Merge branch 'develop' into THREAT-311/cs_eventstreams_passthrough
Showing
22 changed files
with
1,385 additions
and
9 deletions.
@@ -2391,5 +2391,81 @@ def test_change_filed_is_empty_on_update_context(self): | |
) | ||
|
||
|
||
class TestPantherFlowInvestigation(unittest.TestCase): | ||
def test_pantherflow_investigation(self): | ||
# pylint: disable=line-too-long | ||
event = { | ||
"p_any_ip_addresses": ["12.34.56.78"], | ||
"p_source_file": { | ||
"aws_s3_bucket": "threat-research-trail-trail-bucket-0ipb5nzxam", | ||
"aws_s3_key": "AWSLogs/123456789123/CloudTrail/us-east-1/2024/11/25/123456789123_CloudTrail_us-east-1_20241125T1505Z_XLixf09QqBSOD7c4.json.gz", | ||
}, | ||
"p_any_trace_ids": ["ASIAQWERTYUIOPASDFGH"], | ||
"p_any_actor_ids": ["AROAQWERTYUIOPASDFGH", "AROAQWERTYUIOPASDFGH:bob.ross"], | ||
"p_any_aws_account_ids": ["123456789123"], | ||
"p_any_aws_arns": [ | ||
"arn:aws:iam::123456789123:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevAdmin", | ||
"arn:aws:sts::123456789123:assumed-role/AWSReservedSSO_DevAdmin/bob.ross", | ||
"arn:aws:iam::123456789123:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin", | ||
], | ||
"p_any_usernames": ["AWSReservedSSO_DevAdmin", "bob.ross"], | ||
"p_event_time": "2024-11-25 15:00:21.000000", | ||
"p_log_type": "AWS.CloudTrail", | ||
"p_parse_time": "2024-11-25 15:05:54.123385", | ||
"p_row_id": "d66379c617d1f7b3b2e7ce9623c104", | ||
"p_schema_version": 0, | ||
"p_source_id": "d0a1e235-6548-4e7f-952a-35063b304007", | ||
"p_source_label": "threat-research-trail-us-east-1", | ||
"p_udm": { | ||
"source": {"address": "12.34.56.78", "ip": "12.34.56.78"}, | ||
"user": { | ||
"arns": [ | ||
"arn:aws:iam::123456789123:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevAdmin", | ||
"arn:aws:sts::123456789123:assumed-role/AWSReservedSSO_DevAdmin/bob.ross", | ||
] | ||
}, | ||
}, | ||
} | ||
event = ImmutableCaseInsensitiveDict(event) | ||
query = """union panther_signals.public.correlation_signals | ||
, panther_logs.public.aws_cloudtrail | ||
| where p_event_time between datetime('2024-11-25 15:00:21.000000') - time.parse_timespan('30m') .. datetime('2024-11-25 15:00:21.000000') + time.parse_timespan('30m') | ||
| where arrays.overlap(p_any_ip_addresses, ['12.34.56.78']) | ||
or arrays.overlap(p_any_trace_ids, ['ASIAQWERTYUIOPASDFGH']) | ||
or arrays.overlap(p_any_actor_ids, ['AROAQWERTYUIOPASDFGH', 'AROAQWERTYUIOPASDFGH:bob.ross']) | ||
or arrays.overlap(p_any_aws_arns, ['arn:aws:iam::123456789123:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_DevAdmin', 'arn:aws:sts::123456789123:assumed-role/AWSReservedSSO_DevAdmin/bob.ross', 'arn:aws:iam::123456789123:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_DevAdmin']) | ||
or arrays.overlap(p_any_usernames, ['AWSReservedSSO_DevAdmin', 'bob.ross']) | ||
| sort p_event_time""" | ||
self.assertEqual(p_b_h.pantherflow_investigation(event), query) | ||
|
||
|
||
class TestEmailRegex(unittest.TestCase): | ||
def test_email_regex(self): | ||
email_regex = p_b_h.EMAIL_REGEX | ||
valid_emails = [ | ||
"[email protected]", | ||
"[email protected]", | ||
"ifjlid%[email protected]", | ||
"[email protected]", | ||
"[email protected]", | ||
] | ||
invalid_emails = [ | ||
"asfe@acme", | ||
"[email protected]", | ||
"a@b", | ||
"a@b.", | ||
"[email protected]", | ||
"[email protected].", | ||
"[email protected]", | ||
"[email protected]", | ||
"asdf@", | ||
"a.b@g&g.com", | ||
] | ||
for email in valid_emails: | ||
self.assertTrue(email_regex.match(email)) | ||
for email in invalid_emails: | ||
self.assertFalse(email_regex.match(email)) | ||
|
||
|
||
if __name__ == "__main__": | ||
unittest.main() |
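--- a/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py
@@ -0,0 +1,35 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+
+# API calls that are indicative of CloudTrail changes
+CLOUDTRAIL_EDIT_SELECTORS = {"PutEventSelectors"}
+
+
+def rule(event):
+    if not (aws_cloudtrail_success(event) and event.get("eventName") in CLOUDTRAIL_EDIT_SELECTORS):
+        return False
+
+    # Check if management events are included for each selector.
+    # deep_walk only returns a list if there's more than 1 entry in the nested array, so we must
+    # enforce it to be a list.
+    includes = event.deep_walk("requestParameters", "eventSelectors", "includeManagementEvents")
+    if not isinstance(includes, list):
+        includes = [includes]
+
+    # Return False all the management events are included, else return True and raise alert
+    return not all(includes)
+
+
+def dedup(event):
+    # Merge on the CloudTrail ARN
+    return event.deep_get("requestParameters", "trailName", default="<UNKNOWN_NAME>")
+
+
+def title(event):
+    return (
+        f"Management events have been exluded from CloudTrail [{dedup(event)}] in account "
+        f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]"
+    )
+
+
+def alert_context(event):
+    return aws_rule_context(event)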
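Review bot: The alert title built in `title()` misspells "excluded" in the f-string, and since this is the text analysts see on every alert it should read `f"Management events have been exluded from CloudTrail [{dedup(event)}] in account "` → `f"Management events have been excluded from CloudTrail [{dedup(event)}] in account "`. The comment in `dedup()` says "Merge on the CloudTrail ARN" while the code keys on `requestParameters.trailName`; rewrite it as `# Merge on the CloudTrail trail name (requestParameters.trailName)` so the dedup key is not misread during triage. The comment above `return not all(includes)` drops a word and should be `# Return False if all the management events are included, else return True and raise alert`. Separately, when `deep_walk` finds no `includeManagementEvents` at all (for example a PutEventSelectors request that presumably carries `advancedEventSelectors` rather than `eventSelectors`), `includes` becomes `[None]` and the rule fires, which looks like a false-positive path; either document that this is intentional or add an explicit `if includes is None: return False` guard, after confirming the expected request shapes.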