From f772fd66bc7b3d77818837d4dfbf36721f0794ac Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 15:18:44 +0000 Subject: [PATCH 1/8] build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 (#1352) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.1 to 2.10.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde...91182cccc01eb5e619899d80e4e971d6181294a7) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --- .github/workflows/check-packs.yml | 2 +- .github/workflows/docker.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- .github/workflows/upload.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/check-packs.yml b/.github/workflows/check-packs.yml index b3bbe76db..63e8125ba 100644 --- a/.github/workflows/check-packs.yml +++ b/.github/workflows/check-packs.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 9fd8f4efd..ddf65f16c 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -11,7 +11,7 @@ jobs: name: Build Dockerfile runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 93dbc05df..d9d43f016 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e601601b9..9be6c8f50 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }} steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 562fc8b1e..95c608498 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml index 7bc2a82ea..5648ae330 100644 --- a/.github/workflows/upload.yml +++ b/.github/workflows/upload.yml 
@@ -14,7 +14,7 @@ jobs: API_HOST: ${{ secrets.API_HOST }} API_TOKEN: ${{ secrets.API_TOKEN }} steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit - name: Validate Secrets From 192113e78e34a3c3c3f6921cbf3e6314df015436 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Wed, 11 Sep 2024 10:17:53 -0600 Subject: [PATCH 2/8] Refreshing Contributing Guidelines (#1344) * Refreshing Contributing Guidelines * implement Cara's suggestions * another update * implement Remy's suggestions --- CONTRIBUTING.md | 47 ++++++++++++++++++---- STYLE_GUIDE.md | 101 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 141 insertions(+), 7 deletions(-) create mode 100644 STYLE_GUIDE.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8c029d7ce..99449ad73 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,12 +1,45 @@ -# Contributing +# Contributing to `panther-analysis` -Please follow the [Code of Conduct](https://github.com/panther-labs/panther-analysis/blob/main/CODE_OF_CONDUCT.md) -in all of your interactions with the project. +Thank you for your interest in contributing to Panther's open-source ruleset! We appreciate all types of contributions, including new detection rules, feature requests, and bug reports. + +## What makes a good detection? + +Please familiarize yourself with these helpful resources on writing high-quality Panther rules: + +- The blog post Panther's founder, Jack Naglieri, wrote on [The Anatomy of a High Quality SIEM Rule](https://jacknaglieri.substack.com/p/hq-siem-rules) +- Panther's [Detection Documentation](https://docs.panther.com/detections) +- The `panther-analysis` [Style Guide](https://github.com/panther-labs/panther-analysis/blob/main/STYLE_GUIDE.md) + +Especially excellent contributions will be considered for a quarterly prize! We will announce a winner in the **Panther-Analysis Seasonal Newsletter**, where we share updates and celebrate contributions to Panther’s open-source ruleset. + +## Testing your changes + +Before submitting your pull request, make sure to: -## Pull Request Process +- Write or update relevant unit tests +- Redact any sensitive information or PII from example logs +- Format, lint, and test your changes to ensure CI tests pass, using the following commands: + ```bash + make fmt + make lint + make test + ``` -1. Create new detections in the appropriate folder (or create your own) or make modifications to existing ones +## Pull Request process + +1. Make desired detection changes. This may include creating new detections in existing log type directories, creating new log type directories, updating existing detections, etc 2. Commit both the Python and Metadata files 3. Write a clear commit message -4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls) -5. 
Incorporate feedback and merge once you have the sign-off of other code owners. If you do not have permission, you may request a reviewer to merge it for you. +4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls). +5. Once your PR has been approved by code owners, if you have merge permissions, merge it. If you do not have merge permissions, leave a comment requesting a code owner merge it for you + +## Code of Conduct + +Please follow the [Code of Conduct](https://github.com/panther-labs/panther-analysis/blob/main/CODE_OF_CONDUCT.md) +in all of your interactions with this project. + +## Need help? + +If you need assistance at any point, feel free to open a support ticket, or reach out to us on [Panther Community Slack](https://pnthr.io/community). + +Thank you again for your contributions, and we look forward to working together! \ No newline at end of file diff --git a/STYLE_GUIDE.md b/STYLE_GUIDE.md new file mode 100644 index 000000000..029dfdb91 --- /dev/null +++ b/STYLE_GUIDE.md 
@@ -0,0 +1,101 @@ +# panther-analysis Style Guide + +This style guide highlights essential best practices for writing python rules and alert metadata. For a more detailed guide, visit [Writing Python Detections](https://docs.panther.com/detections/rules/python) in the Panther documentation. + +## Metadata best practices + +### RuleID, Filename, and DisplayName + +- `RuleID`, `Filename`, and `DisplayName` should all be similar to one another. A good litmus test is: If you have the `RuleID`, would you be able to identify the related Python file (its `Filename`), and vice versa? +- `RuleID` should start with the log type identifier followed by a `.` + +Example: +```yaml +DisplayName: "AWS Compromised IAM Key Quarantine" +RuleID: "AWS.CloudTrail.IAMCompromisedKeyQuarantine" +Filename: aws_iam_compromised_key_quarantine.py +``` + +### Severity + +Review the [Alert Severity Guidelines](https://docs.panther.com/detections/rules#alert-severity) in Panther's documentation. Consider additional factors that could increase or decrease severity, such as exploitation in the wild, potential for false positives, and actionability. + +### Reference + +The `Reference` value should be a link to a relevant security or threat research report that describes the attack this rule detects, including why it is valuable to detect it from a security perspective. Avoid generic documentation links, such as general API or log source pages. + +### Runbook + +The `Runbook` value should provide clear triage steps for incident responders. See [Define Clear Triage Steps](https://jacknaglieri.substack.com/i/148126819/define-clear-triage-steps). 
+ +### MITRE ATT&CK reports + +- MITRE ATT&CK tactics and techniques should be in the form `TA####:T####` or `TA####:T####.###` +- Add a comment with the Technique name +- Optionally add the Technique name to Tags as well + +Example: +```yaml +Reports: + MITRE ATT&CK: + - TA0006:T1556 # Modify Authentication Process +Tags: + - Modify Authentication Process +``` + +### Tags + +Use tags to label rules for easy classification and reporting. Some commonly used tags are: + +- `Configuration Required` indicates a rule should be configured for your environment before enabling +- MITRE ATT&CK Technique friendly names +- Killchain phase +- Log type +- Relevant security control or compliance framework +- `Deprecated` indicates a rule has been deprecated and should no longer be used + +### Unit tests + +- Review Panther's [Testing Documentation](https://docs.panther.com/detections/testing) +- Write tests for both positive and negative cases +- Redact all sensitive information and PII from example logs +- Put tests at the very bottom of the .yml file + +## Python best practices + +### Use `get` and `deep_get` + +- Use `event.get('field', '')` for top level fields and `event.deep_get('nested', 'field', default='')` for nested fields +- Always specify a default return value. This helps prevent unnecessary `AttributeErrors` when fields are not present in logs +- Don't directly access fields like `event['field']`, which can also cause `AttributeErrors` +- Panther's normalized event class has `deep_get` as a built-in method, so it is not necessary to import it from a helper. 
For example: + +```python +# Do this +def rule(event): + return event.deep_get('foo', default='') == 'bar' + +# Instead of this +from panther_base_helpers import deep_get + +def rule(event): + return deep_get(event, 'foo', default='') == 'bar' +``` + +### Use dynamic functions + +Panther's [dynamic auxiliary functions](https://docs.panther.com/detections/rules/python#alert-functions-in-python-detections) are a powerful tool for programattically modifying alerts based on event criteria and should be used when appropriate. + +### Use existing `alert_context` functions + +Check for `alert_context` functions in `global_helpers` for the LogType you are developing against. Alert context can be extended in specific rules, for example: + +```python +from panther_base_helpers import aws_rule_context + +def alert_context(event): + return aws_rule_context(event) | {'another_field': 'another_value'} +``` + + + From 34512d26baeaf192c6fb30a3f2490fc5e6366e65 Mon Sep 17 00:00:00 2001 From: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Date: Mon, 16 Sep 2024 10:09:25 -0500 Subject: [PATCH 3/8] Remove Multi-Table Queries from Packs (#1353) * tagged multi-table queries * removed multi-table queries (and assoc. rules) from packs --- packs/aws.yml | 2 -- packs/okta.yml | 3 --- packs/onepassword.yml | 3 --- ...thentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml | 2 ++ ..._Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml | 2 ++ .../Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml | 2 ++ .../onepass_login_from_crowdstrike_unmanaged_device_query.yml | 2 ++ .../Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml | 2 ++ ...nepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml | 2 ++ 9 files changed, 12 insertions(+), 8 deletions(-) diff --git a/packs/aws.yml b/packs/aws.yml index b0e549ee8..aef920d52 100644 --- a/packs/aws.yml +++ b/packs/aws.yml 
@@ -132,7 +132,6 @@ PackDefinition: - AWS.WAF.Disassociation - AWS.WAF.HasXSSPredicate # Other rules - - AWS.Authentication.From.CrowdStrike.Unmanaged.Device - AWS.CloudTrail.Account.Discovery - AWS.CloudTrail.CloudWatchLogs - AWS.CloudTrail.LogEncryption @@ -174,7 +173,6 @@ PackDefinition: - AWS.CloudTrail.LoginProfileCreatedOrModified - AWS.Console.Login # Queries - - AWS Authentication from CrowdStrike Unmanaged Device - Query.CloudTrail.Password.Spraying - Query.VPC.DNS.Tunneling - VPC Flow Port Scanning diff --git a/packs/okta.yml b/packs/okta.yml index 9d0906103..721176782 100644 --- a/packs/okta.yml +++ b/packs/okta.yml @@ -25,7 +25,6 @@ PackDefinition: - Okta.Phishing.Attempt.Blocked.FastPass - Okta.User.MFA.Reset.Single - Okta.PasswordAccess - - Okta.Login.From.CrowdStrike.Unmanaged.Device - Okta.PotentiallyStolenSession - Okta.Support.Reset # Globals used in these detections @@ -35,8 +34,6 @@ PackDefinition: - panther_config - panther_config_defaults - panther_config_overrides - # Queries - - Okta Login From CrowdStrike Unmanaged Device # Data Model - Standard.Okta.SystemLog DisplayName: "Panther Okta Pack" diff --git a/packs/onepassword.yml b/packs/onepassword.yml index 6fb20019c..8ea7183df 100644 --- a/packs/onepassword.yml +++ b/packs/onepassword.yml @@ -8,12 +8,9 @@ PackDefinition: - Standard.OnePassword.SignInAttempt # 1Password Specific Rules - OnePassword.Unusual.Client - - OnePassword.Login.From.CrowdStrike.Unmanaged.Device # Supporting Global Helpers - panther_base_helpers - panther_event_type_helpers - panther_config - panther_config_defaults - panther_config_overrides - # Queries - - 1Password Login From CrowdStrike Unmanaged Device Query diff --git a/queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml b/queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml index c009a458a..7d059de3e 100644 
--- a/queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml +++ b/queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml @@ -20,3 +20,5 @@ QueryName: "AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fd Schedule: RateMinutes: 1440 TimeoutMinutes: 3 +Tags: + - Multi-Table Query diff --git a/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml b/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml index b7a4b767e..fa688e340 100644 --- a/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml +++ b/queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml @@ -17,3 +17,5 @@ QueryName: "AWS Authentication from CrowdStrike Unmanaged Device" Schedule: RateMinutes: 60 TimeoutMinutes: 3 +Tags: + - Multi-Table Query diff --git a/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml b/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml index ab3f40ee2..75a72aaa8 100644 --- a/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml +++ b/queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml @@ -19,3 +19,5 @@ QueryName: "Okta Login From CrowdStrike Unmanaged Device" Schedule: RateMinutes: 60 TimeoutMinutes: 1 +Tags: + - Multi-Table Query \ No newline at end of file diff --git a/queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml b/queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml index fd1bc3085..a562a7823 100644 --- a/queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml +++ b/queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml 
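Review bot: The `Tags` entry added here marks the query as multi-table, but the rules these queries drive — `AWS.Authentication.From.CrowdStrike.Unmanaged.Device`, `Okta.Login.From.CrowdStrike.Unmanaged.Device` and `OnePassword.Login.From.CrowdStrike.Unmanaged.Device`, dropped from the packs in this same commit — are not in the diffstat, so their definitions presumably remain in the repo with no deprecation marker. Patch 5 of this series handles the equivalent situation by prefixing `DisplayName` with `DEPRECATED -` and adding a `DEPRECATED` tag; doing the same for these three rules would tell users why they vanished from the packs. The same `Tags` addition is made in the other five query files of this commit, and the `Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml` hunk also leaves that file without a trailing newline.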
@@ -20,3 +20,5 @@ QueryName: "1Password Login From CrowdStrike Unmanaged Device Query" Schedule: RateMinutes: 60 TimeoutMinutes: 1 +Tags: + - Multi-Table Query diff --git a/queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml b/queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml index cf1956a65..5aabc2b46 100644 --- a/queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml +++ b/queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml @@ -22,3 +22,5 @@ QueryName: "Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent t Schedule: RateMinutes: 1440 TimeoutMinutes: 1 +Tags: + - Multi-Table Query diff --git a/queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml b/queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml index ee620b734..a0b55991e 100644 --- a/queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml +++ b/queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml @@ -23,3 +23,5 @@ QueryName: "1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike Schedule: RateMinutes: 1440 TimeoutMinutes: 1 +Tags: + - Multi-Table Query From 486b1ed08936840e7a9d9e41f76067b3ad5850e1 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Mon, 16 Sep 2024 09:32:26 -0600 Subject: [PATCH 4/8] validate and upload on PRs (#1351) * validate and upload on PRs * push to release * upload on push to release --- .github/workflows/upload.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml index 5648ae330..45b4763ac 100644 --- a/.github/workflows/upload.yml +++ b/.github/workflows/upload.yml @@ -1,7 +1,7 @@ on: push: branches: - - main + - release permissions: contents: read 
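Review bot: Switching the push filter from `main` to `release` changes which branch can trigger a workflow that runs with `API_HOST` and `API_TOKEN` in its environment (visible in the upload.yml context of patch 1), so `release` needs the same branch-protection and push restrictions as `main`, otherwise anyone able to push there runs the upload with those secrets. The commit title says "validate and upload on PRs", but this hunk adds no `pull_request` trigger; if validation on PRs was intended it is either missing or lives in a workflow outside this diff. A comment on the new line would record the intent: `- release  # protected branch; every push here runs the upload with API_TOKEN`.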
From 4ebb769af873b552fce4d21c9b3fcd7b88efec9a Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:47:23 +0300 Subject: [PATCH 5/8] THREAT-354 Converting caching rules to correlation (#1348) * THREAT-354 Converting caching rules to correlation * THREAT-354 Converting caching rules to correlation - fixed timeframes * THREAT-354 Converting caching rules to correlation - fixed timeframes --- .../notion_account_changed_after_login.yml | 55 ++++++++++++++ ...ful_login_after_high_risk_failed_login.yml | 68 +++++++++++++++++ packs/notion.yml | 6 +- packs/onelogin.yml | 5 +- rules/notion_rules/notion_account_changed.py | 35 +++++++++ rules/notion_rules/notion_account_changed.yml | 76 +++++++++++++++++++ .../notion_account_changed_after_login.yml | 3 +- rules/notion_rules/notion_login.py | 23 ++++++ rules/notion_rules/notion_login.yml | 75 ++++++++++++++++++ .../onelogin_high_risk_login.yml | 3 +- rules/onelogin_rules/onelogin_login.py | 8 ++ rules/onelogin_rules/onelogin_login.yml | 34 +++++++++ 12 files changed, 387 insertions(+), 4 deletions(-) create mode 100644 correlation_rules/notion_account_changed_after_login.yml create mode 100644 correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml create mode 100644 rules/notion_rules/notion_account_changed.py create mode 100644 rules/notion_rules/notion_account_changed.yml create mode 100644 rules/notion_rules/notion_login.py create mode 100644 rules/notion_rules/notion_login.yml create mode 100644 rules/onelogin_rules/onelogin_login.py create mode 100644 rules/onelogin_rules/onelogin_login.yml diff --git a/correlation_rules/notion_account_changed_after_login.yml b/correlation_rules/notion_account_changed_after_login.yml new file mode 100644 index 000000000..3149b8d40 --- /dev/null +++ b/correlation_rules/notion_account_changed_after_login.yml 
@@ -0,0 +1,55 @@ +AnalysisType: correlation_rule +RuleID: "Notion.Login.FOLLOWED.BY.AccountChange" +DisplayName: "Notion Login FOLLOWED BY AccountChange" +Enabled: true +Severity: Medium +Description: A Notion User logged in then changed their account details. +Reference: https://www.notion.so/help/account-settings +Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine. +Reports: + MITRE ATT&CK: + - TA0004:T1098 # Account Manipulation +Detection: + - Sequence: + - ID: Login + RuleID: Notion.Login + - ID: AccountChange + RuleID: Notion.AccountChange + Transitions: + - ID: Login FOLLOWED BY AccountChange + From: Login + To: AccountChange + WithinTimeFrameMinutes: 15 + Match: + - On: p_alert_context.actor_id + LookbackWindowMinutes: 1440 + Schedule: + RateMinutes: 1440 + TimeoutMinutes: 5 +Tests: + - Name: Login, Followed By AccountChange within short time + ExpectedResult: true + RuleOutputs: + - ID: Login + Matches: + p_alert_context.actor_id: + 'i-abcdef0123456789a': + - "2024-06-01T10:00:01Z" + - ID: AccountChange + Matches: + p_alert_context.actor_id: + 'i-abcdef0123456789a': + - "2024-06-01T10:01:01Z" + - Name: Login, Followed By AccountChange not within short time + ExpectedResult: false + RuleOutputs: + - ID: Login + Matches: + p_alert_context.actor_id: + 'i-abcdef0123456789a': + - "2024-06-01T10:00:01Z" + - ID: AccountChange + Matches: + p_alert_context.actor_id: + 'i-abcdef0123456789a': + - "2024-06-01T11:01:01Z" diff --git a/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml b/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml new file mode 100644 index 000000000..34aa2edac --- /dev/null +++ b/correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml 
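Review bot: The `Runbook` says "determine if this email change is genuine", but the `Notion.AccountChange` signal this sequence consumes (notion_account_changed.py in this commit) also fires on password updated, added and removed, so the wording under-describes what the responder is looking at; something like `Runbook: Possible account takeover. Confirm with the user that both the login and the subsequent login-method change (email or password) were theirs; if not, treat the account as compromised and rotate its credentials.` Matching is on `p_alert_context.actor_id`, which `alert_context` fills from `event.deep_walk("event", "actor", "id")` with no default, so if the actor id is ever absent both signals would presumably carry an empty key and could pair events from unrelated users — worth a negative test or an explicit default. The test keys `i-abcdef0123456789a` look like EC2 instance ids rather than Notion actor UUIDs; cosmetic, but a UUID-shaped value would read as the real thing.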
@@ -0,0 +1,68 @@ +AnalysisType: correlation_rule +RuleID: "OneLogin.HighRiskFailedLogin.FOLLOWED.BY.SuccessfulLogin" +DisplayName: "OneLogin High Risk Failed Login FOLLOWED BY Successful Login" +Enabled: true +Severity: Medium +Description: A OneLogin user successfully logged in after a failed high-risk login attempt. +Reference: https://resources.onelogin.com/OneLogin_RiskBasedAuthentication-WP-v5.pdf +Runbook: Investigate whether this was caused by expected user activity. +Reports: + MITRE ATT&CK: + - TA0001:T1078 # Valid Accounts +Detection: + - Sequence: + - ID: HighRiskFailedLogin + RuleID: OneLogin.HighRiskFailedLogin + - ID: SuccessfulLogin + RuleID: OneLogin.Login + Transitions: + - ID: HighRiskFailedLogin FOLLOWED BY SuccessfulLogin + From: HighRiskFailedLogin + To: SuccessfulLogin + WithinTimeFrameMinutes: 15 + Match: + - On: user_name + LookbackWindowMinutes: 1440 + Schedule: + RateMinutes: 1440 + TimeoutMinutes: 5 +Tests: + - Name: High Risk Failed Login FOLLOWED BY Successful Login within short time + ExpectedResult: true + RuleOutputs: + - ID: HighRiskFailedLogin + Matches: + user_name: + 'Some_user': + - "2024-06-01T10:00:01Z" + - ID: SuccessfulLogin + Matches: + user_name: + 'Some_user': + - "2024-06-01T10:01:01Z" + - Name: High Risk Failed Login FOLLOWED BY Successful Login not within short time + ExpectedResult: false + RuleOutputs: + - ID: HighRiskFailedLogin + Matches: + user_name: + 'Some_user': + - "2024-06-01T10:00:01Z" + - ID: SuccessfulLogin + Matches: + user_name: + 'Some_user': + - "2024-06-01T11:01:01Z" + - Name: High Risk Failed Login FOLLOWED BY Successful Login of other user + ExpectedResult: false + RuleOutputs: + - ID: HighRiskFailedLogin + Matches: + user_name: + 'Some_user': + - "2024-06-01T10:00:01Z" + - ID: SuccessfulLogin + Matches: + user_name: + 'Some_other_user': + - "2024-06-01T10:01:01Z" diff --git a/packs/notion.yml b/packs/notion.yml index 8e26d0ca8..6af944201 100644 --- a/packs/notion.yml +++ b/packs/notion.yml 
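Review bot: `Runbook: Investigate whether this was caused by expected user activity.` gives responders no triage steps, which is exactly what the STYLE_GUIDE.md added in patch 2 of this series asks for; e.g. `Runbook: Confirm with the user whether the failed high-risk attempt and the following successful login were theirs; compare source IP, device and location across the two events, and if the user does not recognize the failed attempt treat the credential as exposed and reset it.` The sequence matches on `user_name`; `onelogin_login.py` in this commit defaults that field to `''` only inside its title, so how a OneLogin event without `user_name` is keyed here is not visible from the diff — a negative test alongside the existing "other user" case would pin it.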
@@ -3,7 +3,6 @@ PackID: PantherManaged.Notion Description: Group of all Notion detections PackDefinition: IDs: - - Notion.AccountChangedAfterLogin - Notion.Audit.Log.Exported - Notion.PagePerms.GuestPermsChanged - Notion.LoginFromNewLocation @@ -17,6 +16,11 @@ PackDefinition: - Notion.Workspace.Public.Page.Added - Notion.SharingSettingsUpdated - Notion.TeamspaceOwnerAdded + # Correlation Rules + - Notion.Login.FOLLOWED.BY.AccountChange + # Signal Rules + - Notion.Login + - Notion.AccountChange # Globals used in these detections - global_filter_notion - panther_base_helpers diff --git a/packs/onelogin.yml b/packs/onelogin.yml index cf985947d..7fc9f0c64 100644 --- a/packs/onelogin.yml +++ b/packs/onelogin.yml @@ -5,7 +5,6 @@ PackDefinition: IDs: - OneLogin.ActiveLoginActivity - OneLogin.HighRiskFailedLogin - - OneLogin.HighRiskLogin - OneLogin.PasswordAccess - OneLogin.PasswordChanged - OneLogin.AuthFactorRemoved @@ -14,6 +13,10 @@ PackDefinition: - OneLogin.UnauthorizedAccess - OneLogin.UserAccountLocked - OneLogin.UserAssumption + # Correlation Rules + - OneLogin.HighRiskFailedLogin.FOLLOWED.BY.SuccessfulLogin + # Signal Rules + - OneLogin.Login # Globals used in these detections - panther_base_helpers - panther_oss_helpers diff --git a/rules/notion_rules/notion_account_changed.py b/rules/notion_rules/notion_account_changed.py new file mode 100644 index 000000000..305fc226d --- /dev/null +++ b/rules/notion_rules/notion_account_changed.py 
@@ -0,0 +1,35 @@ +from global_filter_notion import filter_include_event +from panther_notion_helpers import notion_alert_context + + +def rule(event): + if not filter_include_event(event): + return False + + allowed_event_types = { + "user.settings.login_method.email_updated", + "user.settings.login_method.password_updated", + "user.settings.login_method.password_added", + "user.settings.login_method.password_removed", + } + if event.deep_walk("event", "type") in allowed_event_types: + return True + return False + + +def title(event): + user_email = event.deep_walk("event", "actor", "person", "email", default="UNKNOWN EMAIL") + action_taken = { + "user.settings.login_method.email_updated": "changed their email", + "user.settings.login_method.password_updated": "changed their password", + "user.settings.login_method.password_added": "added a password to their account", + "user.settings.login_method.password_removed": "removed the password from their account", + }.get(event.deep_get("event", "type"), "altered their account info") + return f"Notion User [{user_email}] {action_taken}." + + +def alert_context(event): + context = notion_alert_context(event) + context["login_timestamp"] = event.get("p_event_time") + context["actor_id"] = event.deep_walk("event", "actor", "id") + return context diff --git a/rules/notion_rules/notion_account_changed.yml b/rules/notion_rules/notion_account_changed.yml new file mode 100644 index 000000000..38bf175d6 --- /dev/null +++ b/rules/notion_rules/notion_account_changed.yml 
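Review bot: `rule()` reads the event type with `event.deep_walk("event", "type")` while `title()` reads the same field with `event.deep_get("event", "type")`; pick one, and prefer the `deep_get` form with a default that STYLE_GUIDE.md (patch 2) recommends, which also lets the `if ... return True / return False` pair collapse to `return event.deep_get("event", "type", default="") in allowed_event_types`. The same `if cond: return True; return False` shape appears in `notion_login.py` and `onelogin_login.py` in this commit. `alert_context` stores `p_event_time` under `login_timestamp`, a name copied from the login signal; for an account-change event it misleads anyone reading the correlated alert, so either rename it or add `# p_event_time of the account change, not of a login`. `allowed_event_types` and the `action_taken` table spell out the same four type strings; a module-level constant used by both would keep them from drifting.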
@@ -0,0 +1,76 @@ +AnalysisType: rule +Filename: notion_account_changed.py +RuleID: "Notion.AccountChange" +DisplayName: "Signal - Notion Account Changed" +Enabled: true +CreateAlert: false +LogTypes: + - Notion.AuditLogs +Tags: + - Notion + - Identity & Access Management + - Persistence +Severity: Info +Description: A Notion User changed their account information. +DedupPeriodMinutes: 60 +Threshold: 1 +Reference: https://www.notion.so/help/account-settings +Tests: + - Name: Login event + ExpectedResult: false + Log: + { + "event": + { + "actor": + { + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "object": "user", + "person": { "email": "aragorn.elessar@lotr.com" }, + "type": "person", + }, + "details": { "authType": "email" }, + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip_address": "192.168.100.100", + "platform": "web", + "timestamp": "2023-06-12 21:40:28.690000000", + "type": "user.login", + "workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + }, + "p_event_time": "2023-06-12 21:40:28.690000000", + "p_log_type": "Notion.AuditLogs", + "p_parse_time": "2023-06-12 22:53:51.602223297", + "p_row_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "p_schema_version": 0, + "p_source_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "p_source_label": "Notion Logs", + } + - Name: Email Changed + ExpectedResult: true + Log: + { + "event": + { + "actor": + { + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "object": "user", + "person": { "email": "aragorn.elessar@lotr.com" }, + "type": "person", + }, + "details": { "authType": "email" }, + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip_address": "192.168.100.100", + "platform": "web", + "timestamp": "2023-06-12 21:40:28.690000000", + "type": "user.settings.login_method.email_updated", + "workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + }, + "p_event_time": "2023-06-12 21:40:28.690000000", + "p_log_type": "Notion.AuditLogs", + "p_parse_time": "2023-06-12 22:53:51.602223297", + "p_row_id": 
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "p_schema_version": 0, + "p_source_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "p_source_label": "Notion Logs", + } diff --git a/rules/notion_rules/notion_account_changed_after_login.yml b/rules/notion_rules/notion_account_changed_after_login.yml index c58f08882..f96a3ae38 100644 --- a/rules/notion_rules/notion_account_changed_after_login.yml +++ b/rules/notion_rules/notion_account_changed_after_login.yml @@ -1,7 +1,7 @@ AnalysisType: rule Filename: notion_account_changed_after_login.py RuleID: "Notion.AccountChangedAfterLogin" -DisplayName: "Notion Account Changed Shortly After Login" +DisplayName: "DEPRECATED - Notion Account Changed Shortly After Login" Enabled: true LogTypes: - Notion.AuditLogs @@ -9,6 +9,7 @@ Tags: - Notion - Identity & Access Management - Persistence + - DEPRECATED Severity: Medium Description: A Notion User logged in then changed their account details. DedupPeriodMinutes: 60 diff --git a/rules/notion_rules/notion_login.py b/rules/notion_rules/notion_login.py new file mode 100644 index 000000000..ca4e4fd65 --- /dev/null +++ b/rules/notion_rules/notion_login.py @@ -0,0 +1,23 @@ +from global_filter_notion import filter_include_event +from panther_notion_helpers import notion_alert_context + + +def rule(event): + if not filter_include_event(event): + return False + + if event.deep_walk("event", "type") == "user.login": + return True + return False + + +def title(event): + user_email = event.deep_walk("event", "actor", "person", "email", default="UNKNOWN EMAIL") + return f"Notion User [{user_email}] logged in." + + +def alert_context(event): + context = notion_alert_context(event) + context["login_timestamp"] = event.get("p_event_time") + context["actor_id"] = event.deep_walk("event", "actor", "id") + return context diff --git a/rules/notion_rules/notion_login.yml b/rules/notion_rules/notion_login.yml new file mode 100644 index 000000000..d34cbc877 --- /dev/null +++ b/rules/notion_rules/notion_login.yml 
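Review bot: The tests exercise only `user.login` (false) and `user.settings.login_method.email_updated` (true), so the three `password_*` event types in `allowed_event_types` of notion_account_changed.py are unpinned; add at least one positive case, e.g. `- Name: Password Removed` with `"type": "user.settings.login_method.password_removed"` and `ExpectedResult: true`. `Reference` points at the generic account-settings help page, which STYLE_GUIDE.md from patch 2 says to avoid; for an Info-severity signal with `CreateAlert: false` that is defensible, but a comment `# Signal only; consumed by Notion.Login.FOLLOWED.BY.AccountChange` above `CreateAlert: false` would explain why the usual metadata bar does not apply here.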
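Review bot: The rule is renamed `DEPRECATED - Notion Account Changed Shortly After Login` and tagged `DEPRECATED`, but `Enabled: true` stays in the context line just below, so it keeps firing at Medium severity next to the new `Notion.Login.FOLLOWED.BY.AccountChange` correlation for anyone who has it deployed outside the pack. Set `Enabled: false` with a comment `# Superseded by Notion.Login.FOLLOWED.BY.AccountChange` so the deprecation actually quiets it, or, if a grace period is intended, say so in the `Description`. The `onelogin_high_risk_login.yml` hunk on the next line has the same issue with respect to `OneLogin.HighRiskFailedLogin.FOLLOWED.BY.SuccessfulLogin`.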
@@ -0,0 +1,75 @@
+AnalysisType: rule
+Filename: notion_login.py
+RuleID: "Notion.Login"
+DisplayName: "Signal - Notion Login"
+Enabled: true
+CreateAlert: false
+LogTypes:
+ - Notion.AuditLogs
+Tags:
+ - Notion
+ - Identity & Access Management
+Severity: Info
+Description: A Notion User logged in.
+DedupPeriodMinutes: 60
+Threshold: 1
+Reference: https://www.notion.so/help/account-settings
+Tests:
+ - Name: Login event
+ ExpectedResult: true
+ Log:
+ {
+ "event":
+ {
+ "actor":
+ {
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "object": "user",
+ "person": { "email": "aragorn.elessar@lotr.com" },
+ "type": "person",
+ },
+ "details": { "authType": "email" },
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "ip_address": "192.168.100.100",
+ "platform": "web",
+ "timestamp": "2023-06-12 21:40:28.690000000",
+ "type": "user.login",
+ "workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ },
+ "p_event_time": "2023-06-12 21:40:28.690000000",
+ "p_log_type": "Notion.AuditLogs",
+ "p_parse_time": "2023-06-12 22:53:51.602223297",
+ "p_row_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+ "p_schema_version": 0,
+ "p_source_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "p_source_label": "Notion Logs",
+ }
+ - Name: Not login event
+ ExpectedResult: false
+ Log:
+ {
+ "event":
+ {
+ "actor":
+ {
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "object": "user",
+ "person": { "email": "aragorn.elessar@lotr.com" },
+ "type": "person",
+ },
+ "details": { "authType": "email" },
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "ip_address": "192.168.100.100",
+ "platform": "web",
+ "timestamp": "2023-06-12 21:40:28.690000000",
+ "type": "user.settings.login_method.email_updated",
+ "workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ },
+ "p_event_time": "2023-06-12 21:40:28.690000000",
+ "p_log_type": "Notion.AuditLogs",
+ "p_parse_time": "2023-06-12 22:53:51.602223297",
+ "p_row_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+ "p_schema_version": 0,
+ "p_source_id": 
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "p_source_label": "Notion Logs", + } diff --git a/rules/onelogin_rules/onelogin_high_risk_login.yml b/rules/onelogin_rules/onelogin_high_risk_login.yml index dcae68313..5abbd0c11 100644 --- a/rules/onelogin_rules/onelogin_high_risk_login.yml +++ b/rules/onelogin_rules/onelogin_high_risk_login.yml @@ -1,12 +1,13 @@ AnalysisType: rule Filename: onelogin_high_risk_login.py RuleID: "OneLogin.HighRiskLogin" -DisplayName: "OneLogin High Risk Login" +DisplayName: "DEPRECATED - OneLogin High Risk Login" Enabled: true LogTypes: - OneLogin.Events Tags: - OneLogin + - DEPRECATED Severity: Medium Description: A OneLogin user successfully logged in after a failed high-risk login attempt. Reference: https://resources.onelogin.com/OneLogin_RiskBasedAuthentication-WP-v5.pdf diff --git a/rules/onelogin_rules/onelogin_login.py b/rules/onelogin_rules/onelogin_login.py new file mode 100644 index 000000000..f8ac12f62 --- /dev/null +++ b/rules/onelogin_rules/onelogin_login.py @@ -0,0 +1,8 @@ +def rule(event): + if str(event.get("event_type_id")) == "5": + return True + return False + + +def title(event): + return f"A user [{event.get('user_name', '')}] successfully logged in" diff --git a/rules/onelogin_rules/onelogin_login.yml b/rules/onelogin_rules/onelogin_login.yml new file mode 100644 index 000000000..31a6f2875 --- /dev/null +++ b/rules/onelogin_rules/onelogin_login.yml 
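Review bot: `rule()` in onelogin_login.py compares against the bare literal `"5"` with nothing in the file saying which OneLogin event that is; the accompanying yml describes the rule as a successful user login, so a comment such as `# event_type_id 5: user successfully logged into OneLogin` on the `if` line keeps the code and the spec in sync. The `str(...)` wrapper also deserves a short comment, because it is what lets the string `"5"` in the fixture and an integer id from live logs both match, and a reader may otherwise simplify it away. As with notion_login.py above, the `if ...: return True` / `return False` pair can collapse to `return str(event.get("event_type_id")) == "5"`.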
@@ -0,0 +1,34 @@ +AnalysisType: rule +Filename: onelogin_login.py +RuleID: "OneLogin.Login" +DisplayName: "Signal - OneLogin Login" +Enabled: true +CreateAlert: false +LogTypes: + - OneLogin.Events +Tags: + - OneLogin +Severity: Info +Description: A OneLogin user successfully logged in. +Reference: https://resources.onelogin.com/OneLogin_RiskBasedAuthentication-WP-v5.pdf +Tests: + - Name: Successful Login Event + ExpectedResult: true + Log: + { + "event_type_id": "5", + "actor_user_id": 123456, + "actor_user_name": "Bob Cat", + "user_id": 123456, + "user_name": "Bob Cat", + } + - Name: Failed Login Event + ExpectedResult: false + Log: + { + "event_type_id": "6", + "actor_user_id": 123456, + "actor_user_name": "Bob Cat", + "user_id": 123456, + "user_name": "Bob Cat", + } From 20646a49799034087f723c568ca380177bcebed2 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:09:12 -0600 Subject: [PATCH 6/8] Validate on PR approval (#1354) --- .github/workflows/upload.yml | 5 +-- .github/workflows/validate.yml | 42 +++++++++++++++++++ ...tion_login_followed_by_account_change.yml} | 0 3 files changed, 43 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/validate.yml rename correlation_rules/{notion_account_changed_after_login.yml => notion_login_followed_by_account_change.yml} (100%) diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml index 45b4763ac..a854ba46c 100644 --- a/.github/workflows/upload.yml +++ b/.github/workflows/upload.yml @@ -17,6 +17,7 @@ jobs: - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: egress-policy: audit + - name: Validate Secrets if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }} run: | 
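Review bot: Both fixtures in onelogin_login.yml give `event_type_id` as the string `"5"`/`"6"`, while the neighbouring ids (`actor_user_id: 123456`) are integers; the Python side only tolerates the integer form through its `str()` wrapper, and nothing here pins that. Adding one more test whose log carries `"event_type_id": 5` as a number with `ExpectedResult: true` would protect that coercion from being refactored away. If the OneLogin.Events schema in fact emits the field as a string, a comment on the fixture saying so would be enough instead.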
@@ -37,10 +38,6 @@ jobs: - name: Setup venv run: make venv - - name: validate - run: | - pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }} - - name: upload run: | pipenv run panther_analysis_tool upload --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }} diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 000000000..5b5e1192a --- /dev/null +++ b/.github/workflows/validate.yml @@ -0,0 +1,42 @@ +on: + pull_request_review: + types: [submitted] + +permissions: + contents: read + +jobs: + validate: + if: github.event.review.state == 'approved' + name: Validate + runs-on: ubuntu-latest + env: + API_HOST: ${{ secrets.API_HOST }} + API_TOKEN: ${{ secrets.API_TOKEN }} + steps: + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Validate Secrets + if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }} + run: | + echo "API_HOST or API_TOKEN not set" + exit 0 + + - name: Checkout panther-analysis + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7 + + - name: Set python version + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0 + with: + python-version: "3.11" + + - name: Install pipenv + run: pip install pipenv + + - name: Setup venv + run: make venv + + - name: validate + run: | + pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }} diff --git a/correlation_rules/notion_account_changed_after_login.yml b/correlation_rules/notion_login_followed_by_account_change.yml similarity index 100% rename from correlation_rules/notion_account_changed_after_login.yml rename to correlation_rules/notion_login_followed_by_account_change.yml From 64046443088b86020ba349910e104d2415ee8284 Mon Sep 17 00:00:00 2001 
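Review bot: In validate.yml the job gate `if: github.event.review.state == 'approved'` checks only the review state, not who submitted it, while the job puts `API_TOKEN` into `env` and the default `actions/checkout` on a `pull_request_review` event resolves to the PR merge ref, so `make venv` and the validate step run the PR's own Makefile and Pipfile with that secret in scope; if this repository accepts pull requests from forks, an approving review from any account is enough to reach that point. Gate on the reviewer's association as well, e.g. `if: github.event.review.state == 'approved' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)`, or keep the two secrets in a protected environment with required reviewers. Separately, the `Validate Secrets` step's `exit 0` only ends that step, so when the secrets are unset the remaining steps still run and call `panther_analysis_tool validate` with empty `--api-host`/`--api-token`; use `exit 1` there, or add `if: env.API_HOST != '' && env.API_TOKEN != ''` to the validate step.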
From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:44:28 -0600 Subject: [PATCH 7/8] more correlation rules from AWS re:inforce (#1289) * more correlation rules from AWS re:inforce * unit tests --- .../aws_console_sign-in_without_okta.yml | 51 +++++++++++++++++++ ..._token_retrieved_by_unauthenticated_ip.yml | 50 ++++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100644 correlation_rules/aws_console_sign-in_without_okta.yml create mode 100644 correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml
diff --git a/correlation_rules/aws_console_sign-in_without_okta.yml b/correlation_rules/aws_console_sign-in_without_okta.yml
new file mode 100644
index 000000000..3aa81090f
--- /dev/null
+++ b/correlation_rules/aws_console_sign-in_without_okta.yml
@@ -0,0 +1,51 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta"
+DisplayName: "AWS Console Sign-In NOT PRECEDED BY Okta Redirect"
+Enabled: false
+Tags:
+ - AWS
+ - Configuration Required
+ - Okta
+ - Actor Profiles
+Severity: High
+Description: A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta, both log sources configured, and Actor Profiles enabled.
+Detection:
+ - Sequence:
+ - ID: Okta SSO to AWS
+ RuleID: Okta.SSO.to.AWS
+ Absence: true
+ - ID: AWS Console Sign-In
+ RuleID: AWS.Console.Sign-In
+ Transitions:
+ - ID: Okta SSO to AWS TO AWS Console Sign-In ON username
+ 
From: Okta SSO to AWS
+ To: AWS Console Sign-In
+ Match:
+ - On: p_udm.user.id
+ WithinTimeFrameMinutes: 15
+ Schedule:
+ RateMinutes: 1440
+ TimeoutMinutes: 5
+ LookbackWindowMinutes: 1440
+Tests:
+ - Name: AWS Console Sign-In PRECEDED BY Okta Redirect
+ ExpectedResult: false
+ RuleOutputs:
+ - ID: Okta SSO to AWS
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 0
+ - ID: AWS Console Sign-In
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 2
+ - Name: AWS Console Sign-In NOT PRECEDED BY Okta Redirect
+ ExpectedResult: true
+ RuleOutputs:
+ - ID: AWS Console Sign-In
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 2
\ No newline at end of file
diff --git a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml
new file mode 100644
index 000000000..95e50c090
--- /dev/null
+++ b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml 
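Review bot: aws_console_sign-in_without_okta.yml is committed without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule rejects and which turns the next append to the file into a two-line diff; add the newline. The rule also ships with no `Reports:` block carrying an ATT&CK mapping, and the PATCH 8/8 message later on this page ("MITRE ATT&CK and severity") lists only the sibling SSO rule as touched, so this file appears to stay unmapped; adding the mapping here keeps the two re:Inforce rules consistent. This hunk is the whole file, so no enclosing block is cut.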
@@ -0,0 +1,50 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP"
+DisplayName: "AWS SSO Access Token Retrieved by Unauthenticated IP"
+Enabled: true
+Severity: Medium
+Description: |-
+ When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts.
+
+ In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.
+Reference: https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
+Detection:
+ - Sequence:
+ - ID: Absent CLI Prompt
+ RuleID: Sign-in.with.AWS.CLI.prompt
+ Absence: true
+ - ID: SSO Access Token Retrieved
+ RuleID: Retrieve.SSO.access.token
+ Transitions:
+ - ID: Absent CLI Prompt TO Access Token Retrieved ON IP Addr
+ 
From: Absent CLI Prompt
+ To: SSO Access Token Retrieved
+ WithinTimeFrameMinutes: 120
+ Match:
+ - On: sourceIPAddress
+ Schedule:
+ RateMinutes: 1440
+ TimeoutMinutes: 5
+ LookbackWindowMinutes: 1440
+Tests:
+ - Name: AWS SSO Access Token Retrieved by Authenticated IP
+ ExpectedResult: false
+ RuleOutputs:
+ - ID: Absent CLI Prompt
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 0
+ - ID: SSO Access Token Retrieved
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 2
+ - Name: AWS SSO Access Token Retrieved by Unauthenticated IP
+ ExpectedResult: true
+ RuleOutputs:
+ - ID: SSO Access Token Retrieved
+ Matches:
+ p_udm.user.id:
+ igor.stravinsky:
+ - 2
\ No newline at end of file
From a39d69c29b8cafc5075255cd923d6b1e73ea1018 Mon Sep 17 00:00:00 2001 
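Review bot: The `Description` of aws_sso_access_token_retrieved_by_unauthenticated_ip.yml is the referenced blog post's own prose ("In this post, we demonstrate…"), so it reads as the author's write-up rather than a statement of what this rule detects; replace it with one or two sentences in the rule's voice, e.g. `An AWS SSO access token was retrieved from a source IP that did not first complete the CLI sign-in prompt, a pattern consistent with device-code phishing.`, and leave the article under `Reference`. The transition matches `On: sourceIPAddress`, yet both `Tests` entries key their `Matches` on `p_udm.user.id: igor.stravinsky`, copied from the Okta rule; unless the test harness ignores the match key, the fixtures never exercise the IP join the rule actually uses, so they should be keyed on `sourceIPAddress` with an IP-shaped value. The file also lacks a trailing newline (`\ No newline at end of file`).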
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Tue, 17 Sep 2024 00:54:29 +0300 Subject: [PATCH 8/8] Wiz audit rules (#1323) * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos Co-authored-by: egibs Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * sample_logs * Wiz Audit rules (without Mitre mappings, Severities and Runbooks) * Wiz Audit rules (updated Mitre mappings, Severities and Runbooks) * Validate on PR approval (#1354) * more correlation rules from AWS re:inforce (#1289) * more correlation rules from AWS re:inforce * unit tests * MITRE ATT&CK and severity * packs * pipfile update * update * pipfile * fix upload --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: Panos Sakkos Co-authored-by: egibs Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Evan Gibler Co-authored-by: Ariel Ropek --- Pipfile | 2 +- Pipfile.lock | 845 +++++++++--------- ..._token_retrieved_by_unauthenticated_ip.yml | 12 +- global_helpers/panther_wiz_helpers.py | 15 + global_helpers/panther_wiz_helpers.yml | 5 + packs/github.yml | 1 + packs/wiz.yml | 17 + ...wiz_cicd_scan_policy_updated_or_deleted.py | 24 + ...iz_cicd_scan_policy_updated_or_deleted.yml | 92 ++ .../wiz_connector_updated_or_deleted.py | 24 + .../wiz_connector_updated_or_deleted.yml | 96 ++ 
.../wiz_data_classifier_updated_or_deleted.py | 24 + ...wiz_data_classifier_updated_or_deleted.yml | 98 ++ ..._integrity_validator_updated_or_deleted.py | 24 + ...integrity_validator_updated_or_deleted.yml | 97 ++ .../wiz_integration_updated_or_deleted.py | 24 + .../wiz_integration_updated_or_deleted.yml | 96 ++ rules/wiz_rules/wiz_revoke_user_sessions.py | 22 + rules/wiz_rules/wiz_revoke_user_sessions.yml | 96 ++ .../wiz_rotate_service_account_secret.py | 22 + .../wiz_rotate_service_account_secret.yml | 113 +++ rules/wiz_rules/wiz_rule_change.py | 47 + rules/wiz_rules/wiz_rule_change.yml | 97 ++ .../wiz_saml_identity_provider_change.py | 29 + .../wiz_saml_identity_provider_change.yml | 95 ++ rules/wiz_rules/wiz_service_account_change.py | 28 + .../wiz_rules/wiz_service_account_change.yml | 98 ++ rules/wiz_rules/wiz_update_ip_restrictions.py | 22 + .../wiz_rules/wiz_update_ip_restrictions.yml | 105 +++ rules/wiz_rules/wiz_update_login_settings.py | 22 + rules/wiz_rules/wiz_update_login_settings.yml | 105 +++ .../wiz_rules/wiz_update_scanner_settings.py | 22 + .../wiz_rules/wiz_update_scanner_settings.yml | 114 +++ .../wiz_update_support_contact_list.py | 22 + .../wiz_update_support_contact_list.yml | 110 +++ .../wiz_rules/wiz_user_created_or_deleted.py | 24 + .../wiz_rules/wiz_user_created_or_deleted.yml | 98 ++ .../wiz_user_role_updated_or_deleted.py | 31 + .../wiz_user_role_updated_or_deleted.yml | 96 ++ 39 files changed, 2494 insertions(+), 420 deletions(-) create mode 100644 global_helpers/panther_wiz_helpers.py create mode 100644 global_helpers/panther_wiz_helpers.yml create mode 100644 rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py create mode 100644 rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_connector_updated_or_deleted.py create mode 100644 rules/wiz_rules/wiz_connector_updated_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py create mode 100644 
rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py create mode 100644 rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_integration_updated_or_deleted.py create mode 100644 rules/wiz_rules/wiz_integration_updated_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_revoke_user_sessions.py create mode 100644 rules/wiz_rules/wiz_revoke_user_sessions.yml create mode 100644 rules/wiz_rules/wiz_rotate_service_account_secret.py create mode 100644 rules/wiz_rules/wiz_rotate_service_account_secret.yml create mode 100644 rules/wiz_rules/wiz_rule_change.py create mode 100644 rules/wiz_rules/wiz_rule_change.yml create mode 100644 rules/wiz_rules/wiz_saml_identity_provider_change.py create mode 100644 rules/wiz_rules/wiz_saml_identity_provider_change.yml create mode 100644 rules/wiz_rules/wiz_service_account_change.py create mode 100644 rules/wiz_rules/wiz_service_account_change.yml create mode 100644 rules/wiz_rules/wiz_update_ip_restrictions.py create mode 100644 rules/wiz_rules/wiz_update_ip_restrictions.yml create mode 100644 rules/wiz_rules/wiz_update_login_settings.py create mode 100644 rules/wiz_rules/wiz_update_login_settings.yml create mode 100644 rules/wiz_rules/wiz_update_scanner_settings.py create mode 100644 rules/wiz_rules/wiz_update_scanner_settings.yml create mode 100644 rules/wiz_rules/wiz_update_support_contact_list.py create mode 100644 rules/wiz_rules/wiz_update_support_contact_list.yml create mode 100644 rules/wiz_rules/wiz_user_created_or_deleted.py create mode 100644 rules/wiz_rules/wiz_user_created_or_deleted.yml create mode 100644 rules/wiz_rules/wiz_user_role_updated_or_deleted.py create mode 100644 rules/wiz_rules/wiz_user_role_updated_or_deleted.yml diff --git a/Pipfile b/Pipfile index d6724ed71..ad90510e5 100644 --- a/Pipfile +++ b/Pipfile 
@@ -19,7 +19,7 @@ wrapt = "~=1.15" [packages] policyuniverse = "==1.5.1.20230817" requests = "==2.31.0" -panther-analysis-tool = "~=0.52.1" +panther-analysis-tool = "~=0.52.2" panther-detection-helpers = "==0.4.0" [requires] diff --git a/Pipfile.lock b/Pipfile.lock index e5710a507..ee193312b 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "2d6cb439cae8e43dfd78b3fafd7deaae66532baa23cb71f55f844946ac8c3bd4" + "sha256": "026afcb94cce204a0503a31f2038233be9ca4d5dd9a527ac293d76b8085df102" }, "pipfile-spec": 6, "requires": { @@ -162,27 +162,27 @@ }, "boto3": { "hashes": [ - "sha256:b41deed9ca7e0a619510a22e256e3e38b5f532624b4aff8964a1e870877b37bc", - "sha256:c35c560ef0cb0f133b6104bc374d60eeb7cb69c1d5d7907e4305a285d162bef0" + "sha256:47e89d95964f10beee21ee723c3290874fddf364269bd97d200e8bfa9bf93a06", + "sha256:aaddbeb8c37608492f2c8286d004101464833d4c6e49af44601502b8b18785ed" ], "markers": "python_version >= '3.8'", - "version": "==1.35.6" + "version": "==1.35.20" }, "botocore": { "hashes": [ - "sha256:8378c6cfef2dee15eb7b3ebbb55ba9c1de959f231292039b81eb35b72c50ad59", - "sha256:93ef31b80b05758db4dd67e010348a05b9ff43f82839629b7ac334f2a454996e" + "sha256:62412038f960691a299e60492f9ee7e8e75af563f2eca7f3640b3b54b8f5d236", + "sha256:82ad8a73fcd5852d127461c8dadbe40bf679f760a4efb0dde8d4d269ad3f126f" ], "markers": "python_version >= '3.8'", - "version": "==1.35.6" + "version": "==1.35.20" }, "certifi": { "hashes": [ - "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", - "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" + "sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8", + "sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9" ], "markers": "python_version >= '3.6'", - "version": "==2024.7.4" + "version": "==2024.8.30" }, "chardet": { "hashes": [ 
@@ -314,11 +314,11 @@ }, "diff-cover": { "hashes": [ - "sha256:2d520d6c4f41674c7e3010ce5e0f637bd2fab4dc2f8e3e174ad39e0364318310", - "sha256:b5ed20955b3ebdee94476e429cfd9f1324e1c19a04c4aae32a893b11c3673f1e" + "sha256:1e24edc51c39e810c47dd9986e76c333ed95859655c091f572e590c39cabbdbe", + "sha256:85a0b353ebbb678f9e87ea303f75b545bd0baca38f563219bb72f2ae862bba36" ], "markers": "python_full_version >= '3.8.10' and python_full_version < '4.0.0'", - "version": "==9.1.1" + "version": "==9.2.0" }, "dynaconf": { "hashes": [ @@ -420,19 +420,19 @@ }, "graphql-core": { "hashes": [ - "sha256:06d2aad0ac723e35b1cb47885d3e5c45e956a53bc1b209a9fc5369007fe46676", - "sha256:5766780452bd5ec8ba133f8bf287dc92713e3868ddd83aee4faab9fc3e303dc3" + "sha256:1604f2042edc5f3114f49cac9d77e25863be51b23a54a61a23245cf32f6476f0", + "sha256:acbe2e800980d0e39b4685dd058c2f4042660b89ebca38af83020fd872ff1264" ], "markers": "python_version >= '3.6' and python_version < '4'", - "version": "==3.2.3" + "version": "==3.2.4" }, "idna": { "hashes": [ - "sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac", - "sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603" + "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", + "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3" ], "markers": "python_version >= '3.6'", - "version": "==3.8" + "version": "==3.10" }, "iniconfig": { "hashes": [ 
@@ -557,99 +557,101 @@ }, "multidict": { "hashes": [ - "sha256:01265f5e40f5a17f8241d52656ed27192be03bfa8764d88e8220141d1e4b3556", - "sha256:0275e35209c27a3f7951e1ce7aaf93ce0d163b28948444bec61dd7badc6d3f8c", - "sha256:04bde7a7b3de05732a4eb39c94574db1ec99abb56162d6c520ad26f83267de29", - "sha256:04da1bb8c8dbadf2a18a452639771951c662c5ad03aefe4884775454be322c9b", - "sha256:09a892e4a9fb47331da06948690ae38eaa2426de97b4ccbfafbdcbe5c8f37ff8", - "sha256:0d63c74e3d7ab26de115c49bffc92cc77ed23395303d496eae515d4204a625e7", - "sha256:107c0cdefe028703fb5dafe640a409cb146d44a6ae201e55b35a4af8e95457dd", - "sha256:141b43360bfd3bdd75f15ed811850763555a251e38b2405967f8e25fb43f7d40", - "sha256:14c2976aa9038c2629efa2c148022ed5eb4cb939e15ec7aace7ca932f48f9ba6", - "sha256:19fe01cea168585ba0f678cad6f58133db2aa14eccaf22f88e4a6dccadfad8b3", - "sha256:1d147090048129ce3c453f0292e7697d333db95e52616b3793922945804a433c", - "sha256:1d9ea7a7e779d7a3561aade7d596649fbecfa5c08a7674b11b423783217933f9", - "sha256:215ed703caf15f578dca76ee6f6b21b7603791ae090fbf1ef9d865571039ade5", - "sha256:21fd81c4ebdb4f214161be351eb5bcf385426bf023041da2fd9e60681f3cebae", - "sha256:220dd781e3f7af2c2c1053da9fa96d9cf3072ca58f057f4c5adaaa1cab8fc442", - "sha256:228b644ae063c10e7f324ab1ab6b548bdf6f8b47f3ec234fef1093bc2735e5f9", - "sha256:29bfeb0dff5cb5fdab2023a7a9947b3b4af63e9c47cae2a10ad58394b517fddc", - "sha256:2f4848aa3baa109e6ab81fe2006c77ed4d3cd1e0ac2c1fbddb7b1277c168788c", - "sha256:2faa5ae9376faba05f630d7e5e6be05be22913782b927b19d12b8145968a85ea", - "sha256:2ffc42c922dbfddb4a4c3b438eb056828719f07608af27d163191cb3e3aa6cc5", - "sha256:37b15024f864916b4951adb95d3a80c9431299080341ab9544ed148091b53f50", - "sha256:3cc2ad10255f903656017363cd59436f2111443a76f996584d1077e43ee51182", - "sha256:3d25f19500588cbc47dc19081d78131c32637c25804df8414463ec908631e453", - "sha256:403c0911cd5d5791605808b942c88a8155c2592e05332d2bf78f18697a5fa15e", - "sha256:411bf8515f3be9813d06004cac41ccf7d1cd46dfe233705933dd163b60e37600", - 
"sha256:425bf820055005bfc8aa9a0b99ccb52cc2f4070153e34b701acc98d201693733", - "sha256:435a0984199d81ca178b9ae2c26ec3d49692d20ee29bc4c11a2a8d4514c67eda", - "sha256:4a6a4f196f08c58c59e0b8ef8ec441d12aee4125a7d4f4fef000ccb22f8d7241", - "sha256:4cc0ef8b962ac7a5e62b9e826bd0cd5040e7d401bc45a6835910ed699037a461", - "sha256:51d035609b86722963404f711db441cf7134f1889107fb171a970c9701f92e1e", - "sha256:53689bb4e102200a4fafa9de9c7c3c212ab40a7ab2c8e474491914d2305f187e", - "sha256:55205d03e8a598cfc688c71ca8ea5f66447164efff8869517f175ea632c7cb7b", - "sha256:5c0631926c4f58e9a5ccce555ad7747d9a9f8b10619621f22f9635f069f6233e", - "sha256:5cb241881eefd96b46f89b1a056187ea8e9ba14ab88ba632e68d7a2ecb7aadf7", - "sha256:60d698e8179a42ec85172d12f50b1668254628425a6bd611aba022257cac1386", - "sha256:612d1156111ae11d14afaf3a0669ebf6c170dbb735e510a7438ffe2369a847fd", - "sha256:6214c5a5571802c33f80e6c84713b2c79e024995b9c5897f794b43e714daeec9", - "sha256:6939c95381e003f54cd4c5516740faba40cf5ad3eeff460c3ad1d3e0ea2549bf", - "sha256:69db76c09796b313331bb7048229e3bee7928eb62bab5e071e9f7fcc4879caee", - "sha256:6bf7a982604375a8d49b6cc1b781c1747f243d91b81035a9b43a2126c04766f5", - "sha256:766c8f7511df26d9f11cd3a8be623e59cca73d44643abab3f8c8c07620524e4a", - "sha256:76c0de87358b192de7ea9649beb392f107dcad9ad27276324c24c91774ca5271", - "sha256:76f067f5121dcecf0d63a67f29080b26c43c71a98b10c701b0677e4a065fbd54", - "sha256:7901c05ead4b3fb75113fb1dd33eb1253c6d3ee37ce93305acd9d38e0b5f21a4", - "sha256:79660376075cfd4b2c80f295528aa6beb2058fd289f4c9252f986751a4cd0496", - "sha256:79a6d2ba910adb2cbafc95dad936f8b9386e77c84c35bc0add315b856d7c3abb", - "sha256:7afcdd1fc07befad18ec4523a782cde4e93e0a2bf71239894b8d61ee578c1319", - "sha256:7be7047bd08accdb7487737631d25735c9a04327911de89ff1b26b81745bd4e3", - "sha256:7c6390cf87ff6234643428991b7359b5f59cc15155695deb4eda5c777d2b880f", - "sha256:7df704ca8cf4a073334e0427ae2345323613e4df18cc224f647f251e5e75a527", - "sha256:85f67aed7bb647f93e7520633d8f51d3cbc6ab96957c71272b286b2f30dc70ed", 
- "sha256:896ebdcf62683551312c30e20614305f53125750803b614e9e6ce74a96232604", - "sha256:92d16a3e275e38293623ebf639c471d3e03bb20b8ebb845237e0d3664914caef", - "sha256:99f60d34c048c5c2fabc766108c103612344c46e35d4ed9ae0673d33c8fb26e8", - "sha256:9fe7b0653ba3d9d65cbe7698cca585bf0f8c83dbbcc710db9c90f478e175f2d5", - "sha256:a3145cb08d8625b2d3fee1b2d596a8766352979c9bffe5d7833e0503d0f0b5e5", - "sha256:aeaf541ddbad8311a87dd695ed9642401131ea39ad7bc8cf3ef3967fd093b626", - "sha256:b55358304d7a73d7bdf5de62494aaf70bd33015831ffd98bc498b433dfe5b10c", - "sha256:b82cc8ace10ab5bd93235dfaab2021c70637005e1ac787031f4d1da63d493c1d", - "sha256:c0868d64af83169e4d4152ec612637a543f7a336e4a307b119e98042e852ad9c", - "sha256:c1c1496e73051918fcd4f58ff2e0f2f3066d1c76a0c6aeffd9b45d53243702cc", - "sha256:c9bf56195c6bbd293340ea82eafd0071cb3d450c703d2c93afb89f93b8386ccc", - "sha256:cbebcd5bcaf1eaf302617c114aa67569dd3f090dd0ce8ba9e35e9985b41ac35b", - "sha256:cd6c8fca38178e12c00418de737aef1261576bd1b6e8c6134d3e729a4e858b38", - "sha256:ceb3b7e6a0135e092de86110c5a74e46bda4bd4fbfeeb3a3bcec79c0f861e450", - "sha256:cf590b134eb70629e350691ecca88eac3e3b8b3c86992042fb82e3cb1830d5e1", - "sha256:d3eb1ceec286eba8220c26f3b0096cf189aea7057b6e7b7a2e60ed36b373b77f", - "sha256:d65f25da8e248202bd47445cec78e0025c0fe7582b23ec69c3b27a640dd7a8e3", - "sha256:d6f6d4f185481c9669b9447bf9d9cf3b95a0e9df9d169bbc17e363b7d5487755", - "sha256:d84a5c3a5f7ce6db1f999fb9438f686bc2e09d38143f2d93d8406ed2dd6b9226", - "sha256:d946b0a9eb8aaa590df1fe082cee553ceab173e6cb5b03239716338629c50c7a", - "sha256:dce1c6912ab9ff5f179eaf6efe7365c1f425ed690b03341911bf4939ef2f3046", - "sha256:de170c7b4fe6859beb8926e84f7d7d6c693dfe8e27372ce3b76f01c46e489fcf", - "sha256:e02021f87a5b6932fa6ce916ca004c4d441509d33bbdbeca70d05dff5e9d2479", - "sha256:e030047e85cbcedbfc073f71836d62dd5dadfbe7531cae27789ff66bc551bd5e", - "sha256:e0e79d91e71b9867c73323a3444724d496c037e578a0e1755ae159ba14f4f3d1", - 
"sha256:e4428b29611e989719874670fd152b6625500ad6c686d464e99f5aaeeaca175a", - "sha256:e4972624066095e52b569e02b5ca97dbd7a7ddd4294bf4e7247d52635630dd83", - "sha256:e7be68734bd8c9a513f2b0cfd508802d6609da068f40dc57d4e3494cefc92929", - "sha256:e8e94e6912639a02ce173341ff62cc1201232ab86b8a8fcc05572741a5dc7d93", - "sha256:ea1456df2a27c73ce51120fa2f519f1bea2f4a03a917f4a43c8707cf4cbbae1a", - "sha256:ebd8d160f91a764652d3e51ce0d2956b38efe37c9231cd82cfc0bed2e40b581c", - "sha256:eca2e9d0cc5a889850e9bbd68e98314ada174ff6ccd1129500103df7a94a7a44", - "sha256:edd08e6f2f1a390bf137080507e44ccc086353c8e98c657e666c017718561b89", - "sha256:f285e862d2f153a70586579c15c44656f888806ed0e5b56b64489afe4a2dbfba", - "sha256:f2a1dee728b52b33eebff5072817176c172050d44d67befd681609b4746e1c2e", - "sha256:f7e301075edaf50500f0b341543c41194d8df3ae5caf4702f2095f3ca73dd8da", - "sha256:fb616be3538599e797a2017cccca78e354c767165e8858ab5116813146041a24", - "sha256:fce28b3c8a81b6b36dfac9feb1de115bab619b3c13905b419ec71d03a3fc1423", - "sha256:fe5d7785250541f7f5019ab9cba2c71169dc7d74d0f45253f8313f436458a4ef" + "sha256:052e10d2d37810b99cc170b785945421141bf7bb7d2f8799d431e7db229c385f", + "sha256:06809f4f0f7ab7ea2cabf9caca7d79c22c0758b58a71f9d32943ae13c7ace056", + "sha256:071120490b47aa997cca00666923a83f02c7fbb44f71cf7f136df753f7fa8761", + "sha256:0c3f390dc53279cbc8ba976e5f8035eab997829066756d811616b652b00a23a3", + "sha256:0e2b90b43e696f25c62656389d32236e049568b39320e2735d51f08fd362761b", + "sha256:0e5f362e895bc5b9e67fe6e4ded2492d8124bdf817827f33c5b46c2fe3ffaca6", + "sha256:10524ebd769727ac77ef2278390fb0068d83f3acb7773792a5080f2b0abf7748", + "sha256:10a9b09aba0c5b48c53761b7c720aaaf7cf236d5fe394cd399c7ba662d5f9966", + "sha256:16e5f4bf4e603eb1fdd5d8180f1a25f30056f22e55ce51fb3d6ad4ab29f7d96f", + "sha256:188215fc0aafb8e03341995e7c4797860181562380f81ed0a87ff455b70bf1f1", + "sha256:189f652a87e876098bbc67b4da1049afb5f5dfbaa310dd67c594b01c10388db6", + "sha256:1ca0083e80e791cffc6efce7660ad24af66c8d4079d2a750b29001b53ff59ada", 
+ "sha256:1e16bf3e5fc9f44632affb159d30a437bfe286ce9e02754759be5536b169b305", + "sha256:2090f6a85cafc5b2db085124d752757c9d251548cedabe9bd31afe6363e0aff2", + "sha256:20b9b5fbe0b88d0bdef2012ef7dee867f874b72528cf1d08f1d59b0e3850129d", + "sha256:22ae2ebf9b0c69d206c003e2f6a914ea33f0a932d4aa16f236afc049d9958f4a", + "sha256:22f3105d4fb15c8f57ff3959a58fcab6ce36814486500cd7485651230ad4d4ef", + "sha256:23bfd518810af7de1116313ebd9092cb9aa629beb12f6ed631ad53356ed6b86c", + "sha256:27e5fc84ccef8dfaabb09d82b7d179c7cf1a3fbc8a966f8274fcb4ab2eb4cadb", + "sha256:3380252550e372e8511d49481bd836264c009adb826b23fefcc5dd3c69692f60", + "sha256:3702ea6872c5a2a4eeefa6ffd36b042e9773f05b1f37ae3ef7264b1163c2dcf6", + "sha256:37bb93b2178e02b7b618893990941900fd25b6b9ac0fa49931a40aecdf083fe4", + "sha256:3914f5aaa0f36d5d60e8ece6a308ee1c9784cd75ec8151062614657a114c4478", + "sha256:3a37ffb35399029b45c6cc33640a92bef403c9fd388acce75cdc88f58bd19a81", + "sha256:3c8b88a2ccf5493b6c8da9076fb151ba106960a2df90c2633f342f120751a9e7", + "sha256:3e97b5e938051226dc025ec80980c285b053ffb1e25a3db2a3aa3bc046bf7f56", + "sha256:3ec660d19bbc671e3a6443325f07263be452c453ac9e512f5eb935e7d4ac28b3", + "sha256:3efe2c2cb5763f2f1b275ad2bf7a287d3f7ebbef35648a9726e3b69284a4f3d6", + "sha256:483a6aea59cb89904e1ceabd2b47368b5600fb7de78a6e4a2c2987b2d256cf30", + "sha256:4867cafcbc6585e4b678876c489b9273b13e9fff9f6d6d66add5e15d11d926cb", + "sha256:48e171e52d1c4d33888e529b999e5900356b9ae588c2f09a52dcefb158b27506", + "sha256:4a9cb68166a34117d6646c0023c7b759bf197bee5ad4272f420a0141d7eb03a0", + "sha256:4b820514bfc0b98a30e3d85462084779900347e4d49267f747ff54060cc33925", + "sha256:4e18b656c5e844539d506a0a06432274d7bd52a7487e6828c63a63d69185626c", + "sha256:4e9f48f58c2c523d5a06faea47866cd35b32655c46b443f163d08c6d0ddb17d6", + "sha256:50b3a2710631848991d0bf7de077502e8994c804bb805aeb2925a981de58ec2e", + "sha256:55b6d90641869892caa9ca42ff913f7ff1c5ece06474fbd32fb2cf6834726c95", + 
"sha256:57feec87371dbb3520da6192213c7d6fc892d5589a93db548331954de8248fd2", + "sha256:58130ecf8f7b8112cdb841486404f1282b9c86ccb30d3519faf301b2e5659133", + "sha256:5845c1fd4866bb5dd3125d89b90e57ed3138241540897de748cdf19de8a2fca2", + "sha256:59bfeae4b25ec05b34f1956eaa1cb38032282cd4dfabc5056d0a1ec4d696d3aa", + "sha256:5b48204e8d955c47c55b72779802b219a39acc3ee3d0116d5080c388970b76e3", + "sha256:5c09fcfdccdd0b57867577b719c69e347a436b86cd83747f179dbf0cc0d4c1f3", + "sha256:6180c0ae073bddeb5a97a38c03f30c233e0a4d39cd86166251617d1bbd0af436", + "sha256:682b987361e5fd7a139ed565e30d81fd81e9629acc7d925a205366877d8c8657", + "sha256:6b5d83030255983181005e6cfbac1617ce9746b219bc2aad52201ad121226581", + "sha256:6bb5992037f7a9eff7991ebe4273ea7f51f1c1c511e6a2ce511d0e7bdb754492", + "sha256:73eae06aa53af2ea5270cc066dcaf02cc60d2994bbb2c4ef5764949257d10f43", + "sha256:76f364861c3bfc98cbbcbd402d83454ed9e01a5224bb3a28bf70002a230f73e2", + "sha256:820c661588bd01a0aa62a1283f20d2be4281b086f80dad9e955e690c75fb54a2", + "sha256:82176036e65644a6cc5bd619f65f6f19781e8ec2e5330f51aa9ada7504cc1926", + "sha256:87701f25a2352e5bf7454caa64757642734da9f6b11384c1f9d1a8e699758057", + "sha256:9079dfc6a70abe341f521f78405b8949f96db48da98aeb43f9907f342f627cdc", + "sha256:90f8717cb649eea3504091e640a1b8568faad18bd4b9fcd692853a04475a4b80", + "sha256:957cf8e4b6e123a9eea554fa7ebc85674674b713551de587eb318a2df3e00255", + "sha256:99f826cbf970077383d7de805c0681799491cb939c25450b9b5b3ced03ca99f1", + "sha256:9f636b730f7e8cb19feb87094949ba54ee5357440b9658b2a32a5ce4bce53972", + "sha256:a114d03b938376557927ab23f1e950827c3b893ccb94b62fd95d430fd0e5cf53", + "sha256:a185f876e69897a6f3325c3f19f26a297fa058c5e456bfcff8015e9a27e83ae1", + "sha256:a7a9541cd308eed5e30318430a9c74d2132e9a8cb46b901326272d780bf2d423", + "sha256:aa466da5b15ccea564bdab9c89175c762bc12825f4659c11227f515cee76fa4a", + "sha256:aaed8b0562be4a0876ee3b6946f6869b7bcdb571a5d1496683505944e268b160", + "sha256:ab7c4ceb38d91570a650dba194e1ca87c2b543488fe9309b4212694174fd539c", 
+ "sha256:ac10f4c2b9e770c4e393876e35a7046879d195cd123b4f116d299d442b335bcd", + "sha256:b04772ed465fa3cc947db808fa306d79b43e896beb677a56fb2347ca1a49c1fa", + "sha256:b1c416351ee6271b2f49b56ad7f308072f6f44b37118d69c2cad94f3fa8a40d5", + "sha256:b225d95519a5bf73860323e633a664b0d85ad3d5bede6d30d95b35d4dfe8805b", + "sha256:b2f59caeaf7632cc633b5cf6fc449372b83bbdf0da4ae04d5be36118e46cc0aa", + "sha256:b58c621844d55e71c1b7f7c498ce5aa6985d743a1a59034c57a905b3f153c1ef", + "sha256:bf6bea52ec97e95560af5ae576bdac3aa3aae0b6758c6efa115236d9e07dae44", + "sha256:c08be4f460903e5a9d0f76818db3250f12e9c344e79314d1d570fc69d7f4eae4", + "sha256:c7053d3b0353a8b9de430a4f4b4268ac9a4fb3481af37dfe49825bf45ca24156", + "sha256:c943a53e9186688b45b323602298ab727d8865d8c9ee0b17f8d62d14b56f0753", + "sha256:ce2186a7df133a9c895dea3331ddc5ddad42cdd0d1ea2f0a51e5d161e4762f28", + "sha256:d093be959277cb7dee84b801eb1af388b6ad3ca6a6b6bf1ed7585895789d027d", + "sha256:d094ddec350a2fb899fec68d8353c78233debde9b7d8b4beeafa70825f1c281a", + "sha256:d1a9dd711d0877a1ece3d2e4fea11a8e75741ca21954c919406b44e7cf971304", + "sha256:d569388c381b24671589335a3be6e1d45546c2988c2ebe30fdcada8457a31008", + "sha256:d618649d4e70ac6efcbba75be98b26ef5078faad23592f9b51ca492953012429", + "sha256:d83a047959d38a7ff552ff94be767b7fd79b831ad1cd9920662db05fec24fe72", + "sha256:d8fff389528cad1618fb4b26b95550327495462cd745d879a8c7c2115248e399", + "sha256:da1758c76f50c39a2efd5e9859ce7d776317eb1dd34317c8152ac9251fc574a3", + "sha256:db7457bac39421addd0c8449933ac32d8042aae84a14911a757ae6ca3eef1392", + "sha256:e27bbb6d14416713a8bd7aaa1313c0fc8d44ee48d74497a0ff4c3a1b6ccb5167", + "sha256:e617fb6b0b6953fffd762669610c1c4ffd05632c138d61ac7e14ad187870669c", + "sha256:e9aa71e15d9d9beaad2c6b9319edcdc0a49a43ef5c0a4c8265ca9ee7d6c67774", + "sha256:ec2abea24d98246b94913b76a125e855eb5c434f7c46546046372fe60f666351", + "sha256:f179dee3b863ab1c59580ff60f9d99f632f34ccb38bf67a33ec6b3ecadd0fd76", + 
"sha256:f4c035da3f544b1882bac24115f3e2e8760f10a0107614fc9839fd232200b875", + "sha256:f67f217af4b1ff66c68a87318012de788dd95fcfeb24cc889011f4e1c7454dfd", + "sha256:f90c822a402cb865e396a504f9fc8173ef34212a342d92e362ca498cad308e28", + "sha256:ff3827aef427c89a25cc96ded1759271a93603aba9fb977a6d264648ebf989db" ], - "markers": "python_version >= '3.7'", - "version": "==6.0.5" + "markers": "python_version >= '3.8'", + "version": "==6.1.0" }, "nested-lookup": { "hashes": [ @@ -667,16 +669,16 @@ }, "panther-analysis-tool": { "hashes": [ - "sha256:52a20800f5313e3493cf82cc7681e586f8c3589edf1083352696875faba9c5e8" + "sha256:f240d3ce5928603659ee84397627f3d79c6af58adb49de68362d22050c3d7942" ], "index": "pypi", - "version": "==0.52.1" + "version": "==0.52.2" }, "panther-core": { "hashes": [ - "sha256:41acf19a0a90fcbcb4f932a5e780162f9072e50717eec1fd1e1e36b93b1dcfc2" + "sha256:1856638d21d7f6b5d800da7b213afe3b145e1aab3bf0668e7cd82eaef0230a51" ], - "version": "==0.11.1" + "version": "==0.11.2" }, "panther-detection-helpers": { "hashes": [ @@ -727,11 +729,11 @@ }, "pytest": { "hashes": [ - "sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5", - "sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce" + "sha256:70b98107bd648308a7952b06e6ca9a50bc660be218d53c257cc1fc94fda10181", + "sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2" ], "markers": "python_version >= '3.8'", - "version": "==8.3.2" + "version": "==8.3.3" }, "python-dateutil": { "hashes": [ 
@@ -810,88 +812,103 @@ }, "regex": { "hashes": [ - "sha256:01b689e887f612610c869421241e075c02f2e3d1ae93a037cb14f88ab6a8934c", - "sha256:04ce29e2c5fedf296b1a1b0acc1724ba93a36fb14031f3abfb7abda2806c1535", - "sha256:0ffe3f9d430cd37d8fa5632ff6fb36d5b24818c5c986893063b4e5bdb84cdf24", - "sha256:18300a1d78cf1290fa583cd8b7cde26ecb73e9f5916690cf9d42de569c89b1ce", - "sha256:185e029368d6f89f36e526764cf12bf8d6f0e3a2a7737da625a76f594bdfcbfc", - "sha256:19c65b00d42804e3fbea9708f0937d157e53429a39b7c61253ff15670ff62cb5", - "sha256:228b0d3f567fafa0633aee87f08b9276c7062da9616931382993c03808bb68ce", - "sha256:23acc72f0f4e1a9e6e9843d6328177ae3074b4182167e34119ec7233dfeccf53", - "sha256:25419b70ba00a16abc90ee5fce061228206173231f004437730b67ac77323f0d", - "sha256:2dfbb8baf8ba2c2b9aa2807f44ed272f0913eeeba002478c4577b8d29cde215c", - "sha256:2f1baff13cc2521bea83ab2528e7a80cbe0ebb2c6f0bfad15be7da3aed443908", - "sha256:33e2614a7ce627f0cdf2ad104797d1f68342d967de3695678c0cb84f530709f8", - "sha256:3426de3b91d1bc73249042742f45c2148803c111d1175b283270177fdf669024", - "sha256:382281306e3adaaa7b8b9ebbb3ffb43358a7bbf585fa93821300a418bb975281", - "sha256:3d974d24edb231446f708c455fd08f94c41c1ff4f04bcf06e5f36df5ef50b95a", - "sha256:3f3b6ca8eae6d6c75a6cff525c8530c60e909a71a15e1b731723233331de4169", - "sha256:3fac296f99283ac232d8125be932c5cd7644084a30748fda013028c815ba3364", - "sha256:416c0e4f56308f34cdb18c3f59849479dde5b19febdcd6e6fa4d04b6c31c9faa", - "sha256:438d9f0f4bc64e8dea78274caa5af971ceff0f8771e1a2333620969936ba10be", - "sha256:43affe33137fcd679bdae93fb25924979517e011f9dea99163f80b82eadc7e53", - "sha256:44fc61b99035fd9b3b9453f1713234e5a7c92a04f3577252b45feefe1b327759", - "sha256:45104baae8b9f67569f0f1dca5e1f1ed77a54ae1cd8b0b07aba89272710db61e", - "sha256:4fdd1384619f406ad9037fe6b6eaa3de2749e2e12084abc80169e8e075377d3b", - "sha256:538d30cd96ed7d1416d3956f94d54e426a8daf7c14527f6e0d6d425fcb4cca52", - "sha256:558a57cfc32adcf19d3f791f62b5ff564922942e389e3cfdb538a23d65a6b610", - 
"sha256:5eefee9bfe23f6df09ffb6dfb23809f4d74a78acef004aa904dc7c88b9944b05", - "sha256:64bd50cf16bcc54b274e20235bf8edbb64184a30e1e53873ff8d444e7ac656b2", - "sha256:65fd3d2e228cae024c411c5ccdffae4c315271eee4a8b839291f84f796b34eca", - "sha256:66b4c0731a5c81921e938dcf1a88e978264e26e6ac4ec96a4d21ae0354581ae0", - "sha256:68a8f8c046c6466ac61a36b65bb2395c74451df2ffb8458492ef49900efed293", - "sha256:6a1141a1dcc32904c47f6846b040275c6e5de0bf73f17d7a409035d55b76f289", - "sha256:6b9fc7e9cc983e75e2518496ba1afc524227c163e43d706688a6bb9eca41617e", - "sha256:6f51f9556785e5a203713f5efd9c085b4a45aecd2a42573e2b5041881b588d1f", - "sha256:7214477bf9bd195894cf24005b1e7b496f46833337b5dedb7b2a6e33f66d962c", - "sha256:731fcd76bbdbf225e2eb85b7c38da9633ad3073822f5ab32379381e8c3c12e94", - "sha256:74007a5b25b7a678459f06559504f1eec2f0f17bca218c9d56f6a0a12bfffdad", - "sha256:7a5486ca56c8869070a966321d5ab416ff0f83f30e0e2da1ab48815c8d165d46", - "sha256:7c479f5ae937ec9985ecaf42e2e10631551d909f203e31308c12d703922742f9", - "sha256:7df9ea48641da022c2a3c9c641650cd09f0cd15e8908bf931ad538f5ca7919c9", - "sha256:7e37e809b9303ec3a179085415cb5f418ecf65ec98cdfe34f6a078b46ef823ee", - "sha256:80c811cfcb5c331237d9bad3bea2c391114588cf4131707e84d9493064d267f9", - "sha256:836d3cc225b3e8a943d0b02633fb2f28a66e281290302a79df0e1eaa984ff7c1", - "sha256:84c312cdf839e8b579f504afcd7b65f35d60b6285d892b19adea16355e8343c9", - "sha256:86b17ba823ea76256b1885652e3a141a99a5c4422f4a869189db328321b73799", - "sha256:871e3ab2838fbcb4e0865a6e01233975df3a15e6fce93b6f99d75cacbd9862d1", - "sha256:88ecc3afd7e776967fa16c80f974cb79399ee8dc6c96423321d6f7d4b881c92b", - "sha256:8bc593dcce679206b60a538c302d03c29b18e3d862609317cb560e18b66d10cf", - "sha256:8fd5afd101dcf86a270d254364e0e8dddedebe6bd1ab9d5f732f274fa00499a5", - "sha256:945352286a541406f99b2655c973852da7911b3f4264e010218bbc1cc73168f2", - "sha256:973335b1624859cb0e52f96062a28aa18f3a5fc77a96e4a3d6d76e29811a0e6e", - "sha256:994448ee01864501912abf2bad9203bffc34158e80fe8bfb5b031f4f8e16da51", 
- "sha256:9cfd009eed1a46b27c14039ad5bbc5e71b6367c5b2e6d5f5da0ea91600817506", - "sha256:a2ec4419a3fe6cf8a4795752596dfe0adb4aea40d3683a132bae9c30b81e8d73", - "sha256:a4997716674d36a82eab3e86f8fa77080a5d8d96a389a61ea1d0e3a94a582cf7", - "sha256:a512eed9dfd4117110b1881ba9a59b31433caed0c4101b361f768e7bcbaf93c5", - "sha256:a82465ebbc9b1c5c50738536fdfa7cab639a261a99b469c9d4c7dcbb2b3f1e57", - "sha256:ae2757ace61bc4061b69af19e4689fa4416e1a04840f33b441034202b5cd02d4", - "sha256:b16582783f44fbca6fcf46f61347340c787d7530d88b4d590a397a47583f31dd", - "sha256:ba2537ef2163db9e6ccdbeb6f6424282ae4dea43177402152c67ef869cf3978b", - "sha256:bf7a89eef64b5455835f5ed30254ec19bf41f7541cd94f266ab7cbd463f00c41", - "sha256:c0abb5e4e8ce71a61d9446040c1e86d4e6d23f9097275c5bd49ed978755ff0fe", - "sha256:c414cbda77dbf13c3bc88b073a1a9f375c7b0cb5e115e15d4b73ec3a2fbc6f59", - "sha256:c51edc3541e11fbe83f0c4d9412ef6c79f664a3745fab261457e84465ec9d5a8", - "sha256:c5e69fd3eb0b409432b537fe3c6f44ac089c458ab6b78dcec14478422879ec5f", - "sha256:c918b7a1e26b4ab40409820ddccc5d49871a82329640f5005f73572d5eaa9b5e", - "sha256:c9bb87fdf2ab2370f21e4d5636e5317775e5d51ff32ebff2cf389f71b9b13750", - "sha256:ca5b2028c2f7af4e13fb9fc29b28d0ce767c38c7facdf64f6c2cd040413055f1", - "sha256:d0a07763776188b4db4c9c7fb1b8c494049f84659bb387b71c73bbc07f189e96", - "sha256:d33a0021893ede5969876052796165bab6006559ab845fd7b515a30abdd990dc", - "sha256:d55588cba7553f0b6ec33130bc3e114b355570b45785cebdc9daed8c637dd440", - "sha256:dac8e84fff5d27420f3c1e879ce9929108e873667ec87e0c8eeb413a5311adfe", - "sha256:eaef80eac3b4cfbdd6de53c6e108b4c534c21ae055d1dbea2de6b3b8ff3def38", - "sha256:eb462f0e346fcf41a901a126b50f8781e9a474d3927930f3490f38a6e73b6950", - "sha256:eb563dd3aea54c797adf513eeec819c4213d7dbfc311874eb4fd28d10f2ff0f2", - "sha256:f273674b445bcb6e4409bf8d1be67bc4b58e8b46fd0d560055d515b8830063cd", - "sha256:f6442f0f0ff81775eaa5b05af8a0ffa1dda36e9cf6ec1e0d3d245e8564b684ce", - 
"sha256:fb168b5924bef397b5ba13aabd8cf5df7d3d93f10218d7b925e360d436863f66", - "sha256:fbf8c2f00904eaf63ff37718eb13acf8e178cb940520e47b2f05027f5bb34ce3", - "sha256:fe4ebef608553aff8deb845c7f4f1d0740ff76fa672c011cc0bacb2a00fbde86" + "sha256:01c2acb51f8a7d6494c8c5eafe3d8e06d76563d8a8a4643b37e9b2dd8a2ff623", + "sha256:02087ea0a03b4af1ed6ebab2c54d7118127fee8d71b26398e8e4b05b78963199", + "sha256:040562757795eeea356394a7fb13076ad4f99d3c62ab0f8bdfb21f99a1f85664", + "sha256:042c55879cfeb21a8adacc84ea347721d3d83a159da6acdf1116859e2427c43f", + "sha256:079400a8269544b955ffa9e31f186f01d96829110a3bf79dc338e9910f794fca", + "sha256:07f45f287469039ffc2c53caf6803cd506eb5f5f637f1d4acb37a738f71dd066", + "sha256:09d77559e80dcc9d24570da3745ab859a9cf91953062e4ab126ba9d5993688ca", + "sha256:0cbff728659ce4bbf4c30b2a1be040faafaa9eca6ecde40aaff86f7889f4ab39", + "sha256:0e12c481ad92d129c78f13a2a3662317e46ee7ef96c94fd332e1c29131875b7d", + "sha256:0ea51dcc0835eea2ea31d66456210a4e01a076d820e9039b04ae8d17ac11dee6", + "sha256:0ffbcf9221e04502fc35e54d1ce9567541979c3fdfb93d2c554f0ca583a19b35", + "sha256:1494fa8725c285a81d01dc8c06b55287a1ee5e0e382d8413adc0a9197aac6408", + "sha256:16e13a7929791ac1216afde26f712802e3df7bf0360b32e4914dca3ab8baeea5", + "sha256:18406efb2f5a0e57e3a5881cd9354c1512d3bb4f5c45d96d110a66114d84d23a", + "sha256:18e707ce6c92d7282dfce370cd205098384b8ee21544e7cb29b8aab955b66fa9", + "sha256:220e92a30b426daf23bb67a7962900ed4613589bab80382be09b48896d211e92", + "sha256:23b30c62d0f16827f2ae9f2bb87619bc4fba2044911e2e6c2eb1af0161cdb766", + "sha256:23f9985c8784e544d53fc2930fc1ac1a7319f5d5332d228437acc9f418f2f168", + "sha256:297f54910247508e6e5cae669f2bc308985c60540a4edd1c77203ef19bfa63ca", + "sha256:2b08fce89fbd45664d3df6ad93e554b6c16933ffa9d55cb7e01182baaf971508", + "sha256:2cce2449e5927a0bf084d346da6cd5eb016b2beca10d0013ab50e3c226ffc0df", + "sha256:313ea15e5ff2a8cbbad96ccef6be638393041b0a7863183c2d31e0c6116688cf", + "sha256:323c1f04be6b2968944d730e5c2091c8c89767903ecaa135203eec4565ed2b2b", 
+ "sha256:35f4a6f96aa6cb3f2f7247027b07b15a374f0d5b912c0001418d1d55024d5cb4", + "sha256:3b37fa423beefa44919e009745ccbf353d8c981516e807995b2bd11c2c77d268", + "sha256:3ce4f1185db3fbde8ed8aa223fc9620f276c58de8b0d4f8cc86fd1360829edb6", + "sha256:46989629904bad940bbec2106528140a218b4a36bb3042d8406980be1941429c", + "sha256:4838e24ee015101d9f901988001038f7f0d90dc0c3b115541a1365fb439add62", + "sha256:49b0e06786ea663f933f3710a51e9385ce0cba0ea56b67107fd841a55d56a231", + "sha256:4db21ece84dfeefc5d8a3863f101995de646c6cb0536952c321a2650aa202c36", + "sha256:54c4a097b8bc5bb0dfc83ae498061d53ad7b5762e00f4adaa23bee22b012e6ba", + "sha256:54d9ff35d4515debf14bc27f1e3b38bfc453eff3220f5bce159642fa762fe5d4", + "sha256:55b96e7ce3a69a8449a66984c268062fbaa0d8ae437b285428e12797baefce7e", + "sha256:57fdd2e0b2694ce6fc2e5ccf189789c3e2962916fb38779d3e3521ff8fe7a822", + "sha256:587d4af3979376652010e400accc30404e6c16b7df574048ab1f581af82065e4", + "sha256:5b513b6997a0b2f10e4fd3a1313568e373926e8c252bd76c960f96fd039cd28d", + "sha256:5ddcd9a179c0a6fa8add279a4444015acddcd7f232a49071ae57fa6e278f1f71", + "sha256:6113c008a7780792efc80f9dfe10ba0cd043cbf8dc9a76ef757850f51b4edc50", + "sha256:635a1d96665f84b292e401c3d62775851aedc31d4f8784117b3c68c4fcd4118d", + "sha256:64ce2799bd75039b480cc0360907c4fb2f50022f030bf9e7a8705b636e408fad", + "sha256:69dee6a020693d12a3cf892aba4808fe168d2a4cef368eb9bf74f5398bfd4ee8", + "sha256:6a2644a93da36c784e546de579ec1806bfd2763ef47babc1b03d765fe560c9f8", + "sha256:6b41e1adc61fa347662b09398e31ad446afadff932a24807d3ceb955ed865cc8", + "sha256:6c188c307e8433bcb63dc1915022deb553b4203a70722fc542c363bf120a01fd", + "sha256:6edd623bae6a737f10ce853ea076f56f507fd7726bee96a41ee3d68d347e4d16", + "sha256:73d6d2f64f4d894c96626a75578b0bf7d9e56dcda8c3d037a2118fdfe9b1c664", + "sha256:7a22ccefd4db3f12b526eccb129390942fe874a3a9fdbdd24cf55773a1faab1a", + "sha256:7fb89ee5d106e4a7a51bce305ac4efb981536301895f7bdcf93ec92ae0d91c7f", + 
"sha256:846bc79ee753acf93aef4184c040d709940c9d001029ceb7b7a52747b80ed2dd", + "sha256:85ab7824093d8f10d44330fe1e6493f756f252d145323dd17ab6b48733ff6c0a", + "sha256:8dee5b4810a89447151999428fe096977346cf2f29f4d5e29609d2e19e0199c9", + "sha256:8e5fb5f77c8745a60105403a774fe2c1759b71d3e7b4ca237a5e67ad066c7199", + "sha256:98eeee2f2e63edae2181c886d7911ce502e1292794f4c5ee71e60e23e8d26b5d", + "sha256:9d4a76b96f398697fe01117093613166e6aa8195d63f1b4ec3f21ab637632963", + "sha256:9e8719792ca63c6b8340380352c24dcb8cd7ec49dae36e963742a275dfae6009", + "sha256:a0b2b80321c2ed3fcf0385ec9e51a12253c50f146fddb2abbb10f033fe3d049a", + "sha256:a4cc92bb6db56ab0c1cbd17294e14f5e9224f0cc6521167ef388332604e92679", + "sha256:a738b937d512b30bf75995c0159c0ddf9eec0775c9d72ac0202076c72f24aa96", + "sha256:a8f877c89719d759e52783f7fe6e1c67121076b87b40542966c02de5503ace42", + "sha256:a906ed5e47a0ce5f04b2c981af1c9acf9e8696066900bf03b9d7879a6f679fc8", + "sha256:ae2941333154baff9838e88aa71c1d84f4438189ecc6021a12c7573728b5838e", + "sha256:b0d0a6c64fcc4ef9c69bd5b3b3626cc3776520a1637d8abaa62b9edc147a58f7", + "sha256:b5b029322e6e7b94fff16cd120ab35a253236a5f99a79fb04fda7ae71ca20ae8", + "sha256:b7aaa315101c6567a9a45d2839322c51c8d6e81f67683d529512f5bcfb99c802", + "sha256:be1c8ed48c4c4065ecb19d882a0ce1afe0745dfad8ce48c49586b90a55f02366", + "sha256:c0256beda696edcf7d97ef16b2a33a8e5a875affd6fa6567b54f7c577b30a137", + "sha256:c157bb447303070f256e084668b702073db99bbb61d44f85d811025fcf38f784", + "sha256:c57d08ad67aba97af57a7263c2d9006d5c404d721c5f7542f077f109ec2a4a29", + "sha256:c69ada171c2d0e97a4b5aa78fbb835e0ffbb6b13fc5da968c09811346564f0d3", + "sha256:c94bb0a9f1db10a1d16c00880bdebd5f9faf267273b8f5bd1878126e0fbde771", + "sha256:cb130fccd1a37ed894824b8c046321540263013da72745d755f2d35114b81a60", + "sha256:ced479f601cd2f8ca1fd7b23925a7e0ad512a56d6e9476f79b8f381d9d37090a", + "sha256:d05ac6fa06959c4172eccd99a222e1fbf17b5670c4d596cb1e5cde99600674c4", + "sha256:d552c78411f60b1fdaafd117a1fca2f02e562e309223b9d44b7de8be451ec5e0", 
+ "sha256:dd4490a33eb909ef5078ab20f5f000087afa2a4daa27b4c072ccb3cb3050ad84", + "sha256:df5cbb1fbc74a8305b6065d4ade43b993be03dbe0f8b30032cced0d7740994bd", + "sha256:e28f9faeb14b6f23ac55bfbbfd3643f5c7c18ede093977f1df249f73fd22c7b1", + "sha256:e464b467f1588e2c42d26814231edecbcfe77f5ac414d92cbf4e7b55b2c2a776", + "sha256:e4c22e1ac1f1ec1e09f72e6c44d8f2244173db7eb9629cc3a346a8d7ccc31142", + "sha256:e53b5fbab5d675aec9f0c501274c467c0f9a5d23696cfc94247e1fb56501ed89", + "sha256:e93f1c331ca8e86fe877a48ad64e77882c0c4da0097f2212873a69bbfea95d0c", + "sha256:e997fd30430c57138adc06bba4c7c2968fb13d101e57dd5bb9355bf8ce3fa7e8", + "sha256:e9a091b0550b3b0207784a7d6d0f1a00d1d1c8a11699c1a4d93db3fbefc3ad35", + "sha256:eab4bb380f15e189d1313195b062a6aa908f5bd687a0ceccd47c8211e9cf0d4a", + "sha256:eb1ae19e64c14c7ec1995f40bd932448713d3c73509e82d8cd7744dc00e29e86", + "sha256:ecea58b43a67b1b79805f1a0255730edaf5191ecef84dbc4cc85eb30bc8b63b9", + "sha256:ee439691d8c23e76f9802c42a95cfeebf9d47cf4ffd06f18489122dbb0a7ad64", + "sha256:eee9130eaad130649fd73e5cd92f60e55708952260ede70da64de420cdcad554", + "sha256:f47cd43a5bfa48f86925fe26fbdd0a488ff15b62468abb5d2a1e092a4fb10e85", + "sha256:f6fff13ef6b5f29221d6904aa816c34701462956aa72a77f1f151a8ec4f56aeb", + "sha256:f745ec09bc1b0bd15cfc73df6fa4f726dcc26bb16c23a03f9e3367d357eeedd0", + "sha256:f8404bf61298bb6f8224bb9176c1424548ee1181130818fcd2cbffddc768bed8", + "sha256:f9268774428ec173654985ce55fc6caf4c6d11ade0f6f914d48ef4719eb05ebb", + "sha256:faa3c142464efec496967359ca99696c896c591c56c53506bac1ad465f66e919" ], "markers": "python_version >= '3.8'", - "version": "==2024.7.24" + "version": "==2024.9.11" }, "requests": { "hashes": [ 
@@ -1148,107 +1165,109 @@ }, "urllib3": { "hashes": [ - "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472", - "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168" + "sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac", + "sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9" ], "markers": "python_version >= '3.8'", - "version": "==2.2.2" + "version": "==2.2.3" }, "yarl": { "hashes": [ - "sha256:008d3e808d03ef28542372d01057fd09168419cdc8f848efe2804f894ae03e51", - "sha256:03caa9507d3d3c83bca08650678e25364e1843b484f19986a527630ca376ecce", - "sha256:07574b007ee20e5c375a8fe4a0789fad26db905f9813be0f9fef5a68080de559", - "sha256:09efe4615ada057ba2d30df871d2f668af661e971dfeedf0c159927d48bbeff0", - "sha256:0d2454f0aef65ea81037759be5ca9947539667eecebca092733b2eb43c965a81", - "sha256:0e9d124c191d5b881060a9e5060627694c3bdd1fe24c5eecc8d5d7d0eb6faabc", - "sha256:18580f672e44ce1238b82f7fb87d727c4a131f3a9d33a5e0e82b793362bf18b4", - "sha256:1f23e4fe1e8794f74b6027d7cf19dc25f8b63af1483d91d595d4a07eca1fb26c", - "sha256:206a55215e6d05dbc6c98ce598a59e6fbd0c493e2de4ea6cc2f4934d5a18d130", - "sha256:23d32a2594cb5d565d358a92e151315d1b2268bc10f4610d098f96b147370136", - "sha256:26a1dc6285e03f3cc9e839a2da83bcbf31dcb0d004c72d0730e755b33466c30e", - "sha256:29e0f83f37610f173eb7e7b5562dd71467993495e568e708d99e9d1944f561ec", - "sha256:2b134fd795e2322b7684155b7855cc99409d10b2e408056db2b93b51a52accc7", - "sha256:2d47552b6e52c3319fede1b60b3de120fe83bde9b7bddad11a69fb0af7db32f1", - "sha256:357495293086c5b6d34ca9616a43d329317feab7917518bc97a08f9e55648455", - "sha256:35a2b9396879ce32754bd457d31a51ff0a9d426fd9e0e3c33394bf4b9036b099", - "sha256:3777ce5536d17989c91696db1d459574e9a9bd37660ea7ee4d3344579bb6f129", - "sha256:3986b6f41ad22988e53d5778f91855dc0399b043fc8946d4f2e68af22ee9ff10", - "sha256:44d8ffbb9c06e5a7f529f38f53eda23e50d1ed33c6c869e01481d3fafa6b8142", - 
"sha256:49a180c2e0743d5d6e0b4d1a9e5f633c62eca3f8a86ba5dd3c471060e352ca98", - "sha256:4aa9741085f635934f3a2583e16fcf62ba835719a8b2b28fb2917bb0537c1dfa", - "sha256:4b21516d181cd77ebd06ce160ef8cc2a5e9ad35fb1c5930882baff5ac865eee7", - "sha256:4b3c1ffe10069f655ea2d731808e76e0f452fc6c749bea04781daf18e6039525", - "sha256:4c7d56b293cc071e82532f70adcbd8b61909eec973ae9d2d1f9b233f3d943f2c", - "sha256:4e9035df8d0880b2f1c7f5031f33f69e071dfe72ee9310cfc76f7b605958ceb9", - "sha256:54525ae423d7b7a8ee81ba189f131054defdb122cde31ff17477951464c1691c", - "sha256:549d19c84c55d11687ddbd47eeb348a89df9cb30e1993f1b128f4685cd0ebbf8", - "sha256:54beabb809ffcacbd9d28ac57b0db46e42a6e341a030293fb3185c409e626b8b", - "sha256:566db86717cf8080b99b58b083b773a908ae40f06681e87e589a976faf8246bf", - "sha256:5a2e2433eb9344a163aced6a5f6c9222c0786e5a9e9cac2c89f0b28433f56e23", - "sha256:5aef935237d60a51a62b86249839b51345f47564208c6ee615ed2a40878dccdd", - "sha256:604f31d97fa493083ea21bd9b92c419012531c4e17ea6da0f65cacdcf5d0bd27", - "sha256:63b20738b5aac74e239622d2fe30df4fca4942a86e31bf47a81a0e94c14df94f", - "sha256:686a0c2f85f83463272ddffd4deb5e591c98aac1897d65e92319f729c320eece", - "sha256:6a962e04b8f91f8c4e5917e518d17958e3bdee71fd1d8b88cdce74dd0ebbf434", - "sha256:6ad6d10ed9b67a382b45f29ea028f92d25bc0bc1daf6c5b801b90b5aa70fb9ec", - "sha256:6f5cb257bc2ec58f437da2b37a8cd48f666db96d47b8a3115c29f316313654ff", - "sha256:6fe79f998a4052d79e1c30eeb7d6c1c1056ad33300f682465e1b4e9b5a188b78", - "sha256:7855426dfbddac81896b6e533ebefc0af2f132d4a47340cee6d22cac7190022d", - "sha256:7d5aaac37d19b2904bb9dfe12cdb08c8443e7ba7d2852894ad448d4b8f442863", - "sha256:801e9264d19643548651b9db361ce3287176671fb0117f96b5ac0ee1c3530d53", - "sha256:81eb57278deb6098a5b62e88ad8281b2ba09f2f1147c4767522353eaa6260b31", - "sha256:824d6c50492add5da9374875ce72db7a0733b29c2394890aef23d533106e2b15", - "sha256:8397a3817d7dcdd14bb266283cd1d6fc7264a48c186b986f32e86d86d35fbac5", - "sha256:848cd2a1df56ddbffeb375535fb62c9d1645dde33ca4d51341378b3f5954429b", 
- "sha256:84fc30f71689d7fc9168b92788abc977dc8cefa806909565fc2951d02f6b7d57", - "sha256:8619d6915b3b0b34420cf9b2bb6d81ef59d984cb0fde7544e9ece32b4b3043c3", - "sha256:8a854227cf581330ffa2c4824d96e52ee621dd571078a252c25e3a3b3d94a1b1", - "sha256:8be9e837ea9113676e5754b43b940b50cce76d9ed7d2461df1af39a8ee674d9f", - "sha256:928cecb0ef9d5a7946eb6ff58417ad2fe9375762382f1bf5c55e61645f2c43ad", - "sha256:957b4774373cf6f709359e5c8c4a0af9f6d7875db657adb0feaf8d6cb3c3964c", - "sha256:992f18e0ea248ee03b5a6e8b3b4738850ae7dbb172cc41c966462801cbf62cf7", - "sha256:9fc5fc1eeb029757349ad26bbc5880557389a03fa6ada41703db5e068881e5f2", - "sha256:a00862fb23195b6b8322f7d781b0dc1d82cb3bcac346d1e38689370cc1cc398b", - "sha256:a3a6ed1d525bfb91b3fc9b690c5a21bb52de28c018530ad85093cc488bee2dd2", - "sha256:a6327976c7c2f4ee6816eff196e25385ccc02cb81427952414a64811037bbc8b", - "sha256:a7409f968456111140c1c95301cadf071bd30a81cbd7ab829169fb9e3d72eae9", - "sha256:a825ec844298c791fd28ed14ed1bffc56a98d15b8c58a20e0e08c1f5f2bea1be", - "sha256:a8c1df72eb746f4136fe9a2e72b0c9dc1da1cbd23b5372f94b5820ff8ae30e0e", - "sha256:a9bd00dc3bc395a662900f33f74feb3e757429e545d831eef5bb280252631984", - "sha256:aa102d6d280a5455ad6a0f9e6d769989638718e938a6a0a2ff3f4a7ff8c62cc4", - "sha256:aaaea1e536f98754a6e5c56091baa1b6ce2f2700cc4a00b0d49eca8dea471074", - "sha256:ad4d7a90a92e528aadf4965d685c17dacff3df282db1121136c382dc0b6014d2", - "sha256:b8477c1ee4bd47c57d49621a062121c3023609f7a13b8a46953eb6c9716ca392", - "sha256:ba6f52cbc7809cd8d74604cce9c14868306ae4aa0282016b641c661f981a6e91", - "sha256:bac8d525a8dbc2a1507ec731d2867025d11ceadcb4dd421423a5d42c56818541", - "sha256:bef596fdaa8f26e3d66af846bbe77057237cb6e8efff8cd7cc8dff9a62278bbf", - "sha256:c0ec0ed476f77db9fb29bca17f0a8fcc7bc97ad4c6c1d8959c507decb22e8572", - "sha256:c38c9ddb6103ceae4e4498f9c08fac9b590c5c71b0370f98714768e22ac6fa66", - "sha256:c7224cab95645c7ab53791022ae77a4509472613e839dab722a72abe5a684575", - 
"sha256:c74018551e31269d56fab81a728f683667e7c28c04e807ba08f8c9e3bba32f14", - "sha256:ca06675212f94e7a610e85ca36948bb8fc023e458dd6c63ef71abfd482481aa5", - "sha256:d1d2532b340b692880261c15aee4dc94dd22ca5d61b9db9a8a361953d36410b1", - "sha256:d25039a474c4c72a5ad4b52495056f843a7ff07b632c1b92ea9043a3d9950f6e", - "sha256:d5ff2c858f5f6a42c2a8e751100f237c5e869cbde669a724f2062d4c4ef93551", - "sha256:d7d7f7de27b8944f1fee2c26a88b4dabc2409d2fea7a9ed3df79b67277644e17", - "sha256:d7eeb6d22331e2fd42fce928a81c697c9ee2d51400bd1a28803965883e13cead", - "sha256:d8a1c6c0be645c745a081c192e747c5de06e944a0d21245f4cf7c05e457c36e0", - "sha256:d8b889777de69897406c9fb0b76cdf2fd0f31267861ae7501d93003d55f54fbe", - "sha256:d9e09c9d74f4566e905a0b8fa668c58109f7624db96a2171f21747abc7524234", - "sha256:db8e58b9d79200c76956cefd14d5c90af54416ff5353c5bfd7cbe58818e26ef0", - "sha256:ddb2a5c08a4eaaba605340fdee8fc08e406c56617566d9643ad8bf6852778fc7", - "sha256:e0381b4ce23ff92f8170080c97678040fc5b08da85e9e292292aba67fdac6c34", - "sha256:e23a6d84d9d1738dbc6e38167776107e63307dfc8ad108e580548d1f2c587f42", - "sha256:e516dc8baf7b380e6c1c26792610230f37147bb754d6426462ab115a02944385", - "sha256:ea65804b5dc88dacd4a40279af0cdadcfe74b3e5b4c897aa0d81cf86927fee78", - "sha256:ec61d826d80fc293ed46c9dd26995921e3a82146feacd952ef0757236fc137be", - "sha256:ee04010f26d5102399bd17f8df8bc38dc7ccd7701dc77f4a68c5b8d733406958", - "sha256:f3bc6af6e2b8f92eced34ef6a96ffb248e863af20ef4fde9448cc8c9b858b749", - "sha256:f7d6b36dd2e029b6bcb8a13cf19664c7b8e19ab3a58e0fefbb5b8461447ed5ec" + "sha256:01a8697ec24f17c349c4f655763c4db70eebc56a5f82995e5e26e837c6eb0e49", + "sha256:02da8759b47d964f9173c8675710720b468aa1c1693be0c9c64abb9d8d9a4867", + "sha256:04293941646647b3bfb1719d1d11ff1028e9c30199509a844da3c0f5919dc520", + "sha256:067b961853c8e62725ff2893226fef3d0da060656a9827f3f520fb1d19b2b68a", + "sha256:077da604852be488c9a05a524068cdae1e972b7dc02438161c32420fb4ec5e14", + "sha256:09696438cb43ea6f9492ef237761b043f9179f455f405279e609f2bc9100212a", 
+ "sha256:0b8486f322d8f6a38539136a22c55f94d269addb24db5cb6f61adc61eabc9d93", + "sha256:0ea9682124fc062e3d931c6911934a678cb28453f957ddccf51f568c2f2b5e05", + "sha256:0f351fa31234699d6084ff98283cb1e852270fe9e250a3b3bf7804eb493bd937", + "sha256:14438dfc5015661f75f85bc5adad0743678eefee266ff0c9a8e32969d5d69f74", + "sha256:15061ce6584ece023457fb8b7a7a69ec40bf7114d781a8c4f5dcd68e28b5c53b", + "sha256:15439f3c5c72686b6c3ff235279630d08936ace67d0fe5c8d5bbc3ef06f5a420", + "sha256:17b5a386d0d36fb828e2fb3ef08c8829c1ebf977eef88e5367d1c8c94b454639", + "sha256:18ac56c9dd70941ecad42b5a906820824ca72ff84ad6fa18db33c2537ae2e089", + "sha256:1bb2d9e212fb7449b8fb73bc461b51eaa17cc8430b4a87d87be7b25052d92f53", + "sha256:1e969fa4c1e0b1a391f3fcbcb9ec31e84440253325b534519be0d28f4b6b533e", + "sha256:1fa2e7a406fbd45b61b4433e3aa254a2c3e14c4b3186f6e952d08a730807fa0c", + "sha256:2164cd9725092761fed26f299e3f276bb4b537ca58e6ff6b252eae9631b5c96e", + "sha256:21a7c12321436b066c11ec19c7e3cb9aec18884fe0d5b25d03d756a9e654edfe", + "sha256:238a21849dd7554cb4d25a14ffbfa0ef380bb7ba201f45b144a14454a72ffa5a", + "sha256:250e888fa62d73e721f3041e3a9abf427788a1934b426b45e1b92f62c1f68366", + "sha256:25861303e0be76b60fddc1250ec5986c42f0a5c0c50ff57cc30b1be199c00e63", + "sha256:267b24f891e74eccbdff42241c5fb4f974de2d6271dcc7d7e0c9ae1079a560d9", + "sha256:27fcb271a41b746bd0e2a92182df507e1c204759f460ff784ca614e12dd85145", + "sha256:2909fa3a7d249ef64eeb2faa04b7957e34fefb6ec9966506312349ed8a7e77bf", + "sha256:3257978c870728a52dcce8c2902bf01f6c53b65094b457bf87b2644ee6238ddc", + "sha256:327c724b01b8641a1bf1ab3b232fb638706e50f76c0b5bf16051ab65c868fac5", + "sha256:3de5292f9f0ee285e6bd168b2a77b2a00d74cbcfa420ed078456d3023d2f6dff", + "sha256:3fce4da3703ee6048ad4138fe74619c50874afe98b1ad87b2698ef95bf92c96d", + "sha256:3ff6b1617aa39279fe18a76c8d165469c48b159931d9b48239065767ee455b2b", + "sha256:400cd42185f92de559d29eeb529e71d80dfbd2f45c36844914a4a34297ca6f00", + 
"sha256:4179522dc0305c3fc9782549175c8e8849252fefeb077c92a73889ccbcd508ad", + "sha256:4307d9a3417eea87715c9736d050c83e8c1904e9b7aada6ce61b46361b733d92", + "sha256:476e20c433b356e16e9a141449f25161e6b69984fb4cdbd7cd4bd54c17844998", + "sha256:489fa8bde4f1244ad6c5f6d11bb33e09cf0d1d0367edb197619c3e3fc06f3d91", + "sha256:48a28bed68ab8fb7e380775f0029a079f08a17799cb3387a65d14ace16c12e2b", + "sha256:48dfd117ab93f0129084577a07287376cc69c08138694396f305636e229caa1a", + "sha256:4973eac1e2ff63cf187073cd4e1f1148dcd119314ab79b88e1b3fad74a18c9d5", + "sha256:498442e3af2a860a663baa14fbf23fb04b0dd758039c0e7c8f91cb9279799bff", + "sha256:501c503eed2bb306638ccb60c174f856cc3246c861829ff40eaa80e2f0330367", + "sha256:504cf0d4c5e4579a51261d6091267f9fd997ef58558c4ffa7a3e1460bd2336fa", + "sha256:61a5f2c14d0a1adfdd82258f756b23a550c13ba4c86c84106be4c111a3a4e413", + "sha256:637c7ddb585a62d4469f843dac221f23eec3cbad31693b23abbc2c366ad41ff4", + "sha256:66b63c504d2ca43bf7221a1f72fbe981ff56ecb39004c70a94485d13e37ebf45", + "sha256:67459cf8cf31da0e2cbdb4b040507e535d25cfbb1604ca76396a3a66b8ba37a6", + "sha256:688654f8507464745ab563b041d1fb7dab5d9912ca6b06e61d1c4708366832f5", + "sha256:6907daa4b9d7a688063ed098c472f96e8181733c525e03e866fb5db480a424df", + "sha256:69721b8effdb588cb055cc22f7c5105ca6fdaa5aeb3ea09021d517882c4a904c", + "sha256:6d23754b9939cbab02c63434776df1170e43b09c6a517585c7ce2b3d449b7318", + "sha256:7175a87ab8f7fbde37160a15e58e138ba3b2b0e05492d7351314a250d61b1591", + "sha256:72bf26f66456baa0584eff63e44545c9f0eaed9b73cb6601b647c91f14c11f38", + "sha256:74db2ef03b442276d25951749a803ddb6e270d02dda1d1c556f6ae595a0d76a8", + "sha256:750f656832d7d3cb0c76be137ee79405cc17e792f31e0a01eee390e383b2936e", + "sha256:75e0ae31fb5ccab6eda09ba1494e87eb226dcbd2372dae96b87800e1dcc98804", + "sha256:768ecc550096b028754ea28bf90fde071c379c62c43afa574edc6f33ee5daaec", + "sha256:7d51324a04fc4b0e097ff8a153e9276c2593106a811704025bbc1d6916f45ca6", + "sha256:7e975a2211952a8a083d1b9d9ba26472981ae338e720b419eb50535de3c02870", 
+ "sha256:8215f6f21394d1f46e222abeb06316e77ef328d628f593502d8fc2a9117bde83", + "sha256:8258c86f47e080a258993eed877d579c71da7bda26af86ce6c2d2d072c11320d", + "sha256:8418c053aeb236b20b0ab8fa6bacfc2feaaf7d4683dd96528610989c99723d5f", + "sha256:87f020d010ba80a247c4abc335fc13421037800ca20b42af5ae40e5fd75e7909", + "sha256:884eab2ce97cbaf89f264372eae58388862c33c4f551c15680dd80f53c89a269", + "sha256:8a336eaa7ee7e87cdece3cedb395c9657d227bfceb6781295cf56abcd3386a26", + "sha256:8aef1b64da41d18026632d99a06b3fefe1d08e85dd81d849fa7c96301ed22f1b", + "sha256:8aef97ba1dd2138112890ef848e17d8526fe80b21f743b4ee65947ea184f07a2", + "sha256:8ed653638ef669e0efc6fe2acb792275cb419bf9cb5c5049399f3556995f23c7", + "sha256:9361628f28f48dcf8b2f528420d4d68102f593f9c2e592bfc842f5fb337e44fd", + "sha256:946eedc12895873891aaceb39bceb484b4977f70373e0122da483f6c38faaa68", + "sha256:94d0caaa912bfcdc702a4204cd5e2bb01eb917fc4f5ea2315aa23962549561b0", + "sha256:964a428132227edff96d6f3cf261573cb0f1a60c9a764ce28cda9525f18f7786", + "sha256:999bfee0a5b7385a0af5ffb606393509cfde70ecca4f01c36985be6d33e336da", + "sha256:a08ea567c16f140af8ddc7cb58e27e9138a1386e3e6e53982abaa6f2377b38cc", + "sha256:a28b70c9e2213de425d9cba5ab2e7f7a1c8ca23a99c4b5159bf77b9c31251447", + "sha256:a34e1e30f1774fa35d37202bbeae62423e9a79d78d0874e5556a593479fdf239", + "sha256:a4264515f9117be204935cd230fb2a052dd3792789cc94c101c535d349b3dab0", + "sha256:a7915ea49b0c113641dc4d9338efa9bd66b6a9a485ffe75b9907e8573ca94b84", + "sha256:aac44097d838dda26526cffb63bdd8737a2dbdf5f2c68efb72ad83aec6673c7e", + "sha256:b91044952da03b6f95fdba398d7993dd983b64d3c31c358a4c89e3c19b6f7aef", + "sha256:ba444bdd4caa2a94456ef67a2f383710928820dd0117aae6650a4d17029fa25e", + "sha256:c2dc4250fe94d8cd864d66018f8344d4af50e3758e9d725e94fecfa27588ff82", + "sha256:c35f493b867912f6fda721a59cc7c4766d382040bdf1ddaeeaa7fa4d072f4675", + "sha256:c92261eb2ad367629dc437536463dc934030c9e7caca861cc51990fe6c565f26", + 
"sha256:ce928c9c6409c79e10f39604a7e214b3cb69552952fbda8d836c052832e6a979", + "sha256:d95b52fbef190ca87d8c42f49e314eace4fc52070f3dfa5f87a6594b0c1c6e46", + "sha256:dae7bd0daeb33aa3e79e72877d3d51052e8b19c9025ecf0374f542ea8ec120e4", + "sha256:e286580b6511aac7c3268a78cdb861ec739d3e5a2a53b4809faef6b49778eaff", + "sha256:e4b53f73077e839b3f89c992223f15b1d2ab314bdbdf502afdc7bb18e95eae27", + "sha256:e8f63904df26d1a66aabc141bfd258bf738b9bc7bc6bdef22713b4f5ef789a4c", + "sha256:f3a6d90cab0bdf07df8f176eae3a07127daafcf7457b997b2bf46776da2c7eb7", + "sha256:f41fa79114a1d2eddb5eea7b912d6160508f57440bd302ce96eaa384914cd265", + "sha256:f46f81501160c28d0c0b7333b4f7be8983dbbc161983b6fb814024d1b4952f79", + "sha256:f61db3b7e870914dbd9434b560075e0366771eecbe6d2b5561f5bc7485f39efd" ], - "markers": "python_version >= '3.7'", - "version": "==1.9.4" + "markers": "python_version >= '3.8'", + "version": "==1.11.1" } }, "develop": { 
@@ -1300,100 +1319,100 @@ }, "boto3": { "hashes": [ - "sha256:b41deed9ca7e0a619510a22e256e3e38b5f532624b4aff8964a1e870877b37bc", - "sha256:c35c560ef0cb0f133b6104bc374d60eeb7cb69c1d5d7907e4305a285d162bef0" + "sha256:47e89d95964f10beee21ee723c3290874fddf364269bd97d200e8bfa9bf93a06", + "sha256:aaddbeb8c37608492f2c8286d004101464833d4c6e49af44601502b8b18785ed" ], "markers": "python_version >= '3.8'", - "version": "==1.35.6" + "version": "==1.35.20" }, "botocore": { "hashes": [ - "sha256:8378c6cfef2dee15eb7b3ebbb55ba9c1de959f231292039b81eb35b72c50ad59", - "sha256:93ef31b80b05758db4dd67e010348a05b9ff43f82839629b7ac334f2a454996e" + "sha256:62412038f960691a299e60492f9ee7e8e75af563f2eca7f3640b3b54b8f5d236", + "sha256:82ad8a73fcd5852d127461c8dadbe40bf679f760a4efb0dde8d4d269ad3f126f" ], "markers": "python_version >= '3.8'", - "version": "==1.35.6" + "version": "==1.35.20" }, "certifi": { "hashes": [ - "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b", - "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90" + "sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8", + "sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9" ], "markers": "python_version >= '3.6'", - "version": "==2024.7.4" + "version": "==2024.8.30" }, "cffi": { "hashes": [ - "sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f", - "sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab", - "sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499", - "sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058", - "sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693", - "sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb", - "sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377", - "sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885", - 
"sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2", - "sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401", - "sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4", - "sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b", - "sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59", - "sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f", - "sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c", - "sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555", - "sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa", - "sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424", - "sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb", - "sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2", - "sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8", - "sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e", - "sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9", - "sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82", - "sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828", - "sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759", - "sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc", - "sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118", - "sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf", - "sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932", - "sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a", - "sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29", - "sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206", - "sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2", 
- "sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c", - "sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c", - "sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0", - "sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a", - "sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195", - "sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6", - "sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9", - "sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc", - "sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb", - "sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0", - "sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7", - "sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb", - "sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a", - "sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492", - "sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720", - "sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42", - "sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7", - "sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d", - "sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d", - "sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb", - "sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4", - "sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2", - "sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b", - "sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8", - "sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e", - 
"sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204", - "sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3", - "sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150", - "sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4", - "sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76", - "sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e", - "sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb", - "sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91" + "sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8", + "sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2", + "sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1", + "sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15", + "sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36", + "sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824", + "sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8", + "sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36", + "sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17", + "sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf", + "sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc", + "sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3", + "sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed", + "sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702", + "sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1", + "sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8", + "sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903", + "sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6", 
+ "sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d", + "sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b", + "sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e", + "sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be", + "sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c", + "sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683", + "sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9", + "sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c", + "sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8", + "sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1", + "sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4", + "sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655", + "sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67", + "sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595", + "sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0", + "sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65", + "sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41", + "sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6", + "sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401", + "sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6", + "sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3", + "sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16", + "sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93", + "sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e", + "sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4", + 
"sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964", + "sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c", + "sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576", + "sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0", + "sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3", + "sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662", + "sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3", + "sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff", + "sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5", + "sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd", + "sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f", + "sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5", + "sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14", + "sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d", + "sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9", + "sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7", + "sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382", + "sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a", + "sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e", + "sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a", + "sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4", + "sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99", + "sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87", + "sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b" ], "markers": "platform_python_implementation != 'PyPy'", - "version": "==1.17.0" + "version": "==1.17.1" }, "charset-normalizer": { "hashes": [ 
@@ -1501,36 +1520,36 @@ }, "cryptography": { "hashes": [ - "sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709", - "sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069", - "sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2", - "sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b", - "sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e", - "sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70", - "sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778", - "sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22", - "sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895", - "sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf", - "sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431", - "sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f", - "sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947", - "sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74", - "sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc", - "sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66", - "sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66", - "sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf", - "sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f", - "sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5", - "sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e", - "sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f", - "sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55", - "sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1", - "sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47", - 
"sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5", - "sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0" + "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494", + "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806", + "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d", + "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062", + "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2", + "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4", + "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1", + "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85", + "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84", + "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042", + "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d", + "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962", + "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2", + "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa", + "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d", + "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365", + "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96", + "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47", + "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d", + "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d", + "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c", + "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb", + "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277", + "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172", 
+ "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034", + "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a", + "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289" ], "markers": "python_version >= '3.7'", - "version": "==43.0.0" + "version": "==43.0.1" }, "decorator": { "hashes": [ @@ -1552,11 +1571,11 @@ }, "idna": { "hashes": [ - "sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac", - "sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603" + "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", + "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3" ], "markers": "python_version >= '3.6'", - "version": "==3.8" + "version": "==3.10" }, "isort": { "hashes": [ @@ -1718,12 +1737,12 @@ }, "moto": { "hashes": [ - "sha256:984377a9c4536543fc09f49a1d5210c61c4a4f55c79719f7d9f8dcdd9bf55ea5", - "sha256:ddf8864f0d61af88fd07a4e5eac428c6bebf4fcd10023f8e756e65e9e7b7e4a5" + "sha256:0f849243269fd03372426c302b18cb605302da32620d7f0266be6a40735b2acd", + "sha256:c738ffe85d3844ef37b865951736c4faf2e0f3e4f05db87bdad97a6c01b88174" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==5.0.13" + "version": "==5.0.14" }, "mypy": { "hashes": [ @@ -1793,11 +1812,11 @@ }, "platformdirs": { "hashes": [ - "sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee", - "sha256:38b7b51f512eed9e84a22788b4bce1de17c0adb134d6becb09836e37d8654cd3" + "sha256:50a5450e2e84f44539718293cbb1da0a0885c9d14adf21b77bae4e66fc99d9b5", + "sha256:d4e0b7d8ec176b341fb03cb11ca12d0276faa8c485f9cd218f613840463fc2c0" ], "markers": "python_version >= '3.8'", - "version": "==4.2.2" + "version": "==4.3.3" }, "pycparser": { "hashes": [ 
@@ -1919,11 +1938,11 @@ }, "rich": { "hashes": [ - "sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc", - "sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4" + "sha256:1760a3c0848469b97b558fc61c85233e3dafb69c7a071b4d60c38099d3cd4c06", + "sha256:8260cda28e3db6bf04d2d1ef4dbc03ba80a824c88b0e7668a0f23126a424844a" ], "markers": "python_full_version >= '3.7.0'", - "version": "==13.8.0" + "version": "==13.8.1" }, "s3transfer": { "hashes": [ @@ -1967,11 +1986,11 @@ }, "urllib3": { "hashes": [ - "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472", - "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168" + "sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac", + "sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9" ], "markers": "python_version >= '3.8'", - "version": "==2.2.2" + "version": "==2.2.3" }, "werkzeug": { "hashes": [ diff --git a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml index 95e50c090..18303a56b 100644 --- a/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml +++ b/correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml @@ -32,19 +32,19 @@ Tests: RuleOutputs: - ID: Absent CLI Prompt Matches: - p_udm.user.id: - igor.stravinsky: + sourceIPAddress: + "1.2.3.4": - 0 - ID: SSO Access Token Retrieved Matches: - p_udm.user.id: - igor.stravinsky: + sourceIPAddress: + "1.2.3.4": - 2 - Name: AWS SSO Access Token Retrieved by Unauthenticated IP ExpectedResult: true RuleOutputs: - ID: SSO Access Token Retrieved Matches: - p_udm.user.id: - igor.stravinsky: + sourceIPAddress: + "1.2.3.4": - 2 \ No newline at end of file diff --git a/global_helpers/panther_wiz_helpers.py b/global_helpers/panther_wiz_helpers.py new file mode 100644 index 000000000..39441b50a --- /dev/null 
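Review bot: The last line of this test file, `- 2`, is still written without a trailing newline (the diff shows "No newline at end of file"), so the rewrite of the `Matches` keys keeps that defect. Add the newline so yamllint's `new-line-at-end-of-file` check passes and the next edit to this file does not show a spurious change on that line. The `sourceIPAddress: "1.2.3.4"` match keys themselves look consistent across the three `RuleOutputs` entries.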
+++ b/global_helpers/panther_wiz_helpers.py @@ -0,0 +1,15 @@ +def wiz_success(event): + if event.get("status", "") == "SUCCESS": + return True + return False + + +def wiz_alert_context(event): + return { + "action": event.get("action", ""), + "user": event.get("user", ""), + "source_ip": event.get("sourceip", ""), + "event_id": event.get("id", ""), + "service_account": event.get("serviceaccount", ""), + "action_parameters": event.get("actionparameters", ""), + } diff --git a/global_helpers/panther_wiz_helpers.yml b/global_helpers/panther_wiz_helpers.yml new file mode 100644 index 000000000..9802088f4 --- /dev/null +++ b/global_helpers/panther_wiz_helpers.yml @@ -0,0 +1,5 @@ +AnalysisType: global +Filename: panther_wiz_helpers.py +GlobalID: "panther_wiz_helpers" +Description: > + Used to define global helpers for Wiz events diff --git a/packs/github.yml b/packs/github.yml index d0fcf0bb7..cd8c7e0e4 100644 --- a/packs/github.yml +++ b/packs/github.yml @@ -18,6 +18,7 @@ PackDefinition: #- GitHub.Repo.HookModified - GitHub.Repo.InitialAccess - Github.Repo.VisibilityChange + - Github.Repo.VulnerabilityDismissed - GitHub.Secret.Scanning.Alert.Created - GitHub.Team.Modified - GitHub.Webhook.Modified diff --git a/packs/wiz.yml b/packs/wiz.yml index 68b2cce38..ff87a58e4 100644 --- a/packs/wiz.yml +++ b/packs/wiz.yml 
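Review bot: `wiz_alert_context` reads only lower-case keys (`sourceip`, `serviceaccount`, `actionparameters`), yet the CreateUser fixtures shipped with the new Wiz rules carry the camelCase spellings `sourceIP`, `serviceAccount` and `actionParameters`, so on events of that shape `source_ip`, `service_account` and `action_parameters` silently come back as empty strings. Which spelling the Wiz.Audit log type actually delivers at runtime is not visible in this change; either confirm it against the schema and normalise the fixtures, or read both spellings, e.g. `"source_ip": event.get("sourceip", event.get("sourceIP", ""))`, `"service_account": event.get("serviceaccount", event.get("serviceAccount", ""))`, `"action_parameters": event.get("actionparameters", event.get("actionParameters", ""))`. Separately, `wiz_success` can be the one-liner `return event.get("status") == "SUCCESS"`; the explicit True/False branches add nothing.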
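Review bot: The new pack entry `Github.Repo.VulnerabilityDismissed` is spelled with `Github.` while most neighbouring IDs use `GitHub.`; pack IDs are matched literally against each rule's `RuleID`, and the rule file itself is not in view, so confirm the casing matches exactly or the pack presumably fails to resolve the entry. The existing `Github.Repo.VisibilityChange` line shows the same inconsistency already exists, which makes it worth a short comment on the affected lines, e.g. `# RuleID uses "Github." (not "GitHub.") — keep in sync with the rule file`.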
@@ -5,6 +5,23 @@ DisplayName: "Panther Wiz Pack" PackDefinition: IDs: - Wiz.Alert.Passthrough + - Wiz.Update.IP.Restrictions + - Wiz.Update.Support.Contact.List + - Wiz.SAML.Identity.Provider.Change + - Wiz.Data.Classifier.Updated.Or.Deleted + - Wiz.Update.Login.Settings + - Wiz.Image.Integrity.Validator.Updated.Or.Deleted + - Wiz.Update.Scanner.Settings + - Wiz.User.Created.Or.Deleted + - Wiz.Rotate.Service.Account.Secret + - Wiz.Connector.Updated.Or.Deleted + - Wiz.Service.Account.Change + - Wiz.Revoke.User.Sessions + - Wiz.User.Role.Updated.Or.Deleted + - Wiz.Integration.Updated.Or.Deleted + - Wiz.Rule.Change + - Wiz.CICD.Scan.Policy.Updated.Or.Deleted + - panther_wiz_helpers - panther_base_helpers - panther_config - panther_config_defaults diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py new file mode 100644 index 000000000..30c256af9 --- /dev/null +++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py @@ -0,0 +1,24 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml new file mode 100644 index 000000000..b0973f558 --- /dev/null +++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml 
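Review bot: `dedup` returns `event.get("id")`, which the companion fixtures show is a per-event UUID, so `DedupPeriodMinutes: 60` never groups anything and every successful `UpdateCICDScanPolicy`/`DeleteCICDScanPolicy` becomes its own alert. If one alert per event is the intent, a comment saying so would stop the next reader from "fixing" it; otherwise dedup on actor and action, e.g. `return f"{event.get('action', '')}-{event.deep_get('user', 'name', default='')}"`. Note also that with no default, `dedup` returns `None` when `id` is absent; how Panther handles a `None` dedup string is not shown here, so `event.get("id", "")` is the safer form either way.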
@@ -0,0 +1,92 @@ +AnalysisType: rule +RuleID: Wiz.CICD.Scan.Policy.Updated.Or.Deleted +Description: This rule detects updates and deletions of CICD scan policies. +DisplayName: Wiz CICD Scan Policy Updated Or Deleted +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://www.wiz.io/academy/ci-cd-security-best-practices +Enabled: true +Filename: wiz_cicd_scan_policy_updated_or_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteCICDScanPolicy + ExpectedResult: true + Log: + { + "action": "DeleteCICDScanPolicy", + "actionparameters": { + "input": { + "id": "12345-cd1f-4a4b-b3e4-12345" + } + }, + "id": "12345-de20-4e00-b958-12345", + "log_type": null, + "requestid": "12345-284b-4166-aea7-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "SUCCESS", + "timestamp": "2023-09-01 14:27:42.694", + "user": { + "id": "test@company.com", + "name": "test@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteCICDScanPolicy - Fail + ExpectedResult: false + Log: + { + "action": 
"DeleteCICDScanPolicy", + "actionparameters": { }, + "id": "12345-de20-4e00-b958-12345", + "log_type": null, + "requestid": "12345-284b-4166-aea7-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "FAILED", + "timestamp": "2023-09-01 14:27:42.694", + "user": { + "id": "test@company.com", + "name": "test@company.com" + } + } diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.py b/rules/wiz_rules/wiz_connector_updated_or_deleted.py new file mode 100644 index 000000000..212d962cd --- /dev/null +++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.py @@ -0,0 +1,24 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.yml b/rules/wiz_rules/wiz_connector_updated_or_deleted.yml new file mode 100644 index 000000000..1769e6f02 --- /dev/null +++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.yml 
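Review bot: Only `DeleteCICDScanPolicy` has a positive test, although `SUSPICIOUS_ACTIONS` in the companion module also lists `UpdateCICDScanPolicy`, so half of the detection is unexercised; add a fixture with `"action": "UpdateCICDScanPolicy"`, `"status": "SUCCESS"` and `ExpectedResult: true`. The fixtures also mix two key styles — the DeleteCICDScanPolicy events use `actionparameters`/`sourceip`/`requestid`/`log_type` (which read like data-lake column names) while the CreateUser event uses `actionParameters`/`sourceIP`/`requestId` — and whichever shape the Wiz.Audit log type really produces should be used throughout so the fixtures reflect real input. Finally, "CICD" in `Description` and `DisplayName` would read better as "CI/CD".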
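Review bot: This module is byte-identical to the other three new Wiz rule modules except for the two strings in `SUSPICIOUS_ACTIONS`; `rule`, `title`, `dedup` and `alert_context` are copied verbatim. The `title` body in particular is the one most likely to need a later fix (its fallback string, service-account handling), and that fix would then have to land four times. Consider moving it into `panther_wiz_helpers` as `wiz_title(event)` and calling `return wiz_title(event)` here, mirroring how `alert_context` already delegates to `wiz_alert_context`.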
@@ -0,0 +1,96 @@ +AnalysisType: rule +RuleID: Wiz.Connector.Updated.Or.Deleted +Description: This rule detects updates and deletions of connectors. +DisplayName: Wiz Connector Updated Or Deleted +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.vulcancyber.com/en/articles/6735270-wiz-connector # article about integration with Vulcan +Enabled: true +Filename: wiz_connector_updated_or_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteConnector + ExpectedResult: true + Log: + { + "id": "c4fe1656-23a3-4b60-a689-d59a337c5551", + "action": "DeleteConnector", + "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e", + "status": "SUCCESS", + "timestamp": "2024-07-09T08:03:09.825336Z", + "actionParameters": { + "input": { + "id": "7a55031b-98f4-4a64-b77c-ad0bc9d7b54b" + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + 
"sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteConnector - Fail + ExpectedResult: false + Log: + { + "id": "c4fe1656-23a3-4b60-a689-d59a337c5551", + "action": "DeleteConnector", + "requestId": "471b9148-887a-49ff-ad83-162d7e38cf4e", + "status": "FAILED", + "timestamp": "2024-07-09T08:03:09.825336Z", + "actionParameters": { }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } diff --git a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py new file mode 100644 index 000000000..19d531b25 --- /dev/null +++ b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py @@ -0,0 +1,24 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml new file mode 100644 index 000000000..5164d3433 --- /dev/null +++ b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml 
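Review bot: `Reference` points at a Vulcan Cyber help article about their Wiz integration (the inline comment says as much), so an analyst following the link from a "Wiz connector deleted" alert lands on third-party product docs rather than an explanation of what a Wiz connector is or how to restore one. Replace it with Wiz's own documentation page for cloud connectors (I cannot see the exact URL from here, so confirm the right one) and drop the apologetic comment. As with the sibling rule, only `DeleteConnector` has a positive fixture while `UpdateConnector` is also in `SUSPICIOUS_ACTIONS`; one more `ExpectedResult: true` case with `"action": "UpdateConnector"` would cover it. The DeleteConnector fixture's `user.id` (`test.user@company.com`) and `user.name` (`user@company.com`) also disagree, which is harmless but confusing in a fixture meant to look like a real event.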
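Review bot: The `"ACTION_NOT_FOUND"` sentinel in `rule()` is dead code: a missing `action` already yields `None`, which is not in `SUSPICIOUS_ACTIONS`, so `return event.get("action") in SUSPICIOUS_ACTIONS` is equivalent and reads more directly. While there, `SUSPICIOUS_ACTIONS = frozenset({"DeleteDataClassifier", "UpdateDataClassifier"})` states the intent (membership set, not an ordered list) and the two guards can collapse into `return wiz_success(event) and event.get("action") in SUSPICIOUS_ACTIONS`. The sentinel in `title()` is fine, since there it is actually displayed.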
@@ -0,0 +1,98 @@ +AnalysisType: rule +RuleID: Wiz.Data.Classifier.Updated.Or.Deleted +Description: This rule detects updates and deletions of data classifiers. +DisplayName: Wiz Data Classifier Updated Or Deleted +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://www.wiz.io/solutions/dspm +Enabled: true +Filename: wiz_data_classifier_updated_or_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteDataClassifier + ExpectedResult: true + Log: + { + "action": "DeleteDataClassifier", + "actionparameters": { + "input": { + "id": "CUSTOM-12345-c697-4c0f-9689-12345" + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "id": "12345-2df6-4c45-838f-12345", + "log_type": "auditLogEntries", + "requestid": "12435-b44f-4216-ad13-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "SUCCESS", + "timestamp": "2024-07-31 18:10:36.936", + "user": { + "id": "test@company.com", + "name": "test@company.com" + }, + "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": 
null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteDataClassifier - Fail + ExpectedResult: false + Log: + { + "action": "DeleteDataClassifier", + "actionparameters": { }, + "id": "12345-2df6-4c45-838f-12345", + "log_type": "auditLogEntries", + "requestid": "12435-b44f-4216-ad13-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "FAILED", + "timestamp": "2024-07-31 18:10:36.936", + "user": { + "id": "test@company.com", + "name": "test@company.com" + }, + "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" + } diff --git a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py new file mode 100644 index 000000000..6d770523f --- /dev/null +++ b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py @@ -0,0 +1,24 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = ["DeleteImageIntegrityValidator", "UpdateImageIntegrityValidator"] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml new file mode 100644 index 000000000..cfe82bdf7 --- /dev/null +++ b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml 
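Review bot: The positive and negative fixtures here use different key casings — `actionparameters`/`sourceip`/`serviceaccount`/`useragent` in the DeleteDataClassifier events versus `actionParameters`/`sourceIP`/`serviceAccount`/`userAgent` in the CreateUser event — and because the tests only drive `rule()`, which reads `status` and `action` (spelled the same in both), the mismatch is never caught. The shared `wiz_alert_context` helper reads the lower-case spellings, so if Wiz.Audit actually emits camelCase the alert context will be empty in production while these tests stay green; settle on the real schema's casing for every fixture. An `UpdateDataClassifier` positive case is also missing even though it is in `SUSPICIOUS_ACTIONS`.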
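Review bot: `title` reports `USER_NAME_NOT_FOUND` whenever `user` is null, but the DeleteImageIntegrityValidator fixture in the companion yml is exactly that case — a Terraform-driven change with `"user": null` and `"serviceaccount": {"name": "test1"}` — so the alert title for automated changes loses the actor even though it is present in the event. Resolve the actor from either field: `actor = event.deep_get("user", "name") or event.deep_get("serviceaccount", "name", default="ACTOR_NOT_FOUND")` and then `f"performed by [{actor}]"` in the f-string. Whether service-account events arrive as `serviceaccount` or `serviceAccount` at runtime is not visible here, so check the Wiz.Audit schema before picking the key.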
@@ -0,0 +1,97 @@ +AnalysisType: rule +RuleID: Wiz.Image.Integrity.Validator.Updated.Or.Deleted +Description: This rule detects updates and deletions of image integrity validators. +DisplayName: Wiz Image Integrity Validator Updated Or Deleted +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://www.wiz.io/blog/ensuring-supply-chain-security-verify-container-image-integrity-with-the-wiz-admi +Enabled: true +Filename: wiz_image_integrity_validator_updated_or_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteImageIntegrityValidator + ExpectedResult: true + Log: + { + "action": "DeleteImageIntegrityValidator", + "actionparameters": { + "input": { + "id": "12345-5273-4bcb-9bd6-12345" + }, + "selection": [ + "_stub" + ] + }, + "id": "12345-362c-494a-b601-12345", + "log_type": "auditLogEntries", + "requestid": "12345-6532-4130-bb3a-12345", + "serviceaccount": { + "id": "test", + "name": "test1" + }, + "sourceip": "8.8.8.8", + "status": "SUCCESS", + "timestamp": "2024-04-16 21:45:03.392", + "user": null, + "useragent": "Terraform-Provider/1.10.2360" + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + 
"user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteImageIntegrityValidator - Fail + ExpectedResult: false + Log: + { + "action": "DeleteImageIntegrityValidator", + "actionparameters": { }, + "id": "12345-362c-494a-b601-12345", + "log_type": "auditLogEntries", + "requestid": "12345-6532-4130-bb3a-12345", + "serviceaccount": { + "id": "test", + "name": "test1" + }, + "sourceip": "8.8.8.8", + "status": "FAILED", + "timestamp": "2024-04-16 21:45:03.392", + "user": null, + "useragent": "Terraform-Provider/1.10.2360" + } diff --git a/rules/wiz_rules/wiz_integration_updated_or_deleted.py b/rules/wiz_rules/wiz_integration_updated_or_deleted.py new file mode 100644 index 000000000..8fa56f2aa --- /dev/null +++ b/rules/wiz_rules/wiz_integration_updated_or_deleted.py @@ -0,0 +1,24 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = ["DeleteIntegration", "UpdateIntegration"] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_integration_updated_or_deleted.yml b/rules/wiz_rules/wiz_integration_updated_or_deleted.yml new file mode 100644 index 000000000..fe12b9ca9 --- /dev/null +++ b/rules/wiz_rules/wiz_integration_updated_or_deleted.yml 
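Review bot: The `Reference` URL ends in `-with-the-wiz-admi`, which reads as a truncated slug rather than a complete link; verify it against the published article and paste the full URL, since the reference is what an analyst opens during triage. The same truncation appears in wiz_revoke_user_sessions.yml, whose `Reference` ends in `-countless-micr`.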
@@ -0,0 +1,96 @@ +AnalysisType: rule +RuleID: Wiz.Integration.Updated.Or.Deleted +Description: This rule detects updates and deletions of Wiz integrations. +DisplayName: Wiz Integration Updated Or Deleted +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://www.wiz.io/integrations +Enabled: true +Filename: wiz_integration_updated_or_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteIntegration + ExpectedResult: true + Log: + { + "action": "DeleteIntegration", + "actionParameters": { + "input": { + "id": "ab4ab152-509c-425b-aa1f-601b386dfe3f" + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "id": "62e490d5-484c-4c21-a2ed-b6ebcaaa5aad", + "log_type": "auditLogEntries", + "requestId": "bc968f65-060c-40a0-85de-3d74d02d6a54", + "sourceIP": "12.34.56.78", + "status": "SUCCESS", + "timestamp": "2024-06-27 09:19:08.731355000", + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + 
"user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteIntegration - Fail + ExpectedResult: false + Log: + { + "action": "DeleteIntegration", + "actionParameters": { }, + "id": "62e490d5-484c-4c21-a2ed-b6ebcaaa5aad", + "log_type": "auditLogEntries", + "requestId": "bc968f65-060c-40a0-85de-3d74d02d6a54", + "sourceIP": "12.34.56.78", + "status": "FAILED", + "timestamp": "2024-06-27 09:19:08.731355000", + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" + } diff --git a/rules/wiz_rules/wiz_revoke_user_sessions.py b/rules/wiz_rules/wiz_revoke_user_sessions.py new file mode 100644 index 000000000..79a05c4cd --- /dev/null +++ b/rules/wiz_rules/wiz_revoke_user_sessions.py @@ -0,0 +1,22 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") == "RevokeUserSessions" + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_revoke_user_sessions.yml b/rules/wiz_rules/wiz_revoke_user_sessions.yml new file mode 100644 index 000000000..ccb9b069d --- /dev/null +++ b/rules/wiz_rules/wiz_revoke_user_sessions.yml 
@@ -0,0 +1,96 @@ +AnalysisType: rule +RuleID: Wiz.Revoke.User.Sessions +Description: This rule detects user sessions revoked. +DisplayName: Wiz Revoke User Sessions +Runbook: Verify that this change was planned. If not, revoke all the sessions of the account and change its credentials +Reference: https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr +Enabled: true +Filename: wiz_revoke_user_sessions.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0040:T1531 # Account Access Removal +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: RevokeUserSessions + ExpectedResult: true + Log: + { + "id": "07fdb41e-e83d-46e2-814a-6cebc47acf97", + "action": "RevokeUserSessions", + "requestId": "5fa96b8f-2c85-4c2d-b0f9-d4a4307ea8a7", + "status": "SUCCESS", + "timestamp": "2024-07-31T17:55:29.239928Z", + "actionParameters": { + "input": { + "id": "" + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": 
"someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: RevokeUserSessions - Fail + ExpectedResult: false + Log: + { + "id": "07fdb41e-e83d-46e2-814a-6cebc47acf97", + "action": "RevokeUserSessions", + "requestId": "5fa96b8f-2c85-4c2d-b0f9-d4a4307ea8a7", + "status": "FAILED", + "timestamp": "2024-07-31T17:55:29.239928Z", + "actionParameters": { }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } diff --git a/rules/wiz_rules/wiz_rotate_service_account_secret.py b/rules/wiz_rules/wiz_rotate_service_account_secret.py new file mode 100644 index 000000000..9577440df --- /dev/null +++ b/rules/wiz_rules/wiz_rotate_service_account_secret.py @@ -0,0 +1,22 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") == "RotateServiceAccountSecret" + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_rotate_service_account_secret.yml b/rules/wiz_rules/wiz_rotate_service_account_secret.yml new file mode 100644 index 000000000..7d27f5ee4 --- /dev/null +++ b/rules/wiz_rules/wiz_rotate_service_account_secret.yml 
@@ -0,0 +1,113 @@ +AnalysisType: rule +RuleID: Wiz.Rotate.Service.Account.Secret +Description: This rule detects service account secrets rotations. +DisplayName: Wiz Rotate Service Account Secret +Runbook: Verify the action was planned. +Reference: https://www.wiz.io/academy/kubernetes-secrets +Enabled: true +Filename: wiz_rotate_service_account_secret.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0001:T1078.004 # Valid Accounts: Cloud Accounts +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: RotateServiceAccountSecret + ExpectedResult: true + Log: + { + "id": "d78f5ef1-3814-4d47-b789-0e43d4cc0ef2", + "action": "RotateServiceAccountSecret", + "requestId": "2303f545-a219-4c6d-b217-b76bb5e06a20", + "status": "SUCCESS", + "timestamp": "2024-07-16T10:47:43.562393Z", + "actionParameters": { + "ID": "rsao...", + "selection": [ + "__typename", + { + "serviceAccount": [ + "__typename", + "id", + "enabled", + "name", + "clientId", + "scopes", + "lastRotatedAt", + "expiresAt", + "description", + { + "integration": [ + "__typename", + "id" + ] + }, + "clientSecret" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: RotateServiceAccountSecret - Fail + ExpectedResult: false + Log: + { + "id": "d78f5ef1-3814-4d47-b789-0e43d4cc0ef2", + "action": "RotateServiceAccountSecret", + "requestId": "2303f545-a219-4c6d-b217-b76bb5e06a20", + "status": "FAILED", + "timestamp": "2024-07-16T10:47:43.562393Z", + "actionParameters": { }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } diff --git a/rules/wiz_rules/wiz_rule_change.py b/rules/wiz_rules/wiz_rule_change.py new file mode 100644 index 000000000..153fb0a3a --- /dev/null +++ b/rules/wiz_rules/wiz_rule_change.py 
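Review bot: The `Reference` links to a generic Kubernetes-secrets academy article, which says nothing about rotating a Wiz service-account secret or why that is alert-worthy; point it at the Wiz service-account documentation (URL to be supplied by the author) or drop it. The `Runbook` (`Verify the action was planned.`) is also the thinnest in this set — for a rotation it should at least tell the analyst to confirm with the service-account owner and establish who now holds the new secret, since an unplanned rotation both breaks the legitimate integration and leaves a fresh credential with whoever triggered it. wiz_update_ip_restrictions.yml has a worse version of the reference problem: its `Reference` points at support.wix.com, a different vendor (Wix), and should be replaced with the Wiz IP-allowlisting documentation.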
@@ -0,0 +1,47 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = [ + "DeleteAutomationRule", + "UpdateAutomationRule", + "DeleteCloudEventRule", + "UpdateCloudEventRule", + "DeleteCloudConfigurationRule", + "UpdateCloudConfigurationRule", + "DeleteHostConfigurationRule", + "UpdateHostConfigurationRule", + "CreateIgnoreRule", + "DeleteIgnoreRule", # we have no sample log for such event, but I suppose there should be one + "UpdateIgnoreRule", + "CreateMalwareExclusion", + "UpdateMalwareExclusion", +] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) + + +def severity(event): + action = event.get("action", "ACTION_NOT_FOUND") + if "Delete" in action: + return "High" + if "Create" in action: + return "Low" + return "Default" diff --git a/rules/wiz_rules/wiz_rule_change.yml b/rules/wiz_rules/wiz_rule_change.yml new file mode 100644 index 000000000..b81b59334 --- /dev/null +++ b/rules/wiz_rules/wiz_rule_change.yml 
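Review bot: `severity()` returns `Low` for every `Create*` action, which includes `CreateIgnoreRule` and `CreateMalwareExclusion` — the two creates in `SUSPICIOUS_ACTIONS` that suppress findings, i.e. exactly the Impair Defenses behaviour (`T1562.001`) the rule is tagged with. Consider `if "Delete" in action or action in ("CreateIgnoreRule", "CreateMalwareExclusion"): return "High"` ahead of the `Create` branch so suppression-type creates are not down-ranked. The inline comment on `DeleteIgnoreRule` (`# we have no sample log for such event, but I suppose there should be one`) should become an explicit `# TODO: action name unverified — no sample Wiz.Audit event yet` so the unconfirmed entry is greppable. The `return "Default"` branch is also worth a comment stating that it is meant to fall back to the YAML `Severity`, with the mixed-case spelling confirmed against what the Panther runtime accepts.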
@@ -0,0 +1,97 @@ +AnalysisType: rule +RuleID: Wiz.Rule.Change +Description: This rule detects creations, updates and deletions of Wiz rules. +DisplayName: Wiz Rule Change +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. If needed, review the privileges of existing accounts. +Reference: https://www.wiz.io/blog/custom-runtime-rules-and-response-policies +Enabled: true +Filename: wiz_rule_change.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteCloudConfigurationRule + ExpectedResult: true + Log: + { + "action": "DeleteCloudConfigurationRule", + "actionparameters": { + "input": { + "id": "12345-3fd7-4063-8e06-12345" + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "id": "12345-0301-491d-9fe6-12345", + "log_type": "auditLogEntries", + "requestid": "12345-c18f-4ce0-9288-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "SUCCESS", + "timestamp": "2024-03-24 10:58:31.347", + "user": { + "id": "testy@company.com", + "name": "testy@company.com" + }, + "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": 
"8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteCloudConfigurationRule - Fail + ExpectedResult: false + Log: + { + "action": "DeleteCloudConfigurationRule", + "id": "12345-0301-491d-9fe6-12345", + "log_type": "auditLogEntries", + "requestid": "12345-c18f-4ce0-9288-12345", + "serviceaccount": null, + "sourceip": "8.8.8.8", + "status": "FAILED", + "timestamp": "2024-03-24 10:58:31.347", + "user": { + "id": "testy@company.com", + "name": "testy@company.com" + }, + "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" + } diff --git a/rules/wiz_rules/wiz_saml_identity_provider_change.py b/rules/wiz_rules/wiz_saml_identity_provider_change.py new file mode 100644 index 000000000..d183ed51b --- /dev/null +++ b/rules/wiz_rules/wiz_saml_identity_provider_change.py @@ -0,0 +1,29 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = [ + "UpdateSAMLIdentityProvider", + "DeleteSAMLIdentityProvider", + "CreateSAMLIdentityProvider", + "ModifySAMLIdentityProviderGroupMappings", +] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_saml_identity_provider_change.yml b/rules/wiz_rules/wiz_saml_identity_provider_change.yml new file mode 100644 index 000000000..071b6c5bd --- /dev/null +++ b/rules/wiz_rules/wiz_saml_identity_provider_change.yml 
@@ -0,0 +1,95 @@ +AnalysisType: rule +RuleID: Wiz.SAML.Identity.Provider.Change +Description: This rule detects creations, updates and deletions of SAML identity providers. +DisplayName: Wiz SAML Identity Provider Change +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://support.wiz.io/hc/en-us/articles/5644029716380-Single-Sign-on-SSO-Overview +Enabled: true +Filename: wiz_saml_identity_provider_change.py +Severity: High +Reports: + MITRE ATT&CK: + - TA0004:T1484.002 # Domain or Tenant Policy Modification: Trust Modification +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteSAMLIdentityProvider + ExpectedResult: true + Log: + { + "id": "0fc891d1-c2e3-4db2-b896-7af27964c71b", + "action": "DeleteSAMLIdentityProvider", + "requestId": "eec733c5-175c-4d0c-8b65-b9344f223a36", + "status": "SUCCESS", + "timestamp": "2024-07-12T08:59:33.946633Z", + "actionParameters": { + "input": { + "id": "" + }, + "selection": [ + "_stub" + ] + }, + "userAgent": "Wiz-Terraform-Provider/1.13.3433", + "sourceIP": "12.34.56.78", + "serviceAccount": { + "id": "", + "name": "test-graphql-api" + }, + "user": null + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": 
"someuser@company.com" + } + } + - Name: DeleteSAMLIdentityProvider - Fail + ExpectedResult: false + Log: + { + "id": "0fc891d1-c2e3-4db2-b896-7af27964c71b", + "action": "DeleteSAMLIdentityProvider", + "requestId": "eec733c5-175c-4d0c-8b65-b9344f223a36", + "status": "FAILED", + "timestamp": "2024-07-12T08:59:33.946633Z", + "actionParameters": { }, + "userAgent": "Wiz-Terraform-Provider/1.13.3433", + "sourceIP": "12.34.56.78", + "serviceAccount": { + "id": "", + "name": "test-graphql-api" + }, + "user": null + } diff --git a/rules/wiz_rules/wiz_service_account_change.py b/rules/wiz_rules/wiz_service_account_change.py new file mode 100644 index 000000000..b8faba6fd --- /dev/null +++ b/rules/wiz_rules/wiz_service_account_change.py @@ -0,0 +1,28 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + +SUSPICIOUS_ACTIONS = [ + "CreateServiceAccount", + "DeleteServiceAccount", + "UpdateServiceAccount", +] + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_service_account_change.yml b/rules/wiz_rules/wiz_service_account_change.yml new file mode 100644 index 000000000..70c6ad5bf --- /dev/null +++ b/rules/wiz_rules/wiz_service_account_change.yml 
@@ -0,0 +1,98 @@ +AnalysisType: rule +RuleID: Wiz.Service.Account.Change +Description: This rule detects creations, updates and deletions of service accounts. +DisplayName: Wiz Service Account Change +Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized. +Reference: https://www.wiz.io/blog/non-human-identities-dashboard +Enabled: true +Filename: wiz_service_account_change.py +Severity: High +Reports: + MITRE ATT&CK: + - TA0001:T1078.004 # Valid Accounts: Cloud Accounts +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: DeleteServiceAccount + ExpectedResult: true + Log: + { + "id": "ac5630ca-2dd9-40a5-8137-140443cd8087", + "action": "DeleteServiceAccount", + "requestId": "a9291dc4-a17c-4af7-bb9e-17905082221f", + "status": "SUCCESS", + "timestamp": "2024-07-09T14:16:02.836387Z", + "actionParameters": { + "input": { + "id": "rsao..." + }, + "selection": [ + "__typename", + "_stub" + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "__typename": "User", + "id": "test.user@company.com", + "name": "user@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { 
+ "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: DeleteServiceAccount - Fail + ExpectedResult: false + Log: + { + "id": "ac5630ca-2dd9-40a5-8137-140443cd8087", + "action": "DeleteServiceAccount", + "requestId": "a9291dc4-a17c-4af7-bb9e-17905082221f", + "status": "FAILED", + "timestamp": "2024-07-09T14:16:02.836387Z", + "actionParameters": { }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "__typename": "User", + "id": "test.user@company.com", + "name": "user@company.com" + } + } diff --git a/rules/wiz_rules/wiz_update_ip_restrictions.py b/rules/wiz_rules/wiz_update_ip_restrictions.py new file mode 100644 index 000000000..85337be52 --- /dev/null +++ b/rules/wiz_rules/wiz_update_ip_restrictions.py @@ -0,0 +1,22 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") == "UpdateIPRestrictions" + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_update_ip_restrictions.yml b/rules/wiz_rules/wiz_update_ip_restrictions.yml new file mode 100644 index 000000000..51f8e5e66 --- /dev/null +++ b/rules/wiz_rules/wiz_update_ip_restrictions.yml 
@@ -0,0 +1,105 @@ +AnalysisType: rule +RuleID: Wiz.Update.IP.Restrictions +Description: This rule detects updates of IP restrictions. +DisplayName: Wiz Update IP Restrictions +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://support.wix.com/en/article/wix-enterprise-managing-access-to-your-sites-using-ip-allowlisting +Enabled: true +Filename: wiz_update_ip_restrictions.py +Severity: High +Reports: + MITRE ATT&CK: + - TA0003:T1556.009 # Modify Authentication Process: Conditional Access Policies +LogTypes: + - Wiz.Audit +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: UpdateIPRestrictions + ExpectedResult: true + Log: + { + "id": "66aa29d4-7a2e-4b09-a46c-ff72b2c55425", + "action": "UpdateIPRestrictions", + "requestId": "22681d26-0ba0-4730-8f05-0b2c3adefe1b", + "status": "SUCCESS", + "timestamp": "2024-07-31T18:10:33.436381Z", + "actionParameters": { + "input": { + "serviceAccountAccessAllowedIPs": [ + "0.0.0.0/0" + ], + "userAccessAllowedIPs": [ ] + }, + "selection": [ + "__typename", + { + "ipRestrictions": [ + "__typename", + "userAccessAllowedIPs", + "serviceAccountAccessAllowedIPs" + ] + } + ] + }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } + - Name: CreateUser + ExpectedResult: false + Log: + { + "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14", + "action": "CreateUser", + "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e", + "status": "SUCCESS", + "timestamp": "2024-07-29T09:40:15.66643Z", + "actionParameters": { + "input": { + "assignedProjectIds": null, + "email": "testy@company.com", + "expiresAt": null, + "name": "Test User", + "role": "GLOBAL_ADMIN" + }, + "selection": [ + "__typename", + { + "user": [ + "__typename", + "id" + ] + } + ] + }, + 
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "8.8.8.8", + "serviceAccount": null, + "user": { + "id": "someuser@company.com", + "name": "someuser@company.com" + } + } + - Name: UpdateIPRestrictions - Fail + ExpectedResult: false + Log: + { + "id": "66aa29d4-7a2e-4b09-a46c-ff72b2c55425", + "action": "UpdateIPRestrictions", + "requestId": "22681d26-0ba0-4730-8f05-0b2c3adefe1b", + "status": "FAILED", + "timestamp": "2024-07-31T18:10:33.436381Z", + "actionParameters": { }, + "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", + "sourceIP": "12.34.56.78", + "serviceAccount": null, + "user": { + "id": "test.user@company.com", + "name": "user@company.com" + } + } diff --git a/rules/wiz_rules/wiz_update_login_settings.py b/rules/wiz_rules/wiz_update_login_settings.py new file mode 100644 index 000000000..b5cb8ddf1 --- /dev/null +++ b/rules/wiz_rules/wiz_update_login_settings.py @@ -0,0 +1,22 @@ +from panther_wiz_helpers import wiz_alert_context, wiz_success + + +def rule(event): + if not wiz_success(event): + return False + return event.get("action", "ACTION_NOT_FOUND") == "UpdateLoginSettings" + + +def title(event): + return ( + f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " + f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + ) + + +def dedup(event): + return event.get("id") + + +def alert_context(event): + return wiz_alert_context(event) diff --git a/rules/wiz_rules/wiz_update_login_settings.yml b/rules/wiz_rules/wiz_update_login_settings.yml new file mode 100644 index 000000000..f8df6c50a --- /dev/null +++ b/rules/wiz_rules/wiz_update_login_settings.yml 
@@ -0,0 +1,105 @@
+AnalysisType: rule
+RuleID: Wiz.Update.Login.Settings
+Description: This rule detects updates of Wiz login settings.
+DisplayName: Wiz Update Login Settings
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://support.wiz.io/hc/en-us/categories/5311977085340-User-Management
+Enabled: true
+Filename: wiz_update_login_settings.py
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0006:T1556 # Modify Authentication Process
+LogTypes:
+ - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: UpdateLoginSettings
+ ExpectedResult: true
+ Log:
+ {
+ "id": "f77a8e1e-5674-42d1-9f1e-8a259dc736cd",
+ "action": "UpdateLoginSettings",
+ "requestId": "417f1751-bcc1-4d38-86aa-eb781790bdd6",
+ "status": "SUCCESS",
+ "timestamp": "2024-06-16T13:14:22.291227Z",
+ "actionParameters": {
+ "input": {
+ "patch": {
+ "approvedUserDomains": [
+ "abc.com",
+ ]
+ }
+ },
+ "selection": [
+ "__typename",
+ {
+ "loginSettings": [
+ "__typename",
+ "approvedUserDomains"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "",
+ "name": "user@company.com"
+ }
+ }
+ - Name: CreateUser
+ ExpectedResult: false
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": {
+ "input": {
+ "assignedProjectIds": null,
+ "email": "testy@company.com",
+ "expiresAt": null,
+ "name": "Test User",
+ "role": "GLOBAL_ADMIN"
+ },
+ "selection": [
+ "__typename",
+ {
+ "user": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
+ - Name: UpdateLoginSettings - Fail
+ ExpectedResult: false
+ Log:
+ {
+ "id": "f77a8e1e-5674-42d1-9f1e-8a259dc736cd",
+ "action": "UpdateLoginSettings",
+ "requestId": "417f1751-bcc1-4d38-86aa-eb781790bdd6",
+ "status": "FAILED",
+ "timestamp": "2024-06-16T13:14:22.291227Z",
+ "actionParameters": { },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "",
+ "name": "user@company.com"
+ }
+ }
diff --git a/rules/wiz_rules/wiz_update_scanner_settings.py b/rules/wiz_rules/wiz_update_scanner_settings.py
new file mode 100644
index 000000000..b033999ab
--- /dev/null
+++ b/rules/wiz_rules/wiz_update_scanner_settings.py
@@ -0,0 +1,22 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+
+def rule(event):
+ if not wiz_success(event):
+ return False
+ return event.get("action", "ACTION_NOT_FOUND") == "UpdateScannerSettings"
+
+
+def title(event):
+ return (
+ f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+ f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+ )
+
+
+def dedup(event):
+ return event.get("id")
+
+
+def alert_context(event):
+ return wiz_alert_context(event)
diff --git a/rules/wiz_rules/wiz_update_scanner_settings.yml b/rules/wiz_rules/wiz_update_scanner_settings.yml
new file mode 100644
index 000000000..a265c3298
--- /dev/null
+++ b/rules/wiz_rules/wiz_update_scanner_settings.yml
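Review bot: `Severity: Medium` is one step below the sibling wiz_update_ip_restrictions rule in this commit (`High`), although the positive fixture shows `approvedUserDomains` being patched, which presumably governs which identities may sign in to the tenant at all — an authentication-scope change comparable to an IP restriction update. Either align the two severities or state in the Description why a login-settings change is treated as less impactful, so the difference reads as deliberate rather than accidental. The Description `This rule detects updates of Wiz login settings.` reads better as `updates to Wiz login settings`.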
@@ -0,0 +1,114 @@
+AnalysisType: rule
+RuleID: Wiz.Update.Scanner.Settings
+Description: This rule detects updates of Wiz scanner settings.
+DisplayName: Wiz Update Scanner Settings
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://www.wiz.io/academy/secret-scanning
+Enabled: true
+Filename: wiz_update_scanner_settings.py
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
+LogTypes:
+ - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: UpdateScannerSettings
+ ExpectedResult: true
+ Log:
+ {
+ "id": "dd48b7fe-576d-453d-a0d0-1f61425b1bb7",
+ "action": "UpdateScannerSettings",
+ "requestId": "d5c55350-0d54-46eb-88ee-4942f80e700c",
+ "status": "SUCCESS",
+ "timestamp": "2024-06-18T12:09:33.985762Z",
+ "actionParameters": {
+ "input": {
+ "patch": {
+ "computeResourceGroupMemberScanSamplingEnabled": true,
+ "maxComputeResourceGroupMemberScanCount": 2,
+ "prioritizeActiveComputeResourceGroupMembers": true
+ }
+ },
+ "selection": [
+ "__typename",
+ {
+ "scannerSettings": [
+ "__typename",
+ "computeResourceGroupMemberScanSamplingEnabled",
+ "maxComputeResourceGroupMemberScanCount",
+ {
+ "customFileDetectionList": [
+ "__typename",
+ "id",
+ "url",
+ "fileDetectionCount"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
+ - Name: CreateUser
+ ExpectedResult: false
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": {
+ "input": {
+ "assignedProjectIds": null,
+ "email": "testy@company.com",
+ "expiresAt": null,
+ "name": "Test User",
+ "role": "GLOBAL_ADMIN"
+ },
+ "selection": [
+ "__typename",
+ {
+ "user": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
+ - Name: UpdateScannerSettings - Fail
+ ExpectedResult: false
+ Log:
+ {
+ "id": "dd48b7fe-576d-453d-a0d0-1f61425b1bb7",
+ "action": "UpdateScannerSettings",
+ "requestId": "d5c55350-0d54-46eb-88ee-4942f80e700c",
+ "status": "FAILED",
+ "timestamp": "2024-06-18T12:09:33.985762Z",
+ "actionParameters": { },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
diff --git a/rules/wiz_rules/wiz_update_support_contact_list.py b/rules/wiz_rules/wiz_update_support_contact_list.py
new file mode 100644
index 000000000..00e65ae67
--- /dev/null
+++ b/rules/wiz_rules/wiz_update_support_contact_list.py
@@ -0,0 +1,22 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+
+def rule(event):
+ if not wiz_success(event):
+ return False
+ return event.get("action", "ACTION_NOT_FOUND") == "UpdateSupportContactList"
+
+
+def title(event):
+ return (
+ f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+ f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+ )
+
+
+def dedup(event):
+ return event.get("id")
+
+
+def alert_context(event):
+ return wiz_alert_context(event)
diff --git a/rules/wiz_rules/wiz_update_support_contact_list.yml b/rules/wiz_rules/wiz_update_support_contact_list.yml
new file mode 100644
index 000000000..89bd32a3e
--- /dev/null
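Review bot: `Reference:` links a general secret-scanning article, while the positive fixture shows the rule firing on compute-resource-group scan sampling settings (`computeResourceGroupMemberScanSamplingEnabled`, `maxComputeResourceGroupMemberScanCount`), so the link does not help an analyst judge the event; point it at the Wiz scanner-settings documentation instead, e.g. `Reference: <WIZ_SCANNER_SETTINGS_DOC_URL>` (placeholder). Because the rule alerts on every scanner-settings change, the Runbook could tell the analyst where to look, e.g. `Review the changed keys under actionParameters.input.patch to distinguish tuning from a reduction in scan coverage.` — `patch` is where the fixture carries the changed values. The Description `updates of Wiz scanner settings` reads better as `updates to Wiz scanner settings`.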
+++ b/rules/wiz_rules/wiz_update_support_contact_list.yml 
@@ -0,0 +1,110 @@
+AnalysisType: rule
+RuleID: Wiz.Update.Support.Contact.List
+Description: This rule detects updates of Wiz support contact list.
+DisplayName: Wiz Update Support Contact List
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://www.wiz.io/
+Enabled: true
+Filename: wiz_update_support_contact_list.py
+Severity: Low
+Reports:
+ MITRE ATT&CK:
+ - TA0035:T1636.003 # Protected User Data: Contact List
+LogTypes:
+ - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: UpdateSupportContactList
+ ExpectedResult: true
+ Log:
+ {
+ "id": "3a9d0fc8-8466-4e79-a2cd-014a068b985c",
+ "action": "UpdateSupportContactList",
+ "requestId": "fddf46ff-c69a-4f5b-a06d-c05ec95dbb21",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-23T10:16:54.517212Z",
+ "actionParameters": {
+ "input": {
+ "patch": {
+ "contacts": [
+ "test.user@company.com"
+ ]
+ }
+ },
+ "selection": [
+ "__typename",
+ {
+ "supportContactList": [
+ "__typename",
+ {
+ "contacts": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
+ - Name: CreateUser
+ ExpectedResult: false
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": {
+ "input": {
+ "assignedProjectIds": null,
+ "email": "testy@company.com",
+ "expiresAt": null,
+ "name": "Test User",
+ "role": "GLOBAL_ADMIN"
+ },
+ "selection": [
+ "__typename",
+ {
+ "user": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
+ - Name: UpdateSupportContactList - Fail
+ ExpectedResult: false
+ Log:
+ {
+ "id": "3a9d0fc8-8466-4e79-a2cd-014a068b985c",
+ "action": "UpdateSupportContactList",
+ "requestId": "fddf46ff-c69a-4f5b-a06d-c05ec95dbb21",
+ "status": "FAILED",
+ "timestamp": "2024-07-23T10:16:54.517212Z",
+ "actionParameters": { },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
diff --git a/rules/wiz_rules/wiz_user_created_or_deleted.py b/rules/wiz_rules/wiz_user_created_or_deleted.py
new file mode 100644
index 000000000..32dd14cfd
--- /dev/null
+++ b/rules/wiz_rules/wiz_user_created_or_deleted.py
@@ -0,0 +1,24 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["CreateUser", "DeleteUser"]
+
+
+def rule(event):
+ if not wiz_success(event):
+ return False
+ return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+ return (
+ f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+ f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+ )
+
+
+def dedup(event):
+ return event.get("id")
+
+
+def alert_context(event):
+ return wiz_alert_context(event)
diff --git a/rules/wiz_rules/wiz_user_created_or_deleted.yml b/rules/wiz_rules/wiz_user_created_or_deleted.yml
new file mode 100644
index 000000000..aecc58380
--- /dev/null
+++ b/rules/wiz_rules/wiz_user_created_or_deleted.yml
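Review bot: The ATT&CK mapping `TA0035:T1636.003` is, as far as I can tell, a Mobile-matrix entry (Collection / Protected User Data: Contact List, i.e. reading a device address book), which does not describe editing the support-contact list of a SaaS tenant; every other rule in this commit maps to Enterprise techniques, so an Enterprise mapping or none would be more consistent — confirm against the ATT&CK version the repository targets. `Reference: https://www.wiz.io/` is the vendor home page and gives an analyst nothing to act on; replace it with the relevant support-contacts document, e.g. `Reference: <WIZ_SUPPORT_CONTACTS_DOC_URL>` (placeholder), or drop the key. The Description `updates of Wiz support contact list` reads better as `updates to the Wiz support contact list`.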
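Review bot: `rule()` treats every successful `CreateUser` alike, but the fixture's `actionParameters.input.role` is `GLOBAL_ADMIN`, and creating a global administrator is a materially different event from creating a read-only user under a `Severity: Low` rule. The sibling wiz_user_role_updated_or_deleted.py in this commit already uses a `severity()` hook, so the same pattern fits here, e.g. `def severity(event): return "High" if event.deep_get("actionParameters", "input", "role") == "GLOBAL_ADMIN" else "Default"` — the exact set of privileged role names should be confirmed against the Wiz role model. As a matter of style, `SUSPICIOUS_ACTIONS` is only used for membership, so a tuple or frozenset states that intent better than a mutable list, and the name overstates things for routine admin lifecycle events that the Runbook only asks to verify.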
@@ -0,0 +1,98 @@
+AnalysisType: rule
+RuleID: Wiz.User.Created.Or.Deleted
+Description: This rule detects creations and deletions of Wiz users.
+DisplayName: Wiz User Created Or Deleted
+Runbook: Verify that this change was planned.
+Reference: https://support.wiz.io/hc/en-us/categories/5311977085340-User-Management
+Enabled: true
+Filename: wiz_user_created_or_deleted.py
+Severity: Low
+Reports:
+ MITRE ATT&CK:
+ - TA0003:T1136.003 # Create Account
+ - TA0005:T1070.009 # Indicator Removal
+LogTypes:
+ - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: Deleted rule
+ ExpectedResult: false
+ Log:
+ {
+ "action": "DeleteCloudConfigurationRule",
+ "actionparameters": {
+ "input": {
+ "id": "12345-3fd7-4063-8e06-12345"
+ },
+ "selection": [
+ "__typename",
+ "_stub"
+ ]
+ },
+ "id": "12345-0301-491d-9fe6-12345",
+ "log_type": "auditLogEntries",
+ "requestid": "12345-c18f-4ce0-9288-12345",
+ "serviceaccount": null,
+ "sourceip": "8.8.8.8",
+ "status": "SUCCESS",
+ "timestamp": "2024-03-24 10:58:31.347",
+ "user": {
+ "id": "testy@company.com",
+ "name": "testy@company.com"
+ },
+ "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
+ }
+ - Name: CreateUser
+ ExpectedResult: true
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": {
+ "input": {
+ "assignedProjectIds": null,
+ "email": "testy@company.com",
+ "expiresAt": null,
+ "name": "Test User",
+ "role": "GLOBAL_ADMIN"
+ },
+ "selection": [
+ "__typename",
+ {
+ "user": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
+ - Name: CreateUser - Fail
+ ExpectedResult: false
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "FAILED",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": { },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
diff --git a/rules/wiz_rules/wiz_user_role_updated_or_deleted.py b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py
new file mode 100644
index 000000000..ce336fe37
--- /dev/null
+++ b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py
@@ -0,0 +1,31 @@
+from panther_wiz_helpers import wiz_alert_context, wiz_success
+
+SUSPICIOUS_ACTIONS = ["DeleteUserRole", "UpdateUserRole"]
+
+
+def rule(event):
+ if not wiz_success(event):
+ return False
+ return event.get("action", "ACTION_NOT_FOUND") in SUSPICIOUS_ACTIONS
+
+
+def title(event):
+ return (
+ f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action "
+ f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]"
+ )
+
+
+def dedup(event):
+ return event.get("id")
+
+
+def alert_context(event):
+ return wiz_alert_context(event)
+
+
+def severity(event):
+ action = event.get("action", "ACTION_NOT_FOUND")
+ if "Delete" in action:
+ return "High"
+ return "Default"
diff --git a/rules/wiz_rules/wiz_user_role_updated_or_deleted.yml b/rules/wiz_rules/wiz_user_role_updated_or_deleted.yml
new file mode 100644
index 000000000..7fa6981eb
--- /dev/null
+++ b/rules/wiz_rules/wiz_user_role_updated_or_deleted.yml
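Review bot: No test exercises `DeleteUser`, although the Python rule lists it in `SUSPICIOUS_ACTIONS` next to `CreateUser`; the three fixtures cover CreateUser (true), CreateUser with `FAILED` (false) and `DeleteCloudConfigurationRule` (false), so a regression that dropped DeleteUser from the list would still pass. Add a positive fixture with `"action": "DeleteUser"` and `"status": "SUCCESS"`. The `Deleted rule` fixture also has a different shape from every other fixture in this commit — lower-case keys (`actionparameters`, `requestid`, `sourceip`, `useragent`), an extra `log_type`, and a non-ISO `timestamp` — so it is unclear which shape the Wiz.Audit schema actually delivers, and the rule returns false on it only because the action name differs, not because any of those keys were read. `TA0005:T1070.009` (Indicator Removal: Clear Persistence) is a loose fit for a user deletion; confirm that is the intended sub-technique.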
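Review bot: `severity()` returns the mixed-case strings `"High"` and `"Default"`; Panther's documented severity values are upper-case (`HIGH`, `DEFAULT`) and I am not certain every Panther version accepts the mixed-case form, so confirm or normalise to upper-case. The substring test `if "Delete" in action:` is correct only because `rule()` has already narrowed `action` to the two names in `SUSPICIOUS_ACTIONS`; an explicit `if action == "DeleteUserRole":` makes the intent visible to the next reader and does not depend on that coupling. A one-line docstring on `severity()` stating that role deletions are escalated while updates keep the YAML severity would save a reader from working that out from the branches.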
@@ -0,0 +1,96 @@
+AnalysisType: rule
+RuleID: Wiz.User.Role.Updated.Or.Deleted
+Description: This rule detects updates and deletions of Wiz user roles.
+DisplayName: Wiz User Role Updated Or Deleted
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. Review privileges given to accounts to ensure the principle of minimal privilege
+Reference: https://www.wiz.io/blog/cloud-security-custom-roles-democratization
+Enabled: true
+Filename: wiz_user_role_updated_or_deleted.py
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0003:T1098.001 # Account Manipulation
+LogTypes:
+ - Wiz.Audit
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: DeleteUserRole
+ ExpectedResult: true
+ Log:
+ {
+ "id": "671d8e2d-1ca8-47eb-bf1c-d46cd3f0d737",
+ "action": "DeleteUserRole",
+ "requestId": "a83aba82-c707-4a2f-9761-fe9ee723b703",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-31T18:09:28.790129Z",
+ "actionParameters": {
+ "input": {
+ "id": "b92c4032-9af8-4e2d-b6dc-3bf2005bb7ad"
+ },
+ "selection": [
+ "__typename",
+ "_stub"
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
+ - Name: CreateUser
+ ExpectedResult: false
+ Log:
+ {
+ "id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
+ "action": "CreateUser",
+ "requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
+ "status": "SUCCESS",
+ "timestamp": "2024-07-29T09:40:15.66643Z",
+ "actionParameters": {
+ "input": {
+ "assignedProjectIds": null,
+ "email": "testy@company.com",
+ "expiresAt": null,
+ "name": "Test User",
+ "role": "GLOBAL_ADMIN"
+ },
+ "selection": [
+ "__typename",
+ {
+ "user": [
+ "__typename",
+ "id"
+ ]
+ }
+ ]
+ },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "8.8.8.8",
+ "serviceAccount": null,
+ "user": {
+ "id": "someuser@company.com",
+ "name": "someuser@company.com"
+ }
+ }
+ - Name: DeleteUserRole - Fail
+ ExpectedResult: false
+ Log:
+ {
+ "id": "671d8e2d-1ca8-47eb-bf1c-d46cd3f0d737",
+ "action": "DeleteUserRole",
+ "requestId": "a83aba82-c707-4a2f-9761-fe9ee723b703",
+ "status": "FAILED",
+ "timestamp": "2024-07-31T18:09:28.790129Z",
+ "actionParameters": { },
+ "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
+ "sourceIP": "12.34.56.78",
+ "serviceAccount": null,
+ "user": {
+ "id": "test.user@company.com",
+ "name": "user@company.com"
+ }
+ }
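Review bot: The sub-technique in `- TA0003:T1098.001 # Account Manipulation` is Additional Cloud Credentials, which does not describe updating or deleting a user role; the role-focused sub-technique is `T1098.003` (Additional Cloud Roles), so either `- TA0003:T1098.003 # Account Manipulation: Additional Cloud Roles` or the parent `T1098`, which is what the comment already names. The fixtures cover DeleteUserRole (true and `FAILED`) and CreateUser (false) but never `UpdateUserRole`, so the `severity()` branch in the Python rule that returns "Default" for non-delete actions is untested; add a fixture with `"action": "UpdateUserRole"` and `"status": "SUCCESS"` expecting true. The Runbook's final sentence is missing its full stop (`...the principle of minimal privilege`), and "least privilege" is the usual term.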