THREAT-387 Sublime Security Rules #1356

Merged
merged 8 commits into from
Sep 25, 2024
Merged
17 changes: 17 additions & 0 deletions global_helpers/panther_sublime_helpers.py
@@ -0,0 +1,17 @@
def sublime_alert_context(event) -> dict:
context = {}
context["key"] = event.get("key", "<KEY_NOT_FOUND>")
context["events_types"] = event.deep_walk("events", "type", default=["<TYPES_NOT_FOUND>"])
context["users_emails"] = event.deep_walk(
"events", "created_by", "email_address", default=["<EMAILS_NOT_FOUND>"]
)
context["users_roles"] = event.deep_walk(
"events", "created_by", "role", default=["<ROLES_NOT_FOUND>"]
)
context["request_ips"] = event.deep_walk(
"events", "data", "request", "ip", default=["<IPS_NOT_FOUND>"]
)
context["request_paths"] = event.deep_walk(
"events", "data", "request", "path", default=["<PATHS_NOT_FOUND>"]
)
return context
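Review bot: sublime_alert_context has no docstring, and the shape of what it returns (a batch key plus per-event lists walked out of `events`) is the contract every rule's alert_context relies on, so it should be stated: `"""Build the alert context shared by the Sublime rules: the batch `key` plus the event types, actor emails/roles and request IPs/paths collected from `events`."""`. For triage it would also help to surface two request fields the test logs on this PR already carry, `authentication_method` and `user_agent`, e.g. `context["auth_methods"] = event.deep_walk("events", "data", "request", "authentication_method", default=["<AUTH_METHODS_NOT_FOUND>"])`; an API-token change to a mailbox or rule reads very differently from a browser session. The `"<..._NOT_FOUND>"` defaults are wrapped in lists while `key`'s is a bare string, presumably because deep_walk returns a list over `events`; a one-line comment saying so would save the next reader checking.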
5 changes: 5 additions & 0 deletions global_helpers/panther_sublime_helpers.yml
@@ -0,0 +1,5 @@
AnalysisType: global
Filename: panther_sublime_helpers.py
GlobalID: "panther_sublime_helpers"
Description: >
Global helpers for Sublime detections
15 changes: 15 additions & 0 deletions packs/sublime.yml
@@ -0,0 +1,15 @@
AnalysisType: pack
PackID: PantherManaged.Sublime
Description: Group of all Sublime detections
PackDefinition:
IDs:
- Sublime.Mailbox.Deactivated
- Sublime.Message.Source.Deleted.Or.Deactivated
- Sublime.Rules.Deleted.Or.Deactivated
# Globals used in these detections
- panther_base_helpers
- panther_sublime_helpers
- panther_config
- panther_config_defaults
- panther_config_overrides
DisplayName: "Panther Sublime Pack"
10 changes: 10 additions & 0 deletions rules/sublime_rules/sublime_mailboxes_deactivated.py
@@ -0,0 +1,10 @@
from panther_sublime_helpers import sublime_alert_context


def rule(event):
all_events = event.deep_walk("events", "type")
return "message_source.deactivate_mailboxes" in all_events


def alert_context(event):
return sublime_alert_context(event)
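Review bot: rule() calls `event.deep_walk("events", "type")` with no `default`, so a batch that lacks `events` (or whose events carry no `type`) leaves all_events as None and the `in` test on the next line raises rather than returning False; `all_events = event.deep_walk("events", "type", default=[])` closes that. Depending on how deep_walk reports a single match (if it collapses one hit to a scalar rather than a one-element list, verify against panther_core), a single-event batch would also make `in` a substring test on a string; normalising with `if isinstance(all_events, str): all_events = [all_events]` keeps the membership check exact. The same missing default is in rules/sublime_rules/sublime_message_source_deleted_or_deactivated.py, where the substring case matters more because `message_source.deactivate` is a prefix of `message_source.deactivate_mailboxes`.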
160 changes: 160 additions & 0 deletions rules/sublime_rules/sublime_mailboxes_deactivated.yml
@@ -0,0 +1,160 @@
AnalysisType: rule
Description: A Sublime User disabled some mailbox(es).
DisplayName: "Sublime Mailbox Deactivated"
Enabled: true
Filename: sublime_mailboxes_deactivated.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the mailboxes if it's in the best security interest for your organization's security posture.
Reference: https://docs.sublime.security/docs/add-message-source
Severity: Medium
DedupPeriodMinutes: 60
AlertTitle: Sublime message mailbox(es) were deactivated
LogTypes:
- Custom.Sublime.AuditLogs
RuleID: "Sublime.Mailbox.Deactivated"
Threshold: 1
Reports:
MITRE ATT&CK:
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
Tests:
- ExpectedResult: false
Name: Other Events
Log:
{
"count": 2,
"end": "2024-09-09 19:35:31.467216000",
"events": [
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate"
},
{
"created_at": "2024-09-09 19:29:00.885628000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "",
"id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36",
"ip": "1.2.3.4",
"method": "DELETE",
"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "1f9d8783-6f22-4d82-bea7-77656719b341",
"type": "rules.delete"
},
],
"key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
"start": "2024-09-09 19:25:31.467216000"
}
- ExpectedResult: true
Name: Mailbox Deactivated
Log:
{
"count": 2,
"end": "2024-09-09 19:35:31.467216000",
"events": [
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate_mailboxes"
},
{
"created_at": "2024-09-09 19:29:00.885628000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "",
"id": "3bdc635a-7630-4687-9972-2db9fe87e2c8",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce",
"type": "rules.activate",
},
],
"key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
"start": "2024-09-09 19:25:31.467216000"
}
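Review bot: Both tests bundle two events, so neither exercises the edge cases that decide whether rule() is safe: a batch containing a single event, and a batch with no `events` list at all. Add a test with ExpectedResult true whose Log holds exactly one event of type `message_source.deactivate_mailboxes`, and one with ExpectedResult false whose Log has `"events": []`, so the single-match shape of deep_walk and the missing-key path are both pinned by CI rather than assumed. The same gap applies to the Tests block of rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml, where a single-event batch of type `message_source.deactivate_mailboxes` should be asserted false to guard against a prefix match on `message_source.deactivate`.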
@@ -0,0 +1,15 @@
from panther_sublime_helpers import sublime_alert_context

SUSPICIOUS_EVENTS = [
"message_source.deactivate",
"message_source.delete",
]


def rule(event):
all_events = event.deep_walk("events", "type")
return any(event in all_events for event in SUSPICIOUS_EVENTS)


def alert_context(event):
return sublime_alert_context(event)
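Review bot: The generator in rule() reuses `event` as its loop variable, shadowing the `event` parameter inside the expression; it still runs, but a reader has to stop to check which `event` is which, and a later edit touching `event` inside the comprehension will quietly pick up the wrong one. Rename the loop variable: `return any(name in all_events for name in SUSPICIOUS_EVENTS)`. SUSPICIOUS_EVENTS is only ever used for membership, so a `frozenset` would also document that it is a fixed lookup set rather than an ordered list, though that is optional.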
160 changes: 160 additions & 0 deletions rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml
@@ -0,0 +1,160 @@
AnalysisType: rule
Description: A Sublime User disabled or deleted some message source(s).
DisplayName: "Sublime Message Source Deleted Or Deactivated"
Enabled: true
Filename: sublime_message_source_deleted_or_deactivated.py
Runbook: Assess if this was done by the user for a valid business reason. Be vigilant to re-enable the message source(s) if it's in the best security interest for your organization's security posture.
Reference: https://docs.sublime.security/docs/message-types
Severity: Medium
DedupPeriodMinutes: 60
AlertTitle: Sublime message source(s) were deleted or deactivated
LogTypes:
- Custom.Sublime.AuditLogs
RuleID: "Sublime.Message.Source.Deleted.Or.Deactivated"
Threshold: 1
Reports:
MITRE ATT&CK:
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
Tests:
- ExpectedResult: true
Name: Message Source Deactivated
Log:
{
"count": 2,
"end": "2024-09-09 19:35:31.467216000",
"events": [
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate"
},
{
"created_at": "2024-09-09 19:29:00.885628000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "",
"id": "50a3caa3-aab5-4ca4-948f-0d6426f10d36",
"ip": "1.2.3.4",
"method": "DELETE",
"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "1f9d8783-6f22-4d82-bea7-77656719b341",
"type": "rules.delete"
},
],
"key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
"start": "2024-09-09 19:25:31.467216000"
}
- ExpectedResult: false
Name: Other Events
Log:
{
"count": 2,
"end": "2024-09-09 19:35:31.467216000",
"events": [
{
"created_at": "2024-09-09 19:33:34.237078000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "{\"mailbox_ids\":[\"493c6e21-7787-419b-bada-7c4f50cbb932\"]}",
"id": "73444211-31af-42d8-99b4-34a139cf7d4a",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/message-sources/febb5bf4-2ead-47b1-b467-0ac729bf6871/mailboxes/deactivate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "084732e5-7704-4bbe-ab5a-77f1aa65a737",
"type": "message_source.deactivate_mailboxes"
},
{
"created_at": "2024-09-09 19:29:00.885628000",
"created_by": {
"active": true,
"created_at": "2024-08-28 22:05:15.715644000",
"email_address": "[email protected]",
"first_name": "John",
"google_oauth_user_id": "",
"id": "cd3aedfe-a61f-4e0e-ba30-14dcc7883316",
"is_enrolled": true,
"last_name": "Doe",
"microsoft_oauth_user_id": "",
"role": "admin",
"updated_at": "2024-08-28 22:05:15.715644000"
},
"data": {
"request": {
"authentication_method": "user_session",
"body": "",
"id": "3bdc635a-7630-4687-9972-2db9fe87e2c8",
"ip": "1.2.3.4",
"method": "POST",
"path": "/v1/rules/6f52131e-5532-4c49-b5d3-2e20d7dedd7a/activate",
"query": { },
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
}
},
"id": "7d9fe001-d80d-4d0d-9cd7-cc2f27a896ce",
"type": "rules.activate",
},
],
"key": "sublime_platform_audit_log/2024/09/09/193531Z-BKQVAP.json",
"start": "2024-09-09 19:25:31.467216000"
}