Kbroughton/gcp.iam.org folder policy changes #454
Conversation
kbroughton
requested review from
nhakmiller,
lindsey-w,
wey-chiang,
kostaspap and
k-bailey
as code owners
There was a problem hiding this comment.
One small suggestion otherwise LGTM. I'll let @wey-chiang or @k-bailey or @edyesed do final approval & merge
| deep_get(event, | ||
| "protoPayload", | ||
| "requestMetadata", | ||
| "callerSuppliedUserAgent").lower().find('terraform') == -1 |
There was a problem hiding this comment.
Just one thought, is there any value in still alerting in this case but using a custom severity function to set the severity to low or info? If you remove the last condition from here and added something like:
def severity(event):
if "callerSuppliedUserAgent").lower().find('terraform') == -1:
return 'INFO'
return 'HIGH'
Then it would create an alert in either case, but for the terraform ones it would be at INFO severity.
There was a problem hiding this comment.
Accepted change recommendation for severity
|
Hey @kbroughton it looks like there was a minor logic bug that was creating the opposite effect from what you wanted. I adjusted it and will have someone else on the team review and merge next week. Thanks for the submission. Test results pre change: |
|
Any news on this one? |
Background
Add a detection for changes to a GCP IAM organization or folder policy.
The detection checks if the user-agent has the word "terraform" in it.
Although this could be spoofed, it will reduce noise from a lot of valid IaC changes.
Changes
gcp_audit_rules/gcp_iam_org_folder_changes.py
gcp_audit_rules/gcp_iam_org_folder_changes.yml
Testing
This has be deployed for over a month in our Panther instance
and with panther_analysis_tool