
Add GCP SSO persistence rules #954

Merged
merged 6 commits into from
Nov 17, 2023

Conversation

egibs
Contributor

@egibs egibs commented Nov 17, 2023

Background

Adds three new GCP SSO persistence rules that cover creations and updates:

  • GCP.Inbound.SSO.Profile.Created
  • GCP.Workforce.Pool.Created.or.Updated
  • GCP.Workload.Identity.Pool.Created.or.Updated

Changes

  • Adds the three aforementioned rules
  • Updates the gcp_audit pack to include the new rules

Testing

Tests pass as expected:

$ make test TEST_ARGS="--path rules/gcp_audit_rules/"
pipenv run python -m unittest global_helpers/*_test.py
.............................................................................................................................................
----------------------------------------------------------------------
Ran 141 tests in 7.125s

OK
pipenv run panther_analysis_tool test --path rules/gcp_audit_rules/
[INFO][root]: Testing analysis items in rules/gcp_audit_rules/

GCP.Access.Attempts.Violating.VPC.Service.Controls
        [PASS] Other Event
                [PASS] [rule] false
        [PASS] VPC control violation
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] performed a [google.storage.objects.get] request that violates VPC Service Controls
                [PASS] [dedup] GCP: [[email protected]] performed a [google.storage.objects.get] request that violates VPC Service Controls

GCP.BigQuery.Large.Scan
        [PASS] small query
                [PASS] [rule] false
        [PASS] Large Query
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] ran a large BigQuery query of [3097493504] bytes.
                [PASS] [dedup] GCP: [[email protected]] ran a large BigQuery query of [3097493504] bytes.
                [PASS] [alertContext] {"query": "-- This query shows a list of the daily top Google Search terms.\nSELECT\n   *\nFROM `bigquery-public-data.google_trends.top_terms`", "actor": "[email protected]", "query_size": "3097493504"}

GCP.Cloud.Storage.Buckets.Modified.Or.Deleted
        [PASS] other event
                [PASS] [rule] false
        [PASS] bucket update
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] performed a [storage.buckets.update] on bucket [my-bucket] in project [gcp-project1].
                [PASS] [dedup] GCP: [[email protected]] performed a [storage.buckets.update] on bucket [my-bucket] in project [gcp-project1].

GCP.Destructive.Queries
        [PASS] Drop Table Event
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] performed a destructive BigQuery [DROP_TABLE] query on [projects/gcp-project1/datasets/test1/tables/newtable].
                [PASS] [dedup] GCP: [[email protected]] performed a destructive BigQuery [DROP_TABLE] query on [projects/gcp-project1/datasets/test1/tables/newtable].
                [PASS] [alertContext] {"query": "DROP TABLE test1.newtable", "actor": "[email protected]", "statement": "DROP_TABLE", "table": "projects/gcp-project1/datasets/test1/tables/newtable"}
        [PASS] TableDeletion
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] performed a destructive BigQuery [<STATEMENT_NOT_FOUND>] query on [projects/gcp-project1/datasets/test1/tables/newtable].
                [PASS] [dedup] GCP: [[email protected]] performed a destructive BigQuery [<STATEMENT_NOT_FOUND>] query on [projects/gcp-project1/datasets/test1/tables/newtable].
                [PASS] [alertContext] {"query": "<QUERY_NOT_FOUND>", "actor": "[email protected]", "statement": "<STATEMENT_NOT_FOUND>", "table": "projects/gcp-project1/datasets/test1/tables/newtable"}

GCP.DNS.Zone.Modified.or.Deleted
        [PASS] dns.managedZones.delete-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [dedup] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "dns.managedZones.delete", "resourceName": "managedZones/test-zone", "serviceName": "dns.googleapis.com"}
        [PASS] dns.managedZones.patch-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [dedup] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "dns.managedZones.patch", "resourceName": "managedZones/test-zone", "serviceName": "dns.googleapis.com"}
        [PASS] dns.managedZones.update-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [dedup] [GCP]: [[email protected]] modified managed DNS zone [managedZones/test-zone]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "dns.changes.create", "resourceName": "managedZones/test-zone", "serviceName": "dns.googleapis.com"}
        [PASS] dns.managedZones.get-should-not-alert
                [PASS] [rule] false

GCP.Firewall.Rule.Created
        [PASS] compute.firewalls.create-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] created firewall rule with resource ID [6563507997690081088]
                [PASS] [dedup] [GCP]: [[email protected]] created firewall rule with resource ID [6563507997690081088]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "v1.compute.firewalls.insert", "resourceName": "projects/test-project-123456/global/firewalls/firewall-create", "serviceName": "compute.googleapis.com"}
        [PASS] appengine.firewall.create-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] created firewall rule for resource [apps/test-project-123456]
                [PASS] [dedup] [GCP]: [[email protected]] created firewall rule for resource [apps/test-project-123456]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.appengine.v1.Firewall.CreateIngressRule", "resourceName": "apps/test-project-123456", "serviceName": "appengine.googleapis.com"}
        [PASS] compute.non-create.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] appengine.compute.non-create.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] randomservice.firewall-create.method-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] created firewall rule with resource ID [6563507997690081088]
                [PASS] [dedup] [GCP]: [[email protected]] created firewall rule with resource ID [6563507997690081088]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "randomservice.compute.v1.Firewall.CreateIngressRule", "resourceName": "randomservice/test-project-123456/firewall/ingressRules/1000", "serviceName": ""}

GCP.Firewall.Rule.Deleted
        [PASS] compute.firewalls-delete-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] deleted firewall rule with resource ID [6563507997690081088]
                [PASS] [dedup] [GCP]: [[email protected]] deleted firewall rule with resource ID [6563507997690081088]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "v1.compute.firewalls.delete", "resourceName": "projects/test-project-123456/global/firewalls/firewall-create", "serviceName": "compute.googleapis.com"}
        [PASS] appengine.firewall.delete-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] deleted firewall rule for resource [apps/test-project-123456/firewall/ingressRules/1000]
                [PASS] [dedup] [GCP]: [[email protected]] deleted firewall rule for resource [apps/test-project-123456/firewall/ingressRules/1000]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.appengine.v1.Firewall.DeleteIngressRule", "resourceName": "apps/test-project-123456/firewall/ingressRules/1000", "serviceName": "appengine.googleapis.com"}
        [PASS] compute.non-delete.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] appengine.non-delete.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] randomservice.firewall-delete.method-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] deleted firewall rule with resource ID [6563507997690081088]
                [PASS] [dedup] [GCP]: [[email protected]] deleted firewall rule with resource ID [6563507997690081088]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "randomservice.compute.v1.Firewall.DeleteIngressRule", "resourceName": "randomservice/test-project-123456/firewall/ingressRules/1000", "serviceName": ""}

GCP.Firewall.Rule.Modified
        [PASS] compute.firewalls.update-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified firewall rule on [projects/test-project-123456/global/firewalls/firewall-create]
                [PASS] [dedup] [GCP]: [[email protected]] modified firewall rule on [projects/test-project-123456/global/firewalls/firewall-create]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "v1.compute.firewalls.patch", "resourceName": "projects/test-project-123456/global/firewalls/firewall-create", "serviceName": "compute.googleapis.com"}
        [PASS] appengine.firewall.update-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified firewall rule on [apps/test-project-123456/firewall/ingressRules/1000]
                [PASS] [dedup] [GCP]: [[email protected]] modified firewall rule on [apps/test-project-123456/firewall/ingressRules/1000]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.appengine.v1.Firewall.UpdateIngressRule", "resourceName": "apps/test-project-123456/firewall/ingressRules/1000", "serviceName": "appengine.googleapis.com"}
        [PASS] compute.non-update.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] appengine.compute.non-update.firewall.method-should-not-alert
                [PASS] [rule] false
        [PASS] randomservice.firewall-update.method-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] modified firewall rule on [randomservice/test-project-123456/firewall/ingressRules/1000]
                [PASS] [dedup] [GCP]: [[email protected]] modified firewall rule on [randomservice/test-project-123456/firewall/ingressRules/1000]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "randomservice.compute.v1.Firewall.UpdateIngressRule", "resourceName": "randomservice/test-project-123456/firewall/ingressRules/1000", "serviceName": ""}

GCP.GCS.IAMChanges
        [PASS] GCS IAM Change
                [PASS] [rule] true
                [PASS] [dedup] western-verve-123456

GCP.GCS.Public
        [PASS] GCS AllUsers Read Permission
                [PASS] [rule] true
                [PASS] [title] GCS bucket [jacks-test-bucket] made public
                [PASS] [dedup] GCS bucket [jacks-test-bucket] made public

GCP.IAM.AdminRoleAssigned
        [PASS] Service Admin Role Assigned
                [PASS] [rule] true
                [PASS] [title] An admin role has been configured in GCP project eastern-nurve-222999
                [PASS] [dedup] An admin role has been configured in GCP project eastern-nurve-222999
        [PASS] Admin Role Assigned
                [PASS] [rule] true
                [PASS] [title] An admin role has been configured in GCP project eastern-nurve-222999
                [PASS] [dedup] An admin role has been configured in GCP project eastern-nurve-222999
        [PASS] Browser Role Assigned
                [PASS] [rule] false

GCP.IAM.CorporateEmail
        [PASS] Gmail account added
                [PASS] [rule] true
                [PASS] [title] A GCP IAM account has been created with a Gmail email in western-verve-123456
                [PASS] [dedup] A GCP IAM account has been created with a Gmail email in western-verve-123456
        [PASS] Runpanther account added
                [PASS] [rule] false

GCP.IAM.CustomRoleChanges
        [PASS] Custom Role Created
                [PASS] [rule] true
                [PASS] [dedup] western-verve-123456

GCP.IAM.OrgFolderIAMChanges
        [PASS] Terraform User Agent
                [PASS] [rule] true
                [PASS] [title] GCP.AuditLog: [[email protected]] made manual changes to Org policy
                [PASS] [dedup] GCP.AuditLog: [[email protected]] made manual changes to Org policy
                [PASS] [alertContext] {"actor": "[email protected]", "policy_change": {"bindingDeltas": [{"action": "ADD", "member": "user:[email protected]", "role": "roles/owner"}]}, "caller_ip": "100.100.100.100", "user_agent": "Terraform/0.13.2 terraform-provider-google/3.90.1"}
                [PASS] [severity] INFO
        [PASS] Manual Change
                [PASS] [rule] true
                [PASS] [title] GCP.AuditLog: [[email protected]] made manual changes to Org policy
                [PASS] [dedup] GCP.AuditLog: [[email protected]] made manual changes to Org policy
                [PASS] [alertContext] {"actor": "[email protected]", "policy_change": {"bindingDeltas": [{"action": "REMOVE", "member": "serviceAccount:[email protected]", "role": "roles/owner"}]}, "caller_ip": "38.38.38.38", "user_agent": "Mozilla/5.0 Chrome/98.0.4758.102"}
                [PASS] [severity] HIGH

GCP.Inbound.SSO.Profile.Created
        [PASS] InboundSsoProfileDeleted-False
                [PASS] [rule] false
        [PASS] InboundSsoProfileUpdated-True
                [PASS] [rule] true
                [PASS] [title] GCP: [user@@example.com] performed INBOUND_SSO_PROFILE_UPDATED in organization 123456789012
                [PASS] [dedup] GCP: [user@@example.com] performed INBOUND_SSO_PROFILE_UPDATED in organization 123456789012
                [PASS] [alertContext] {"resourceName": "organizations/123456789012/inboundSsoSettings", "serviceName": "admin.googleapis.com"}
        [PASS] InboundSsoProfileCreated-True
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] performed INBOUND_SSO_PROFILE_CREATED in organization 123456789012
                [PASS] [dedup] GCP: [[email protected]] performed INBOUND_SSO_PROFILE_CREATED in organization 123456789012
                [PASS] [alertContext] {"resourceName": "organizations/123456789012/inboundSsoSettings", "serviceName": "admin.googleapis.com"}

GCP.Log.Bucket.Or.Sink.Deleted
        [PASS] logging-bucket.deleted-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] deleted logging bucket or sink [projects/test-project-123456/locations/global/buckets/testloggingbucket]
                [PASS] [dedup] [GCP]: [[email protected]] deleted logging bucket or sink [projects/test-project-123456/locations/global/buckets/testloggingbucket]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.logging.v2.ConfigServiceV2.DeleteBucket", "resourceName": "projects/test-project-123456/locations/global/buckets/testloggingbucket", "serviceName": "logging.googleapis.com"}
        [PASS] logging-sink.deleted-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] deleted logging bucket or sink [projects/test-project-123456/sinks/test-1]
                [PASS] [dedup] [GCP]: [[email protected]] deleted logging bucket or sink [projects/test-project-123456/sinks/test-1]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink", "resourceName": "projects/test-project-123456/sinks/test-1", "serviceName": "logging.googleapis.com"}
        [PASS] logging-bucket.non-deletion-should-not-alert
                [PASS] [rule] false
        [PASS] logging-sink.non-deletion-should-not-alert
                [PASS] [rule] false

GCP.Logging.Settings.Modified
        [PASS] Other Event
                [PASS] [rule] false
        [PASS] Sink Update Event
                [PASS] [rule] true
                [PASS] [title] GCP [projects/gcp-project1/sinks/log-sink] logging settings modified by [[email protected]].
                [PASS] [dedup] GCP [projects/gcp-project1/sinks/log-sink] logging settings modified by [[email protected]].
                [PASS] [alertContext] {"resource": "projects/gcp-project1/sinks/log-sink", "actor": "[email protected]", "method": "google.logging.v2.ConfigServiceV2.UpdateSink"}

GCP.Logging.Sink.Modified
        [PASS] logging-sink.modifed-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] updated logging sink [projects/test-project-123456/sinks/test-1]
                [PASS] [dedup] [GCP]: [[email protected]] updated logging sink [projects/test-project-123456/sinks/test-1]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink", "resourceName": "projects/test-project-123456/sinks/test-1", "serviceName": "logging.googleapis.com"}
        [PASS] logging-sink.non-modified-should-not-alert
                [PASS] [rule] false

GCP.Permissions.Granted.to.Create.or.Manage.Service.Account.Key
        [PASS] other event
                [PASS] [rule] false
        [PASS] service account match
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] granted permissions to create or manage service account keys to [[email protected]]
                [PASS] [dedup] GCP: [[email protected]] granted permissions to create or manage service account keys to [[email protected]]
                [PASS] [alertContext] {"resource": {"labels": {"email_id": "[email protected]", "project_id": "gcp-project1", "unique_id": "105537103139416651075"}, "type": "service_account"}, "serviceData": {"@type": "type.googleapis.com/google.iam.v1.logging.AuditData", "policyDelta": {"bindingDeltas": [{"action": "ADD", "member": "serviceAccount:[email protected]", "role": "roles/iam.serviceAccountTokenCreator"}, {"action": "ADD", "member": "serviceAccount:[email protected]", "role": "roles/iam.serviceAccountUser"}]}}}

GCP.Service.Account.Access.Denied
        [PASS] service-account.access-denied-should-alert
                [PASS] [rule] true
                [PASS] [title] [GCP]: [[email protected]] performed multiple requests resulting in [IAM_PERMISSION_DENIED]
                [PASS] [dedup] [GCP]: [[email protected]] performed multiple requests resulting in [IAM_PERMISSION_DENIED]
                [PASS] [alertContext] {"project": "test-project-123456", "principal": "[email protected]", "caller_ip": "12.12.12.12", "methodName": "google.iam.admin.v1.CreateServiceAccount", "resourceName": "projects/test-project-123456", "serviceName": "iam.googleapis.com"}
        [PASS] service-account.access-grated-should-not-alert
                [PASS] [rule] false

GCP.Service.Account.or.Keys.Created
        [PASS] Created Service Account Key
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created Service Account Key for [[email protected]] in project [gcp-project1]
                [PASS] [dedup] GCP: [[email protected]] created Service Account Key for [[email protected]] in project [gcp-project1]
        [PASS] Created Service Account
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created Service Account [[email protected]] in project [gcp-project1]
                [PASS] [dedup] GCP: [[email protected]] created Service Account [[email protected]] in project [gcp-project1]
        [PASS] Other
                [PASS] [rule] false

GCP.SQL.ConfigChanges
        [PASS] Sql Instance Change
                [PASS] [rule] true
                [PASS] [dedup] western-verve-123456

GCP.UnusedRegions
        [PASS] GCE Instance Terminated
                [PASS] [rule] false
        [PASS] GCE Create Instance in SouthAmerica
                [PASS] [rule] true
                [PASS] [title] GCP resource(s) created in unused region/zone in project western-verve-123456
                [PASS] [dedup] GCP resource(s) created in unused region/zone in project western-verve-123456
        [PASS] Create GCS in Asia
                [PASS] [rule] true
                [PASS] [title] GCP resource(s) created in unused region/zone in project western-verve-123456
                [PASS] [dedup] GCP resource(s) created in unused region/zone in project western-verve-123456
        [PASS] BigQuery access log (does not have standard attribute: resource.labels.location)
                [PASS] [rule] false

GCP.User.Added.to.IAP.Protected.Service
        [PASS] other
                [PASS] [rule] false
        [PASS] Other IAP Event
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] modified user access to IAP Protected Service [projects/123456789012/iap_web/compute/services/7312383563505470445]
                [PASS] [dedup] GCP: [[email protected]] modified user access to IAP Protected Service [projects/123456789012/iap_web/compute/services/7312383563505470445]
                [PASS] [alertContext] {"bindings": [{}]}
        [PASS] Add User to IAP
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] modified user access to IAP Protected Service [projects/123456789012/iap_web/compute/services/7312383563505470445]
                [PASS] [dedup] GCP: [[email protected]] modified user access to IAP Protected Service [projects/123456789012/iap_web/compute/services/7312383563505470445]
                [PASS] [alertContext] {"bindings": [{"members": ["serviceAccount:[email protected]"], "role": "roles/viewer"}]}

GCP.VPC.Flow.Logs.Disabled
        [PASS] Disable Flow Logs Event
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] disabled VPC Flow Logs for [projects/gcp-project/regions/us-central1/subnetworks/default]
                [PASS] [dedup] GCP: [[email protected]] disabled VPC Flow Logs for [projects/gcp-project/regions/us-central1/subnetworks/default]
        [PASS] Enable Flow Logs Event
                [PASS] [rule] false

GCP.Workforce.Pool.Created.or.Updated
        [PASS] DeleteWorkforcePool-False
                [PASS] [rule] false
        [PASS] UpdateWorkforcePool-True
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created or updated workforce pool [test-pool] in organization [123456789012]
                [PASS] [dedup] GCP: [[email protected]] created or updated workforce pool [test-pool] in organization [123456789012]
                [PASS] [alertContext] {"description": "Test pool to facilitate detection writing", "displayName": "Test Pool", "name": "locations/global/workforcePools/test-pool", "sessionDuration": "43200s"}
        [PASS] CreateWorkforcePool-True
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created or updated workforce pool [test-pool] in organization [123456789012]
                [PASS] [dedup] GCP: [[email protected]] created or updated workforce pool [test-pool] in organization [123456789012]
                [PASS] [alertContext] {"description": "Test pool", "displayName": "Test Pool", "name": "locations/global/workforcePools/test-pool", "parent": "organizations/325169835352", "sessionDuration": "3600s", "state": "ACTIVE"}

GCP.Workload.Identity.Pool.Created.or.Updated
        [PASS] DeleteWorkloadIdentityPoolProvider-False
                [PASS] [rule] false
        [PASS] UpdateWorkloadIdentityPoolProvider-True
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created or updated workforce pool [test-pool] in project [test-project]
                [PASS] [dedup] GCP: [[email protected]] created or updated workforce pool [test-pool] in project [test-project]
                [PASS] [alertContext] {"attributeCondition": "'admins' in google.groups", "attributeMapping": {"attribute.aws_role": "assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.arn", "google.subject": "assertion.arn"}, "aws": {"accountId": "123456789012"}, "disabled": false, "displayName": "Test Provider", "name": "projects/test-project/locations/global/workloadIdentityPools/test-pool/providers/test-project"}
        [PASS] CreateWorkloadIdentityPoolProvider-True
                [PASS] [rule] true
                [PASS] [title] GCP: [[email protected]] created or updated workforce pool [test-pool] in project [test-project]
                [PASS] [dedup] GCP: [[email protected]] created or updated workforce pool [test-pool] in project [test-project]
                [PASS] [alertContext] {"attributeCondition": "", "attributeMapping": {"attribute.aws_role": "assertion.arn.contains('assumed-role') ? assertion.arn.extract('{account_arn}assumed-role/') + 'assumed-role/' + assertion.arn.extract('assumed-role/{role_name}/') : assertion.arn", "google.subject": "assertion.arn"}, "aws": {"accountId": "123456789012"}, "disabled": false, "displayName": "Test Provider"}

--------------------------
Panther CLI Test Summary
        Path: rules/gcp_audit_rules/
        Passed: 27
        Failed: 0
        Invalid: 0

@egibs egibs requested a review from a team November 17, 2023 21:39
@egibs egibs changed the title Creating common ancestor commit Add GCP SSO persistence rules Nov 17, 2023
@@ -3,22 +3,25 @@ PackID: PantherManaged.GCP.Audit
Description: Group of all Google Cloud Platform (GCP) Audit detections
PackDefinition:
IDs:
- GCP.Access.Attempts.Violating.IAP.Access.Controls
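Review bot: the hunk header (-3,22 +3,25) accounts for exactly the three new rule IDs named in the description, but only the first context line of the IDs list is visible here and the IDs are being re-sorted alphabetically in the same change, so it is worth confirming that GCP.Inbound.SSO.Profile.Created, GCP.Workforce.Pool.Created.or.Updated and GCP.Workload.Identity.Pool.Created.or.Updated each sit in sorted position and that no existing ID was dropped in the reorder; a separate commit for the sort would have made the three additions reviewable on their own.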
Contributor Author
The +/- in this file are from me sorting the IDs alphabetically.

@arielkr256 arielkr256 left a comment

Please add the reference link to each rule, otherwise looks awesome!

https://medium.com/google-cloud/detection-of-inbound-sso-persistence-techniques-in-gcp-c56f7b2a588b

@egibs egibs commented Nov 17, 2023

Please add the reference link to each rule, otherwise looks awesome!

medium.com/google-cloud/detection-of-inbound-sso-persistence-techniques-in-gcp-c56f7b2a588b

Addressed in a8cde95 and b923716.

@egibs egibs requested a review from arielkr256 November 17, 2023 22:13
@egibs egibs merged commit 3d5ead9 into main Nov 17, 2023
1 check passed
@egibs egibs deleted the egibs-gcp-sso-persistence-rules branch November 17, 2023 22:21