updated severity, system user returns info (#38)

panther-labs · Jan 16, 2024 · 3eb588d · 3eb588d
1 parent 6969de8
commit 3eb588d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
@@ -7,6 +7,7 @@
 from functools import reduce
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
+
 from panther_config import config
 
 # # # # # # # # # # # # # #

diff --git a/rules/panther_audit_rules/panther_user_modified.py b/rules/panther_audit_rules/panther_user_modified.py
@@ -36,4 +36,6 @@ def severity(event):
     user = event.udm("actor_user")
     if user == "scim":
         return "INFO"
+    if event.deep_get("actor", "id") == "00000000-0000-4000-8000-000000000000":
+        return "INFO"
     return "DEFAULT"