Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: user and roles query in GCP data model #480

Merged
merged 2 commits into from
Aug 29, 2022
Merged

fix: user and roles query in GCP data model #480

merged 2 commits into from
Aug 29, 2022

Conversation

Jeffreyhung
Copy link
Contributor

Background

Previously the GCP Data Model has an incorrect mapping for users and roles, which makes detection rules like Standard.AdminRoleAssigned to throw an incorrect title when it comes to GCP Admin Assigned alerts.
For example, the tests in the Standard.AdminRoleAssigned rule will throw the following alert title:

GCP.AuditLog: [bob@example.com] assigned admin privileges [["cat@example.com"]] to [["roles/resourcemanager.organizationAdmin"]]
GCP.AuditLog: [bob@example.com] assigned admin privileges [["cat@example.com", "dog@example.com"]] to [["roles/resourcemanager.organizationAdmin", "roles/owner"]]

Changes

The query in gcp_data_model.py for get_modified_users and get_iam_roles are reversed, swapping them fixed the issue.
Previously:

def get_modified_users(event):
    roles_assigned = get_admin_map(event)

    return json.dumps(list(roles_assigned.values()), default=PantherEvent.json_encoder)


def get_iam_roles(event):
    roles_assigned = get_admin_map(event)

    return json.dumps(list(roles_assigned.keys()), default=PantherEvent.json_encoder)

After changes:

def get_modified_users(event):
    roles_assigned = get_admin_map(event)

    return json.dumps(list(roles_assigned.keys()), default=PantherEvent.json_encoder)


def get_iam_roles(event):
    roles_assigned = get_admin_map(event)

    return json.dumps(list(roles_assigned.values()), default=PantherEvent.json_encoder)

Testing

After the changes, the Standard.AdminRoleAssigned rule will now show the correct title for test GCP alerts:

GCP.AuditLog: [bob@example.com] assigned admin privileges [["roles/resourcemanager.organizationAdmin"]] to [["cat@example.com"]]
GCP.AuditLog: [bob@example.com] assigned admin privileges [["roles/resourcemanager.organizationAdmin", "roles/owner"]] to [["cat@example.com", "dog@example.com"]]

@Jeffreyhung Jeffreyhung requested review from a team August 18, 2022 19:50
@Jeffreyhung Jeffreyhung changed the title Fix user and roles query in GCP data model fix: user and roles query in GCP data model Aug 18, 2022
edyesed
edyesed approved these changes Aug 29, 2022
View reviewed changes
Copy link
Contributor

@edyesed edyesed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this submission

@edyesed edyesed merged commit bcb4026 into panther-labs:master Aug 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edyesed edyesed edyesed approved these changes

@nhakmiller nhakmiller Awaiting requested review from nhakmiller

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Jeffreyhung @edyesed