This repository has been archived by the owner on Dec 12, 2023. It is now read-only.
Atlassian conversion #6
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nversion' into nkulig-atlassian-conversion Syncing updates from main into branch
maxrichie5
reviewed
Feb 6, 2023
| from typing import Literal | ||
|
|
||
| from . import queries, rules, sample_logs | ||
| from ._shared import * |
There was a problem hiding this comment.
I would remove this from here as the _ prefix implies it should not be exported
| return { | ||
| "Timestamp": event.deep_get("attributes", "time", default="<unknown-time>"), | ||
| "Actor": event.deep_get("attributes", "actor", "email", default="<unknown-actor-email>"), | ||
| "Impersonated user": event.deep_get("attributes", "context", default=[{}])[0] |
There was a problem hiding this comment.
Does deep get not work with list indexes?
| overrides=detection.RuleOverrides(name=name_override) | ||
| ) | ||
|
|
||
| self.assertIsInstance(rule, detection.Rule) |
There was a problem hiding this comment.
This test will fail won't it?
It would also be good to add a test for the title function 😄
darwayne
reviewed
Feb 7, 2023
jzandona
reviewed
Feb 8, 2023
| overrides=overrides, | ||
| name="Atlassian user logged in as user", | ||
| rule_id="Atlassian.User.LoggedInAsUser", | ||
| log_types=[SYSTEM_LOG_TYPE], |
There was a problem hiding this comment.
with the latest version of SDK, we can now use schema.LogTypeAtlassianAudit instead.
|
There have been some updates to the standard of how to write detections in this repo. Mainly 2:
Please make sure to pull in Thanks again for all your work on this!!! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
This branch contains the changes necessary to bring the Atlassian rules from panther-analysis over to panther-detections.
Changes
An Atlassian folder was added under the Providers folder that contains the folder structure necessary to move forward with additional rules in the future. For now, there is only one rule to convert, and that has been added.
Testing
Tests are included under tests/providers/atlassian and I verified that the rule works correctly by running:
pipenv run panther_analysis_tool --debug sdk test