
Teleport: Update Rules #966

Merged
merged 12 commits into from
Nov 27, 2023

Conversation

jof
Contributor

@jof jof commented Nov 22, 2023

This PR updates the Gravitational Teleport rule set.

  • The documentation links for existing rules needed some updating to new locations
  • Added the name of the Teleport cluster into some of the titles (useful for multi-cluster organizations)
  • Added a Rule to detect local user logins without using multi-factor auth
  • Added a Rule to detect the creation of Teleport Locks (used to pre-emptively disable previously-issued certificates)
  • Added a Rule to detect the creation of abnormally long-lived certificates
  • Added a Rule to detect when Roles are created
  • Added a Rule to detect logins as root
  • Added a Rule to detect the creation of SAML connectors

@jof jof mentioned this pull request Nov 22, 2023
@jof jof marked this pull request as ready for review November 22, 2023 19:04
@jof jof requested review from a team November 22, 2023 19:04
Contributor

@arielkr256 arielkr256 left a comment


Overall looks great! Made a couple of suggestions to use event.deep_get() instead of chained gets. https://github.com/panther-labs/panther-analysis/blob/main/global_helpers/panther_base_helpers.py#L301

Review comment on packs/gravitational_teleport.yml (outdated, resolved)
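As an added example (not code from this PR or from panther-analysis), the chained-get versus deep_get style the reviewer suggests, applied to a rule like the "local login without MFA" one described above; the deep_get below is a stand-in written here, not the helper from panther_base_helpers, and the Teleport field names (event, method, success, mfa_device, cluster_name) are assumptions.

```python
# Added example: chained .get() versus a deep_get() helper in a Panther-style rule.
# deep_get() here is a stand-in for this example, not the panther_base_helpers one;
# the Teleport audit-event field names are assumptions, not taken from the PR.
from typing import Any


def deep_get(dictionary: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts along a key path; return default on any missing or non-dict level."""
    current: Any = dictionary
    for key in keys:
        if not isinstance(current, dict):
            return default
        current = current.get(key)
        if current is None:
            return default
    return current


def rule_chained(event: dict) -> bool:
    # Chained gets: each nested level needs its own "or {}" guard, and a
    # non-dict value at an intermediate level still raises AttributeError.
    return (
        event.get("event") == "user.login"
        and event.get("success") is True
        and event.get("method") == "local"
        and (event.get("mfa_device") or {}).get("mfa_device_type") is None
    )


def rule_deep_get(event: dict) -> bool:
    # deep_get collapses the guards and returns the default on any missing level.
    return (
        deep_get(event, "event") == "user.login"
        and deep_get(event, "success", default=False) is True
        and deep_get(event, "method") == "local"
        and deep_get(event, "mfa_device", "mfa_device_type") is None
    )


def title(event: dict) -> str:
    # Cluster name in the alert title, as the PR does for multi-cluster setups.
    cluster = deep_get(event, "cluster_name", default="<unknown>")
    user = deep_get(event, "user", default="<unknown>")
    return f"Local login without MFA on Teleport cluster [{cluster}] for user [{user}]"


# Constructed sample events for this example, not real Teleport logs.
SAMPLE_NO_MFA = {"event": "user.login", "success": True, "method": "local",
                 "user": "alice", "cluster_name": "prod"}
SAMPLE_WITH_MFA = {**SAMPLE_NO_MFA, "mfa_device": {"mfa_device_type": "TOTP"}}
SAMPLE_SSO = {**SAMPLE_NO_MFA, "method": "saml"}
SAMPLE_MALFORMED = {**SAMPLE_NO_MFA, "mfa_device": "not-a-dict"}  # breaks chained gets
```

On SAMPLE_MALFORMED the chained version raises AttributeError while the deep_get version falls through to its default and still evaluates, which is the readability and robustness gain the reviewer is pointing at.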
@jof jof force-pushed the jof/public/teleport_rules_no_config branch from 7c68923 to c003b17 Compare November 23, 2023 00:09
@jof
Contributor Author

jof commented Nov 23, 2023

@arielkr256 -- good call on the .deep_get() access style; way more readable. Added your suggestions.

Contributor

@arielkr256 arielkr256 left a comment


appease the linter

@arielkr256 arielkr256 merged commit 1f8841b into panther-labs:main Nov 27, 2023
3 checks passed