-
Notifications
You must be signed in to change notification settings - Fork 169
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add: notion rule scim token generated (#796)
* add: notion rule scim token generated * fmt * refactor: add to pack & severity * add: title * feedback * add token id * fmt * lint * Update rules/notion_rules/notion_scim_token_generated.py Co-authored-by: andrea-youwakim <[email protected]> * fmt * fixing dot notation attempt in deep_get --------- Co-authored-by: andrea-youwakim <[email protected]> Co-authored-by: andrea-youwakim <[email protected]>
- Loading branch information
1 parent
624ffd0
commit 564639d
Showing
3 changed files
with
81 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
from global_filter_notion import filter_include_event | ||
from panther_base_helpers import deep_get | ||
from panther_notion_helpers import notion_alert_context | ||
|
||
|
||
def rule(event): | ||
if not filter_include_event(event): | ||
return False | ||
return ( | ||
deep_get(event, "type", default="<NO_EVENT_TYPE_FOUND>") == "workspace.scim_token_generated" | ||
) | ||
|
||
|
||
def title(event): | ||
user = deep_get(event, "actor", "person", "email", default="<NO_USER_FOUND>") | ||
workspace_id = event.get("workspace_id", "<NO_WORKSPACE_ID_FOUND>") | ||
token_id = deep_get(event, "workspace", "scim_token_generated", default="{}") | ||
return ( | ||
f"Notion User [{user}] generated a SCIM token " | ||
f"[{token_id}] for workspace id [{workspace_id}]." | ||
) | ||
|
||
|
||
def alert_context(event): | ||
return notion_alert_context(event) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
AnalysisType: rule | ||
Description: A Notion User generated a SCIM token. | ||
DisplayName: "Notion SCIM Token Generated" | ||
Enabled: true | ||
Filename: notion_scim_token_generated.py | ||
Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason. | ||
Severity: Medium | ||
Tags: | ||
- Initial Access:Supply Chain Compromise | ||
Tests: | ||
- ExpectedResult: false | ||
Log: | ||
{ | ||
"id": "...", | ||
"timestamp": "2023-06-02T20:16:41.217Z", | ||
"workspace_id": "123", | ||
"actor": { | ||
"id": "..", | ||
"object": "user", | ||
"type": "person", | ||
"person": { | ||
"email": "[email protected]" | ||
} | ||
}, | ||
"ip_address": "...", | ||
"platform": "mac-desktop", | ||
"type": "workspace.content_exported", | ||
"workspace.content_exported": {} | ||
} | ||
Name: other event | ||
- ExpectedResult: true | ||
Log: | ||
{ | ||
"id": "...", | ||
"timestamp": "2023-06-02T20:21:01.873Z", | ||
"workspace_id": "123", | ||
"actor": { | ||
"id": "..", | ||
"object": "user", | ||
"type": "person", | ||
"person": { | ||
"email": "[email protected]" | ||
} | ||
}, | ||
"ip_address": "...", | ||
"platform": "mac-desktop", | ||
"type": "workspace.scim_token_generated", | ||
"workspace.scim_token_generated": {} | ||
} | ||
Name: Token Generated | ||
DedupPeriodMinutes: 60 | ||
LogTypes: | ||
- Notion.AuditLogs | ||
RuleID: "Notion.Workspace.SCIM.Token.Generated" | ||
Threshold: 1 |