-08-28 22:05:15.715644000" - }, - "data": { - "request": { - "authentication_method": "user_session", - "body": "", - "id": "3bdc635a-7630-4687-9972-2db9fe87e2c8", - "ip": "1.2.3.4", - "method": "POST", - "path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate", - "query": { }, - "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" + "data": { + "request": { + "authentication_method": "user_session", + "body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}", + "id": "73444211-31af-42d8-99b4-34a139cf7d4a", + "ip": "1.2.3.4", + "method": "POST", + "path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate", + "query": { }, + "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" } }, - "id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce", - "type": "rules.activate", - }, - ], - "key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json", - "start": "2024-09-09 19:25:31.467216000" - } + "id": "084732e5-7704-4bbe-ab5a-77f1aa65a737", + "type": "message_source.deactivate" + } From b0a627836e1f8cd0923c714920d6093b060778bb Mon Sep 17 00:00:00 2001 From: Nicholas Hakmiller Date: Tue, 24 Sep 2024 15:21:54 -0700 Subject: [PATCH 4/7] add pass through detection --- .../sublime_rules/sublime_message_flagged.py | 12 ++++ .../sublime_rules/sublime_message_flagged.yml | 69 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 rules/sublime_rules/sublime_message_flagged.py create mode 100644 rules/sublime_rules/sublime_message_flagged.yml diff --git a/rules/sublime_rules/sublime_message_flagged.py b/rules/sublime_rules/sublime_message_flagged.py new file mode 100644 index 000000000..b29da598d --- /dev/null +++ b/rules/sublime_rules/sublime_message_flagged.py @@ -0,0 +1,12 @@ +def rule(event): + return event.get("type") == "message.flagged" + + +def alert_context(event): + flagged_rules = event.deep_walk('data', 'flagged_rules', 'name', default=['']) + return { + 'flagged_rules': flagged_rules, + } + +def title(event): + return f'Sublime flagged email message that matched {len(event.deep_get("data", "flagged_rules", default=[]))} Sublime rules' diff --git a/rules/sublime_rules/sublime_message_flagged.yml b/rules/sublime_rules/sublime_message_flagged.yml new file mode 100644 index 000000000..a0fb9f6fc --- /dev/null +++ b/rules/sublime_rules/sublime_message_flagged.yml 
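Review bot: The `Rule Deleted` positive fixture in this hunk carries `"type": "rules.delete"` but its request data is the message-source deactivation record (`"method": "POST"`, path `/v1/message-sources/…/deactivate`, a `mailbox_ids` body), so the test only exercises the type match and not a realistic record; the helper in `panther_sublime_helpers.py` surfaces `request_path` in the alert context, and this fixture would show an analyst the wrong path for a deletion. Restore the request shape the old fixture had: `"method": "DELETE"`, `"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a"`, `"body": ""`. Both fixtures also share the same event `id` and request `id`; varying them costs nothing and keeps the two cases distinguishable in test output.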
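Review bot: `alert_context` in this new file returns only the flagged rule names, while the `message.flagged` payload (see the fixture in the accompanying .yml) carries the identifiers an analyst needs to pivot: `data.message.canonical_id`, `data.message.id`, `data.message.mailbox.id` and `data.message.message_source_id`. Add them next to `flagged_rules`, e.g. `"canonical_id": event.deep_get("data", "message", "canonical_id", default="")` and `"mailbox_id": event.deep_get("data", "message", "mailbox", "id", default="")`, so the alert is actionable without a trip back to the raw event. The two accessors also disagree on the empty case: `deep_walk(..., default=[""])` makes a missing `flagged_rules` look like one unnamed rule in the context, while `title()` falls back to `[]` and reports 0; pick one default. A one-line docstring on `rule()` naming the event type it matches (`"""Fire on every Sublime message.flagged event."""`) would round this out.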
@@ -0,0 +1,69 @@ +AnalysisType: rule +Description: Sublime flagged some messages as suspicious. +DisplayName: "Sublime Flagged an Email" +Enabled: true +Filename: sublime_message_flagged.py +# Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the mailboxes if it's in the best security interest for your organization's security posture. +# Reference: https://docs.sublime.security/docs/add-message-source +Severity: High +DedupPeriodMinutes: 60 +LogTypes: + - Sublime.MessageEvent +RuleID: "Sublime.Message.Flagged" +Threshold: 1 +Tests: + - ExpectedResult: true + Name: Message Flagged + Log: + { + "p_source_file": { + "aws_s3_bucket": "audit.log.export", + "aws_s3_key": "sublime_platform_message_events/2024/09/24/164544Z-FPXIFG.json" + }, + "p_any_sha256_hashes": [ + "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6" + ], + "p_event_time": "2024-09-24 16:45:43.302769000", + "p_log_type": "Sublime.MessageEvent", + "p_parse_time": "2024-09-24 16:51:47.687095351", + "p_row_id": "a23385494d57dfbbbdcbe4fa218101", + "p_schema_version": 0, + "p_source_id": "7e2a59aa-687e-430e-ae4a-81d3c0163f52", + "p_source_label": "Sublime Real Logs", + "p_udm": {}, + "created_at": "2024-09-24 16:45:43.302769000", + "data": { + "flagged_rules": [ + { + "id": "b0ab266f-8a12-4020-b165-e97bb1aacc42", + "name": "Credential phishing: Engaging language and other indicators (untrusted sender)" + }, + { + "id": "a014f82e-f2d7-4058-adb1-36fc086de0b8", + "name": "Attachment: HTML smuggling with unescape" + }, + { + "id": "e4866908-60fe-46f0-866e-84d412627006", + "name": "Headers: Zimbra mailer from a non-supported OS version" + }, + { + "id": "5a9dc2cd-39f5-4814-95df-aa7614cc8bdd", + "name": "Impersonation: Human Resources with link or attachment and engaging language" + }, + { + "id": "7988f1f5-5c95-42c2-9140-ead5a975918e", + "name": "Request for Quote or Purchase (RFQ|RFP) with HTML smuggling attachment" + } + ], + "message": { + 
"canonical_id": "fb8b46e3317ac7d5036c6b21517d363634293c6d4f6bf1b1e67548c80948a1c6", + "external_id": "b86b1e58-e9f8-4b55-8b54-1402f9f95e69", + "id": "019224ec-aba6-763d-bb2e-cd4cbd40a29f", + "mailbox": { + "id": "624c8394-4fe2-4ba0-bd2b-86d2e503c614" + }, + "message_source_id": "91956379-c2f3-4c50-a410-3ba89fb8bc74" + } + }, + "type": "message.flagged" + } From 6349595ddd4fa7df78515a9cc0a0e50e17fb826e Mon Sep 17 00:00:00 2001 From: Nicholas Hakmiller Date: Tue, 24 Sep 2024 15:25:13 -0700 Subject: [PATCH 5/7] linting --- global_helpers/panther_sublime_helpers.py | 12 +++--------- rules/sublime_rules/sublime_message_flagged.py | 8 +++++--- .../sublime_message_source_deleted_or_deactivated.py | 2 +- .../sublime_rules_deleted_or_deactivated.py | 2 +- 4 files changed, 10 insertions(+), 14 deletions(-) diff --git a/global_helpers/panther_sublime_helpers.py b/global_helpers/panther_sublime_helpers.py index e68368ae2..677b650f2 100644 --- a/global_helpers/panther_sublime_helpers.py +++ b/global_helpers/panther_sublime_helpers.py @@ -4,13 +4,7 @@ def sublime_alert_context(event) -> dict: context["users_emails"] = event.deep_get( "created_by", "email_address", default="" ) - context["users_role"] = event.deep_get( - "created_by", "role", default="" - ) - context["request_ip"] = event.deep_get( - "data", "request", "ip", default="" - ) - context["request_path"] = event.deep_get( - "data", "request", "path", default="" - ) + context["users_role"] = event.deep_get("created_by", "role", default="") + context["request_ip"] = event.deep_get("data", "request", "ip", default="") + context["request_path"] = event.deep_get("data", "request", "path", default="") return context diff --git a/rules/sublime_rules/sublime_message_flagged.py b/rules/sublime_rules/sublime_message_flagged.py index b29da598d..cf62a8f8d 100644 --- a/rules/sublime_rules/sublime_message_flagged.py +++ b/rules/sublime_rules/sublime_message_flagged.py 
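Review bot: The commented-out `# Runbook:` and `# Reference:` lines in this new file are copied from the mailbox-deactivation rule; they talk about re-enabling mailboxes and link to the add-message-source doc, neither of which applies to a `message.flagged` event. Replace them with guidance for this detection, e.g. `Runbook: Open the flagged message in Sublime (canonical_id, mailbox) and review the rules that matched; triage per your email-threat playbook`, and either uncomment them or drop them so stale text is not shipped. Separately, `Severity: High` with `Threshold: 1` raises a High alert for every `message.flagged` event regardless of which rules matched; if Sublime rules differ in confidence (the fixture mixes credential phishing with a mailer-header heuristic), consider a `severity()` function in the .py keyed on the matched rule names or count, or at least say in `Description` that this is a pass-through of Sublime's own verdict.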
@@ -3,10 +3,12 @@ def rule(event): def alert_context(event): - flagged_rules = event.deep_walk('data', 'flagged_rules', 'name', default=['']) + flagged_rules = event.deep_walk("data", "flagged_rules", "name", default=[""]) return { - 'flagged_rules': flagged_rules, + "flagged_rules": flagged_rules, } + def title(event): - return f'Sublime flagged email message that matched {len(event.deep_get("data", "flagged_rules", default=[]))} Sublime rules' + rule_count = len(event.deep_get("data", "flagged_rules", default=[])) + return f"Sublime flagged email message that matched {rule_count} Sublime rules" diff --git a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py index bb6869b2f..15f06b40b 100644 --- a/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py +++ b/rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py @@ -7,7 +7,7 @@ def rule(event): - return event.get('type') in SUSPICIOUS_EVENTS + return event.get("type") in SUSPICIOUS_EVENTS def alert_context(event): diff --git a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py index 0cf13a394..48b010c30 100644 --- a/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py +++ b/rules/sublime_rules/sublime_rules_deleted_or_deactivated.py @@ -7,7 +7,7 @@ def rule(event): - return event.get('type') in SUSPICIOUS_EVENTS + return event.get("type") in SUSPICIOUS_EVENTS def alert_context(event): From 5d1f4395aa3a2fc41dfb673a9805ef3df290b90d Mon Sep 17 00:00:00 2001 From: Nicholas Hakmiller Date: Tue, 24 Sep 2024 15:26:47 -0700 Subject: [PATCH 6/7] update pat --- Pipfile | 2 +- Pipfile.lock | 438 +++++++++++++++++++++++++-------------------------- 2 files changed, 220 insertions(+), 220 deletions(-) diff --git a/Pipfile b/Pipfile index 655b3271c..34665ad49 100644 --- a/Pipfile +++ b/Pipfile 
@@ -19,7 +19,7 @@ wrapt = "~=1.15" [packages] policyuniverse = "==1.5.1.20230817" requests = "==2.31.0" -panther-analysis-tool = "~=0.52.3" +panther-analysis-tool = "*" panther-detection-helpers = "==0.4.0" [requires] diff --git a/Pipfile.lock b/Pipfile.lock index ee193312b..85a118f8c 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "026afcb94cce204a0503a31f2038233be9ca4d5dd9a527ac293d76b8085df102" + "sha256": "6300da9adf6b59e41d31127ed5a07fab544215bca2c9002c79d9d48d6fe16b01" }, "pipfile-spec": 6, "requires": { 
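Review bot: Loosening `panther-analysis-tool` from `~=0.52.3` to `*` in `[packages]` removes the only upper bound on the tooling that tests and uploads these detections; `Pipfile.lock` still pins the resolved release, but the next `pipenv lock` or `pipenv update` will accept any version, including a future major with breaking CLI or schema changes or a compromised release that lands on PyPI. If the goal was to pick up a newer release for the `Sublime.*` log types, pin to the release the lock now resolves to with `~=`, or use a bounded range with an explicit upper limit, rather than `*`.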
@@ -26,100 +26,100 @@ }, "aiohttp": { "hashes": [ - "sha256:02594361128f780eecc2a29939d9dfc870e17b45178a867bf61a11b2a4367277", - "sha256:03f2645adbe17f274444953bdea69f8327e9d278d961d85657cb0d06864814c1", - "sha256:074d1bff0163e107e97bd48cad9f928fa5a3eb4b9d33366137ffce08a63e37fe", - "sha256:0912b8a8fadeb32ff67a3ed44249448c20148397c1ed905d5dac185b4ca547bb", - "sha256:0d277cfb304118079e7044aad0b76685d30ecb86f83a0711fc5fb257ffe832ca", - "sha256:0d93400c18596b7dc4794d48a63fb361b01a0d8eb39f28800dc900c8fbdaca91", - "sha256:123dd5b16b75b2962d0fff566effb7a065e33cd4538c1692fb31c3bda2bfb972", - "sha256:17e997105bd1a260850272bfb50e2a328e029c941c2708170d9d978d5a30ad9a", - "sha256:18a01eba2574fb9edd5f6e5fb25f66e6ce061da5dab5db75e13fe1558142e0a3", - "sha256:1923a5c44061bffd5eebeef58cecf68096e35003907d8201a4d0d6f6e387ccaa", - "sha256:1942244f00baaacaa8155eca94dbd9e8cc7017deb69b75ef67c78e89fdad3c77", - "sha256:1b2c16a919d936ca87a3c5f0e43af12a89a3ce7ccbce59a2d6784caba945b68b", - "sha256:1c19de68896747a2aa6257ae4cf6ef59d73917a36a35ee9d0a6f48cff0f94db8", - "sha256:1e72589da4c90337837fdfe2026ae1952c0f4a6e793adbbfbdd40efed7c63599", - "sha256:22c0a23a3b3138a6bf76fc553789cb1a703836da86b0f306b6f0dc1617398abc", - "sha256:2c634a3207a5445be65536d38c13791904fda0748b9eabf908d3fe86a52941cf", - "sha256:2d21ac12dc943c68135ff858c3a989f2194a709e6e10b4c8977d7fcd67dfd511", - "sha256:2f1f1c75c395991ce9c94d3e4aa96e5c59c8356a15b1c9231e783865e2772699", - "sha256:305be5ff2081fa1d283a76113b8df7a14c10d75602a38d9f012935df20731487", - "sha256:33e6bc4bab477c772a541f76cd91e11ccb6d2efa2b8d7d7883591dfb523e5987", - "sha256:349ef8a73a7c5665cca65c88ab24abe75447e28aa3bc4c93ea5093474dfdf0ff", - "sha256:380f926b51b92d02a34119d072f178d80bbda334d1a7e10fa22d467a66e494db", - "sha256:38172a70005252b6893088c0f5e8a47d173df7cc2b2bd88650957eb84fcf5022", - "sha256:391cc3a9c1527e424c6865e087897e766a917f15dddb360174a70467572ac6ce", - "sha256:3a1c32a19ee6bbde02f1cb189e13a71b321256cc1d431196a9f824050b160d5a", - 
"sha256:4120d7fefa1e2d8fb6f650b11489710091788de554e2b6f8347c7a20ceb003f5", - "sha256:424ae21498790e12eb759040bbb504e5e280cab64693d14775c54269fd1d2bb7", - "sha256:44b324a6b8376a23e6ba25d368726ee3bc281e6ab306db80b5819999c737d820", - "sha256:4790f0e15f00058f7599dab2b206d3049d7ac464dc2e5eae0e93fa18aee9e7bf", - "sha256:4aff049b5e629ef9b3e9e617fa6e2dfeda1bf87e01bcfecaf3949af9e210105e", - "sha256:4b38b1570242fbab8d86a84128fb5b5234a2f70c2e32f3070143a6d94bc854cf", - "sha256:4d46c7b4173415d8e583045fbc4daa48b40e31b19ce595b8d92cf639396c15d5", - "sha256:4f1c9866ccf48a6df2b06823e6ae80573529f2af3a0992ec4fe75b1a510df8a6", - "sha256:4f7acae3cf1a2a2361ec4c8e787eaaa86a94171d2417aae53c0cca6ca3118ff6", - "sha256:54d9ddea424cd19d3ff6128601a4a4d23d54a421f9b4c0fff740505813739a91", - "sha256:58718e181c56a3c02d25b09d4115eb02aafe1a732ce5714ab70326d9776457c3", - "sha256:5ede29d91a40ba22ac1b922ef510aab871652f6c88ef60b9dcdf773c6d32ad7a", - "sha256:61645818edd40cc6f455b851277a21bf420ce347baa0b86eaa41d51ef58ba23d", - "sha256:66bf9234e08fe561dccd62083bf67400bdbf1c67ba9efdc3dac03650e97c6088", - "sha256:673f988370f5954df96cc31fd99c7312a3af0a97f09e407399f61583f30da9bc", - "sha256:676f94c5480d8eefd97c0c7e3953315e4d8c2b71f3b49539beb2aa676c58272f", - "sha256:6c225286f2b13bab5987425558baa5cbdb2bc925b2998038fa028245ef421e75", - "sha256:7384d0b87d4635ec38db9263e6a3f1eb609e2e06087f0aa7f63b76833737b471", - "sha256:7e2fe37ac654032db1f3499fe56e77190282534810e2a8e833141a021faaab0e", - "sha256:7f2bfc0032a00405d4af2ba27f3c429e851d04fad1e5ceee4080a1c570476697", - "sha256:7f6b639c36734eaa80a6c152a238242bedcee9b953f23bb887e9102976343092", - "sha256:814375093edae5f1cb31e3407997cf3eacefb9010f96df10d64829362ae2df69", - "sha256:8224f98be68a84b19f48e0bdc14224b5a71339aff3a27df69989fa47d01296f3", - "sha256:898715cf566ec2869d5cb4d5fb4be408964704c46c96b4be267442d265390f32", - "sha256:8989f46f3d7ef79585e98fa991e6ded55d2f48ae56d2c9fa5e491a6e4effb589", - "sha256:8ba01ebc6175e1e6b7275c907a3a36be48a2d487549b656aa90c8a910d9f3178", 
- "sha256:8c5c6fa16412b35999320f5c9690c0f554392dc222c04e559217e0f9ae244b92", - "sha256:8c6a4e5e40156d72a40241a25cc226051c0a8d816610097a8e8f517aeacd59a2", - "sha256:8eaf44ccbc4e35762683078b72bf293f476561d8b68ec8a64f98cf32811c323e", - "sha256:8fb4fc029e135859f533025bc82047334e24b0d489e75513144f25408ecaf058", - "sha256:9093a81e18c45227eebe4c16124ebf3e0d893830c6aca7cc310bfca8fe59d857", - "sha256:94c4381ffba9cc508b37d2e536b418d5ea9cfdc2848b9a7fea6aebad4ec6aac1", - "sha256:94fac7c6e77ccb1ca91e9eb4cb0ac0270b9fb9b289738654120ba8cebb1189c6", - "sha256:95c4dc6f61d610bc0ee1edc6f29d993f10febfe5b76bb470b486d90bbece6b22", - "sha256:975218eee0e6d24eb336d0328c768ebc5d617609affaca5dbbd6dd1984f16ed0", - "sha256:ad146dae5977c4dd435eb31373b3fe9b0b1bf26858c6fc452bf6af394067e10b", - "sha256:afe16a84498441d05e9189a15900640a2d2b5e76cf4efe8cbb088ab4f112ee57", - "sha256:b1c43eb1ab7cbf411b8e387dc169acb31f0ca0d8c09ba63f9eac67829585b44f", - "sha256:b90078989ef3fc45cf9221d3859acd1108af7560c52397ff4ace8ad7052a132e", - "sha256:b98e698dc34966e5976e10bbca6d26d6724e6bdea853c7c10162a3235aba6e16", - "sha256:ba5a8b74c2a8af7d862399cdedce1533642fa727def0b8c3e3e02fcb52dca1b1", - "sha256:c31ad0c0c507894e3eaa843415841995bf8de4d6b2d24c6e33099f4bc9fc0d4f", - "sha256:c3b9162bab7e42f21243effc822652dc5bb5e8ff42a4eb62fe7782bcbcdfacf6", - "sha256:c58c6837a2c2a7cf3133983e64173aec11f9c2cd8e87ec2fdc16ce727bcf1a04", - "sha256:c83f7a107abb89a227d6c454c613e7606c12a42b9a4ca9c5d7dad25d47c776ae", - "sha256:cde98f323d6bf161041e7627a5fd763f9fd829bcfcd089804a5fdce7bb6e1b7d", - "sha256:ce91db90dbf37bb6fa0997f26574107e1b9d5ff939315247b7e615baa8ec313b", - "sha256:d00f3c5e0d764a5c9aa5a62d99728c56d455310bcc288a79cab10157b3af426f", - "sha256:d17920f18e6ee090bdd3d0bfffd769d9f2cb4c8ffde3eb203777a3895c128862", - "sha256:d55f011da0a843c3d3df2c2cf4e537b8070a419f891c930245f05d329c4b0689", - "sha256:d742c36ed44f2798c8d3f4bc511f479b9ceef2b93f348671184139e7d708042c", - 
"sha256:d9a487ef090aea982d748b1b0d74fe7c3950b109df967630a20584f9a99c0683", - "sha256:d9ef084e3dc690ad50137cc05831c52b6ca428096e6deb3c43e95827f531d5ef", - "sha256:da452c2c322e9ce0cfef392e469a26d63d42860f829026a63374fde6b5c5876f", - "sha256:dc4826823121783dccc0871e3f405417ac116055bf184ac04c36f98b75aacd12", - "sha256:de7a5299827253023c55ea549444e058c0eb496931fa05d693b95140a947cb73", - "sha256:e04a1f2a65ad2f93aa20f9ff9f1b672bf912413e5547f60749fa2ef8a644e061", - "sha256:e1ca1ef5ba129718a8fc827b0867f6aa4e893c56eb00003b7367f8a733a9b072", - "sha256:ee40b40aa753d844162dcc80d0fe256b87cba48ca0054f64e68000453caead11", - "sha256:f071854b47d39591ce9a17981c46790acb30518e2f83dfca8db2dfa091178691", - "sha256:f29930bc2921cef955ba39a3ff87d2c4398a0394ae217f41cb02d5c26c8b1b77", - "sha256:f489a2c9e6455d87eabf907ac0b7d230a9786be43fbe884ad184ddf9e9c1e385", - "sha256:f5bf3ead3cb66ab990ee2561373b009db5bc0e857549b6c9ba84b20bc462e172", - "sha256:f6f18898ace4bcd2d41a122916475344a87f1dfdec626ecde9ee802a711bc569", - "sha256:f8112fb501b1e0567a1251a2fd0747baae60a4ab325a871e975b7bb67e59221f", - "sha256:fd31f176429cecbc1ba499d4aba31aaccfea488f418d60376b911269d3b883c5" + "sha256:02108326574ff60267b7b35b17ac5c0bbd0008ccb942ce4c48b657bb90f0b8aa", + "sha256:029a019627b37fa9eac5c75cc54a6bb722c4ebbf5a54d8c8c0fb4dd8facf2702", + "sha256:03fa40d1450ee5196e843315ddf74a51afc7e83d489dbfc380eecefea74158b1", + "sha256:0749c4d5a08a802dd66ecdf59b2df4d76b900004017468a7bb736c3b5a3dd902", + "sha256:0754690a3a26e819173a34093798c155bafb21c3c640bff13be1afa1e9d421f9", + "sha256:0a75d5c9fb4f06c41d029ae70ad943c3a844c40c0a769d12be4b99b04f473d3d", + "sha256:0b82c8ebed66ce182893e7c0b6b60ba2ace45b1df104feb52380edae266a4850", + "sha256:0be3115753baf8b4153e64f9aa7bf6c0c64af57979aa900c31f496301b374570", + "sha256:14477c4e52e2f17437b99893fd220ffe7d7ee41df5ebf931a92b8ca82e6fd094", + "sha256:164ecd32e65467d86843dbb121a6666c3deb23b460e3f8aefdcaacae79eb718a", + "sha256:1cb045ec5961f51af3e2c08cd6fe523f07cc6e345033adee711c49b7b91bb954", 
+ "sha256:1e52e59ed5f4cc3a3acfe2a610f8891f216f486de54d95d6600a2c9ba1581f4d", + "sha256:217791c6a399cc4f2e6577bb44344cba1f5714a2aebf6a0bea04cfa956658284", + "sha256:25d92f794f1332f656e3765841fc2b7ad5c26c3f3d01e8949eeb3495691cf9f4", + "sha256:2708baccdc62f4b1251e59c2aac725936a900081f079b88843dabcab0feeeb27", + "sha256:27cf19a38506e2e9f12fc17e55f118f04897b0a78537055d93a9de4bf3022e3d", + "sha256:289fa8a20018d0d5aa9e4b35d899bd51bcb80f0d5f365d9a23e30dac3b79159b", + "sha256:2cd5290ab66cfca2f90045db2cc6434c1f4f9fbf97c9f1c316e785033782e7d2", + "sha256:2dd56e3c43660ed3bea67fd4c5025f1ac1f9ecf6f0b991a6e5efe2e678c490c5", + "sha256:3427031064b0d5c95647e6369c4aa3c556402f324a3e18107cb09517abe5f962", + "sha256:3468b39f977a11271517c6925b226720e148311039a380cc9117b1e2258a721f", + "sha256:370e2d47575c53c817ee42a18acc34aad8da4dbdaac0a6c836d58878955f1477", + "sha256:3d2665c5df629eb2f981dab244c01bfa6cdc185f4ffa026639286c4d56fafb54", + "sha256:3e15e33bfc73fa97c228f72e05e8795e163a693fd5323549f49367c76a6e5883", + "sha256:3fb4216e3ec0dbc01db5ba802f02ed78ad8f07121be54eb9e918448cc3f61b7c", + "sha256:40271a2a375812967401c9ca8077de9368e09a43a964f4dce0ff603301ec9358", + "sha256:438c5863feb761f7ca3270d48c292c334814459f61cc12bab5ba5b702d7c9e56", + "sha256:4407a80bca3e694f2d2a523058e20e1f9f98a416619e04f6dc09dc910352ac8b", + "sha256:444d1704e2af6b30766debed9be8a795958029e552fe77551355badb1944012c", + "sha256:4611db8c907f90fe86be112efdc2398cd7b4c8eeded5a4f0314b70fdea8feab0", + "sha256:473961b3252f3b949bb84873d6e268fb6d8aa0ccc6eb7404fa58c76a326bb8e1", + "sha256:4752df44df48fd42b80f51d6a97553b482cda1274d9dc5df214a3a1aa5d8f018", + "sha256:47647c8af04a70e07a2462931b0eba63146a13affa697afb4ecbab9d03a480ce", + "sha256:482f74057ea13d387a7549d7a7ecb60e45146d15f3e58a2d93a0ad2d5a8457cd", + "sha256:4bef1480ee50f75abcfcb4b11c12de1005968ca9d0172aec4a5057ba9f2b644f", + "sha256:4fabdcdc781a36b8fd7b2ca9dea8172f29a99e11d00ca0f83ffeb50958da84a1", + 
"sha256:5582de171f0898139cf51dd9fcdc79b848e28d9abd68e837f0803fc9f30807b1", + "sha256:58c5d7318a136a3874c78717dd6de57519bc64f6363c5827c2b1cb775bea71dd", + "sha256:5db26bbca8e7968c4c977a0c640e0b9ce7224e1f4dcafa57870dc6ee28e27de6", + "sha256:614fc21e86adc28e4165a6391f851a6da6e9cbd7bb232d0df7718b453a89ee98", + "sha256:6419728b08fb6380c66a470d2319cafcec554c81780e2114b7e150329b9a9a7f", + "sha256:669c0efe7e99f6d94d63274c06344bd0e9c8daf184ce5602a29bc39e00a18720", + "sha256:66bc81361131763660b969132a22edce2c4d184978ba39614e8f8f95db5c95f8", + "sha256:671745ea7db19693ce867359d503772177f0b20fa8f6ee1e74e00449f4c4151d", + "sha256:682836fc672972cc3101cc9e30d49c5f7e8f1d010478d46119fe725a4545acfd", + "sha256:6a504d7cdb431a777d05a124fd0b21efb94498efa743103ea01b1e3136d2e4fb", + "sha256:6a86610174de8a85a920e956e2d4f9945e7da89f29a00e95ac62a4a414c4ef4e", + "sha256:6b50b367308ca8c12e0b50cba5773bc9abe64c428d3fd2bbf5cd25aab37c77bf", + "sha256:7475da7a5e2ccf1a1c86c8fee241e277f4874c96564d06f726d8df8e77683ef7", + "sha256:7641920bdcc7cd2d3ddfb8bb9133a6c9536b09dbd49490b79e125180b2d25b93", + "sha256:79a9f42efcc2681790595ab3d03c0e52d01edc23a0973ea09f0dc8d295e12b8e", + "sha256:7ea35d849cdd4a9268f910bff4497baebbc1aa3f2f625fd8ccd9ac99c860c621", + "sha256:8198b7c002aae2b40b2d16bfe724b9a90bcbc9b78b2566fc96131ef4e382574d", + "sha256:81b292f37969f9cc54f4643f0be7dacabf3612b3b4a65413661cf6c350226787", + "sha256:844d48ff9173d0b941abed8b2ea6a412f82b56d9ab1edb918c74000c15839362", + "sha256:8617c96a20dd57e7e9d398ff9d04f3d11c4d28b1767273a5b1a018ada5a654d3", + "sha256:8a637d387db6fdad95e293fab5433b775fd104ae6348d2388beaaa60d08b38c4", + "sha256:92351aa5363fc3c1f872ca763f86730ced32b01607f0c9662b1fa711087968d0", + "sha256:9843d683b8756971797be171ead21511d2215a2d6e3c899c6e3107fbbe826791", + "sha256:995ab1a238fd0d19dc65f2d222e5eb064e409665c6426a3e51d5101c1979ee84", + "sha256:9bd6b2033993d5ae80883bb29b83fb2b432270bbe067c2f53cc73bb57c46065f", + "sha256:9d26da22a793dfd424be1050712a70c0afd96345245c29aced1e35dbace03413", 
+ "sha256:a976ef488f26e224079deb3d424f29144c6d5ba4ded313198169a8af8f47fb82", + "sha256:a9f196c970db2dcde4f24317e06615363349dc357cf4d7a3b0716c20ac6d7bcd", + "sha256:b169f8e755e541b72e714b89a831b315bbe70db44e33fead28516c9e13d5f931", + "sha256:b504c08c45623bf5c7ca41be380156d925f00199b3970efd758aef4a77645feb", + "sha256:ba18573bb1de1063d222f41de64a0d3741223982dcea863b3f74646faf618ec7", + "sha256:ba3662d41abe2eab0eeec7ee56f33ef4e0b34858f38abf24377687f9e1fb00a5", + "sha256:bd294dcdc1afdc510bb51d35444003f14e327572877d016d576ac3b9a5888a27", + "sha256:bdbeff1b062751c2a2a55b171f7050fb7073633c699299d042e962aacdbe1a07", + "sha256:bf861da9a43d282d6dd9dcd64c23a0fccf2c5aa5cd7c32024513c8c79fb69de3", + "sha256:c82a94ddec996413a905f622f3da02c4359952aab8d817c01cf9915419525e95", + "sha256:c91781d969fbced1993537f45efe1213bd6fccb4b37bfae2a026e20d6fbed206", + "sha256:c9721cdd83a994225352ca84cd537760d41a9da3c0eacb3ff534747ab8fba6d0", + "sha256:cca776a440795db437d82c07455761c85bbcf3956221c3c23b8c93176c278ce7", + "sha256:cf8b8560aa965f87bf9c13bf9fed7025993a155ca0ce8422da74bf46d18c2f5f", + "sha256:d2578ef941be0c2ba58f6f421a703527d08427237ed45ecb091fed6f83305336", + "sha256:d2b3935a22c9e41a8000d90588bed96cf395ef572dbb409be44c6219c61d900d", + "sha256:d4dfa5ad4bce9ca30a76117fbaa1c1decf41ebb6c18a4e098df44298941566f9", + "sha256:d7f408c43f5e75ea1edc152fb375e8f46ef916f545fb66d4aebcbcfad05e2796", + "sha256:dc1a16f3fc1944c61290d33c88dc3f09ba62d159b284c38c5331868425aca426", + "sha256:e0009258e97502936d3bd5bf2ced15769629097d0abb81e6495fba1047824fe0", + "sha256:e05b39158f2af0e2438cc2075cfc271f4ace0c3cc4a81ec95b27a0432e161951", + "sha256:e1f80cd17d81a404b6e70ef22bfe1870bafc511728397634ad5f5efc8698df56", + "sha256:e2e7d5591ea868d5ec82b90bbeb366a198715672841d46281b623e23079593db", + "sha256:f3af26f86863fad12e25395805bb0babbd49d512806af91ec9708a272b696248", + "sha256:f52e54fd776ad0da1006708762213b079b154644db54bcfc62f06eaa5b896402", + 
"sha256:f8b8e49fe02f744d38352daca1dbef462c3874900bd8166516f6ea8e82b5aacf", + "sha256:fb138fbf9f53928e779650f5ed26d0ea1ed8b2cab67f0ea5d63afa09fdc07593", + "sha256:fe517113fe4d35d9072b826c3e147d63c5f808ca8167d450b4f96c520c8a1d8d", + "sha256:ff99ae06eef85c7a565854826114ced72765832ee16c7e3e766c5e4c5b98d20e" ], "markers": "python_version >= '3.8'", - "version": "==3.10.5" + "version": "==3.10.6" }, "aiosignal": { "hashes": [ @@ -131,11 +131,11 @@ }, "anyio": { "hashes": [ - "sha256:5aadc6a1bbb7cdb0bede386cac5e2940f5e2ff3aa20277e991cf028e0585ce94", - "sha256:c1b2d8f46a8a812513012e1107cb0e68c17159a7a594208005a57dc776e1bdc7" + "sha256:137b4559cbb034c477165047febb6ff83f390fc3b20bf181c1fc0a728cb8beeb", + "sha256:c7d2e9d63e31599eeb636c8c5c03a7e108d73b345f064f1c19fdc87b79036a9a" ], - "markers": "python_version >= '3.8'", - "version": "==4.4.0" + "markers": "python_version >= '3.9'", + "version": "==4.6.0" }, "appdirs": { "hashes": [ @@ -162,19 +162,19 @@ }, "boto3": { "hashes": [ - "sha256:47e89d95964f10beee21ee723c3290874fddf364269bd97d200e8bfa9bf93a06", - "sha256:aaddbeb8c37608492f2c8286d004101464833d4c6e49af44601502b8b18785ed" + "sha256:b04087afd3570ba540fd293823c77270ec675672af23da9396bd5988a3f8128b", + "sha256:c31db992655db233d98762612690cfe60723c9e1503b5709aad92c1c564877bb" ], "markers": "python_version >= '3.8'", - "version": "==1.35.20" + "version": "==1.35.26" }, "botocore": { "hashes": [ - "sha256:62412038f960691a299e60492f9ee7e8e75af563f2eca7f3640b3b54b8f5d236", - "sha256:82ad8a73fcd5852d127461c8dadbe40bf679f760a4efb0dde8d4d269ad3f126f" + "sha256:0b9dee5e4a3314e251e103585837506b17fcc7485c3c8adb61a9a913f46da1e7", + "sha256:19efc3a22c9df77960712b4e203f912486f8bcd3794bff0fd7b2a0f5f1d5712d" ], "markers": "python_version >= '3.8'", - "version": "==1.35.20" + "version": "==1.35.26" }, "certifi": { "hashes": [ 
@@ -306,11 +306,11 @@ }, "datadog": { "hashes": [ - "sha256:3a58e85f8da47c4a47893b42c759570ba0280cd212413d9b7246cb8fcb86f586", - "sha256:bac96fa0ef555cb10e828c05a7810a13db2bf3bfed34813fac45d3c9a2227b43" + "sha256:579d4db54bd6ef918c5250217edb15b80b7b11582b8e24fce43702768c3f2e2d", + "sha256:eb101abee34fe6c1121558fd5ea48f592eb661604abb7914c4f693d8ad25a515" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6'", - "version": "==0.50.0" + "version": "==0.50.1" }, "diff-cover": { "hashes": [ @@ -669,10 +669,10 @@ }, "panther-analysis-tool": { "hashes": [ - "sha256:f240d3ce5928603659ee84397627f3d79c6af58adb49de68362d22050c3d7942" + "sha256:cbad8ec7f772c8276d4ea5fb280260d1ecaf0f9057eda3d3d2f8fcf5df6b4952" ], "index": "pypi", - "version": "==0.52.2" + "version": "==0.53.0" }, "panther-core": { "hashes": [ @@ -1133,11 +1133,11 @@ }, "sqlfluff": { "hashes": [ - "sha256:c94429bb2af65064ea51920d288b892fc12a9a2442340042fd62676387072c46", - "sha256:d910bb62ff3352265b8e0053f68748cb74e1468fb07d8af9bf942ea968635e7d" + "sha256:65d91dac2b27a248fb3d388d3c3f91c0c704bfa77e6b10b72a599a684795fe76", + "sha256:f80832d4d280e8d7cb05afbd77634b3282b757d00bf513a428fcf4ed670634d8" ], "markers": "python_version >= '3.8'", - "version": "==3.1.1" + "version": "==3.2.0" }, "tblib": { "hashes": [ 
@@ -1173,101 +1173,101 @@ }, "yarl": { "hashes": [ - "sha256:01a8697ec24f17c349c4f655763c4db70eebc56a5f82995e5e26e837c6eb0e49", - "sha256:02da8759b47d964f9173c8675710720b468aa1c1693be0c9c64abb9d8d9a4867", - "sha256:04293941646647b3bfb1719d1d11ff1028e9c30199509a844da3c0f5919dc520", - "sha256:067b961853c8e62725ff2893226fef3d0da060656a9827f3f520fb1d19b2b68a", - "sha256:077da604852be488c9a05a524068cdae1e972b7dc02438161c32420fb4ec5e14", - "sha256:09696438cb43ea6f9492ef237761b043f9179f455f405279e609f2bc9100212a", - "sha256:0b8486f322d8f6a38539136a22c55f94d269addb24db5cb6f61adc61eabc9d93", - "sha256:0ea9682124fc062e3d931c6911934a678cb28453f957ddccf51f568c2f2b5e05", - "sha256:0f351fa31234699d6084ff98283cb1e852270fe9e250a3b3bf7804eb493bd937", - "sha256:14438dfc5015661f75f85bc5adad0743678eefee266ff0c9a8e32969d5d69f74", - "sha256:15061ce6584ece023457fb8b7a7a69ec40bf7114d781a8c4f5dcd68e28b5c53b", - "sha256:15439f3c5c72686b6c3ff235279630d08936ace67d0fe5c8d5bbc3ef06f5a420", - "sha256:17b5a386d0d36fb828e2fb3ef08c8829c1ebf977eef88e5367d1c8c94b454639", - "sha256:18ac56c9dd70941ecad42b5a906820824ca72ff84ad6fa18db33c2537ae2e089", - "sha256:1bb2d9e212fb7449b8fb73bc461b51eaa17cc8430b4a87d87be7b25052d92f53", - "sha256:1e969fa4c1e0b1a391f3fcbcb9ec31e84440253325b534519be0d28f4b6b533e", - "sha256:1fa2e7a406fbd45b61b4433e3aa254a2c3e14c4b3186f6e952d08a730807fa0c", - "sha256:2164cd9725092761fed26f299e3f276bb4b537ca58e6ff6b252eae9631b5c96e", - "sha256:21a7c12321436b066c11ec19c7e3cb9aec18884fe0d5b25d03d756a9e654edfe", - "sha256:238a21849dd7554cb4d25a14ffbfa0ef380bb7ba201f45b144a14454a72ffa5a", - "sha256:250e888fa62d73e721f3041e3a9abf427788a1934b426b45e1b92f62c1f68366", - "sha256:25861303e0be76b60fddc1250ec5986c42f0a5c0c50ff57cc30b1be199c00e63", - "sha256:267b24f891e74eccbdff42241c5fb4f974de2d6271dcc7d7e0c9ae1079a560d9", - "sha256:27fcb271a41b746bd0e2a92182df507e1c204759f460ff784ca614e12dd85145", - "sha256:2909fa3a7d249ef64eeb2faa04b7957e34fefb6ec9966506312349ed8a7e77bf", - 
"sha256:3257978c870728a52dcce8c2902bf01f6c53b65094b457bf87b2644ee6238ddc", - "sha256:327c724b01b8641a1bf1ab3b232fb638706e50f76c0b5bf16051ab65c868fac5", - "sha256:3de5292f9f0ee285e6bd168b2a77b2a00d74cbcfa420ed078456d3023d2f6dff", - "sha256:3fce4da3703ee6048ad4138fe74619c50874afe98b1ad87b2698ef95bf92c96d", - "sha256:3ff6b1617aa39279fe18a76c8d165469c48b159931d9b48239065767ee455b2b", - "sha256:400cd42185f92de559d29eeb529e71d80dfbd2f45c36844914a4a34297ca6f00", - "sha256:4179522dc0305c3fc9782549175c8e8849252fefeb077c92a73889ccbcd508ad", - "sha256:4307d9a3417eea87715c9736d050c83e8c1904e9b7aada6ce61b46361b733d92", - "sha256:476e20c433b356e16e9a141449f25161e6b69984fb4cdbd7cd4bd54c17844998", - "sha256:489fa8bde4f1244ad6c5f6d11bb33e09cf0d1d0367edb197619c3e3fc06f3d91", - "sha256:48a28bed68ab8fb7e380775f0029a079f08a17799cb3387a65d14ace16c12e2b", - "sha256:48dfd117ab93f0129084577a07287376cc69c08138694396f305636e229caa1a", - "sha256:4973eac1e2ff63cf187073cd4e1f1148dcd119314ab79b88e1b3fad74a18c9d5", - "sha256:498442e3af2a860a663baa14fbf23fb04b0dd758039c0e7c8f91cb9279799bff", - "sha256:501c503eed2bb306638ccb60c174f856cc3246c861829ff40eaa80e2f0330367", - "sha256:504cf0d4c5e4579a51261d6091267f9fd997ef58558c4ffa7a3e1460bd2336fa", - "sha256:61a5f2c14d0a1adfdd82258f756b23a550c13ba4c86c84106be4c111a3a4e413", - "sha256:637c7ddb585a62d4469f843dac221f23eec3cbad31693b23abbc2c366ad41ff4", - "sha256:66b63c504d2ca43bf7221a1f72fbe981ff56ecb39004c70a94485d13e37ebf45", - "sha256:67459cf8cf31da0e2cbdb4b040507e535d25cfbb1604ca76396a3a66b8ba37a6", - "sha256:688654f8507464745ab563b041d1fb7dab5d9912ca6b06e61d1c4708366832f5", - "sha256:6907daa4b9d7a688063ed098c472f96e8181733c525e03e866fb5db480a424df", - "sha256:69721b8effdb588cb055cc22f7c5105ca6fdaa5aeb3ea09021d517882c4a904c", - "sha256:6d23754b9939cbab02c63434776df1170e43b09c6a517585c7ce2b3d449b7318", - "sha256:7175a87ab8f7fbde37160a15e58e138ba3b2b0e05492d7351314a250d61b1591", - "sha256:72bf26f66456baa0584eff63e44545c9f0eaed9b73cb6601b647c91f14c11f38", 
- "sha256:74db2ef03b442276d25951749a803ddb6e270d02dda1d1c556f6ae595a0d76a8", - "sha256:750f656832d7d3cb0c76be137ee79405cc17e792f31e0a01eee390e383b2936e", - "sha256:75e0ae31fb5ccab6eda09ba1494e87eb226dcbd2372dae96b87800e1dcc98804", - "sha256:768ecc550096b028754ea28bf90fde071c379c62c43afa574edc6f33ee5daaec", - "sha256:7d51324a04fc4b0e097ff8a153e9276c2593106a811704025bbc1d6916f45ca6", - "sha256:7e975a2211952a8a083d1b9d9ba26472981ae338e720b419eb50535de3c02870", - "sha256:8215f6f21394d1f46e222abeb06316e77ef328d628f593502d8fc2a9117bde83", - "sha256:8258c86f47e080a258993eed877d579c71da7bda26af86ce6c2d2d072c11320d", - "sha256:8418c053aeb236b20b0ab8fa6bacfc2feaaf7d4683dd96528610989c99723d5f", - "sha256:87f020d010ba80a247c4abc335fc13421037800ca20b42af5ae40e5fd75e7909", - "sha256:884eab2ce97cbaf89f264372eae58388862c33c4f551c15680dd80f53c89a269", - "sha256:8a336eaa7ee7e87cdece3cedb395c9657d227bfceb6781295cf56abcd3386a26", - "sha256:8aef1b64da41d18026632d99a06b3fefe1d08e85dd81d849fa7c96301ed22f1b", - "sha256:8aef97ba1dd2138112890ef848e17d8526fe80b21f743b4ee65947ea184f07a2", - "sha256:8ed653638ef669e0efc6fe2acb792275cb419bf9cb5c5049399f3556995f23c7", - "sha256:9361628f28f48dcf8b2f528420d4d68102f593f9c2e592bfc842f5fb337e44fd", - "sha256:946eedc12895873891aaceb39bceb484b4977f70373e0122da483f6c38faaa68", - "sha256:94d0caaa912bfcdc702a4204cd5e2bb01eb917fc4f5ea2315aa23962549561b0", - "sha256:964a428132227edff96d6f3cf261573cb0f1a60c9a764ce28cda9525f18f7786", - "sha256:999bfee0a5b7385a0af5ffb606393509cfde70ecca4f01c36985be6d33e336da", - "sha256:a08ea567c16f140af8ddc7cb58e27e9138a1386e3e6e53982abaa6f2377b38cc", - "sha256:a28b70c9e2213de425d9cba5ab2e7f7a1c8ca23a99c4b5159bf77b9c31251447", - "sha256:a34e1e30f1774fa35d37202bbeae62423e9a79d78d0874e5556a593479fdf239", - "sha256:a4264515f9117be204935cd230fb2a052dd3792789cc94c101c535d349b3dab0", - "sha256:a7915ea49b0c113641dc4d9338efa9bd66b6a9a485ffe75b9907e8573ca94b84", - 
"sha256:aac44097d838dda26526cffb63bdd8737a2dbdf5f2c68efb72ad83aec6673c7e", - "sha256:b91044952da03b6f95fdba398d7993dd983b64d3c31c358a4c89e3c19b6f7aef", - "sha256:ba444bdd4caa2a94456ef67a2f383710928820dd0117aae6650a4d17029fa25e", - "sha256:c2dc4250fe94d8cd864d66018f8344d4af50e3758e9d725e94fecfa27588ff82", - "sha256:c35f493b867912f6fda721a59cc7c4766d382040bdf1ddaeeaa7fa4d072f4675", - "sha256:c92261eb2ad367629dc437536463dc934030c9e7caca861cc51990fe6c565f26", - "sha256:ce928c9c6409c79e10f39604a7e214b3cb69552952fbda8d836c052832e6a979", - "sha256:d95b52fbef190ca87d8c42f49e314eace4fc52070f3dfa5f87a6594b0c1c6e46", - "sha256:dae7bd0daeb33aa3e79e72877d3d51052e8b19c9025ecf0374f542ea8ec120e4", - "sha256:e286580b6511aac7c3268a78cdb861ec739d3e5a2a53b4809faef6b49778eaff", - "sha256:e4b53f73077e839b3f89c992223f15b1d2ab314bdbdf502afdc7bb18e95eae27", - "sha256:e8f63904df26d1a66aabc141bfd258bf738b9bc7bc6bdef22713b4f5ef789a4c", - "sha256:f3a6d90cab0bdf07df8f176eae3a07127daafcf7457b997b2bf46776da2c7eb7", - "sha256:f41fa79114a1d2eddb5eea7b912d6160508f57440bd302ce96eaa384914cd265", - "sha256:f46f81501160c28d0c0b7333b4f7be8983dbbc161983b6fb814024d1b4952f79", - "sha256:f61db3b7e870914dbd9434b560075e0366771eecbe6d2b5561f5bc7485f39efd" + "sha256:0103c52f8dfe5d573c856322149ddcd6d28f51b4d4a3ee5c4b3c1b0a05c3d034", + "sha256:01549468858b87d36f967c97d02e6e54106f444aeb947ed76f8f71f85ed07cec", + "sha256:0274b1b7a9c9c32b7bf250583e673ff99fb9fccb389215841e2652d9982de740", + "sha256:0ac33d22b2604b020569a82d5f8a03ba637ba42cc1adf31f616af70baf81710b", + "sha256:0d0a5e87bc48d76dfcfc16295201e9812d5f33d55b4a0b7cad1025b92bf8b91b", + "sha256:10b690cd78cbaca2f96a7462f303fdd2b596d3978b49892e4b05a7567c591572", + "sha256:126309c0f52a2219b3d1048aca00766429a1346596b186d51d9fa5d2070b7b13", + "sha256:15871130439ad10abb25a4631120d60391aa762b85fcab971411e556247210a0", + "sha256:17d4dc4ff47893a06737b8788ed2ba2f5ac4e8bb40281c8603920f7d011d5bdd", + "sha256:18c2a7757561f05439c243f517dbbb174cadfae3a72dee4ae7c693f5b336570f", 
+ "sha256:1d4017e78fb22bc797c089b746230ad78ecd3cdb215bc0bd61cb72b5867da57e", + "sha256:1f50a37aeeb5179d293465e522fd686080928c4d89e0ff215e1f963405ec4def", + "sha256:20d817c0893191b2ab0ba30b45b77761e8dfec30a029b7c7063055ca71157f84", + "sha256:22839d1d1eab9e4b427828a88a22beb86f67c14d8ff81175505f1cc8493f3500", + "sha256:22dda2799c8d39041d731e02bf7690f0ef34f1691d9ac9dfcb98dd1e94c8b058", + "sha256:2376d8cf506dffd0e5f2391025ae8675b09711016656590cb03b55894161fcfa", + "sha256:24197ba3114cc85ddd4091e19b2ddc62650f2e4a899e51b074dfd52d56cf8c72", + "sha256:24416bb5e221e29ddf8aac5b97e94e635ca2c5be44a1617ad6fe32556df44294", + "sha256:2631c9d7386bd2d4ce24ecc6ebf9ae90b3efd713d588d90504eaa77fec4dba01", + "sha256:28389a68981676bf74e2e199fe42f35d1aa27a9c98e3a03e6f58d2d3d054afe1", + "sha256:2aee7594d2c2221c717a8e394bbed4740029df4c0211ceb0f04815686e99c795", + "sha256:2e430ac432f969ef21770645743611c1618362309e3ad7cab45acd1ad1a540ff", + "sha256:2e912b282466444023610e4498e3795c10e7cfd641744524876239fcf01d538d", + "sha256:30ffc046ebddccb3c4cac72c1a3e1bc343492336f3ca86d24672e90ccc5e788a", + "sha256:319c206e83e46ec2421b25b300c8482b6fe8a018baca246be308c736d9dab267", + "sha256:326b8a079a9afcac0575971e56dabdf7abb2ea89a893e6949b77adfeb058b50e", + "sha256:36ee0115b9edca904153a66bb74a9ff1ce38caff015de94eadfb9ba8e6ecd317", + "sha256:3e26e64f42bce5ddf9002092b2c37b13071c2e6413d5c05f9fa9de58ed2f7749", + "sha256:4ea99e64b2ad2635e0f0597b63f5ea6c374791ff2fa81cdd4bad8ed9f047f56f", + "sha256:501a1576716032cc6d48c7c47bcdc42d682273415a8f2908e7e72cb4625801f3", + "sha256:54c8cee662b5f8c30ad7eedfc26123f845f007798e4ff1001d9528fe959fd23c", + "sha256:595bbcdbfc4a9c6989d7489dca8510cba053ff46b16c84ffd95ac8e90711d419", + "sha256:5b860055199aec8d6fe4dcee3c5196ce506ca198a50aab0059ffd26e8e815828", + "sha256:5c667b383529520b8dd6bd496fc318678320cb2a6062fdfe6d3618da6b8790f6", + "sha256:5fb475a4cdde582c9528bb412b98f899680492daaba318231e96f1a0a1bb0d53", + 
"sha256:607d12f0901f6419a8adceb139847c42c83864b85371f58270e42753f9780fa6", + "sha256:64c5b0f2b937fe40d0967516eee5504b23cb247b8b7ffeba7213a467d9646fdc", + "sha256:664380c7ed524a280b6a2d5d9126389c3e96cd6e88986cdb42ca72baa27421d6", + "sha256:6af871f70cfd5b528bd322c65793b5fd5659858cdfaa35fbe563fb99b667ed1f", + "sha256:6c89894cc6f6ddd993813e79244b36b215c14f65f9e4f1660b1f2ba9e5594b95", + "sha256:6dee0496d5f1a8f57f0f28a16f81a2033fc057a2cf9cd710742d11828f8c80e2", + "sha256:6e9a9f50892153bad5046c2a6df153224aa6f0573a5a8ab44fc54a1e886f6e21", + "sha256:712ba8722c0699daf186de089ddc4677651eb9875ed7447b2ad50697522cbdd9", + "sha256:717f185086bb9d817d4537dd18d5df5d657598cd00e6fc22e4d54d84de266c1d", + "sha256:71978ba778948760cff528235c951ea0ef7a4f9c84ac5a49975f8540f76c3f73", + "sha256:71af3766bb46738d12cc288d9b8de7ef6f79c31fd62757e2b8a505fe3680b27f", + "sha256:73a183042ae0918c82ce2df38c3db2409b0eeae88e3afdfc80fb67471a95b33b", + "sha256:7564525a4673fde53dee7d4c307a961c0951918f0b8c7f09b2c9e02067cf6504", + "sha256:76a59d1b63de859398bc7764c860a769499511463c1232155061fe0147f13e01", + "sha256:7e9905fc2dc1319e4c39837b906a024cf71b1261cc66b0cd89678f779c0c61f5", + "sha256:8112f640a4f7e7bf59f7cabf0d47a29b8977528c521d73a64d5cc9e99e48a174", + "sha256:835010cc17d0020e7931d39e487d72c8e01c98e669b6896a8b8c9aa8ca69a949", + "sha256:838dde2cb570cfbb4cab8a876a0974e8b90973ea40b3ac27a79b8a74c8a2db15", + "sha256:8d31dd0245d88cf7239e96e8f2a99f815b06e458a5854150f8e6f0e61618d41b", + "sha256:96b34830bd6825ca0220bf005ea99ac83eb9ce51301ddb882dcf613ae6cd95fb", + "sha256:96c8ff1e1dd680e38af0887927cab407a4e51d84a5f02ae3d6eb87233036c763", + "sha256:9a7ee79183f0b17dcede8b6723e7da2ded529cf159a878214be9a5d3098f5b1e", + "sha256:a3e2aff8b822ab0e0bdbed9f50494b3a35629c4b9488ae391659973a37a9f53f", + "sha256:a4f3ab9eb8ab2d585ece959c48d234f7b39ac0ca1954a34d8b8e58a52064bdb3", + "sha256:a8b54949267bd5704324397efe9fbb6aa306466dee067550964e994d309db5f1", + "sha256:a96198d5d26f40557d986c1253bfe0e02d18c9d9b93cf389daf1a3c9f7c755fa", 
+ "sha256:aebbd47df77190ada603157f0b3670d578c110c31746ecc5875c394fdcc59a99", + "sha256:af1107299cef049ad00a93df4809517be432283a0847bcae48343ebe5ea340dc", + "sha256:b63465b53baeaf2122a337d4ab57d6bbdd09fcadceb17a974cfa8a0300ad9c67", + "sha256:ba1c779b45a399cc25f511c681016626f69e51e45b9d350d7581998722825af9", + "sha256:bce00f3b1f7f644faae89677ca68645ed5365f1c7f874fdd5ebf730a69640d38", + "sha256:bfdf419bf5d3644f94cd7052954fc233522f5a1b371fc0b00219ebd9c14d5798", + "sha256:c1caa5763d1770216596e0a71b5567f27aac28c95992110212c108ec74589a48", + "sha256:c3e4e1f7b08d1ec6b685ccd3e2d762219c550164fbf524498532e39f9413436e", + "sha256:c85ab016e96a975afbdb9d49ca90f3bca9920ef27c64300843fe91c3d59d8d20", + "sha256:c924deab8105f86980983eced740433fb7554a7f66db73991affa4eda99d5402", + "sha256:d4f818f6371970d6a5d1e42878389bbfb69dcde631e4bbac5ec1cb11158565ca", + "sha256:d920401941cb898ef089422e889759dd403309eb370d0e54f1bdf6ca07fef603", + "sha256:da045bd1147d12bd43fb032296640a7cc17a7f2eaba67495988362e99db24fd2", + "sha256:dc3192a81ecd5ff954cecd690327badd5a84d00b877e1573f7c9097ce13e5bfb", + "sha256:ddae504cfb556fe220efae65e35be63cd11e3c314b202723fc2119ce19f0ca2e", + "sha256:de4544b1fb29cf14870c4e2b8a897c0242449f5dcebd3e0366aa0aa3cf58a23a", + "sha256:dea360778e0668a7ad25d7727d03364de8a45bfd5d808f81253516b9f2217765", + "sha256:e2254fe137c4a360b0a13173a56444f756252c9283ba4d267ca8e9081cd140ea", + "sha256:e64f0421892a207d3780903085c1b04efeb53b16803b23d947de5a7261b71355", + "sha256:e97a29b37830ba1262d8dfd48ddb5b28ad4d3ebecc5d93a9c7591d98641ec737", + "sha256:eacbcf30efaca7dc5cb264228ffecdb95fdb1e715b1ec937c0ce6b734161e0c8", + "sha256:eee5ff934b0c9f4537ff9596169d56cab1890918004791a7a06b879b3ba2a7ef", + "sha256:eff6bac402719c14e17efe845d6b98593c56c843aca6def72080fbede755fd1f", + "sha256:f10954b233d4df5cc3137ffa5ced97f8894152df817e5d149bf05a0ef2ab8134", + "sha256:f23bb1a7a6e8e8b612a164fdd08e683bcc16c76f928d6dbb7bdbee2374fbfee6", + 
"sha256:f494c01b28645c431239863cb17af8b8d15b93b0d697a0320d5dd34cd9d7c2fa", + "sha256:f6a071d2c3d39b4104f94fc08ab349e9b19b951ad4b8e3b6d7ea92d6ef7ccaf8", + "sha256:f736f54565f8dd7e3ab664fef2bc461d7593a389a7f28d4904af8d55a91bd55f", + "sha256:f8981a94a27ac520a398302afb74ae2c0be1c3d2d215c75c582186a006c9e7b0", + "sha256:fd24996e12e1ba7c397c44be75ca299da14cde34d74bc5508cce233676cc68d0", + "sha256:ff54340fc1129e8e181827e2234af3ff659b4f17d9bbe77f43bc19e6577fadec" ], "markers": "python_version >= '3.8'", - "version": "==1.11.1" + "version": "==1.12.1" } }, "develop": { @@ -1281,12 +1281,12 @@ }, "bandit": { "hashes": [ - "sha256:52077cb339000f337fb25f7e045995c4ad01511e716e5daac37014b9752de8ec", - "sha256:7c395a436743018f7be0a4cbb0a4ea9b902b6d87264ddecf8cfdc73b4f78ff61" + "sha256:59ed5caf5d92b6ada4bf65bc6437feea4a9da1093384445fed4d472acc6cff7b", + "sha256:665721d7bebbb4485a339c55161ac0eedde27d51e638000d91c8c2d68343ad02" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==1.7.9" + "version": "==1.7.10" }, "black": { "hashes": [ @@ -1319,19 +1319,19 @@ }, "boto3": { "hashes": [ - "sha256:47e89d95964f10beee21ee723c3290874fddf364269bd97d200e8bfa9bf93a06", - "sha256:aaddbeb8c37608492f2c8286d004101464833d4c6e49af44601502b8b18785ed" + "sha256:5df4e2cbe3409db07d3a0d8d63d5220ce3202a78206ad87afdbb41519b26ce45", + "sha256:b1cfad301184cdd44dfd4805187ccab12de8dd28dd12a11a5cfdace17918c6de" ], "markers": "python_version >= '3.8'", - "version": "==1.35.20" + "version": "==1.35.25" }, "botocore": { "hashes": [ - "sha256:62412038f960691a299e60492f9ee7e8e75af563f2eca7f3640b3b54b8f5d236", - "sha256:82ad8a73fcd5852d127461c8dadbe40bf679f760a4efb0dde8d4d269ad3f126f" + "sha256:76c5706b2c6533000603ae8683a297c887abbbaf6ee31e1b2e2863b74b2989bc", + "sha256:e58d60260abf10ccc4417967923117c9902a6a0cff9fddb6ea7ff42dc1bd4630" ], "markers": "python_version >= '3.8'", - "version": "==1.35.20" + "version": "==1.35.25" }, "certifi": { "hashes": [ 
@@ -1737,12 +1737,12 @@ }, "moto": { "hashes": [ - "sha256:0f849243269fd03372426c302b18cb605302da32620d7f0266be6a40735b2acd", - "sha256:c738ffe85d3844ef37b865951736c4faf2e0f3e4f05db87bdad97a6c01b88174" + "sha256:57aa8c2af417cc64a0ddfe63e5bcd1ada90f5079b73cdd1f74c4e9fb30a1a7e6", + "sha256:fa1e92ffb55dbfb9fa92a2115a88c32481b75aa3fbd24075d1f29af2f9becffa" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==5.0.14" + "version": "==5.0.15" }, "mypy": { "hashes": [ @@ -1812,11 +1812,11 @@ }, "platformdirs": { "hashes": [ - "sha256:50a5450e2e84f44539718293cbb1da0a0885c9d14adf21b77bae4e66fc99d9b5", - "sha256:d4e0b7d8ec176b341fb03cb11ca12d0276faa8c485f9cd218f613840463fc2c0" + "sha256:357fb2acbc885b0419afd3ce3ed34564c13c9b95c89360cd9563f73aa5e2b907", + "sha256:73e575e1408ab8103900836b97580d5307456908a03e92031bab39e4554cc3fb" ], "markers": "python_version >= '3.8'", - "version": "==4.3.3" + "version": "==4.3.6" }, "pycparser": { "hashes": [ From 7936f7d86f29a1da169c6c6c1768a3083d1a7ea1 Mon Sep 17 00:00:00 2001 From: Ariel Date: Wed, 25 Sep 2024 11:59:58 -0600 Subject: [PATCH 7/7] pack update --- Pipfile | 2 +- Pipfile.lock | 14 +++++++------- packs/sublime.yml | 7 ++----- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/Pipfile b/Pipfile index 34665ad49..29639e024 100644 --- a/Pipfile +++ b/Pipfile @@ -19,7 +19,7 @@ wrapt = "~=1.15" [packages] policyuniverse = "==1.5.1.20230817" requests = "==2.31.0" -panther-analysis-tool = "*" +panther-analysis-tool = "~=0.53.0" panther-detection-helpers = "==0.4.0" [requires] diff --git a/Pipfile.lock b/Pipfile.lock index 85a118f8c..584c7aae5 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "6300da9adf6b59e41d31127ed5a07fab544215bca2c9002c79d9d48d6fe16b01" + "sha256": "bc085450d7da8902b3d6fd6c7f755382e951e032c2689464e02c397bdccd6ae5" }, "pipfile-spec": 6, "requires": { 
@@ -1319,19 +1319,19 @@ }, "boto3": { "hashes": [ - "sha256:5df4e2cbe3409db07d3a0d8d63d5220ce3202a78206ad87afdbb41519b26ce45", - "sha256:b1cfad301184cdd44dfd4805187ccab12de8dd28dd12a11a5cfdace17918c6de" + "sha256:b04087afd3570ba540fd293823c77270ec675672af23da9396bd5988a3f8128b", + "sha256:c31db992655db233d98762612690cfe60723c9e1503b5709aad92c1c564877bb" ], "markers": "python_version >= '3.8'", - "version": "==1.35.25" + "version": "==1.35.26" }, "botocore": { "hashes": [ - "sha256:76c5706b2c6533000603ae8683a297c887abbbaf6ee31e1b2e2863b74b2989bc", - "sha256:e58d60260abf10ccc4417967923117c9902a6a0cff9fddb6ea7ff42dc1bd4630" + "sha256:0b9dee5e4a3314e251e103585837506b17fcc7485c3c8adb61a9a913f46da1e7", + "sha256:19efc3a22c9df77960712b4e203f912486f8bcd3794bff0fd7b2a0f5f1d5712d" ], "markers": "python_version >= '3.8'", - "version": "==1.35.25" + "version": "==1.35.26" }, "certifi": { "hashes": [ diff --git a/packs/sublime.yml b/packs/sublime.yml index 6612070a9..a53c3c42c 100644 --- a/packs/sublime.yml +++ b/packs/sublime.yml @@ -1,15 +1,12 @@ AnalysisType: pack PackID: PantherManaged.Sublime -Description: Group of all Sublime detections +Description: Group of all Sublime Security detections PackDefinition: IDs: - Sublime.Mailbox.Deactivated + - Sublime.Message.Flagged - Sublime.Message.Source.Deleted.Or.Deactivated - Sublime.Rules.Deleted.Or.Deactivated # Globals used in these detections - - panther_base_helpers - panther_sublime_helpers - - panther_config - - panther_config_defaults - - panther_config_overrides DisplayName: "Panther Sublime Pack"
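Review bot: Removing panther_base_helpers, panther_config, panther_config_defaults and panther_config_overrides from the Globals list of packs/sublime.yml is only safe if none of the four detections in IDs import them, and the code for the newly added Sublime.Message.Flagged is not in this diff, so its imports should be checked before merging. The helper and rule files visible earlier in this patch series import only panther_sublime_helpers, which is consistent with the trimmed list, but that does not cover the Flagged rule. If a listed rule does import one of the dropped globals, the failure would presumably only surface when the pack's rules are loaded rather than in this YAML change, so it is worth a quick grep of rules/sublime_rules/ for those four module names. A short note on the Globals comment would make the intent explicit for future additions: `# Globals used in these detections — keep in sync with the imports of every rule listed in IDs`.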