THREAT-315 Wiz Alert passthrough - updated according to comments

panther-labs · Jun 28, 2024 · a64f187 · a64f187
1 parent 4ed5f30
commit a64f187
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 8 deletions.
diff --git a/packs/wiz.yml b/packs/wiz.yml
@@ -0,0 +1,7 @@
+AnalysisType: pack
+PackID: PantherManaged.Wiz
+Description: Group of all Wiz detections
+DisplayName: "Panther Wiz Pack"
+PackDefinition:
+  IDs:
+    - Wiz.Alert.Passthrough
diff --git a/rules/wiz_rules/wiz_alert_passthrough.py b/rules/wiz_rules/wiz_alert_passthrough.py
@@ -1,3 +1,6 @@
+from panther_base_helpers import deep_get
+
+
 def rule(event):
     return event.get("status") == "OPEN"
 
@@ -17,16 +20,25 @@ def dedup(event):
     return event.get("id")
 
 
+def description(event):
+    return event.deep_get("sourceRule", "controlDescription", default="<DESCRIPTION_NOT_FOUND>")
+
+
+def runbook(event):
+    return event.deep_get(
+        "sourceRule", "resolutionRecommendation", default="<RECOMMENDATION_NOT_FOUND>"
+    )
+
+
 def alert_context(event):
+    security_subcategories = event.deep_get("sourceRule", "securitySubCategories", default=[{}])
     return {
         "id": event.get("id", "<ID_NOT_FOUND>"),
         "type": event.get("type", "<TYPE_NOT_FOUND>"),
-        "description": event.deep_get(
-            "sourceRule", "controlDescription", default="<DESCRIPTION_NOT_FOUND>"
-        ),
-        "resolution_recommendation": event.deep_get(
-            "sourceRule", "resolutionRecommendation", default="<RECOMMENDATION_NOT_FOUND>"
-        ),
-        "severity": event.get("severity", "<SEVERITY_NOT_FOUND>"),
         "entity_snapshot": event.get("entitySnapshot", {}),
+        "mitre_attack_categories": [
+            subcategory
+            for subcategory in security_subcategories
+            if deep_get(subcategory, "category", "framework", "name") == "MITRE ATT&CK Matrix"
+        ],
     }
diff --git a/rules/wiz_rules/wiz_alert_passthrough.yml b/rules/wiz_rules/wiz_alert_passthrough.yml
@@ -51,7 +51,27 @@ Tests:
               "controlDescription": "Alert Description",
               "id": "12345",
               "name": "Alert Name",
-              "resolutionRecommendation": "Alert Resolution Recommendation"
+              "resolutionRecommendation": "Alert Resolution Recommendation",
+              "securitySubCategories": [
+                {
+                  "category": {
+                    "framework": {
+                      "name": "Wiz for Risk Assessment"
+                    },
+                    "name": "High Profile Threats"
+                  },
+                  "title": "High-profile vulnerability exploited in the wild"
+                },
+                {
+                  "category": {
+                    "framework": {
+                      "name": "MITRE ATT&CK Matrix"
+                    },
+                    "name": "TA0001 Initial Access"
+                  },
+                  "title": "T1190 Exploit Public-Facing Application"
+                },
+              ]
           },
           "status": "OPEN",
           "statusChangedAt": "2024-06-04 02:28:06.597355000",