Merge branch 'release' into THREAT-274-OCSF-data-model,-CloudTrail

Dockerfile

@@ -11,8 +11,6 @@ RUN apk update \
  git \
  libffi-dev \
  ncurses-dev \
- nodejs \
- npm \
  openssl-dev \
  readline-dev \
  sqlite-dev \
@@ -49,12 +47,6 @@ COPY Pipfile.lock .
 RUN pipenv uninstall --all
 RUN pipenv sync --dev
 
-COPY package.json .
-COPY package-lock.json .
-RUN npm install
-
-ENV PATH="/home/panther-analysis/node_modules/.bin:$PATH"
-
 # Remove pipfile so it doesn't interfere with local files after install
 RUN rm Pipfile
 RUN rm Pipfile.lock

Makefile

@@ -42,7 +42,6 @@ lint-pylint:
 lint-fmt:
  @echo Checking python file formatting with the black code style checker
  pipenv run black --line-length=100 --check $(dirs)
- npx prettier . --check
 
 venv:
  pipenv sync --dev
@@ -53,12 +52,9 @@ pat-update:
 fmt:
  pipenv run isort --profile=black $(dirs)
  pipenv run black --line-length=100 $(dirs)
- npx prettier . --write --list-different
 
 install:
  pipenv sync --dev
- # install prettier for formatting YAML and Markdown files
- npm install
 
 test: global-helpers-unit-test
  pipenv run panther_analysis_tool test $(TEST_ARGS)

README.md

@@ -1,5 +1,9 @@
 <p align="center">
- <a href="https://panther.com"><img src=".img/panther-logo-github-highres.png" width=40% alt="Panther Logo"/></a>
+ <a href="https://panther.com"><picture>
+ <source media="(prefers-color-scheme: dark)" srcset=".img/panther-logo-github-highres-light.png" width=75%>
+ <source media="(prefers-color-scheme: light)" srcset=".img/panther-logo-github-highres-dark.png" width=75%>
+ <img alt="Displays the dark Panther logo in light mode an the light Panther logo in dark mode.">
+ </picture></a>
 </p>
 
 <h3 align="center">Built-in Panther Detections</h3>
@@ -255,6 +259,14 @@ git pull panther-upstream main
 git push
 ```
 
+# Remove Deprecated Formatters
+
+Previously, Node, NPM and Prettier were used for formatting Markdown and YAML files; these are no longer in use.
+
+Depending on how Node is managed, it will need to be uninstalled or removed if it is no longer needed elsewhere. Refer to your system/package manager's documentation for instructions on removing Node.
+
+Otherwise, running `npm unintall prettier` will remove Prettier.
+
 # License
 
 This repository is licensed under [Apache License, Version 2.0](https://github.com/panther-labs/panther-analysis/blob/main/LICENSE.txt).

packs/push_security.yml

@@ -0,0 +1,13 @@
+AnalysisType: pack
+PackID: PantherManaged.PushSecurity
+Description: Group of all Push Security detections
+PackDefinition:
+ IDs:
+ - Push.Security.App.Banner.Acknowledged
+ - Push.Security.MFA.Method.Changed
+ - Push.Security.New.App.Detected
+ - Push.Security.New.SaaS.Account.Created
+ - Push.Security.Open.Security.Finding
+ - Push.Security.Phishable.MFA.Method
+ - Push.Security.Phishing.Attack
+DisplayName: "Panther Push Security Pack"

rules/push_security_rules/push_security_app_banner_acknowledged.py

@@ -0,0 +1,23 @@
+def rule(event):
+ if event.get("object") != "APP_BANNER":
+ return False
+
+ if event.deep_get("new", "action") == "ACKNOWLEDGED":
+ return True
+
+ return False
+
+
+def title(event):
+ app_type = event.deep_get("new", "appType")
+ employee_email = event.deep_get("new", "employee", "email")
+ return f"{app_type} accessed by {employee_email}"
+
+
+def alert_context(event):
+ return {
+ "Push Security app banner": event.deep_get("new", "appBanner", "mode"),
+ "Title": event.deep_get("new", "appBanner", "title"),
+ "Subtext": event.deep_get("new", "appBanner", "subtext"),
+ "Button": event.deep_get("new", "appBanner", "buttonText"),
+ }

rules/push_security_rules/push_security_app_banner_acknowledged.yml

@@ -0,0 +1,98 @@
+AnalysisType: rule
+Filename: push_security_app_banner_acknowledged.py
+RuleID: "Push.Security.App.Banner.Acknowledged"
+DisplayName: "Push Security App Banner Acknowledged"
+Enabled: true
+LogTypes:
+ - PushSecurity.Activity
+Severity: Low
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: App Banner Acknowledged
+ ExpectedResult: true
+ Log:
+ id: c478966c-f927-411c-b919-179832d3d50c
+ new:
+ action: ACKNOWLEDGED
+ appBanner:
+ buttonText: Proceed anyway
+ mode: ACKNOWLEDGE
+ subtext: This app is not approved, please use Google Drive instead.
+ title: This app is not approved for use
+ appType: DROPBOX
+ browser: CHROME
+ employee:
+ chatopsEnabled: true
+ creationTimestamp: 1.698669223e+09
+ department: Security Engineering
+ email: [email protected]
+ firstName: John
+ id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+ lastName: Hill
+ licensed: true
+ location: New York
+ os: WINDOWS
+ sourceIpAddress: 8.158.25.38
+ userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+ object: APP_BANNER
+ timestamp: 1.698604061e+09
+ version: "1"
+ - Name: App Banner Displayed
+ ExpectedResult: false
+ Log:
+ id: c478966c-f927-411c-b919-179832d3d50c
+ new:
+ action: DISPLAYED
+ appBanner:
+ buttonText: Proceed anyway
+ mode: ACKNOWLEDGE
+ subtext: This app is not approved, please use Google Drive instead.
+ title: This app is not approved for use
+ appType: DROPBOX
+ browser: CHROME
+ employee:
+ chatopsEnabled: true
+ creationTimestamp: 1.698669223e+09
+ department: Security Engineering
+ email: [email protected]
+ firstName: John
+ id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+ lastName: Hill
+ licensed: true
+ location: New York
+ os: WINDOWS
+ sourceIpAddress: 8.158.25.38
+ userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+ object: APP_BANNER
+ timestamp: 1.698604061e+09
+ version: "1"
+ - Name: App Banner Inform Mode
+ ExpectedResult: false
+ Log:
+ id: c478966c-f927-411c-b919-179832d3d50c
+ new:
+ action: DISPLAYED
+ appBanner:
+ buttonText: null
+ mode: INFORM
+ subtext: This app is not approved, please use Google Drive instead.
+ title: This app is not approved for use
+ appType: DROPBOX
+ browser: CHROME
+ employee:
+ chatopsEnabled: true
+ creationTimestamp: 1.698669223e+09
+ department: Security Engineering
+ email: [email protected]
+ firstName: John
+ id: 2a2197de-ad2c-47e4-8dcb-fb0f04cf83e0
+ lastName: Hill
+ licensed: true
+ location: New York
+ os: WINDOWS
+ sourceIpAddress: 8.158.25.38
+ userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
+ object: APP_BANNER
+ timestamp: 1.698604061e+09
+ version: "1"

rules/push_security_rules/push_security_mfa_method_changed.py

@@ -0,0 +1,30 @@
+def rule(event):
+ if event.get("object") != "ACCOUNT":
+ return False
+
+ if event.get("old") is None:
+ return False
+
+ new_mfa_methods = set(event.deep_get("new", "mfaMethods"))
+ old_mfa_methods = set(event.deep_get("old", "mfaMethods", default=[]))
+
+ if new_mfa_methods != old_mfa_methods:
+ return True
+
+ return False
+
+
+def severity(event):
+ if event.deep_get("new", "mfaMethods") == []:
+ return "HIGH"
+ return "LOW"
+
+
+def title(event):
+ mfa_methods = ", ".join(event.deep_get("new", "mfaMethods", default="No MFA"))
+ new_email = event.deep_get("new", "email")
+ new_apptype = event.deep_get("new", "appType")
+
+ if mfa_methods == "":
+ return f"{new_email} removed all MFA methods on {new_apptype}"
+ return f"{new_email} changed MFA method to {mfa_methods} on {new_apptype}"