From 538c5db4e6f4e3f9a36df98596636d1b1866d0c9 Mon Sep 17 00:00:00 2001
From: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Date: Tue, 9 Apr 2024 17:05:52 +0300
Subject: [PATCH] Add MongoDB.Logging.Toggled rule (#1203)
---
 packs/mongodb.yml | 1 +
 .../mongodb_rules/mongodb_logging_toggled.py | 14 +++++
 .../mongodb_rules/mongodb_logging_toggled.yml | 59 +++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 rules/mongodb_rules/mongodb_logging_toggled.py
 create mode 100644 rules/mongodb_rules/mongodb_logging_toggled.yml
diff --git a/packs/mongodb.yml b/packs/mongodb.yml
index b7843c4a5..9dca2905a 100644
--- a/packs/mongodb.yml
+++ b/packs/mongodb.yml
@@ -13,6 +13,7 @@ PackDefinition:
 - MongoDB.2FA.Disabled
 - MongoDB.Identity.Provider.Activity
 - MongoDB.External.UserInvited.NoConfig
+ - MongoDB.Logging.Toggled
 # Globals
 - panther_base_helpers
 - panther_mongodb_helpers
diff --git a/rules/mongodb_rules/mongodb_logging_toggled.py b/rules/mongodb_rules/mongodb_logging_toggled.py
new file mode 100644
index 000000000..18d6c1ba6
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_logging_toggled.py
@@ -0,0 +1,14 @@
+from panther_mongodb_helpers import mongodb_alert_context
+
+
+def rule(event):
+ return event.deep_get("eventTypeName", default="") == "AUDIT_LOG_CONFIGURATION_UPDATED"
+
+
+def title(event):
+ user = event.deep_get("username", default="")
+ return f"MongoDB: [{user}] has changed logging configuration."
+
+
+def alert_context(event):
+ return mongodb_alert_context(event)
diff --git a/rules/mongodb_rules/mongodb_logging_toggled.yml b/rules/mongodb_rules/mongodb_logging_toggled.yml
new file mode 100644
index 000000000..6c817bc9c
--- /dev/null
+++ b/rules/mongodb_rules/mongodb_logging_toggled.yml
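Review bot: `rule` fires on every `AUDIT_LOG_CONFIGURATION_UPDATED` event, so an administrator enabling auditing or narrowing its filter produces the same alert as one switching audit logging off, and neither `title` nor `alert_context` surfaces which direction the change went. Nothing in the hunk inspects the event payload, so this is by design, but the file should say so for whoever triages it: a module-level comment such as `# AUDIT_LOG_CONFIGURATION_UPDATED is emitted for enable, disable and filter changes alike; the new configuration is not in the alert, so triage must check the project's current audit settings in Atlas` would prevent the "Toggled" name being read as "disabled". If the Atlas event carries the resulting configuration (the fixture's `currentValue` is empty, so that cannot be confirmed from this patch), adding it to `alert_context` would let the detection tell a hardening change from a defense-impairing one. The hard-coded event name would also read better as a module constant (`EVENT_TYPE = "AUDIT_LOG_CONFIGURATION_UPDATED"`) so the test fixture and the rule refer to one definition.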
@@ -0,0 +1,59 @@
+AnalysisType: rule
+Description: "MongoDB logging toggled"
+DisplayName: "MongoDB logging toggled"
+Enabled: true
+Filename: mongodb_logging_toggled.py
+Severity: Low
+Reference: https://attack.mitre.org/techniques/T1562/008/
+Tests:
+ - ExpectedResult: false
+ Log:
+ created: "2023-06-07 16:57:55"
+ currentValue: {}
+ eventTypeName: CAT_JUMPED
+ id: 6480b7139bd8a012345ABCDE
+ isGlobalAdmin: false
+ links:
+ - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+ rel: self
+ orgId: 12345xyzlmnce4f17d6e8e130
+ p_event_time: "2023-06-07 16:57:55"
+ p_log_type: MongoDB.OrganizationEvent
+ p_parse_time: "2023-06-07 17:04:42.59"
+ p_row_id: ea276b16216684d9e198c0d0188a3d
+ p_schema_version: 0
+ p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+ p_source_label: MongoDB
+ remoteAddress: 1.2.3.4
+ targetUsername: insider@company.com
+ userId: 647f654f93bebc69123abc1
+ username: user@company.com
+ Name: Random event
+ - ExpectedResult: true
+ Log:
+ created: "2023-06-07 16:57:55"
+ currentValue: {}
+ eventTypeName: AUDIT_LOG_CONFIGURATION_UPDATED
+ id: 6480b7139bd8a012345ABCDE
+ isGlobalAdmin: false
+ links:
+ - href: https://cloud.mongodb.com/api/atlas/v1.0/orgs/12345xyzlmnce4f17d6e8e130/events/6480b7139bd8a012345ABCDE
+ rel: self
+ orgId: 12345xyzlmnce4f17d6e8e130
+ p_event_time: "2023-06-07 16:57:55"
+ p_log_type: MongoDB.OrganizationEvent
+ p_parse_time: "2023-06-07 17:04:42.59"
+ p_row_id: ea276b16216684d9e198c0d0188a3d
+ p_schema_version: 0
+ p_source_id: 7c3cb124-9c30-492c-99e6-46518c232d73
+ p_source_label: MongoDB
+ remoteAddress: 1.2.3.4
+ targetUsername: insider@company.com
+ userId: 647f654f93bebc69123abc1
+ username: user@company.com
+ Name: Logging toggled
+DedupPeriodMinutes: 60
+LogTypes:
+ - MongoDB.ProjectEvent
+RuleID: "MongoDB.Logging.Toggled"
+Threshold: 1
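Review bot: `LogTypes` binds the rule to `MongoDB.ProjectEvent`, yet both test fixtures carry `p_log_type: MongoDB.OrganizationEvent` and an org-scoped `links.href`, so the unit tests exercise a different log source from the one the rule will actually see; confirm against the Atlas event reference which scope emits `AUDIT_LOG_CONFIGURATION_UPDATED` and align the fixtures (or `LogTypes`) with it. As far as I can tell the Panther test runner does not compare `p_log_type` with `LogTypes`, so this mismatch passes CI silently and would only show up as a rule that never fires in production. `Description` and `DisplayName` are identical and neither names the event or its impact; something like `Description: "An Atlas audit log configuration was updated (enabled, disabled or filter changed), which can impair audit visibility (MITRE T1562.008)."` gives the analyst the context the title lacks. A `Runbook:` entry directing the analyst to verify the project's current audit configuration and the actor's authorization would round out the rule metadata.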