diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py
index 6b1a5e70e..87a8f01bb 100644
--- a/global_helpers/panther_config_defaults.py
+++ b/global_helpers/panther_config_defaults.py
@@ -12,3 +12,4 @@ GSUITE_TRUSTED_OWNERSHIP_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
+TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS
diff --git a/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.py b/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.py
new file mode 100644
index 000000000..b9cb6470b
--- /dev/null
+++ b/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.py
@@ -0,0 +1,22 @@
+import re
+
+from panther_config import config
+
+TELEPORT_ORGANIZATION_DOMAINS_REGEX = r"@(" + "|".join(config.TELEPORT_ORGANIZATION_DOMAINS) + r")$"
+
+
+def rule(event):
+ return bool(
+ event.get("event") == "user.login"
+ and event.get("success") is True
+ and bool(re.search(TELEPORT_ORGANIZATION_DOMAINS_REGEX, event.get("user")))
+ and event.get("method") != "saml"
+ )
+
+
+def title(event):
+ return (
+ f"User [{event.get('user', '')}] logged into "
+ f"[{event.get('cluster_name', '')}] without "
+ f"using SAML"
+ )
diff --git a/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml b/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml
new file mode 100644
index 000000000..3ac8dd71b
--- /dev/null
+++ b/rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml
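Review bot: In `rule()` of teleport_company_domain_login_without_saml.py, `re.search(TELEPORT_ORGANIZATION_DOMAINS_REGEX, event.get("user"))` raises TypeError when a `user.login` event carries no `user` field, so the rule errors instead of evaluating false; use `event.get("user", "")` as `title()` already does. The pattern on the `TELEPORT_ORGANIZATION_DOMAINS_REGEX` line joins the raw domain list, so each `.` is an unescaped metacharacter and the match is case-sensitive even though mail domains are not; unless usernames are normalized upstream (not visible here), a login such as `jane.doe@Example.com` would not be treated as a company-domain login and the alert would be missed. Build it as `"|".join(re.escape(d) for d in config.TELEPORT_ORGANIZATION_DOMAINS)` and search with `flags=re.IGNORECASE`. The outer `bool(...)` wrapping an `and` chain that ends in a comparison is redundant. teleport_saml_login_not_company_domain.py builds the same unescaped, case-sensitive pattern and has the same missing default on `event.get("user")`; there a case or dot mismatch produces a false positive rather than a miss.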
@@ -0,0 +1,63 @@
+AnalysisType: rule
+Filename: teleport_company_domain_login_without_saml.py
+RuleID: Teleport.CompanyDomainLoginWithoutSAML
+DisplayName: "A User from the company domain(s) Logged in without SAML"
+Enabled: true
+LogTypes:
+ - Gravitational.TeleportAudit
+Tags:
+ - Teleport
+Severity: High
+Description: "A User from the company domain(s) Logged in without SAML"
+DedupPeriodMinutes: 60
+Reports:
+ MITRE ATT&CK:
+ - TA0005:T1562
+Reference: https://goteleport.com/docs/management/admin/
+Runbook: >
+ A User from the company domain(s) Logged in without SAML
+SummaryAttributes:
+ - event
+ - code
+ - user
+ - method
+ - mfa_device
+Tests:
+ -
+ Name: A User from the company domain(s) logged in with SAML
+ ExpectedResult: false
+ Log:
+ {
+ "attributes": {
+ "firstName": [
+ ""
+ ],
+ "groups": [
+ "employees"
+ ]
+ },
+ "cluster_name": "teleport.example.com",
+ "code": "T1001I",
+ "ei": 0,
+ "event": "user.login",
+ "method": "saml",
+ "success": true,
+ "time": "2023-09-18 00:00:00",
+ "uid": "88888888-4444-4444-4444-222222222222",
+ "user": "jane.doe@example.com"
+ }
+ -
+ Name: A User from the company domain(s) logged in without SAML
+ ExpectedResult: true
+ Log:
+ {
+ "cluster_name": "teleport.example.com",
+ "code": "T1001I",
+ "ei": 0,
+ "event": "user.login",
+ "method": "local",
+ "success": true,
+ "time": "2023-09-18 00:00:00",
+ "uid": "88888888-4444-4444-4444-222222222222",
+ "user": "jane.doe@example.com"
+ }
diff --git a/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.py b/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.py
new file mode 100644
index 000000000..c80a9298a
--- /dev/null
+++ b/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.py
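Review bot: The Tests block exercises only the `method` condition — both cases use `jane.doe@example.com` — so there is no case for a successful non-SAML login from a user outside the configured domains (expected false), and a regression in the domain match in teleport_company_domain_login_without_saml.py would go unnoticed; a third test with `"method": "local"` and a non-company `user` is the minimum, and a case with a mixed-case domain or a missing `user` field would pin the edge behaviour. The Runbook repeats the Description verbatim and gives a responder nothing to do; a line such as `Confirm with the user that they initiated a local/password login, and verify that the cluster still requires SSO for company accounts` would make it actionable. teleport_saml_login_not_company_domain.yml has the same test gap: no case for a non-SAML login from an unknown domain (expected false) and an equally empty Runbook.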
@@ -0,0 +1,23 @@
+import re
+
+from panther_config import config
+
+TELEPORT_COMPANY_DOMAINS_REGEX = r"@(" + "|".join(config.TELEPORT_ORGANIZATION_DOMAINS) + r")$"
+
+
+def rule(event):
+ return (
+ event.get("event") == "user.login"
+ and event.get("success") is True
+ and event.get("method") == "saml"
+ and not re.search(TELEPORT_COMPANY_DOMAINS_REGEX, event.get("user"))
+ )
+
+
+def title(event):
+ return (
+ f"User [{event.get('user', '')}] logged into "
+ f"[{event.get('cluster_name', '')}] using "
+ f"SAML, but not from a known company domain in "
+ f"({','.join(config.TELEPORT_ORGANIZATION_DOMAINS)})"
+ )
diff --git a/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml b/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml
new file mode 100644
index 000000000..a8765293f
--- /dev/null
+++ b/rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml
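Review bot: The module constant here is named `TELEPORT_COMPANY_DOMAINS_REGEX` while the sibling rule added in this commit names the byte-identical expression `TELEPORT_ORGANIZATION_DOMAINS_REGEX`; two names for one pattern built from the same `config.TELEPORT_ORGANIZATION_DOMAINS` invites them to drift apart. Since both rules only need the pattern, building it once in a global helper (next to the config entry this commit adds) and importing it in both files would keep the two rules in lock-step, with the constant named after the config key it derives from. In `title()`, `','.join(...)` renders the domain list without a separator space; `', '.join(...)` reads better in the alert title.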
@@ -0,0 +1,63 @@
+AnalysisType: rule
+Filename: teleport_saml_login_not_company_domain.py
+RuleID: Teleport.SAMLLoginWithoutCompanyDomain
+DisplayName: "A user authenticated with SAML, but from an unknown company domain"
+Enabled: true
+LogTypes:
+ - Gravitational.TeleportAudit
+Tags:
+ - Teleport
+Severity: High
+Description: "A user authenticated with SAML, but from an unknown company domain"
+DedupPeriodMinutes: 60
+Reports:
+ MITRE ATT&CK:
+ - TA0003:T1098
+Reference: https://goteleport.com/docs/management/admin/
+Runbook: >
+ A user authenticated with SAML, but from an unknown company domain
+SummaryAttributes:
+ - event
+ - code
+ - user
+ - method
+ - mfa_device
+Tests:
+ -
+ Name: A user authenticated with SAML, but from a known company domain
+ ExpectedResult: false
+ Log:
+ {
+ "attributes": {
+ "firstName": [
+ ""
+ ],
+ "groups": [
+ "employees"
+ ]
+ },
+ "cluster_name": "teleport.example.com",
+ "code": "T1001I",
+ "ei": 0,
+ "event": "user.login",
+ "method": "saml",
+ "success": true,
+ "time": "2023-09-18 00:00:00",
+ "uid": "88888888-4444-4444-4444-222222222222",
+ "user": "jane.doe@example.com"
+ }
+ -
+ Name: A user authenticated with SAML, but not from a company domain
+ ExpectedResult: true
+ Log:
+ {
+ "cluster_name": "teleport.example.com",
+ "code": "T1001I",
+ "ei": 0,
+ "event": "user.login",
+ "method": "saml",
+ "success": true,
+ "time": "2023-09-18 00:00:00",
+ "uid": "88888888-4444-4444-4444-222222222222",
+ "user": "wtf.how@omghax.gravitational.io"
+ }