diff --git a/Makefile b/Makefile
index 9ca4f6963..417939375 100644
--- a/Makefile
+++ b/Makefile
@@ -9,13 +9,19 @@ deps:
 deps-update:
 pipenv update
-lint:
+lint: lint-pylint lint-fmt
+
+lint-pylint:
 pipenv run bandit -r $(dirs) --skip B101 # allow assert statements in tests
 pipenv run pylint $(dirs) \
 --disable=missing-docstring,duplicate-code,import-error,fixme,consider-iterating-dictionary,global-variable-not-assigned \
 --load-plugins=pylint.extensions.mccabe \
 --max-line-length=100
+lint-fmt:
+ @echo Checking python file formatting with the black code style checker
+ pipenv run black --line-length=100 --check $(dirs)
+
 venv:
 pipenv install --dev
diff --git a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py b/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
index b85892638..dccb64cba 100644
--- a/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
+++ b/aws_cloudtrail_rules/aws_ami_modified_for_public_access.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_created.py b/aws_cloudtrail_rules/aws_cloudtrail_created.py
index 4a5fa636c..c0f304eab 100644
--- a/aws_cloudtrail_rules/aws_cloudtrail_created.py
+++ b/aws_cloudtrail_rules/aws_cloudtrail_created.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # API calls that are indicative of CloudTrail changes
 CLOUDTRAIL_CREATE_UPDATE = {
diff --git a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py b/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
index fb2841971..96a4d3135 100644
--- a/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
+++ b/aws_cloudtrail_rules/aws_cloudtrail_stopped.py
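Review bot: The new `lint-pylint` target is also where the bandit scan now lives, so a bandit finding fails the build under a target name that says pylint; I would split it into its own `lint-bandit` target and list it as `lint: lint-bandit lint-pylint lint-fmt` so the security scan can be run and failed independently of style checks. Note also that `--skip B101` applies to every directory in `$(dirs)`, not only to tests as the inline comment suggests, so assert-based checks in rule and helper code are silenced too; scoping the skip to test paths (or a bandit config that excludes them) would keep the comment honest. The definition of `$(dirs)` is outside the hunk.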
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success, lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # API calls that are indicative of CloudTrail changes
 CLOUDTRAIL_STOP_DELETE = {
diff --git a/aws_cloudtrail_rules/aws_codebuild_made_public.py b/aws_cloudtrail_rules/aws_codebuild_made_public.py
index 4f739aba8..8d4acdf56 100644
--- a/aws_cloudtrail_rules/aws_codebuild_made_public.py
+++ b/aws_cloudtrail_rules/aws_codebuild_made_public.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_console_login_failed.py b/aws_cloudtrail_rules/aws_console_login_failed.py
index fd927180f..744a1abe0 100644
--- a/aws_cloudtrail_rules/aws_console_login_failed.py
+++ b/aws_cloudtrail_rules/aws_console_login_failed.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_console_login_without_mfa.py b/aws_cloudtrail_rules/aws_console_login_without_mfa.py
index 68964157b..8d6b7f39d 100644
--- a/aws_cloudtrail_rules/aws_console_login_without_mfa.py
+++ b/aws_cloudtrail_rules/aws_console_login_without_mfa.py
@@ -2,7 +2,7 @@ import logging
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 from panther_oss_helpers import check_account_age
 # Set to True for environments that permit direct role assumption via external IDP
diff --git a/aws_cloudtrail_rules/aws_console_login_without_saml.py b/aws_cloudtrail_rules/aws_console_login_without_saml.py
index 7d458ffab..648d84d22 100644
--- a/aws_cloudtrail_rules/aws_console_login_without_saml.py
+++ b/aws_cloudtrail_rules/aws_console_login_without_saml.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_console_root_login_failed.py b/aws_cloudtrail_rules/aws_console_root_login_failed.py
index 369a5af39..7b75bffab 100644
--- a/aws_cloudtrail_rules/aws_console_root_login_failed.py
+++ b/aws_cloudtrail_rules/aws_console_root_login_failed.py
@@ -1,5 +1,5 @@
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py b/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
index a8be33b51..917104273 100644
--- a/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
+++ b/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, pattern_match_list, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get, pattern_match_list
 PROD_ACCOUNT_IDS = {"11111111111111", "112233445566"}
 SG_CHANGE_EVENTS = {
diff --git a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py b/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
index 9e060b7b2..802c2dd12 100644
--- a/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
+++ b/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # This is a list of role ARNs that should not be assumed by users in normal operations
 ASSUME_ROLE_BLOCKLIST = [
diff --git a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py b/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
index 5aa808ad1..aa5379f38 100644
--- a/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
+++ b/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.py
@@ -1,7 +1,7 @@
 import re
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # The role dedicated for IAM administration
 IAM_ADMIN_ROLES = {
diff --git a/aws_cloudtrail_rules/aws_iam_user_recon_denied.py b/aws_cloudtrail_rules/aws_iam_user_recon_denied.py
index 51fe6eda1..0aa91225d 100644
--- a/aws_cloudtrail_rules/aws_iam_user_recon_denied.py
+++ b/aws_cloudtrail_rules/aws_iam_user_recon_denied.py
@@ -1,7 +1,7 @@
 from ipaddress import ip_address
 from panther import lookup_aws_account_name
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # service/event patterns to monitor
 RECON_ACTIONS = {
diff --git a/aws_cloudtrail_rules/aws_key_compromised.py b/aws_cloudtrail_rules/aws_key_compromised.py
index 14a961e83..72100aa88 100644
--- a/aws_cloudtrail_rules/aws_key_compromised.py
+++ b/aws_cloudtrail_rules/aws_key_compromised.py
@@ -1,4 +1,4 @@
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 EXPOSED_CRED_POLICY = "AWSExposedCredentialPolicy_DO_NOT_REMOVE"
diff --git a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py b/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
index f5f61b7a4..c4f148333 100644
--- a/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
+++ b/aws_cloudtrail_rules/aws_network_acl_permissive_entry.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_resource_made_public.py b/aws_cloudtrail_rules/aws_resource_made_public.py
index d7bcfd351..2eb79fab6 100644
--- a/aws_cloudtrail_rules/aws_resource_made_public.py
+++ b/aws_cloudtrail_rules/aws_resource_made_public.py
@@ -1,7 +1,7 @@
 import json
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 from policyuniverse.policy import Policy
diff --git a/aws_cloudtrail_rules/aws_root_access_key_created.py b/aws_cloudtrail_rules/aws_root_access_key_created.py
index 11bf9bde8..0304333ec 100644
--- a/aws_cloudtrail_rules/aws_root_access_key_created.py
+++ b/aws_cloudtrail_rules/aws_root_access_key_created.py
@@ -1,4 +1,4 @@
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_root_console_login.py b/aws_cloudtrail_rules/aws_root_console_login.py
index bb4b08583..cbfd686ad 100644
--- a/aws_cloudtrail_rules/aws_root_console_login.py
+++ b/aws_cloudtrail_rules/aws_root_console_login.py
@@ -1,4 +1,4 @@
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_root_failed_console_login.py b/aws_cloudtrail_rules/aws_root_failed_console_login.py
index eee1195b8..4435c25cc 100644
--- a/aws_cloudtrail_rules/aws_root_failed_console_login.py +++ b/aws_cloudtrail_rules/aws_root_failed_console_login.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get, aws_rule_context +from panther_base_helpers import aws_rule_context, deep_get def rule(event): diff --git a/aws_cloudtrail_rules/aws_root_password_changed.py b/aws_cloudtrail_rules/aws_root_password_changed.py index 1ccdb862c..59b76cb69 100644 --- a/aws_cloudtrail_rules/aws_root_password_changed.py +++ b/aws_cloudtrail_rules/aws_root_password_changed.py @@ -1,4 +1,4 @@ -from panther_base_helpers import deep_get, aws_rule_context +from panther_base_helpers import aws_rule_context, deep_get def rule(event): diff --git a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py index 856381855..9a27b8b79 100644 --- a/aws_cloudtrail_rules/aws_s3_activity_greynoise.py +++ b/aws_cloudtrail_rules/aws_s3_activity_greynoise.py @@ -3,7 +3,6 @@ from panther_base_helpers import deep_get, pattern_match_list from panther_greynoise_helpers import GetGreyNoiseObject, GetGreyNoiseRiotObject - # pylint: disable=too-many-return-statements,invalid-name,unused-argument,global-at-module-level,global-variable-undefined # Monitor for GetObject events from S3. @@ -57,8 +56,8 @@ def rule(event): # Filter: Roles that generate FP's if used from AWS IP Space if pattern_match_list(deep_get(event, "userIdentity", "arn"), _ALLOWED_ROLES): # Only Greynoise advanced provides AS organization info - if NOISE.subscription_level() == 'advanced': - if NOISE.organization() == 'Amazon.com, Inc.': + if NOISE.subscription_level() == "advanced": + if NOISE.organization() == "Amazon.com, Inc.": return False # return false if the role is seen and we are not able to valide the AS organization else: diff --git a/aws_cloudtrail_rules/aws_s3_bucket_deleted.py b/aws_cloudtrail_rules/aws_s3_bucket_deleted.py index dc0ea2527..cb05b41dd 100644 --- a/aws_cloudtrail_rules/aws_s3_bucket_deleted.py 
+++ b/aws_cloudtrail_rules/aws_s3_bucket_deleted.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py b/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
index e5042d551..245ac1988 100644
--- a/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
+++ b/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 # API calls that are indicative of KMS CMK Deletion
 S3_POLICY_CHANGE_EVENTS = {
diff --git a/aws_cloudtrail_rules/aws_security_configuration_change.py b/aws_cloudtrail_rules/aws_security_configuration_change.py
index 08f425f55..a0dad4dcf 100644
--- a/aws_cloudtrail_rules/aws_security_configuration_change.py
+++ b/aws_cloudtrail_rules/aws_security_configuration_change.py
@@ -1,7 +1,7 @@
 from fnmatch import fnmatch
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 SECURITY_CONFIG_ACTIONS = {
 "DeleteAccountPublicAccessBlock",
diff --git a/aws_cloudtrail_rules/aws_snapshot_made_public.py b/aws_cloudtrail_rules/aws_snapshot_made_public.py
index e1554778b..096b2f1c9 100644
--- a/aws_cloudtrail_rules/aws_snapshot_made_public.py
+++ b/aws_cloudtrail_rules/aws_snapshot_made_public.py
@@ -1,7 +1,7 @@
 from collections.abc import Mapping
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 def rule(event):
diff --git a/aws_cloudtrail_rules/aws_unauthorized_api_call.py b/aws_cloudtrail_rules/aws_unauthorized_api_call.py
index e2669698a..a4997895e 100644
--- a/aws_cloudtrail_rules/aws_unauthorized_api_call.py
+++ b/aws_cloudtrail_rules/aws_unauthorized_api_call.py
@@ -1,6 +1,6 @@
 from ipaddress import ip_address
-from panther_base_helpers import aws_strip_role_session_id, deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, aws_strip_role_session_id, deep_get
 # Do not alert on these access denied errors for these events.
 # Events could be exceptions because they are particularly noisy and provide little to no value,
diff --git a/aws_cloudtrail_rules/aws_update_credentials.py b/aws_cloudtrail_rules/aws_update_credentials.py
index ab2b1284e..3f7d1c972 100644
--- a/aws_cloudtrail_rules/aws_update_credentials.py
+++ b/aws_cloudtrail_rules/aws_update_credentials.py
@@ -1,5 +1,5 @@
 from panther import aws_cloudtrail_success
-from panther_base_helpers import deep_get, aws_rule_context
+from panther_base_helpers import aws_rule_context, deep_get
 UPDATE_EVENTS = {"ChangePassword", "CreateAccessKey", "CreateLoginProfile", "CreateUser"}
diff --git a/aws_guardduty_rules/aws_guardduty_high_sev_findings.py b/aws_guardduty_rules/aws_guardduty_high_sev_findings.py
index 3f309abb7..f5c20d413 100644
--- a/aws_guardduty_rules/aws_guardduty_high_sev_findings.py
+++ b/aws_guardduty_rules/aws_guardduty_high_sev_findings.py
@@ -1,4 +1,6 @@
 from panther_base_helpers import aws_rule_context
+
+
 def rule(event):
 return 7.0 <= float(event.get("severity", 0)) <= 8.9
diff --git a/aws_guardduty_rules/aws_guardduty_low_sev_findings.py b/aws_guardduty_rules/aws_guardduty_low_sev_findings.py
index 00d69a41d..be0e02a59 100644
--- a/aws_guardduty_rules/aws_guardduty_low_sev_findings.py
+++ b/aws_guardduty_rules/aws_guardduty_low_sev_findings.py
@@ -1,4 +1,6 @@
 from panther_base_helpers import aws_rule_context
+
+
 def rule(event):
 return 0.1 <= float(event.get("severity", 0)) <= 3.9
diff --git a/aws_guardduty_rules/aws_guardduty_med_sev_findings.py b/aws_guardduty_rules/aws_guardduty_med_sev_findings.py
index 8eb43b32f..50b2b75d1 100644
--- a/aws_guardduty_rules/aws_guardduty_med_sev_findings.py
+++ b/aws_guardduty_rules/aws_guardduty_med_sev_findings.py
@@ -1,4 +1,6 @@
 from panther_base_helpers import aws_rule_context
+
+
 def rule(event):
 return 4.0 <= float(event.get("severity", 0)) <= 6.9
diff --git a/aws_s3_rules/aws_s3_access_error.py b/aws_s3_rules/aws_s3_access_error.py
index 104d9b4e3..8978097df 100644
--- a/aws_s3_rules/aws_s3_access_error.py
+++ b/aws_s3_rules/aws_s3_access_error.py
@@ -1,4 +1,4 @@
-from panther_base_helpers import pattern_match, aws_rule_context
+from panther_base_helpers import aws_rule_context, pattern_match
 # https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
 HTTP_STATUS_CODES_TO_MONITOR = {
diff --git a/aws_s3_rules/aws_s3_access_ip_allowlist.py b/aws_s3_rules/aws_s3_access_ip_allowlist.py
index a276df3e6..9b4737549 100644
--- a/aws_s3_rules/aws_s3_access_ip_allowlist.py
+++ b/aws_s3_rules/aws_s3_access_ip_allowlist.py
@@ -1,4 +1,5 @@
 from ipaddress import ip_network
+
 from panther_base_helpers import aws_rule_context
 BUCKETS_TO_MONITOR = {
diff --git a/aws_s3_rules/aws_s3_insecure_access.py b/aws_s3_rules/aws_s3_insecure_access.py
index 3314952aa..b6402c615 100644
--- a/aws_s3_rules/aws_s3_insecure_access.py
+++ b/aws_s3_rules/aws_s3_insecure_access.py
@@ -1,4 +1,4 @@
-from panther_base_helpers import pattern_match, aws_rule_context
+from panther_base_helpers import aws_rule_context, pattern_match
 def rule(event):
diff --git a/aws_s3_rules/aws_s3_unauthenticated_access.py b/aws_s3_rules/aws_s3_unauthenticated_access.py
index d61a7035b..359f26c8c 100644
--- a/aws_s3_rules/aws_s3_unauthenticated_access.py
+++ b/aws_s3_rules/aws_s3_unauthenticated_access.py
@@ -1,4 +1,5 @@
 from panther_base_helpers import aws_rule_context
+
 # A list of buckets where authenticated access is expected
 AUTH_BUCKETS = {"example-bucket"}
diff --git a/aws_s3_rules/aws_s3_unknown_requester_get_object.py b/aws_s3_rules/aws_s3_unknown_requester_get_object.py
index deaab813c..6e0a62617 100644
--- a/aws_s3_rules/aws_s3_unknown_requester_get_object.py
+++ b/aws_s3_rules/aws_s3_unknown_requester_get_object.py
@@ -1,4 +1,5 @@
 from fnmatch import fnmatch
+
 from panther_base_helpers import aws_rule_context
 # pylint: disable=line-too-long
diff --git a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py b/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
index 53a3caf63..9ba16def7 100644
--- a/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
+++ b/aws_vpc_flow_rules/aws_vpc_healthy_log_status.py
@@ -1,4 +1,6 @@
 from panther_base_helpers import aws_rule_context
+
+
 def rule(event):
 return event.get("log-status") == "SKIPDATA"
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
index 3a7e8bde9..51d8e091e 100644
--- a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
+++ b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.py
@@ -1,4 +1,5 @@
 from ipaddress import ip_network
+
 from panther_base_helpers import aws_rule_context
 APPROVED_PORTS = {
diff --git a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
index 0dc0c0f9f..cb2ea4491 100644
--- a/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
+++ b/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.py
@@ -1,4 +1,5 @@
 from ipaddress import ip_network
+
 from panther_base_helpers import aws_rule_context
 CONTROLLED_PORTS = {
diff --git a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py b/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py
index 135b6c551..4519f7637 100644
--- a/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py +++ b/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.py @@ -1,4 +1,5 @@ from ipaddress import ip_network + from panther_base_helpers import aws_rule_context APPROVED_DNS_SERVERS = { diff --git a/data_models/gcp_data_model.py b/data_models/gcp_data_model.py index 5464bf8ce..2dfab6dd7 100644 --- a/data_models/gcp_data_model.py +++ b/data_models/gcp_data_model.py @@ -2,8 +2,8 @@ from fnmatch import fnmatch import panther_event_type_helpers as event_type -from panther_base_helpers import get_binding_deltas from panther_analysis_tool.enriched_event import PantherEvent +from panther_base_helpers import get_binding_deltas ADMIN_ROLES = { # Primitive Rolesx diff --git a/gcp_audit_rules/gcp_iam_org_folder_changes.py b/gcp_audit_rules/gcp_iam_org_folder_changes.py index 0603037e4..3943ff40b 100644 --- a/gcp_audit_rules/gcp_iam_org_folder_changes.py +++ b/gcp_audit_rules/gcp_iam_org_folder_changes.py @@ -1,12 +1,15 @@ from panther_base_helpers import deep_get + def rule(event): # Return True to match the log event and trigger an alert. logname = deep_get(event, "logName") - return deep_get(event, "protoPayload", "methodName") == "SetIamPolicy" and \ - (logname.startswith("organizations") or \ - logname.startswith("folder") ) and \ - logname.endswith("/logs/cloudaudit.googleapis.com%2Factivity") + return ( + deep_get(event, "protoPayload", "methodName") == "SetIamPolicy" + and (logname.startswith("organizations") or logname.startswith("folder")) + and logname.endswith("/logs/cloudaudit.googleapis.com%2Factivity") + ) + def title(event): # use unified data model field in title 
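Review bot: `rule()` still dereferences `logname` without guarding for a missing `logName` field, so an event that lacks it raises `AttributeError` on `logname.startswith(...)` rather than evaluating to False; the reformat leaves that unchanged. `deep_get` accepts a `default` keyword elsewhere in this diff, so `logname = deep_get(event, "logName", default="")` is enough to make the rule return False instead of erroring (how the runner treats a raised exception in a rule is not visible here, but a crash is not a detection either way). A short comment above the return such as `# Match only org-/folder-scoped SetIamPolicy calls recorded in the Admin Activity audit log` would also explain why the `%2Factivity` suffix is part of the condition.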
@@ -14,18 +17,22 @@ def title(event): f"{event.get('p_log_type')}: [{event.udm('actor_user')}] made manual changes to Org policy" ) + def alert_context(event): return { "actor": event.udm("actor_user"), - "policy_change": deep_get(event, "protoPayload", "serviceData", "policyDelta"), + "policy_change": deep_get(event, "protoPayload", "serviceData", "policyDelta"), "caller_ip": deep_get(event, "protoPayload", "requestMetadata", "callerIP"), - "user_agent": deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent") + "user_agent": deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent"), } + def severity(event): - if deep_get(event, - "protoPayload", - "requestMetadata", - "callerSuppliedUserAgent").lower().find('terraform') != -1: - return 'INFO' - return 'HIGH' + if ( + deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent") + .lower() + .find("terraform") + != -1 + ): + return "INFO" + return "HIGH" diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py index d1f81933e..7a0644d65 100644 --- a/global_helpers/panther_base_helpers.py +++ b/global_helpers/panther_base_helpers.py @@ -226,7 +226,7 @@ def slack_alert_context(event: dict): "actor-name": deep_get(event, "actor", "user", "name", default=""), "actor-email": deep_get(event, "actor", "user", "email", default=""), "actor-ip": deep_get(event, "context", "ip_address", default=""), - "user-agent": deep_get(event, "context", "ua", default="") + "user-agent": deep_get(event, "context", "ua", default=""), } diff --git a/global_helpers/panther_cloudflare_helpers.py b/global_helpers/panther_cloudflare_helpers.py index 8a517b259..3cf157c42 100644 --- a/global_helpers/panther_cloudflare_helpers.py +++ b/global_helpers/panther_cloudflare_helpers.py 
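Review bot: `severity()` lowers the alert to INFO whenever the user agent contains "terraform", but `callerSuppliedUserAgent` is, as the field name says, set by the client, so anyone with the permission to call SetIamPolicy on an org or folder can self-downgrade their own alert by sending a Terraform-like user agent; the reformat keeps that logic as is. It also calls `.lower()` on the result of `deep_get` with no default, so an event without that field raises `AttributeError` instead of returning a severity. I would at minimum use `deep_get(event, "protoPayload", "requestMetadata", "callerSuppliedUserAgent", default="")` and add `# NOTE: the user agent is client-controlled; the INFO downgrade is a noise hint, not a trust decision`, and consider keying the downgrade on the authenticated principal (for example a known automation service account) rather than on the UA string. `alert_context()` does the same no-default lookup for `user_agent` and would benefit from the same default.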
@@ -18,7 +18,7 @@ "botManagement": "Bot Management", "dlp": "Data Loss Prevention", "firewallManaged": "Firewall Managed Rules", - "firewallCustom": "Firewall Custom Rulesets" + "firewallCustom": "Firewall Custom Rulesets", } diff --git a/gsuite_activityevent_rules/gsuite_rule.py b/gsuite_activityevent_rules/gsuite_rule.py index bc3f7a7a1..33b0eee09 100644 --- a/gsuite_activityevent_rules/gsuite_rule.py +++ b/gsuite_activityevent_rules/gsuite_rule.py @@ -1,21 +1,26 @@ from panther_base_helpers import deep_get + def rule(event): if deep_get(event, "id", "applicationName") != "rules": return False - if not ( - deep_get(event, "parameters", "triggered_actions") - ): + if not deep_get(event, "parameters", "triggered_actions"): return False return True + def title(event): rule_severity = deep_get(event, "parameters", "severity") if deep_get(event, "parameters", "rule_name"): - return "GSuite " + rule_severity + " Severity Rule Triggered: " \ + return ( + "GSuite " + + rule_severity + + " Severity Rule Triggered: " + deep_get(event, "parameters", "rule_name") + ) return "GSuite " + rule_severity + " Severity Rule Triggered" + def severity(event): return deep_get(event, "parameters", "severity", default="INFO") diff --git a/slack_rules/slack_app_access_expanded.py b/slack_rules/slack_app_access_expanded.py index 81e178070..0003f5ddb 100644 --- a/slack_rules/slack_app_access_expanded.py +++ b/slack_rules/slack_app_access_expanded.py @@ -13,8 +13,10 @@ def rule(event): def title(event): - return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \ - f"Access Expanded by [{deep_get(event, 'actor', 'user', 'name')}]" + return ( + f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " + f"Access Expanded by [{deep_get(event, 'actor', 'user', 'name')}]" + ) def alert_context(event): diff --git a/slack_rules/slack_app_added.py b/slack_rules/slack_app_added.py index b2418ecd3..204eb2a4a 100644 --- a/slack_rules/slack_app_added.py +++ b/slack_rules/slack_app_added.py 
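Review bot: In `gsuite_rule.py`, `title()` concatenates `rule_severity` with `+` while `severity()` falls back to `default="INFO"`, so an event whose `parameters.severity` is absent makes `title()` raise `TypeError` (str + None) even though `rule()` matched it; the black reformat preserves this inconsistency. Use the same fallback in both places, `rule_severity = deep_get(event, "parameters", "severity", default="INFO")`, and the f-string form `return f"GSuite {rule_severity} Severity Rule Triggered: {deep_get(event, 'parameters', 'rule_name')}"` removes the multi-line concatenation black had to wrap. A one-line docstring on `rule()`, stating that it fires only for `applicationName == "rules"` events that carry a non-empty `triggered_actions`, would also help readers of the new layout.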
@@ -12,8 +12,10 @@ def rule(event):
 def title(event):
- return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \
- f"Added by [{deep_get(event, 'actor', 'user', 'name')}]"
+ return (
+ f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] "
+ f"Added by [{deep_get(event, 'actor', 'user', 'name')}]"
+ )
 def alert_context(event):
diff --git a/slack_rules/slack_app_removed.py b/slack_rules/slack_app_removed.py
index 19aaa7521..effe84cad 100644
--- a/slack_rules/slack_app_removed.py
+++ b/slack_rules/slack_app_removed.py
@@ -12,8 +12,10 @@ def rule(event):
 def title(event):
- return f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] " \
- f"Removed by [{deep_get(event, 'actor', 'user', 'name')}]"
+ return (
+ f"Slack App [{deep_get(event, 'entity', 'app', 'name')}] "
+ f"Removed by [{deep_get(event, 'actor', 'user', 'name')}]"
+ )
 def alert_context(event):
diff --git a/slack_rules/slack_idp_configuration_change.py b/slack_rules/slack_idp_configuration_change.py
index 5ebc6a039..62bc69312 100644
--- a/slack_rules/slack_idp_configuration_change.py
+++ b/slack_rules/slack_idp_configuration_change.py
@@ -1,6 +1,6 @@
 from panther_base_helpers import slack_alert_context
-IDP_CHANGE_ACTIONS ={
+IDP_CHANGE_ACTIONS = {
 "idp_configuration_added": "Slack IDP Configuration Added",
 "idp_configuration_deleted": "Slack IDP Configuration Deleted",
 "idp_prod_configuration_updated": "Slack IDP Configuration Updated",
diff --git a/slack_rules/slack_legal_hold_policy_modified.py b/slack_rules/slack_legal_hold_policy_modified.py
index 91fe849b7..26fc66eb3 100644
--- a/slack_rules/slack_legal_hold_policy_modified.py
+++ b/slack_rules/slack_legal_hold_policy_modified.py
@@ -15,8 +15,10 @@ def rule(event):
 def title(event): # Only the `legal_hold_policy_updated` event includes relevant data to deduplicate
 if event.get("action") == "legal_hold_policy_updated":
- return f"Slack Legal Hold Updated " \
- f"[{deep_get(event, 'details', 'old_legal_hold_policy', 'name')}]"
+ return (
+ f"Slack Legal Hold Updated "
+ f"[{deep_get(event, 'details', 'old_legal_hold_policy', 'name')}]"
+ )
 if event.get("action") in LEGAL_HOLD_POLICY_ACTIONS:
 return LEGAL_HOLD_POLICY_ACTIONS.get(event.get("action"))
 return "Slack Legal Hold Policy Modified"
diff --git a/slack_rules/slack_mfa_settings_changed.py b/slack_rules/slack_mfa_settings_changed.py
index a96b813a9..5f4c4213d 100644
--- a/slack_rules/slack_mfa_settings_changed.py
+++ b/slack_rules/slack_mfa_settings_changed.py
@@ -1,5 +1,6 @@
 from panther_base_helpers import slack_alert_context
+
 def rule(event):
 return event.get("action") == "pref.two_factor_auth_changed"