panther-labs · arielkr256 · May 21, 2024 · Apr 15, 2024 · May 21, 2024
diff --git a/rules/push_security_rules/push_security_app_banner_acknowledged.py b/rules/push_security_rules/push_security_app_banner_acknowledged.py
@@ -0,0 +1,24 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "APP_BANNER":
+        return False
+
+    if deep_get(event, "new", "action") == "ACKNOWLEDGED":
+        return True
+
+    return False
+
+
+def title(event):
+    return f"{deep_get(event, 'new', 'appType')} accessed by {deep_get(event, 'new', 'employee', 'email')}"
+
+
+def alert_context(event):
+    return {
+        "Push Security app banner": deep_get(event, "new", "appBanner", "mode"),
+        "Title": deep_get(event, "new", "appBanner", "title"),
+        "Subtext": deep_get(event, "new", "appBanner", "subtext"),
+        "Button": deep_get(event, "new", "appBanner", "buttonText"),
+    }
diff --git a/rules/push_security_rules/push_security_app_banner_acknowledged.yml b/rules/push_security_rules/push_security_app_banner_acknowledged.yml
@@ -0,0 +1,98 @@
+AnalysisType: rule
+Filename: push_security_app_banner_acknowledged.py
+RuleID: "Push.Security.App.Banner.Acknowledged"
+DisplayName: "Push Security App Banner Acknowledged"
+Enabled: true
+LogTypes:
+    - Custom.PushSecurity.Activity
+Severity: Low
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+    - Name: App Banner Acknowledged
+      ExpectedResult: true
+      Log:
+        id: c478966c-f927-411c-b919-179832d3d50c
+        new:
+            action: ACKNOWLEDGED
+            appBanner:
+                buttonText: Proceed anyway
+                mode: ACKNOWLEDGE
+                subtext: This app is not approved, please use Google Drive instead.
+                title: This app is not approved for use
+            appType: DROPBOX
+            browser: CHROME
+            employee:
+                chatopsEnabled: true
+                creationTimestamp: 1.698669223e+09
+                department: Security Engineering
+                email: john.hill@example.com
+                firstName: John
+                id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+                lastName: Hill
+                licensed: true
+                location: New York
+            os: WINDOWS
+            sourceIpAddress: 8.158.25.38
+            userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+        object: APP_BANNER
+        timestamp: 1.698604061e+09
+        version: "1"
+    - Name: App Banner Displayed
+      ExpectedResult: false
+      Log:
+        id: c478966c-f927-411c-b919-179832d3d50c
+        new:
+            action: DISPLAYED
+            appBanner:
+                buttonText: Proceed anyway
+                mode: ACKNOWLEDGE
+                subtext: This app is not approved, please use Google Drive instead.
+                title: This app is not approved for use
+            appType: DROPBOX
+            browser: CHROME
+            employee:
+                chatopsEnabled: true
+                creationTimestamp: 1.698669223e+09
+                department: Security Engineering
+                email: john.hill@example.com
+                firstName: John
+                id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+                lastName: Hill
+                licensed: true
+                location: New York
+            os: WINDOWS
+            sourceIpAddress: 8.158.25.38
+            userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+        object: APP_BANNER
+        timestamp: 1.698604061e+09
+        version: "1"
+    - Name: App Banner Inform Mode
+      ExpectedResult: false
+      Log:
+        id: c478966c-f927-411c-b919-179832d3d50c
+        new:
+            action: DISPLAYED
+            appBanner:
+                buttonText: null
+                mode: INFORM
+                subtext: This app is not approved, please use Google Drive instead.
+                title: This app is not approved for use
+            appType: DROPBOX
+            browser: CHROME
+            employee:
+                chatopsEnabled: true
+                creationTimestamp: 1.698669223e+09
+                department: Security Engineering
+                email: john.hill@example.com
+                firstName: John
+                id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+                lastName: Hill
+                licensed: true
+                location: New York
+            os: WINDOWS
+            sourceIpAddress: 8.158.25.38
+            userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+        object: APP_BANNER
+        timestamp: 1.698604061e+09
+        version: "1"
diff --git a/rules/push_security_rules/push_security_mfa_method_changed.py b/rules/push_security_rules/push_security_mfa_method_changed.py
@@ -0,0 +1,31 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "ACCOUNT":
+        return False
+
+    if event.get("old") == None:
+        return False
+
+    new_mfa_methods = set(deep_get(event, "new", "mfaMethods"))
+    old_mfa_methods = set(deep_get(event, "old", "mfaMethods", default=[]))
+
+    if new_mfa_methods != old_mfa_methods:
+        return True
+
+    return False
+
+
+def severity(event):
+    if deep_get(event, "new", "mfaMethods") == []:
+        return "HIGH"
+    return "LOW"
+
+
+def title(event):
+    mfa_methods = ", ".join(deep_get(event, "new", "mfaMethods", default="No MFA"))
+
+    if mfa_methods == "":
+        return f"{deep_get(event, 'new', 'email')} removed all MFA methods on {deep_get(event, 'new', 'appType')}"
+    return f"{deep_get(event, 'new', 'email')} changed MFA method to {mfa_methods} on {deep_get(event, 'new', 'appType')}"
diff --git a/rules/push_security_rules/push_security_mfa_method_changed.yml b/rules/push_security_rules/push_security_mfa_method_changed.yml
@@ -0,0 +1,167 @@
+AnalysisType: rule
+Filename: push_security_mfa_method_changed.py
+RuleID: "Push.Security.MFA.Method.Changed"
+DisplayName: "Push Security SaaS App MFA Method Changed"
+Enabled: true
+LogTypes:
+    - Custom.PushSecurity.Entities
+Severity: Info
+Description: MFA method on SaaS app changed
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+    - Name: All MFA methods removed
+      ExpectedResult: true
+      Log:
+        id: d1e5794f-666d-4cba-abae-c6d889ca1903
+        new:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods: []
+            mfaRegistered: false
+            passwordId: null
+        object: ACCOUNT
+        old:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+            mfaRegistered: false
+            passwordId: null
+        timestamp: 1.707775049e+09
+        type: CREATE
+        version: "1"
+    - Name: First seen
+      ExpectedResult: false
+      Log:
+        id: d1e5794f-666d-4cba-abae-c6d889ca1903
+        new:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+                - APP_OTP
+            mfaRegistered: false
+            passwordId: null
+        object: ACCOUNT
+        old: null
+        timestamp: 1.707775049e+09
+        type: CREATE
+        version: "1"
+    - Name: MFA method added
+      ExpectedResult: true
+      Log:
+        id: d1e5794f-666d-4cba-abae-c6d889ca1903
+        new:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+                - APP_OTP
+            mfaRegistered: false
+            passwordId: null
+        object: ACCOUNT
+        old:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+            mfaRegistered: false
+            passwordId: null
+        timestamp: 1.707775049e+09
+        type: CREATE
+        version: "1"
+    - Name: No MFA method change
+      ExpectedResult: false
+      Log:
+        id: d1e5794f-666d-4cba-abae-c6d889ca1903
+        new:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+                - APP_OTP
+            mfaRegistered: false
+            passwordId: null
+        object: ACCOUNT
+        old:
+            appId: 67ef5c13-b5e6-4945-af7b-c11ac98f630f
+            appType: CONTENTFUL
+            creationTimestamp: 1.707775048e+09
+            email: jet.black@issp.com
+            employeeId: ca6cf7ce-90e6-4eb5-a262-7899bc48c39c
+            id: 5e15ce4c-6b93-4fbf-aed9-1890775efa90
+            lastUsedTimestamp: null
+            loginMethods:
+                oidcLogin: null
+                oktaSwaLogin: false
+                passwordLogin: false
+                samlLogin: null
+            mfaMethods:
+                - SMS
+                - APP_OTP
+            mfaRegistered: false
+            passwordId: null
+        timestamp: 1.707775049e+09
+        type: CREATE
+        version: "1"
diff --git a/rules/push_security_rules/push_security_new_app_detected.py b/rules/push_security_rules/push_security_new_app_detected.py
@@ -0,0 +1,15 @@
+from panther_base_helpers import deep_get
+
+
+def rule(event):
+    if event.get("object") != "APP":
+        return False
+
+    if event.get("type") == "CREATE":
+        return True
+
+    return False
+
+
+def title(event):
+    return f"New app in use: {deep_get(event, 'new', 'type')}"
diff --git a/rules/push_security_rules/push_security_new_app_detected.yml b/rules/push_security_rules/push_security_new_app_detected.yml
@@ -0,0 +1,54 @@
+AnalysisType: rule
+Filename: push_security_new_app_detected.py
+RuleID: "Push.Security.New.App.Detected"
+DisplayName: "Push Security New App Detected"
+Enabled: true
+LogTypes:
+    - Custom.PushSecurity.Entities
+Severity: Info
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+    - Name: New App
+      ExpectedResult: true
+      Log:
+        id: c478966c-f927-411c-b919-179832d3d50c
+        new:
+            approvalStatus: null
+            creationTimestamp: 1.698064423e+09
+            id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+            notes: ""
+            ownerId: null
+            sensitivityLevel: null
+            type: ZAPIER
+        object: APP
+        old: null
+        timestamp: 1.698604061e+09
+        type: CREATE
+        version: "1"
+    - Name: App Updated
+      ExpectedResult: false
+      Log:
+        id: c478966c-f927-411c-b919-179832d3d50c
+        new:
+            approvalStatus: APPROVED
+            creationTimestamp: 1.698064423e+09
+            id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+            notes: |
+                Last security audit: 16 January 2023.
+            ownerId: 87569da6-fb7a-4df7-8ce2-246c14044911
+            sensitivityLevel: HIGH
+            type: ZAPIER
+        object: APP
+        old:
+            approvalStatus: UNDER_REVIEW
+            creationTimestamp: 1.698064423e+09
+            id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+            notes: |
+                Initial submission for review.
+            ownerId: 87569da6-fb7a-4df7-8ce2-246c14044911
+            sensitivityLevel: MEDIUM
+            type: ZAPIER
+        timestamp: 1.698604061e+09
+        type: UPDATE
+        version: "1"