From 49c010e654c95e13978fab7eb5f0b81253608d01 Mon Sep 17 00:00:00 2001 From: jpts Date: Wed, 30 Oct 2024 09:57:27 +0000 Subject: [PATCH] Add Wiz actor fn --- global_helpers/panther_wiz_helpers.py | 28 +++++++++++++++++-- ...wiz_cicd_scan_policy_updated_or_deleted.py | 6 ++-- .../wiz_connector_updated_or_deleted.py | 6 ++-- .../wiz_data_classifier_updated_or_deleted.py | 6 ++-- ..._integrity_validator_updated_or_deleted.py | 6 ++-- .../wiz_integration_updated_or_deleted.py | 6 ++-- rules/wiz_rules/wiz_revoke_user_sessions.py | 6 ++-- .../wiz_rotate_service_account_secret.py | 6 ++-- rules/wiz_rules/wiz_rule_change.py | 6 ++-- .../wiz_saml_identity_provider_change.py | 6 ++-- rules/wiz_rules/wiz_service_account_change.py | 6 ++-- rules/wiz_rules/wiz_update_ip_restrictions.py | 6 ++-- rules/wiz_rules/wiz_update_login_settings.py | 6 ++-- .../wiz_rules/wiz_update_scanner_settings.py | 6 ++-- .../wiz_update_support_contact_list.py | 6 ++-- .../wiz_rules/wiz_user_created_or_deleted.py | 6 ++-- .../wiz_user_role_updated_or_deleted.py | 6 ++-- 17 files changed, 90 insertions(+), 34 deletions(-) diff --git a/global_helpers/panther_wiz_helpers.py b/global_helpers/panther_wiz_helpers.py index 39441b50a..96f498fe6 100644 --- a/global_helpers/panther_wiz_helpers.py +++ b/global_helpers/panther_wiz_helpers.py 
@@ -7,9 +7,33 @@ def wiz_success(event): def wiz_alert_context(event): return { "action": event.get("action", ""), - "user": event.get("user", ""), + "actor": wiz_actor(event), "source_ip": event.get("sourceip", ""), "event_id": event.get("id", ""), - "service_account": event.get("serviceaccount", ""), "action_parameters": event.get("actionparameters", ""), } + + +def wiz_actor(event): + user = event.get("user") + serviceaccount = event.get("serviceAccount") + + if user is not None: + return { + "type": "user", + "id": user.get("id"), + "name": user.get("name"), + } + + if serviceaccount is not None: + return { + "type": "serviceaccount", + "id": serviceaccount.get("id"), + "name": serviceaccount.get("name"), + } + + return { + "type": "unknown", + "id": "", + "name": "", + } diff --git a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py index 30c256af9..6eef0f865 100644 --- a/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteCICDScanPolicy", "UpdateCICDScanPolicy"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_connector_updated_or_deleted.py b/rules/wiz_rules/wiz_connector_updated_or_deleted.py index 212d962cd..a45e0a2f7 100644 --- a/rules/wiz_rules/wiz_connector_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_connector_updated_or_deleted.py 
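Review bot: `wiz_actor` reads `event.get("serviceAccount")` in camelCase, while the `serviceaccount` key this same hunk removes from `wiz_alert_context` and the surviving `sourceip`/`actionparameters` keys are all lowercase; if the Wiz audit schema uses the lowercase form, every service-account action will be attributed to `type: unknown` with an empty id, which weakens alert attribution for exactly the non-human actors these rules watch. Please confirm the field name against a real service-account event and make the two places agree. The user and service-account branches also return `None` for a missing `id`/`name` whereas the fallback branch returns `""`; `"id": user.get("id", "")` and `"name": user.get("name", "")` (and the same for `serviceaccount`) would give callers one consistent shape. A docstring stating the returned keys (`type`, `id`, `name`) and that `user` wins over `serviceAccount` when both are present would help rule authors.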
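Review bot: The new title line `f"performed by {actor.get('type')} [{actor.get('name')}]"` drops the `USER_NAME_NOT_FOUND` fallback the removed `deep_get` call had, so an event whose user record lacks `name` now renders as `[None]` and an unattributed event as `unknown []`. Something like `f"performed by {actor.get('type')} [{actor.get('name') or 'NAME_NOT_FOUND'}]"` keeps a visible marker for analysts triaging the alert. The same change appears in the `title()` hunks of the other fifteen rule files in this patch (wiz_connector_updated_or_deleted.py through wiz_user_role_updated_or_deleted.py) and should be fixed there too.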
@@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteConnector", "UpdateConnector"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py index 19d531b25..122033d2e 100644 --- a/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_data_classifier_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteDataClassifier", "UpdateDataClassifier"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py index 6d770523f..2926fe968 100644 --- a/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteImageIntegrityValidator", "UpdateImageIntegrityValidator"] 
@@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_integration_updated_or_deleted.py b/rules/wiz_rules/wiz_integration_updated_or_deleted.py index 8fa56f2aa..1873b6c90 100644 --- a/rules/wiz_rules/wiz_integration_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_integration_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteIntegration", "UpdateIntegration"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_revoke_user_sessions.py b/rules/wiz_rules/wiz_revoke_user_sessions.py index 79a05c4cd..1287af330 100644 --- a/rules/wiz_rules/wiz_revoke_user_sessions.py +++ b/rules/wiz_rules/wiz_revoke_user_sessions.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_rotate_service_account_secret.py b/rules/wiz_rules/wiz_rotate_service_account_secret.py index 9577440df..076286c81 100644 
--- a/rules/wiz_rules/wiz_rotate_service_account_secret.py +++ b/rules/wiz_rules/wiz_rotate_service_account_secret.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_rule_change.py b/rules/wiz_rules/wiz_rule_change.py index 153fb0a3a..34b6112a5 100644 --- a/rules/wiz_rules/wiz_rule_change.py +++ b/rules/wiz_rules/wiz_rule_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "DeleteAutomationRule", @@ -24,9 +24,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_saml_identity_provider_change.py b/rules/wiz_rules/wiz_saml_identity_provider_change.py index d183ed51b..b79de176c 100644 --- a/rules/wiz_rules/wiz_saml_identity_provider_change.py +++ b/rules/wiz_rules/wiz_saml_identity_provider_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "UpdateSAMLIdentityProvider", 
@@ -15,9 +15,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_service_account_change.py b/rules/wiz_rules/wiz_service_account_change.py index b8faba6fd..474837cc6 100644 --- a/rules/wiz_rules/wiz_service_account_change.py +++ b/rules/wiz_rules/wiz_service_account_change.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = [ "CreateServiceAccount", @@ -14,9 +14,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_ip_restrictions.py b/rules/wiz_rules/wiz_update_ip_restrictions.py index 85337be52..98fc53b5f 100644 --- a/rules/wiz_rules/wiz_update_ip_restrictions.py +++ b/rules/wiz_rules/wiz_update_ip_restrictions.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_login_settings.py b/rules/wiz_rules/wiz_update_login_settings.py index b5cb8ddf1..9498a607a 100644 --- a/rules/wiz_rules/wiz_update_login_settings.py 
+++ b/rules/wiz_rules/wiz_update_login_settings.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_scanner_settings.py b/rules/wiz_rules/wiz_update_scanner_settings.py index b033999ab..0d9b61ee1 100644 --- a/rules/wiz_rules/wiz_update_scanner_settings.py +++ b/rules/wiz_rules/wiz_update_scanner_settings.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_update_support_contact_list.py b/rules/wiz_rules/wiz_update_support_contact_list.py index 00e65ae67..e0bde5d1a 100644 --- a/rules/wiz_rules/wiz_update_support_contact_list.py +++ b/rules/wiz_rules/wiz_update_support_contact_list.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success def rule(event): @@ -8,9 +8,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) 
diff --git a/rules/wiz_rules/wiz_user_created_or_deleted.py b/rules/wiz_rules/wiz_user_created_or_deleted.py index 32dd14cfd..e6e38998d 100644 --- a/rules/wiz_rules/wiz_user_created_or_deleted.py +++ b/rules/wiz_rules/wiz_user_created_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["CreateUser", "DeleteUser"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" ) diff --git a/rules/wiz_rules/wiz_user_role_updated_or_deleted.py b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py index ce336fe37..99bc6c61a 100644 --- a/rules/wiz_rules/wiz_user_role_updated_or_deleted.py +++ b/rules/wiz_rules/wiz_user_role_updated_or_deleted.py @@ -1,4 +1,4 @@ -from panther_wiz_helpers import wiz_alert_context, wiz_success +from panther_wiz_helpers import wiz_actor, wiz_alert_context, wiz_success SUSPICIOUS_ACTIONS = ["DeleteUserRole", "UpdateUserRole"] @@ -10,9 +10,11 @@ def rule(event): def title(event): + actor = wiz_actor(event) + return ( f"[Wiz]: [{event.get('action', 'ACTION_NOT_FOUND')}] action " - f"performed by user [{event.deep_get('user', 'name', default='USER_NAME_NOT_FOUND')}]" + f"performed by {actor.get('type')} [{actor.get('name')}]" )