From f8f78902fadeb6e19fe1ec240e05f57ab69e649a Mon Sep 17 00:00:00 2001
From: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Date: Mon, 9 Dec 2024 11:40:09 -0600
Subject: [PATCH] Remove Snowflake.Stream.AttemptedLoginByDisabledUser and assc. query (#1444)

---
 deprecated.txt | 4 +-
 packs/snowflake_streaming.yml | 2 -
 ...wflake_attempted_login_by_disabled_user.py | 12 ------
 ...flake_attempted_login_by_disabled_user.yml | 42 -------------------
 ...attempted_login_by_disabled_user_query.yml | 23 ----------
 5 files changed, 3 insertions(+), 80 deletions(-)
 delete mode 100644 queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.py
 delete mode 100644 queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.yml
 delete mode 100644 queries/snowflake_queries/snowflake_attempted_login_by_disabled_user_query.yml

diff --git a/deprecated.txt b/deprecated.txt
index d27153eab..ce48b2300 100644
--- a/deprecated.txt
+++ b/deprecated.txt
@@ -34,4 +34,6 @@ Okta.GeographicallyImprobableAccess
 Okta.BruteForceLogins
 Query.Snowflake.PublicRoleGrant
 Snowflake.PublicRoleGrant
-GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
\ No newline at end of file
+GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount
+Snowflake Attempted Login With Disabled User
+Snowflake.Stream.AttemptedLoginByDisabledUser
\ No newline at end of file
diff --git a/packs/snowflake_streaming.yml b/packs/snowflake_streaming.yml
index 1ac61e5f6..e71555e12 100644
--- a/packs/snowflake_streaming.yml
+++ b/packs/snowflake_streaming.yml
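Review bot: deprecated.txt still ends without a trailing newline on the new side — the `\ No newline at end of file` marker follows the added `+Snowflake.Stream.AttemptedLoginByDisabledUser` line exactly as it followed the old last entry, which is why this hunk has to remove and re-add the otherwise unchanged `GCP.K8S.Pot.Create.Or.Modify.Host.Path.Volume.Mount` line; ending the file with a newline would keep future appends to a clean one-line diff. The two new entries match the QueryName and RuleID of the deleted files, consistent with the existing query/rule pairs listed above them. Since the deleted query was `Enabled: false` and its SQL carried an empty argument in `p_occurs_since('24h', , p_parse_time)`, the removal presumably costs no live coverage, but nothing on the page says what now detects disabled-user login attempts (the deleted rule was mapped to TA0001:T1078.004); a pointer in the PR description would help anyone reading deprecated.txt later.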
@@ -9,13 +9,11 @@ PackDefinition:
   # Helpers
   - panther_snowflake_helpers
   # Queries
-  - Snowflake Attempted Login With Disabled User
   - Snowflake User Daily Query Volume Spike
   - Snowflake User Daily Query Volume Spike - Threat Hunting
   - Suspicious Snowflake Sessions - Unusual Application
   # Rules
   - Snowflake.Stream.AccountAdminGranted
-  - Snowflake.Stream.AttemptedLoginByDisabledUser
   - Snowflake.Stream.BruteForceByIp
   - Snowflake.Stream.BruteForceByUsername
   - Snowflake.Stream.ExternalShares
diff --git a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.py b/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.py
deleted file mode 100644
index f4b75bec2..000000000
--- a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.py
+++ /dev/null
@@ -1,12 +0,0 @@
-def rule(_):
-    return True
-
-
-def title(event):
-    source = event.get("p_source_label", "")
-    username = event.get("USER_NAME", "")
-    return f"{source}: Attempted signin by disabled user {username}"
-
-
-def alert_context(event):
-    return event.get("user")
diff --git a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.yml b/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.yml
deleted file mode 100644
index fb8693488..000000000
--- a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-AnalysisType: scheduled_rule
-Filename: snowflake_attempted_login_by_disabled_user.py
-RuleID: "Snowflake.Stream.AttemptedLoginByDisabledUser"
-Enabled: true
-ScheduledQueries:
-  - Snowflake Attempted Login With Disabled User
-Severity: Low
-Reports:
-  MITRE ATT&CK:
-    - TA0001:T1078.004
-Description: >
-  Detects when a login is attempted by a disabled user account.
-Tags:
-  - Snowflake
-  - Behavior Analysis
-  - Initial Access:Valid Accounts:Cloud Accounts
-Tests:
-  - Name: Login by Disabled User
-    ExpectedResult: true
-    Log:
-      {
-        "p_source_label": "SF-Prod",
-        "user": {
-          "CREATED_ON": "2024-10-09 19:43:05.083000000",
-          "DEFAULT_ROLE": "PANTHER_AUDIT_VIEW_ROLE",
-          "DISABLED": true,
-          "DISPLAY_NAME":
-            "FORMER_ADMIN",
-          "EXT_AUTHN_DUO": false,
-          "HAS_MFA": false,
-          "HAS_PASSWORD": true,
-          "HAS_RSA_PUBLIC_KEY": false,
-          "LAST_SUCCESS_LOGIN": "2024-10-09 20:59:00.043000000",
-          "LOGIN_NAME": "FORMER_ADMIN",
-          "MUST_CHANGE_PASSWORD": false,
-          "NAME": "FORMER_ADMIN",
-          "OWNER": "ACCOUNTADMIN",
-          "SNOWFLAKE_LOCK": false,
-          "USER_ID": "51"
-        },
-        "USER_NAME": "FORMER_ADMIN"
-      }
diff --git a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user_query.yml b/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user_query.yml
deleted file mode 100644
index 85ddd0a56..000000000
--- a/queries/snowflake_queries/snowflake_attempted_login_by_disabled_user_query.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-AnalysisType: scheduled_query
-QueryName: Snowflake Attempted Login With Disabled User
-Enabled: false
-Description: >
-  Returns instances where a disabled user's login credentials were used in a login
-  attempt.
-Tags:
-  - Snowflake
-Query: |
-  with disabled_users as (
-    select DATA as USER from panther_logs.public.snowflake_users_variant
-    where USER:DISABLED = true
-  ),
-  logins as (
-    select * from
-    panther_logs.public.snowflake_loginhistory
-    where p_occurs_since('24h', , p_parse_time)
-  )
-  select * from logins join disabled_users
-  on logins.USER_NAME = disabled_users.USER:NAME
-Schedule:
-  RateMinutes: 1440
-  TimeoutMinutes: 2