Merge branch 'k8s-unauthorized-exec-into-pod' of github.com:kbroughto…

…n/panther-analysis into k8s-unauthorized-exec-into-pod * 'k8s-unauthorized-exec-into-pod' of github.com:kbroughton/panther-analysis: (21 commits) fix: greynoise object function call not attribute (panther-labs#479) Packs: Cloudflare & Slack (panther-labs#478) feat: bring additional alert_context to AWS rules which had none (panther-labs#472) feat: cyclomatic complexity linting (panther-labs#474) Tweak - Cloudflare L7 DDoS (panther-labs#475) chore: update test badge to use github actions (panther-labs#471) Combine GSuite High/Medium/Low Rule alerts into one (panther-labs#467) kbailey: remove circleCI (panther-labs#470) Kbroughton/make lint action (panther-labs#452) fix: panther specific github actions should not run on forks (panther-labs#469) Remove managed schemas (panther-labs#421) Slack Detections - User (panther-labs#464) Slack Detections - EKM (panther-labs#463) Slack Detections - App (panther-labs#462) Initial Commit - Slack Detections - File (panther-labs#465) Slack Detections - Channel (panther-labs#461) Slack Detections - Workspace/Org (panther-labs#460) Update GSuite Alerts Rules with Rule Name (panther-labs#440) Add example lookup table and data file (panther-labs#446) Slack Data Models & Alert Context Helper (panther-labs#458) ...
kbroughton · Aug 19, 2022 · eeafd65 · eeafd65
2 parents 2ec6a35 + 4c91635
commit eeafd65
Show file tree

Hide file tree

Showing 245 changed files with 3,246 additions and 15,336 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2,5 +2,5 @@
 # Each line is a file pattern followed by one or more owners.
 
 # These owners will be the default owners for everything in the repo.
-*       @nhakmiller @lindsey-w @wey-chiang @kostaspap @bseb @k-bailey @panther-labs/detections
-schemas/* @alxarch
+
+*       @nhakmiller @panther-labs/detections @panther-labs/security
diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml
@@ -8,7 +8,9 @@ on:
 
 jobs:
   update_task_on_pr_open:
-    if: ${{ github.event.pull_request.state == 'open' }}
+    if: | 
+      github.repository_owner == 'panther-labs' &&
+      github.event.pull_request.state == 'open'
     runs-on: ubuntu-latest
     steps:
       - uses: panther-labs/github-asana-action@v3.0.5
@@ -27,7 +29,9 @@ jobs:
           targets: '[{"projectNameRegex": "(S|s)print", "section": "In Review"}]'
 
   update_task_on_pr_close:
-    if: ${{ github.event.pull_request.state == 'closed' }}
+    if: | 
+      github.repository_owner == 'panther-labs' &&
+      github.event.pull_request.state == 'closed'
     runs-on: ubuntu-latest
     steps:
       - uses: panther-labs/github-asana-action@v3.0.5

diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
@@ -0,0 +1,46 @@
+# Panther is a Cloud-Native SIEM for the Modern Security Team.
+# Copyright (C) 2020 Panther Labs Inc
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+on: pull_request
+
+jobs:
+  make_lint:
+    name: lint and test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Source Repo
+        uses: actions/checkout@v2
+
+      - name: Set python version  
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Install
+        run: make install
+
+      - name: Setup venv
+        run: make venv
+
+      - name: make lint
+        run: make lint
+
+      - name: make test
+        run: make test
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -24,7 +24,9 @@ on:
 jobs:
   sync_prs_from_community_to_dogfood:
     name: Syncs merged PRs from Panther-Analysis Community to Panther-Analysis-Dogfood
-    if: ${{ github.event.pull_request.merged == true && !contains(github.event.pull_request.labels.*.name, 'dogfood-backport') }}
+    if: | 
+      github.repository_owner == 'panther-labs' && 
+      ( github.event.pull_request.merged == true && !contains(github.event.pull_request.labels.*.name, 'dogfood-backport') )
     runs-on: ubuntu-latest
     env:
       SOURCE_REPO_CHECKOUT_PATH: src

diff --git a/.gitignore b/.gitignore
@@ -63,3 +63,6 @@ dist/
 
 # Vim
 *.swp
+
+# Jetbrains
+.idea
diff --git a/Makefile b/Makefile
@@ -1,12 +1,3 @@
-# Find all *.yml files under schemas/ that are not in a '/tests/' path.
-schema_files := $(shell find schemas/ -type f -name '*.yml' -and -not -wholename '*/tests/*' | sort | xargs)
-# Last release tag
-last_release := $(shell git tag --sort=version:refname --list 'v*' | tail -n1)
-# Revision SHA1 at current commit
-rev := $(shell git rev-parse HEAD)
-# Release tag for current commit
-release := $(shell git tag --points-at=$(rev) --sort=version:refname --list 'v*' | tail -n1)
-
 dirs := $(shell ls | egrep 'policies|rules|helpers|models|templates' | xargs)
 
 ci:
@@ -20,7 +11,10 @@ deps-update:
 
 lint:
 	pipenv run bandit -r $(dirs) --skip B101  # allow assert statements in tests
-	pipenv run pylint $(dirs) --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned --max-line-length=100
+	pipenv run pylint $(dirs) \
+	  --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned \
+	  --load-plugins=pylint.extensions.mccabe \
+	  --max-line-length=100
 
 venv:
 	pipenv install --dev
@@ -31,32 +25,10 @@ pat-update:
 fmt:
 	pipenv run isort --profile=black $(dirs)
 	pipenv run black --line-length=100 $(dirs)
-	prettier -w schemas schemas/**/*.yml
 
 install:
 	pipenv install --dev
 
 test:
 	pipenv run panther_analysis_tool test
 
-managed-schemas:
-	mkdir -p dist/managed-schemas; \
-	for f in $(schema_files); do \
-		echo "---"; \
-		cat "$$f"; \
-	done > "dist/managed-schemas/manifest.yml"; \
-	sha256sum "dist/managed-schemas/manifest.yml" > "dist/managed-schemas/SHA256SUMS";
-
-managed-schemas.zip: managed-schemas
-	rm -f dist/managed-schemas.zip; \
-	if [ "$(release)" != "" ]; then \
-		echo "$(release)"; \
-	else \
-		echo "$(last_release)-$(rev)"; \
-	fi | zip \
-		--archive-comment \
-		--junk-paths \
-		--recurse-paths \
-		-q \
-		--no-dir-entries \
-		dist/managed-schemas.zip "dist/managed-schemas";
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@
 </p>
 
 <p align="center">
-  <a href="https://circleci.com/gh/panther-labs/panther-analysis"><img src="https://circleci.com/gh/panther-labs/panther-analysis.svg?style=svg" alt="CircleCI"/></a>
+  <a href="https://github.com/panther-labs/panther-analysis/actions/workflows/lint-test.yml"><img src="https://github.com/panther-labs/panther-analysis/actions/workflows/lint-test.yml/badge.svg" alt="GitHub Actions Link"/></a>
   <a href="https://cla-assistant.io/panther-labs/panther-analysis" alt="CLA Assistant"><img src="https://cla-assistant.io/readme/badge/panther-labs/panther-analysis"/></a>
 </p>
 

diff --git a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py b/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 
 def rule(event):
@@ -16,3 +16,7 @@ def rule(event):
             return True
 
     return False
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_created.py b/aws_cloudtrail_rules/aws_cloudtrail_created.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 # API calls that are indicative of CloudTrail changes
 CLOUDTRAIL_CREATE_UPDATE = {
@@ -15,3 +15,7 @@ def rule(event):
 
 def title(event):
     return f"CloudTrail [{deep_get(event, 'requestParameters', 'name')}] was created/updated"
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py b/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success, lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 # API calls that are indicative of CloudTrail changes
 CLOUDTRAIL_STOP_DELETE = {
@@ -22,3 +22,7 @@ def title(event):
         f"CloudTrail [{dedup(event)}] in account "
         f"[{lookup_aws_account_name(event.get('recipientAccountId'))}] was stopped/deleted"
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_codebuild_made_public.py b/aws_cloudtrail_rules/aws_codebuild_made_public.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 
 def rule(event):
@@ -14,3 +14,7 @@ def title(event):
         f"AWS CodeBuild Project made Public by {deep_get(event, 'userIdentity', 'arn')} "
         f"in account {lookup_aws_account_name(deep_get(event, 'recipientAccountId'))}"
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_config_service_created.py b/aws_cloudtrail_rules/aws_config_service_created.py
@@ -1,4 +1,5 @@
 from panther import aws_cloudtrail_success
+from panther_base_helpers import aws_rule_context
 
 # API calls that are indicative of an AWS Config Service change
 CONFIG_SERVICE_CREATE_EVENTS = {
@@ -10,3 +11,7 @@
 
 def rule(event):
     return aws_cloudtrail_success(event) and event.get("eventName") in CONFIG_SERVICE_CREATE_EVENTS
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py b/aws_cloudtrail_rules/aws_config_service_disabled_deleted.py
@@ -1,4 +1,5 @@
 from panther import aws_cloudtrail_success
+from panther_base_helpers import aws_rule_context
 
 # API calls that are indicative of an AWS Config Service change
 CONFIG_SERVICE_DISABLE_DELETE_EVENTS = {
@@ -12,3 +13,7 @@ def rule(event):
         aws_cloudtrail_success(event)
         and event.get("eventName") in CONFIG_SERVICE_DISABLE_DELETE_EVENTS
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_console_login_failed.py b/aws_cloudtrail_rules/aws_console_login_failed.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 
 def rule(event):
@@ -14,3 +14,7 @@ def title(event):
     return (
         f"AWS logins failed in account [{lookup_aws_account_name(event.get('recipientAccountId'))}]"
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_console_login_without_mfa.py b/aws_cloudtrail_rules/aws_console_login_without_mfa.py
@@ -2,7 +2,7 @@
 import logging
 
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 from panther_oss_helpers import check_account_age
 
 # Set to True for environments that permit direct role assumption via external IDP
@@ -84,3 +84,7 @@ def title(event):
         account_string = f"{account_name} account ({account_id})"
 
     return f"AWS login detected without MFA for [{user_string}] in [{account_string}]"
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_console_login_without_saml.py b/aws_cloudtrail_rules/aws_console_login_without_saml.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 
 def rule(event):
@@ -16,3 +16,7 @@ def title(event):
         f"AWS logins without SAML in account "
         f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]"
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_console_root_login_failed.py b/aws_cloudtrail_rules/aws_console_root_login_failed.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get
+from panther_base_helpers import deep_get, aws_rule_context
 
 
 def rule(event):
@@ -15,3 +15,7 @@ def title(event):
         f"AWS root login failed from [{event.get('sourceIPAddress')}] in account "
         f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]"
     )
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_ec2_gateway_modified.py b/aws_cloudtrail_rules/aws_ec2_gateway_modified.py
@@ -1,4 +1,5 @@
 from panther import aws_cloudtrail_success
+from panther_base_helpers import aws_rule_context
 
 # API calls that are indicative of an EC2 Network Gateway modification
 EC2_GATEWAY_MODIFIED_EVENTS = {
@@ -17,3 +18,7 @@ def rule(event):
 
 def dedup(event):
     return event.get("recipientAccountId")
+
+
+def alert_context(event):
+    return aws_rule_context(event)
diff --git a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py b/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, pattern_match_list
+from panther_base_helpers import deep_get, pattern_match_list, aws_rule_context
 
 PROD_ACCOUNT_IDS = {"11111111111111", "112233445566"}
 SG_CHANGE_EVENTS = {
@@ -58,3 +58,7 @@ def title(event):
     title_template = SG_CHANGE_EVENTS[event.get("eventName")]["title"]
     title_fields["actor"] = user
     return title_template.format(**title_fields)
+
+
+def alert_context(event):
+    return aws_rule_context(event)
-Original file line number
+Diff line change
@@ Expand Up / @@ -63,3 +63,6 @@ dist/ @@
     # Vim
     *.swp
+    # Jetbrains
+    .idea