diff --git a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.py b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.py
index 372f32f44..aa551a960 100644
--- a/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.py
+++ b/rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.py
@@ -1,5 +1,5 @@
-from panther_base_helpers import deep_get
 from gcp_base_helpers import gcp_alert_context
+from panther_base_helpers import deep_get
 
 
 def rule(event):
diff --git a/rules/standard_rules/impossible_travel_login.py b/rules/standard_rules/impossible_travel_login.py
index 84644f875..fa6837a0b 100644
--- a/rules/standard_rules/impossible_travel_login.py
+++ b/rules/standard_rules/impossible_travel_login.py
@@ -181,4 +181,13 @@ def alert_context(event):
 def severity(_):
     if IS_VPN or IS_APPLE_PRIVATE_RELAY:
         return "INFO"
+    # time = distance/speed
+    distance = deep_get(EVENT_CITY_TRACKING, "distance", default=None)
+    speed = deep_get(EVENT_CITY_TRACKING, "speed", default=None)
+    if speed and distance:
+        time = distance / speed
+        # time of 0.1666 is 10 minutes
+        if time < 0.1666 and distance < 50:
+            # This is likely a GEOIP inaccuracy
+            return "LOW"
     return "HIGH"
diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml
index 5f22ab0f9..255dd9320 100644
--- a/rules/standard_rules/impossible_travel_login.yml
+++ b/rules/standard_rules/impossible_travel_login.yml
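Review bot: The thresholds on `if time < 0.1666 and distance < 50:` are unexplained magic numbers in units the reader has to reverse-engineer from the comment (0.1666 is 10 minutes only if `speed` is expressed per hour, and the unit of `distance` — km or miles — is not visible in this hunk). Naming them makes the GeoIP-inaccuracy heuristic auditable, e.g. `GEOIP_FUZZ_MAX_HOURS = 10 / 60` and `GEOIP_FUZZ_MAX_DISTANCE = 50` at module level with a comment stating the distance unit, and `if travel_hours < GEOIP_FUZZ_MAX_HOURS and distance < GEOIP_FUZZ_MAX_DISTANCE:` in the function. The local `time` also shadows the stdlib module name; `travel_hours` says what it holds. A docstring on `severity` should state that a short hop within ten minutes is downgraded to LOW because it is treated as a GeoIP inaccuracy rather than a travel anomaly, so analysts know this class of event is deliberately deprioritised. The body of `severity` is fully inside the hunk.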
@@ -553,3 +553,93 @@ Tests:
         "uuid": "79999999-ffff-eeee-bbbb-222222222222",
         "version": "0"
       }
+  - Name: Short Distances and Short Timedeltas
+    ExpectedResult: true
+    Mocks:
+      - objectName: put_string_set
+        returnValue: ""
+      - objectName: get_string_set
+        returnValue: >-
+          [
+            {
+              "city": "Los Angeles",
+              "country": "US",
+              "lat": "34.05223",
+              "lng": "-118.24368",
+              "p_event_time": "2023-06-12T22:23:51.964000",
+              "postal_code": "90009",
+              "region": "California",
+              "region_code": "CA",
+              "source_ip": "12.12.12.12",
+              "timezone": "America/Los_Angeles"
+            }
+          ]
+    Log:
+      {
+        "actor": {
+          "alternateId": "homer.simpson@company.com",
+          "displayName": "Homer Simpson",
+          "id": "00uwuwuwuwuwuwuwuwuw",
+          "type": "User"
+        },
+        "authenticationContext": {
+          "authenticationStep": 0,
+          "externalSessionId": "idx1234"
+        },
+        "client": {
+          "device": "Computer",
+          "ipAddress": "12.12.12.12",
+          "userAgent": {
+            "browser": "CHROME",
+            "os": "Mac OS X",
+            "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
+          },
+          "zone": "null"
+        },
+        "debugContext": {
+          "debugData": {
+          }
+        },
+        "device": {
+        },
+        "displayMessage": "User login to Okta",
+        "eventType": "user.session.start",
+        "legacyEventType": "core.user_auth.login_success",
+        "outcome": {
+          "result": "SUCCESS"
+        },
+        "p_event_time": "2023-06-12T22:26:01.951000",
+        "p_enrichment": {
+          "ipinfo_location": {
+            "client.ipAddress": {
+              "city": "Anaheim",
+              "country": "US",
+              "lat": "33.8085",
+              "lng": "-117.9228",
+              "p_event_time": "2023-06-12T22:26:01.951000",
+              "postal_code": "92802",
+              "region": "California",
+              "region_code": "CA",
+              "source_ip": "12.12.12.11",
+              "timezone": "America/Los_Angeles"
+            }
+          }
+        },
+        "p_log_type": "Okta.SystemLog",
+        "p_source_label": "Okta Logs",
+        "p_parse_time": "2023-06-12T22:29:01.951000",
+        "published": "2023-06-12 22:26:01.951000",
+        "request": {
+          "ipChain": [
+          ]
+        },
+        "securityContext": {
+        },
+        "severity": "INFO",
+        "target": [
+        ],
+        "transaction": {
+        },
+        "uuid": "79999999-ffff-eeee-bbbb-222222222222",
+        "version": "0"
+      }
\ No newline at end of file
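Review bot: The new test case asserts only `ExpectedResult: true`, so it confirms the rule still fires for a Los Angeles to Anaheim hop but does not pin the severity downgrade to LOW that this commit introduces in `impossible_travel_login.py`; unless the harness checks severity separately, a regression in that branch would still pass this test. If the test framework supports a severity expectation, adding one here (plus a sibling case just over the distance or time threshold) would make the heuristic boundary testable rather than implied by the test name. Separately, the enrichment block carries `"source_ip": "12.12.12.11"` while `client.ipAddress` is `12.12.12.12`; if that mismatch is not deliberate, aligning them keeps the fixture from misleading the next reader.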