From 4cca9977acd3d0dd7e6c87a1c7cf84c6a0bf6aa6 Mon Sep 17 00:00:00 2001 
From: jzandona <79932094+jzandona@users.noreply.github.com> Date: Tue, 14 May 2024 07:56:02 -0700 Subject: [PATCH] AppOmni Alert passthrough (#1211) * alert passthrough * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * linting * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos Co-authored-by: egibs Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> * Update PAT to 0.46.0 (#1216) * add file/host state to msft graph alert context (#1220) * fix timestamps (#1219) * Update PAT to 0.46.1 (#1222) * pack for traildiscover LUT (#1221) 
* use event.deep_get and remove InlineFilters * add pack --------- Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com> Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Co-authored-by: Panos Sakkos Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Co-authored-by: egibs Co-authored-by: Evan Gibler Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com> Co-authored-by: Ariel Ropek
---
packs/appomni.yml | 7 +
.../appomni_alert_passthrough.py | 35 +++
.../appomni_alert_passthrough.yml | 232 ++++++++++++++++++
3 files changed, 274 insertions(+)
create mode 100644 packs/appomni.yml
create mode 100644 rules/appomni_rules/appomni_alert_passthrough.py
create mode 100644 rules/appomni_rules/appomni_alert_passthrough.yml
diff --git a/packs/appomni.yml b/packs/appomni.yml
new file mode 100644
index 000000000..eaf6b9da7
--- /dev/null
+++ b/packs/appomni.yml
@@ -0,0 +1,7 @@
+AnalysisType: pack
+PackID: PantherManaged.AppOmni
+Description: Group of all AppOmni detections
+PackDefinition:
+ IDs:
+ - AppOmni.Alert.Passthrough
+DisplayName: "Panther AppOmni Pack"
diff --git a/rules/appomni_rules/appomni_alert_passthrough.py b/rules/appomni_rules/appomni_alert_passthrough.py
new file mode 100644
index 000000000..9cbc07a6b
--- /dev/null
+++ b/rules/appomni_rules/appomni_alert_passthrough.py
@@ -0,0 +1,35 @@
+def rule(event):
+ # Only alert where event.kind == "alert"
+ if event.deep_get("event", "kind") == "alert":
+ return True
+ return False
+
+
+def title(event):
+ # Create title that includes severity and message
+ sev_dict = {0: "Critical", 1: "High", 2: "Medium", 3: "Low", 4: "Informational"}
+ sev = sev_dict[event.deep_get("event", "severity")]
+
+ # Use type service in title if only one field, label as 'Multiple Services' if more than one.
+ if len(event.deep_get("related", "services", "type")) == 1:
+ service = event.deep_get("related", "services", "type")[0]
+ else:
+ service = "Multiple Services"
+
+ return f'[{sev}] - {service} - {event.get("message")}'
+
+
+def severity(event):
+ # Update Panther alert severity based on severity from AppOmni Alert
+ sev = {0: "Critical", 1: "High", 2: "Medium", 3: "Low", 4: "Informational"}
+ return sev[event.deep_get("event", "severity")]
+
+
+def dedup(event):
+ # Dedup by the events alert id, make sure we alert each time a new AppOmni alert is logged
+ return f'Event ID: {event.deep_get("appomni", "event", "id")}'
+
+
+def alert_context(event):
+ # 'Threat' and 'related' data to be included in the alert sent to the alert destination
+ return {"threat": event.deep_get("rule", "threat"), "related": event.deep_get("related")}
diff --git a/rules/appomni_rules/appomni_alert_passthrough.yml b/rules/appomni_rules/appomni_alert_passthrough.yml
new file mode 100644
index 000000000..4a46eee49
--- /dev/null
+++ b/rules/appomni_rules/appomni_alert_passthrough.yml
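Review bot: `title()` and `severity()` index `sev_dict[...]` with the raw `event.severity`, so an AppOmni alert whose severity is missing or outside 0–4 raises KeyError, and `len(event.deep_get("related", "services", "type"))` raises TypeError when `related.services.type` is absent; Panther would then fall back to the YAML defaults (or report a rule error), so the passthrough loses title and severity precisely on the malformed alerts. Prefer `SEVERITY_NAMES.get(..., "Medium")` (the YAML default) and a `default=[]` on the services lookup, assuming this `deep_get` accepts `default=` as the Panther helper does. The severity mapping is also duplicated between the two functions; hoisting it to one module-level constant keeps them from drifting apart. None of the four tests in the accompanying YAML exercise a missing severity or services field, so a negative case would pin the fallback behaviour.
```python
SEVERITY_NAMES = {0: "Critical", 1: "High", 2: "Medium", 3: "Low", 4: "Informational"}


def _severity_name(event):
    # An unknown or missing AppOmni severity falls back to the YAML default
    # ("Medium") instead of raising KeyError and losing the alert's title/severity.
    return SEVERITY_NAMES.get(event.deep_get("event", "severity"), "Medium")


# … unchanged: rule …


def title(event):
    sev = _severity_name(event)
    # An absent related.services.type must not raise; treat it like "more than one".
    services = event.deep_get("related", "services", "type", default=[]) or []
    service = services[0] if len(services) == 1 else "Multiple Services"
    return f'[{sev}] - {service} - {event.get("message")}'


def severity(event):
    return _severity_name(event)


# … unchanged: dedup, alert_context …
```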
@@ -0,0 +1,232 @@
+AnalysisType: rule
+Filename: appomni_alert_passthrough.py
+RuleID: "AppOmni.Alert.Passthrough"
+DisplayName: "AppOmni Alert Passthrough"
+Enabled: true
+LogTypes:
+ - AppOmni.Alerts
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0001:T1566
+ - TA0001:T1528
+ - TA0001:T1190
+ - TA0001:T1078
+ - TA0001:T1199
+ - TA0004:T1548
+ - TA0005:T1562
+ - TA0005:T1090
+ - TA0005:T1564
+ - TA0005:T1556
+ - TA0005:T1550
+ - TA0005:T1078
+ - TA0006:T1110
+ - TA0006:T1111
+ - TA0006:T1550
+ - TA0006:T1528
+ - TA0006:T1552
+ - TA0006:T1539
+ - TA0040:T1486
+ - TA0040:T1565
+ - TA0040:T1485
+ - TA0040:T1531
+ - TA0002:T1204
+ - TA0003:T1114
+ - TA0003:T1098
+ - TA0003:T1556
+ - TA0003:T1078
+ - TA0003:T1136
+ - TA0004:T1484
+ - TA0007:T1518
+ - TA0007:T1087
+ - TA0008:T1550
+ - TA0042:T1608
+ - TA0009:T1530
+ - TA0009:T1213
+ - TA0009:T1114
+ - TA0004:T1078
+ - TA0010:T1537
+ - TA0010:T1567
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: Alert Type Severity 2
+ ExpectedResult: true
+ Log:
+ appomni:
+ alert:
+ channel: prod
+ event:
+ dataset: appomni_alert
+ id: 2ae1e281-4df1-5d26-81e2-7b75589e5dd4
+ sortable_event_id: 01HQ6JKJ5VE68CAT71JM27Z1D2
+ sortable_ingest_id: 01HQ6KGT23SN874A9ATHZCM1JH
+ organization:
+ id: 285
+ event:
+ created: "2024-02-21T19:50:42.499Z"
+ kind: alert
+ severity: 2
+ message: Security issue detected in GitHub repository 'appomni/ao_factory_interfaces'
+ related:
+ event:
+ - cf8e782f-1657-5a4e-bdc2-cff1d147c912
+ services:
+ id:
+ - 12477
+ type:
+ - github
+ rule:
+ name: Repository Security Issue Detected
+ ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
+ threat:
+ framework: MITRE ATT&CK
+ tactic:
+ id:
+ - TA0001
+ name:
+ - Initial Access
+ technique:
+ id:
+ - T1195
+ name:
+ - Supply Chain Compromise
+ uuid: 6d873f19-4847-4412-9b70-6dca598ee64c
+ version: "1"
+ timestamp: "2024-02-21T19:34:44.155Z"
+ version: 2.0.0
+ - Name: Event Type
+ ExpectedResult: false
+ Log:
+ appomni:
+ event:
+ collected_time: "2024-02-28T19:53:34.266Z"
+ dataset: ao_auditlogs
+ id: e4431a54-e57d-5cab-8b24-af194d49ebec
+ ingestion_time: "2024-02-28T19:53:34.298Z"
+ organization:
+ id: 6
+ service:
+ account_id: "6"
+ id: 0
+ name: AppOmni
+ type: appomni
+ event:
+ action: update_token
+ category:
+ - authentication
+ code: access_token_refreshed_refreshtoken
+ created: "2024-02-28T19:53:34.266Z"
+ dataset: ao_auditlogs
+ id: b90b4447-ae6a-4257-95fe-a3f9c5577158
+ ingested: "2024-02-28T19:53:34.298Z"
+ kind: event
+ module: appomni
+ original: '{"action_at":"2024-02-28T19:53:34.256900+00:00","action_data":{"md_kind":"core.aoaudit.auditdata","md_version":1},"action_type":"access_token_refreshed_refreshtoken","log_id":"b90b4447-ae6a-4257-95fe-a3f9c5577158","org_id":6,"perspective_id":1487,"service_id":34,"service_type":"workday"}'
+ type:
+ - change
+ timestamp: "2024-02-28T19:53:34.256Z"
+ version: 2.0.0
+ - Name: External App Install - Severity 3
+ ExpectedResult: true
+ Log:
+ "@timestamp": "2024-02-26T18:02:09.044Z"
+ appomni:
+ alert:
+ channel: prod
+ event:
+ dataset: appomni_alert
+ id: e927e832-bfb1-55d7-9159-0e5cd84dcc65
+ sortable_event_id: 01HQK99M8MZKWGZG24B5WV4JDK
+ sortable_ingest_id: 01HQK9DFC5DS5MYM0YEFFW7PF8
+ organization:
+ id: 6
+ event:
+ created: "2024-02-26T18:04:15.109Z"
+ kind: alert
+ severity: 3
+ message: An external application has been installed by appomni_int_justinz in Workday
+ related:
+ event:
+ - cb786453-a105-5438-97a6-903d15e0cb7e
+ ip:
+ - 71.218.228.62
+ services:
+ id:
+ - 34
+ type:
+ - workday
+ user:
+ - appomni_int_justinz
+ rule:
+ name: External Application Installed
+ ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
+ threat:
+ framework: MITRE ATT&CK
+ tactic:
+ id:
+ - TA0005
+ - TA0008
+ - TA0010
+ name:
+ - Defense Evasion
+ - Lateral Movement
+ - Exfiltration
+ technique:
+ id:
+ - T1550
+ - T1550
+ - T1567
+ name:
+ - Use Alternate Authentication Material
+ - Use Alternate Authentication Material
+ - Exfiltration Over Web Service
+ uuid: 2aadaafd-4ec5-4a09-be6e-c2d70b555d19
+ version: "1"
+ version: 2.0.0
+ - Name: Multiple Services
+ ExpectedResult: true
+ Log:
+ appomni:
+ alert:
+ channel: prod
+ event:
+ dataset: appomni_alert
+ id: 2ae1e281-4df1-5d26-81e2-7b75589e5dd4
+ sortable_event_id: 01HQ6JKJ5VE68CAT71JM27Z1D2
+ sortable_ingest_id: 01HQ6KGT23SN874A9ATHZCM1JH
+ organization:
+ id: 285
+ event:
+ created: "2024-02-21T19:50:42.499Z"
+ kind: alert
+ severity: 2
+ message: Security issue detected in GitHub repository 'appomni/ao_factory_interfaces'
+ related:
+ event:
+ - cf8e782f-1657-5a4e-bdc2-cff1d147c912
+ services:
+ id:
+ - 12477
+ type:
+ - github
+ - workday
+ rule:
+ name: Repository Security Issue Detected
+ ruleset: 1423ff39-3250-4d53-aafb-142e740668bd
+ threat:
+ framework: MITRE ATT&CK
+ tactic:
+ id:
+ - TA0001
+ name:
+ - Initial Access
+ technique:
+ id:
+ - T1195
+ name:
+ - Supply Chain Compromise
+ uuid: 6d873f19-4847-4412-9b70-6dca598ee64c
+ version: "1"
+ timestamp: "2024-02-21T19:34:44.155Z"
+ version: 2.0.0
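Review bot: Several pairs in the static `Reports` list do not match the tactic the technique sits under in the ATT&CK matrix as I read it — `TA0001:T1528` (Steal Application Access Token is Credential Access), `TA0006:T1550` (Use Alternate Authentication Material is Defense Evasion / Lateral Movement), `TA0005:T1090` (Proxy is Command and Control) and `TA0003:T1114` (Email Collection is Collection) — and because the per-alert mapping is already forwarded in `rule.threat` via `alert_context()`, this static list tags every passthrough alert with all ~40 techniques regardless of what AppOmni actually detected. Consider dropping the invalid pairs and adding a comment such as `# Union of techniques across AppOmni rulesets; the per-alert mapping is in rule.threat` so the next reader knows the list is deliberately broad. The four tests also all carry a well-formed `event.severity` and `related.services.type`; a test whose alert omits those fields would cover the error path in `title()`/`severity()`, which currently index the severity map directly.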