Add MongoDB.Logging.Toggled rule (#1203)

panther-labs · Apr 9, 2024 · 538c5db · 538c5db
1 parent 3754885
commit 538c5db
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
@@ -13,6 +13,7 @@ PackDefinition:
     - MongoDB.2FA.Disabled
     - MongoDB.Identity.Provider.Activity
     - MongoDB.External.UserInvited.NoConfig
+    - MongoDB.Logging.Toggled
     # Globals
     - panther_base_helpers
     - panther_mongodb_helpers

diff --git a/rules/mongodb_rules/mongodb_logging_toggled.py b/rules/mongodb_rules/mongodb_logging_toggled.py
@@ -0,0 +1,14 @@
+from panther_mongodb_helpers import mongodb_alert_context
+
+
+def rule(event):
+    return event.deep_get("eventTypeName", default="") == "AUDIT_LOG_CONFIGURATION_UPDATED"
+
+
+def title(event):
+    user = event.deep_get("username", default="<USER_NOT_FOUND>")
+    return f"MongoDB: [{user}] has changed logging configuration."
+
+
+def alert_context(event):
+    return mongodb_alert_context(event)
diff --git a/rules/mongodb_rules/mongodb_logging_toggled.yml b/rules/mongodb_rules/mongodb_logging_toggled.yml
@@ -0,0 +1,59 @@
+AnalysisType: rule
+Description: "MongoDB logging toggled"
+DisplayName: "MongoDB logging toggled"
+Enabled: true
+Filename: mongodb_logging_toggled.py
+Severity: Low
+Reference: https://attack.mitre.org/techniques/T1562/008/
+Tests:
+  - ExpectedResult: false
+    Log:
+      created: "2023-06-07 16:57:55"
+      currentValue: {}
+      eventTypeName: CAT_JUMPED
+      id: 6480b7139bd8a012345ABCDE
+      isGlobalAdmin: false
+      links:
+        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+          rel: self
+      orgId: 12345xyzlmnce4f17d6e8e130
+      p_event_time: "2023-06-07 16:57:55"
+      p_log_type: MongoDB.OrganizationEvent
+      p_parse_time: "2023-06-07 17:04:42.59"
+      p_row_id: ea276b16216684d9e198c0d0188a3d
+      p_schema_version: 0
+      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+      p_source_label: MongoDB
+      remoteAddress: 1.2.3.4
+      targetUsername: insider@company.com
+      userId: 647f654f93bebc69123abc1
+      username: user@company.com
+    Name: Random event
+  - ExpectedResult: true
+    Log:
+      created: "2023-06-07 16:57:55"
+      currentValue: {}
+      eventTypeName: AUDIT_LOG_CONFIGURATION_UPDATED
+      id: 6480b7139bd8a012345ABCDE
+      isGlobalAdmin: false
+      links:
+        - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+          rel: self
+      orgId: 12345xyzlmnce4f17d6e8e130
+      p_event_time: "2023-06-07 16:57:55"
+      p_log_type: MongoDB.OrganizationEvent
+      p_parse_time: "2023-06-07 17:04:42.59"
+      p_row_id: ea276b16216684d9e198c0d0188a3d
+      p_schema_version: 0
+      p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+      p_source_label: MongoDB
+      remoteAddress: 1.2.3.4
+      targetUsername: insider@company.com
+      userId: 647f654f93bebc69123abc1
+      username: user@company.com
+    Name: Logging toggled
+DedupPeriodMinutes: 60
+LogTypes:
+  - MongoDB.ProjectEvent
+RuleID: "MongoDB.Logging.Toggled"
+Threshold: 1