Merge branch 'main' into notion-updates

panther-labs · Jan 16, 2024 · 8e06a57 · 8e06a57
2 parents a519c40 + c63982e
commit 8e06a57
Show file tree

Hide file tree

Showing 198 changed files with 1,290 additions and 216 deletions.
diff --git a/.github/workflows/lint-test.yml → .github/workflows/lint.yml b/.github/workflows/lint-test.yml → .github/workflows/lint.yml
@@ -17,8 +17,8 @@
 on: pull_request
 
 jobs:
-  make_lint:
-    name: lint and test
+  lint:
+    name: Lint
     runs-on: ubuntu-latest
 
     steps:
@@ -41,6 +41,3 @@ jobs:
 
       - name: make lint
         run: make lint
-
-      - name: make test
-        run: make test
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,28 @@
+on: pull_request
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout panther-analysis
+        uses: actions/checkout@v4
+
+      - name: Set python version  
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Install
+        run: make install
+
+      - name: Setup venv
+        run: make venv
+
+      - name: test
+        run: |
+          pipenv run panther_analysis_tool test --api-host ${{ secrets.API_HOST }} --api-token ${{ secrets.API_TOKEN }}
diff --git a/.github/workflows/upload.yml b/.github/workflows/upload.yml
@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  upload:
+    name: 
+    runs-on: ubuntu-latest
+    env:
+      API_HOST: ${{ secrets.API_HOST }}
+      API_TOKEN: ${{ secrets.API_TOKEN }}
+    steps:
+      - name: Validate Secrets
+        if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+        run: |
+          echo "API_HOST or API_TOKEN not set"
+          exit 0
+
+      - name: Checkout panther-analysis
+        uses: actions/checkout@v4
+
+      - name: Set python version  
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Install
+        run: make install
+
+      - name: Setup venv
+        run: make venv
+
+      - name: upload
+        run: |
+            pipenv run panther_analysis_tool upload --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -0,0 +1,36 @@
+on: pull_request
+
+jobs:
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    env:
+      API_HOST: ${{ secrets.API_HOST }}
+      API_TOKEN: ${{ secrets.API_TOKEN }}
+    steps:
+      - name: Validate Secrets
+        if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+        run: |
+          echo "API_HOST or API_TOKEN not set"
+          exit 0
+
+      - name: Checkout panther-analysis
+        uses: actions/checkout@v4
+
+      - name: Set python version  
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Install
+        run: make install
+
+      - name: Setup venv
+        run: make venv
+
+      - name: validate
+        run: |
+            pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
@@ -7,6 +7,7 @@
 from functools import reduce
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
+from panther_config import config
 
 # # # # # # # # # # # # # #
 #       Exceptions        #
@@ -35,47 +36,36 @@ def in_pci_scope_tags(resource):
     return resource["Tags"].get(CDE_TAG_KEY) == CDE_TAG_VALUE
 
 
+PCI_NETWORKS = config.PCI_NETWORKS
 # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked
 # Returns True if any ip in the range is marked as in scope
-PCI_NETWORKS = [
-    ip_network("10.0.0.0/24"),
-]
-
-
 def is_pci_scope_cidr(ip_range):
     return any(ip_network(ip_range).overlaps(pci_network) for pci_network in PCI_NETWORKS)
 
 
+DMZ_NETWORKS = config.DMZ_NETWORKS
 # Expects a string in cidr notation (e.g. '10.0.0.0/24') indicating the ip range being checked
 # Returns True if any ip in the range is marked as DMZ space.
-DMZ_NETWORKS = [
-    ip_network("10.1.0.0/24"),
-    ip_network("100.1.0.0/24"),
-]
-
-
 def is_dmz_cidr(ip_range):
     """This function determines whether a given IP range is within the defined DMZ IP range."""
     return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS)
 
 
-DMZ_TAG_KEY = "environment"
-DMZ_TAG_VALUE = "dmz"
-
-
 # Defaults to False to assume something is not a DMZ if it is not tagged
-def is_dmz_tags(resource):
+def is_dmz_tags(resource, dmz_tags):
     """This function determines whether a given resource is tagged as existing in a DMZ."""
     if resource["Tags"] is None:
         return False
-    return resource["Tags"].get(DMZ_TAG_KEY) == DMZ_TAG_VALUE
+    for key, value in dmz_tags:
+        if resource["Tags"].get(key) == value:
+            return True
+    return False
 
 
 # Function variables here so that implementation details of these functions can be changed without
 # having to rename the function in all locations its used, or having an outdated name on the actual
 # function being used, etc.
 IN_PCI_SCOPE = in_pci_scope_tags
-IS_DMZ = is_dmz_tags
 
 # # # # # # # # # # # # # #
 #      GSuite Helpers     #

diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py
@@ -13,3 +13,17 @@
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
 TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS
+
+DMZ_NETWORKS = [
+    # ip_network("10.1.0.0/24"),
+]
+
+DMZ_TAGS = set(
+    [
+        ("environment", "dmz"),
+    ]
+)
+
+PCI_NETWORKS = [
+    # ip_network("10.0.0.0/24"),
+]
diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
@@ -422,16 +422,6 @@ LogTypeMap:
     - LogType: Sysdig.Audit
       Selectors:
         - "$.content.userOriginIP"
-    - LogType: Tailscale.Network
-      Selectors:
-        - "$.event.virtualTraffic[].srcIp"
-        - "$.event.virtualTraffic[].dstIp"
-        - "$.event.subnetTraffic[].srcIp"
-        - "$.event.subnetTraffic[].dstIp"
-        - "$.event.exitTraffic[].srcIp"
-        - "$.event.exitTraffic[].dstIp"
-        - "$.event.physicalTraffic[].srcIp"
-        - "$.event.physicalTraffic[].dstIp"
     - LogType: Tines.Audit
       Selectors:
         - "request_ip"

diff --git a/packs/asana.yml b/packs/asana.yml
@@ -16,4 +16,7 @@ PackDefinition:
     # Globals used in these detections
     - panther_asana_helpers
     - panther_base_helpers
+    - panther_config
+    - panther_config_defaults
+    - panther_config_overrides
 DisplayName: "Panther Asana Pack"