fix: update MongoDB RuleIDs to convention, prefer deep_get over dict.…

…get (#836)

* fix: update MongoDB RuleIDs to convention, prefer deep_get over dict.get

packs/mongodb.yml

@@ -4,7 +4,7 @@ Description: Group of all MongoDB detections
 DisplayName: "Panther MongoDB Atlas Pack"
 PackDefinition:
   IDs:
-    - mongodb_atlas_api_key_created
-    - mongodb_external_user_invited
+    - MongoDB.Atlas.ApiKeyCreated
+    - MongoDB.External.UserInvited
     # Globals
     - panther_base_helpers

rules/mongodb_rules/mongodb_atlas_api_key_created.py

@@ -0,0 +1,22 @@
+from panther_base_helpers import deep_get, deep_walk
+
+
+def rule(event):
+    return deep_get(event, "eventTypeName", default="") == "API_KEY_ACCESS_LIST_ENTRY_ADDED"
+
+
+def title(event):
+    user = deep_get(event, "username", default="<USER_NOT_FOUND>")
+    public_key = deep_get(event, "targetPublicKey", default="<PUBLIC_KEY_NOT_FOUND>")
+    return f"MongoDB Atlas: [{user}] updated the allowed access list for API Key [{public_key}]"
+
+
+def alert_context(event):
+    links = deep_walk(event, "links", "href", return_val="first", default="<LINKS_NOT_FOUND>")
+    return {
+        "links": links,
+        "username": deep_get(event, "username", default="<USER_NOT_FOUND>"),
+        "event_type_name": deep_get(event, "eventTypeName", default="<EVENT_TYPE_NOT_FOUND>"),
+        "org_id": deep_get(event, "orgId", default="<ORG_ID_NOT_FOUND>"),
+        "target_public_key": deep_get(event, "targetPublicKey", default="<PUBLIC_KEY_NOT_FOUND>"),
+    }

rules/mongodb/mongodb_atlas_api_key_created.yml → rules/mongodb_rules/mongodb_atlas_api_key_created.yml

@@ -1,6 +1,6 @@
 AnalysisType: rule
 Description: A MongoDB Atlas api key's access list was updated
-DisplayName: "mongodb_atlas_api_key_created"
+DisplayName: "MongoDB Atlas API Key Created"
 Enabled: true
 Filename: mongodb_atlas_api_key_created.py
 Severity: Medium
@@ -56,5 +56,5 @@ Tests:
 DedupPeriodMinutes: 60
 LogTypes:
     - MongoDB.OrganizationEvent
-RuleID: "mongodb_atlas_api_key_created"
+RuleID: "MongoDB.Atlas.ApiKeyCreated"
 Threshold: 1

rules/mongodb/mongodb_external_user_invited.py → rules/mongodb_rules/mongodb_external_user_invited.py

@@ -1,6 +1,8 @@
 import json
 from unittest.mock import MagicMock
 
+from panther_base_helpers import deep_get
+
 # Set domains allowed to join the organization ie. company.com
 ALLOWED_DOMAINS = []
 
@@ -9,8 +11,8 @@ def rule(event):
     global ALLOWED_DOMAINS  # pylint: disable=global-statement
     if isinstance(ALLOWED_DOMAINS, MagicMock):
         ALLOWED_DOMAINS = json.loads(ALLOWED_DOMAINS())  # pylint: disable=not-callable
-    if event.get("eventTypeName", "") == "INVITED_TO_ORG":
-        target_user = event.get("targetUsername", "")
+    if deep_get(event, "eventTypeName", default="") == "INVITED_TO_ORG":
+        target_user = deep_get(event, "targetUsername", default="")
         target_domain = target_user.split("@")[-1]
         return target_domain not in ALLOWED_DOMAINS
     return False

rules/mongodb/mongodb_external_user_invited.yml → rules/mongodb_rules/mongodb_external_user_invited.yml

@@ -1,6 +1,6 @@
 AnalysisType: rule
 Description: 'An external user has been invited to a MongoDB org. '
-DisplayName: "mongodb_external_user_invited"
+DisplayName: "MongoDB External User Invited"
 Enabled: true
 Filename: mongodb_external_user_invited.py
 Severity: Medium
@@ -68,5 +68,5 @@ Tests:
 DedupPeriodMinutes: 60
 LogTypes:
     - MongoDB.OrganizationEvent
-RuleID: "mongodb_external_user_invited"
+RuleID: "MongoDB.External.UserInvited"
 Threshold: 1