chore: add units to alert_context on standard impossible travel #777
Merged
…leTravel computation
…vel detection, and hints about how to report geolocation inaccuracies
andrea-youwakim approved these changes on Jun 9, 2023

risto-liftoff pushed a commit to risto-liftoff/panther-analysis that referenced this pull request on Feb 29, 2024:
* Snowflake Query Updates p2 (panther-labs#718)
* Snowflake Query Updates p2
* fixing select on admin assigned query
* fixing tabs to spaces
* Query Fix: Making sure queries use fqtn (panther-labs#719)
* query fix: fqtn (panther-labs#720)
* gcp bigquery detections (panther-labs#716)
* gcp bigquery large query detection
* gcp destructive query detection
* gcp logging settings modified detection
* gcp cloud storage buckets modified or deleted (panther-labs#721)
* gcp cloud storage modified or deleted
* Double quote names and IDs the way that bulk download does (panther-labs#724)
* Added force ttl check option to kv-table functions (panther-labs#725)
* added force ttl check functionality to kv-table functions
* linting & formatting
* pr comment
* add ttl column to get requests where missing
* Snowflake queries minor fixes (panther-labs#728)
* feat: Snyk detections for OU changes and external access changes (panther-labs#729)
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
* Updated Atlassian impersonation detection displayname (panther-labs#730)
Co-authored-by: Ed <ed.anderson@panther.io>
* Adding Panther.Audit to the Greynoise LUTs (panther-labs#732)
* Adding Panther.Audit to the Greynoise LUTs
---------
Co-authored-by: Nicholas Kuligoski <nkulig@US-K272KJ4452.localdomain>
Co-authored-by: Ed <ed.anderson@panther.io>
* Feat/edyesed/snyk roles and svcaccts (panther-labs#731)
* feat: snyk rules that look for service accounts
* feat: Snyk rules for role changes
* New Snowflake Queries (panther-labs#733)
* New Snowflake Queries
* enriching test cases and alert titles to add context
* fix: default val in title
* Update queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml
Co-authored-by: Ed <ed.anderson@panther.io>
* Update queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml
Co-authored-by: Ed <ed.anderson@panther.io>
---------
Co-authored-by: Ed <ed.anderson@panther.io>
* fix: AWS ELBs now have TLS 1.3 SSL Policies (panther-labs#734)
* feat: Allow ELBs using the AWS TLSv1.3 SSL Policies to pass compliance tests
* Calkim dropbox (panther-labs#736)
* dropbox 2fa disabled
* dropbox ownership transfer
* dropbox external shares
* sign in as session detection
* dropbox many downloads many deletes
* Snowflake Scheduled Queries (panther-labs#737)
* Snowflake Scheduled Queries (panther-labs#737)
* updated pat dependency (panther-labs#738)
* Slack: User's role changed to User (panther-labs#693)
* Slack: Adding new rule to the Slack packs.
  - Adding Slack.AuditLogs.UserPrivilegeChangedToUser to the pack.
* Slack: New rule detecting when a Slack user's role changes to User.
  - A Slack user could have a role such as Owner or Admin or another type of role that Slack offers. This rule detects whether an account is moved from a non-user role and given the User role. Unfortunately Slack's audit logs do not offer 1) an endpoint like role_change_from... 2) the role that the account previously held, such as the Owner or Admin role.
* Slack: Fixed username's default value
* Slack: Change severity to High if not role_changed_to_user
  - Severity is high as the test changes the role to admin.
  - This case should be caught by other detections.
* Slack: Severity is defined in the yml file.
* fix formatting
* Update rules/slack_rules/slack_privilege_changed_to_user.py
  Thanks! Tested this and got the same results. Not sure why I made this more complicated than it needed to be :(
Co-authored-by: Ed <ed.anderson@panther.io>
* Update slack_privilege_changed_to_user.py
* Adding a more realistic fake IP address
---------
Co-authored-by: Ed <ed.anderson@panther.io>
* chore: update github asana action (panther-labs#740)
* fix: add Zeek ip addresses to LUTs (panther-labs#739)
* feat: More Snyk Detections (panther-labs#741)
* feat: more snyk detections, and extension of the snyk pack
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* gcp detections (panther-labs#727)
* gcp permissions granted to create or manage service account keys
* GCP IAP protected service user added
* GCP service account or key created
* Crowdstrike embargoed (panther-labs#743)
* crowdstrike embargoed countries
* added crowdstrike data model
* cs network connection alert context
* crowdstrike parent child process detection (panther-labs#742)
  crowdstrike system log tampering, crowdstrike credential dumping tool, crypto mining detection
* crowdstrike detections pt2 (panther-labs#744)
* crowdstrike remote access tool execution
* remove asana github action
* crowdstrike reverse shell tool
* wmic query detection
* missing event in deep_get (panther-labs#746)
* Salesforce loginas detection: Alerts when an admin logs in as another user (panther-labs#747)
* New Salesforce Detection: Alerts when an admin logs in as another user
* linting and fmt
* lint
* display name fix
* Crowdstrike FDR (panther-labs#745)
* Additional crowdstrike detections
* Crowdstrike FDR UDM
* updated udm
* added get_process_name
* test cases and tuning
* minor updates to yml
* initial aws dns data model
* initial data model
* added defang function
* corrected method
* new rules
* linting
* removing connection to malicious site
* remove suspicious downloads
* added process context
* linting
* small fix
* moved to standard directory
* linting
* updated base64 regex
* update logic and title
* updated title
* linting
* Safely handle a potential KeyError inside zoom operation passcode disabled (panther-labs#749)
* Safely handle zoom non-update events
* chore: downgrades log4j alert severity (panther-labs#751)
* chore: there was a little copy-pasta in the global filter yaml file for snyk (panther-labs#752)
* Adding global helpers for Auth0 (panther-labs#753)
* Adding global helpers for Auth0
* fixing lint
* adding test cases in global_helpers
* linting- user-agent val too long, removed it from test since it isn't part of any checks
* scrubbing event data
* feat: Tines.Audit detections and pack (panther-labs#754)
* A detection for Tines SSO settings changing and a pack to contain it
* feat: Tines detections for API Tokens and CustomCA (panther-labs#755)
* bump PAT version to 0.22.1 (panther-labs#756)
* removing detections as code owners (panther-labs#757)
Co-authored-by: Max Richmond <maxrichmond@panther.com>
* New: Auth0 Detections and Pack (panther-labs#758)
* New: Auth0 Detections and Pack
* json indexing fix
* classic fmt
* minor changes, log sanitization
* chore: add a clickable link to snyk alert_context to identify users (panther-labs#760)
* chore: add a clickable link to snyk alert_context to identify users
* add fdr detections to pack (panther-labs#748)
* Adding credential security pack (panther-labs#761)
* Adding credential security pack
* Update credential_security.yml
* Alphabetize rules
Co-authored-by: Ed <ed.anderson@panther.io>
* removed disabled detections
---------
Co-authored-by: Ed <ed.anderson@panther.io>
* chore: update panther_analysis_tool (panther-labs#762)
* fix: panther_oss_helpers.set_key_expiration should make an effort to turn epoch_seconds kwarg into an int (panther-labs#764)
* fix: panther_oss_helpers.set_key_expiration should make an effort to turn epoch_seconds kwarg into an int
* fix: get unit testing and mocks in place for panther_oss_helper functions
* fix: some cache ttls were getting stringified, which leads to dynamodb silently not expiring them (panther-labs#763)
* feat: a generic approach to impossible travel for login style events (panther-labs#766)
* fix: When Snyk users are added via SAML, the userId on the audit log entry is the same as the userid of the added user (panther-labs#768)
* fix: When Snyk users are added via SAML, the userId on the record is the same as the userId of the user being added
* feat: extend the Standard.ImpossibleTravel.Login detection to include Okta.SystemLog logtype (panther-labs#770)
* fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflare blocked alerts due to cloudflare having blocked the request (panther-labs#769)
* fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflare blocked alerts due to cloudflare having blocked the requests
* chore: tweak the request volume for cloudflare + bots + greynoise
* gcp_alert_context (panther-labs#765)
* removing dupe cloudflare test case (panther-labs#773)
* Notion Global Helpers and Filters (panther-labs#772)
* Notion Global Helpers and Filters
* fmt and lint
* Update global_filter_notion.py
* Improve Greynoise and IPInfo Helpers (panther-labs#759)
* improve greynoise helpers add unit tests
* checkpoint
* more tests, update ipinfo
* fix linter complaints
* fix linter complaints
* fix linter complaints
* fix linter complaints
* fix linter complaints
* fix linter complaints
* fix linter complaints
* fix linter complaints
* respond to PR
* respond to PR
* update min/max code per @debugmiller suggestion
* add crowdstrike data model to pack (panther-labs#775)
* New: Notion Detections, Pack, Pat Version Upgrade (panther-labs#774)
* New: Notion Detections, Pack, Pat Version Upgrade
* update pipfile
---------
Co-authored-by: Calvin Kim <calvin.kim@panther.com>
* Fix: snyk SAML IdP initiated user-adds are attributed to the user being added (panther-labs#771)
* fix: When Snyk users are added via SAML, the userId on the record is the same as the userId of the user being added
* feat: a make target that will configure VSCode in some helpful ways (panther-labs#776)
* feat: make vscode-config in order to configure your vscode to work in this repo
* chore: add units to alert_context on standard impossible travel (panther-labs#777)
* chore: it is helpful for responders to know the units in the ImpossibleTravel computation and hints about how to report geolocation inaccuracies
* deprecate dynamo encryption policy (panther-labs#778)
* fix: Standard.ImpossibleTravel.Login should not alert on VPN or ApplePrivateRelay (panther-labs#780)
* fix: Standard.ImpossibleTravel.Login should not alert on VPN or ApplePrivateRelay
* Add detections for GCP DNS zone operations (panther-labs#779)
* Rules: Tines Actions Disabled Change (panther-labs#781)
* Rules: Adding Tines rule for Actions Disabled Changes.
  - Detects if the operation_name is ActonsDisabledChange.
---------
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
Co-authored-by: Ed <ed.anderson@panther.io>
* fix: impossible travel short distances tweak (panther-labs#783)
* fix: add some jitter for likely geoip based inaccuracies
* fix: formatting wanted to reorder imports on gcp_dns_zone_modified_or_deleted
* add: github rule add org moderator (panther-labs#782)
* add: github rule add org moderator
* remove dynamo encryption policy from pack (panther-labs#784)
* Create detection for GCP firewall rule modifications (panther-labs#785)
* Create detection for GCP firewall rule modifications
* Address PR comments
* fmt
* tune embargo country detection to low (panther-labs#790)
* fix: tines_actions_disabled should use the global filter (panther-labs#792)
* feat: Notion audit log exported detection (panther-labs#793)
* feat: Notion audit log exported detection
* add: github org moderators add rule to pack (panther-labs#797)
* Alias column names with invalid characters (panther-labs#802)
* add: notion rule many pages deleted (panther-labs#795)
* add: notion rule many pages deleted
* nit: tabs
* fix: test fixture
* refactor: add to pack & severity
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* Add detection for GCP firewall rule creations (panther-labs#791)
* Add detection for GCP firewall rule deletions (panther-labs#794)
* Add detections for GCP logging bucket or sink deletions (panther-labs#798)
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
* Add detections for GCP logging sink modifications (panther-labs#799)
* Add detection for denied GCP service account access (panther-labs#801)
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
* Allow for any API version for certain GCP detections (panther-labs#803)
* add: notion rule scim token generated (panther-labs#796)
* add: notion rule scim token generated
* fmt
* refactor: add to pack & severity
* add: title
* feedback
* add token id
* fmt
* lint
* Update rules/notion_rules/notion_scim_token_generated.py
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* fmt
* fixing dot notation attempt in deep_get
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
Co-authored-by: andrea-youwakim <andrea.youwakim@panther.io>
* Rule: Notion public homepage added (panther-labs#806)
* Rule: New Notion rule for workspace public page added.
* Rule: Updated the RuleID
* Rule: Fixed the Log sample for the tests and added a failure case.
  - The Public page added test included event which caused the notion_alert_context to fail. Removing event from the log resolves this problem.
  - Removed the deep_get for event as well.
  - Added a failure case, Workspace Exported.
* formatting
* Rule: Added rule ID to Notion pack and resolved review comments.
  - Added square brackets around interpolated values.
  - Removed tags from the yml file.
* putting the square brackets in the right place
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* Update README (panther-labs#808)
  The initial setup verification isn't quite right.
* fix: restore the has_exit_nodes() method to TorExitNodes class (panther-labs#810)
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* Tines Rule - Global Resource Destruction (panther-labs#786)
* Tines Rule - Global Resource Destruction
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* feat: Add detection for Notion SAML SSO configuration change (panther-labs#805)
* Added rule: Auth0 User Joined Tenant (panther-labs#807)
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
* auth0 mfa enabled detection (panther-labs#811)
* auth0 mfa enabled detection
---------
Co-authored-by: Nick Koukounakis <nick.koukounakis@panther.com>
* feat: new auth0_integration_installed detection (panther-labs#815)
* feat: new auth0_integration_installed detection
---------
Co-authored-by: George Simos <george.simos@panther.com>
* Add detection for user invitations to tenants and organizations (panther-labs#816)
* add Crowdstrike.Macos.Add.Trusted.Cert (panther-labs#820)
* fix: lookuptables base class needs to be in the pack.yml for all artifacts that leverage it (panther-labs#821)
* fix: lookuptables base class needs to be in the pack.yml for all artifacts that leverage the lookuptables base class
* fix: aws pack included a greynoise importing rule
---------
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
* fix: cloudflare pack also needed panther_base_helpers for deep_get (panther-labs#822)
* [sync-from-upstream] Add git_config_pull_rebase: false
---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
Co-authored-by: Dana Katzenelson <dekatzenel@gmail.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ed <ed.anderson@panther.io>
Co-authored-by: mbellifa <mohammed.bellifa@gmail.com>
Co-authored-by: nkulig <88459023+nkulig@users.noreply.github.com>
Co-authored-by: Nicholas Kuligoski <nkulig@US-K272KJ4452.localdomain>
Co-authored-by: Andrew Miotke <8988647+miotke@users.noreply.github.com>
Co-authored-by: Lucy Suddenly <43256356+LucySuddenly@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: jzandona <79932094+jzandona@users.noreply.github.com>
Co-authored-by: allanbreyes <allanbreyes@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Co-authored-by: Max Richmond <46904505+maxrichie5@users.noreply.github.com>
Co-authored-by: Max Richmond <maxrichmond@panther.com>
Co-authored-by: Russell Leighton <russell.leighton@runpanther.io>
Co-authored-by: Calvin Kim <calvin.kim@panther.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: andrea-youwakim <andrea.youwakim@panther.io>
Co-authored-by: Jim Kalafut <jim.kalafut@panther.com>
Co-authored-by: Josh Esbrook <101294262+josh-panther@users.noreply.github.com>
Co-authored-by: Nick Koukounakis <nick.koukounakis@runpanther.io>
Co-authored-by: George Simos <admin@georgesimos.com>
Background
It's helpful for responders to have the units of measurement in the alert context and in the title.
This PR also adds a link in the detection's runbook for how to inform IPInfo that an address has been incorrectly geolocated, should a user report that they are indeed not in some distant geography relative to their last login.
Changes
Testing
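An added illustration of the point the PR description makes (this is example code written for this page, not the panther-analysis detection itself): an impossible-travel computation whose alert_context keys and alert title state their units, so a responder never has to guess whether a distance is kilometres or miles or whether a speed is km/h. The login record shape, the plausibility threshold, the minimum distance used to absorb GeoIP jitter, and the helper names are all assumptions constructed for the example; the geolocation note in the context mirrors the runbook hint the PR adds, without naming a specific provider URL.

```python
"""Impossible-travel metrics with explicit units in alert_context and title.

Example code for this page, not the panther-analysis rule. Login records,
thresholds and helper names are constructed assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0          # mean Earth radius used by the haversine formula
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0           # assumed: below this, GeoIP jitter makes speed meaningless

# Constructed sample logins; 'time' is ISO-8601 with an explicit UTC offset.
LOGIN_LONDON = {"time": "2023-06-09T10:00:00+00:00", "lat": 51.5074, "lon": -0.1278,
                "city": "London", "ip": "203.0.113.10"}
LOGIN_NEW_YORK = {"time": "2023-06-09T11:00:00+00:00", "lat": 40.7128, "lon": -74.0060,
                  "city": "New York", "ip": "198.51.100.20"}
# Two points about 28 km apart one minute apart: a huge implied speed, but the
# distance is inside the GeoIP jitter band, so it should not alert.
LOGIN_NEAR_A = {"time": "2023-06-09T12:00:00+00:00", "lat": 51.5, "lon": 0.0,
                "city": "Town A", "ip": "203.0.113.50"}
LOGIN_NEAR_B = {"time": "2023-06-09T12:01:00+00:00", "lat": 51.5, "lon": 0.4,
                "city": "Town B", "ip": "203.0.113.51"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_metrics(prev_login, curr_login):
    """Distance, elapsed time and implied speed between two logins.

    Every numeric key carries its unit in its name (km, hours, kmh).
    """
    t_prev = datetime.fromisoformat(prev_login["time"])
    t_curr = datetime.fromisoformat(curr_login["time"])
    hours = (t_curr - t_prev).total_seconds() / 3600.0
    km = haversine_km(prev_login["lat"], prev_login["lon"],
                      curr_login["lat"], curr_login["lon"])
    # Same-second logins would divide by zero; treat that as infinite speed.
    kmh = km / hours if hours > 0 else float("inf")
    return {"distance_km": round(km, 1),
            "elapsed_hours": round(hours, 2),
            "speed_kmh": round(kmh, 1)}


def is_impossible_travel(metrics):
    """Alert only when the distance is large enough to trust and the speed is implausible."""
    return (metrics["distance_km"] >= MIN_DISTANCE_KM
            and metrics["speed_kmh"] > MAX_PLAUSIBLE_SPEED_KMH)


def alert_context(prev_login, curr_login, metrics):
    """Responder-facing context: unit-suffixed numbers plus a geolocation hint."""
    return {
        "previous_login": {"ip": prev_login["ip"], "city": prev_login["city"],
                           "time_utc": prev_login["time"]},
        "current_login": {"ip": curr_login["ip"], "city": curr_login["city"],
                          "time_utc": curr_login["time"]},
        "distance_km": metrics["distance_km"],
        "elapsed_hours": metrics["elapsed_hours"],
        "speed_kmh": metrics["speed_kmh"],
        "max_plausible_speed_kmh": MAX_PLAUSIBLE_SPEED_KMH,
        "geolocation_note": ("If the user confirms they were not at the reported "
                             "location, report the IP to the GeoIP provider for correction."),
    }


def title(user, metrics):
    """Alert title with units spelled out inline."""
    return (f"Impossible travel for [{user}]: {metrics['distance_km']} km in "
            f"{metrics['elapsed_hours']} h ({metrics['speed_kmh']} km/h)")


def evaluate(prev_login, curr_login, user="alice"):
    """Run the whole pipeline for one login pair; returns (fires, context, title)."""
    metrics = travel_metrics(prev_login, curr_login)
    fires = is_impossible_travel(metrics)
    return fires, alert_context(prev_login, curr_login, metrics), title(user, metrics)


if __name__ == "__main__":
    for pair in ((LOGIN_LONDON, LOGIN_NEW_YORK), (LOGIN_NEAR_A, LOGIN_NEAR_B)):
        fires, ctx, ttl = evaluate(*pair)
        print(fires, ttl)
        print(ctx)
```

The second sample pair is the case the short-distance jitter fix in the commit log is about: the implied speed is far above the threshold, yet the two points are close enough that a GeoIP misplacement explains it, so the minimum-distance guard keeps the rule quiet.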