-
Notifications
You must be signed in to change notification settings - Fork 169
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Initial commit - Slack Detections - User * Anonymized IP * Downgraded user priv esc to High and updated comment
- Loading branch information
1 parent
d89befa
commit d071b43
Showing
4 changed files
with
279 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| from panther_base_helpers import slack_alert_context | ||
|
|
||
|
|
||
| def rule(event): | ||
| return event.get("action") == "anomaly" | ||
|
|
||
|
|
||
| def alert_context(event): | ||
| # TODO: Add more details to context | ||
| return slack_alert_context(event) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| AnalysisType: rule | ||
| Filename: slack_passthrough_anomaly.py | ||
| RuleID: Slack.AuditLogs.PassthroughAnomaly | ||
| DisplayName: Slack Anomaly Detected | ||
| Enabled: true | ||
| LogTypes: | ||
| - Slack.AuditLogs | ||
| Tags: | ||
| - Slack | ||
| Severity: Critical | ||
| Description: Passthrough for anomalies detected by Slack | ||
| Reference: https://api.slack.com/admins/audit-logs | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| SummaryAttributes: | ||
| - p_any_ip_addresses | ||
| - p_any_emails | ||
| Tests: | ||
| - | ||
| Name: Name | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "action": "anomaly", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "W012J3FEWAU", | ||
| "name": "primary-owner", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace-1", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace-1", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| } | ||
| } | ||
| - Name: User Logout | ||
| ExpectedResult: false | ||
| Log: | ||
| { | ||
| "action": "user_logout", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "W012J3FEWAU", | ||
| "name": "primary-owner", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace-1", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace-1", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| }, | ||
| "date_create": "2022-07-28 15:22:32", | ||
| "entity": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "W012J3FEWAU", | ||
| "name": "primary-owner", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| from panther_base_helpers import slack_alert_context | ||
|
|
||
| USER_PRIV_ESC_ACTIONS = { | ||
| "owner_transferred": "Slack Owner Transferred", | ||
| "permissions_assigned": "Slack User Assigned Permissions", | ||
| "role_change_to_admin": "Slack User Made Admin", | ||
| "role_change_to_owner": "Slack User Made Owner", | ||
| } | ||
|
|
||
|
|
||
| def rule(event): | ||
| return event.get("action") in USER_PRIV_ESC_ACTIONS | ||
|
|
||
|
|
||
| def title(event): | ||
| if event.get("action") in USER_PRIV_ESC_ACTIONS: | ||
| return USER_PRIV_ESC_ACTIONS.get(event.get("action")) | ||
| return "Slack User Privilege Escalation" | ||
|
|
||
|
|
||
| def severity(event): | ||
| # Downgrade severity for users assigned permissions | ||
| # TODO: Add case to check for admin privileges to escalate to Critical | ||
| if event.get("action") == "permissions_assigned": | ||
| return "Medium" | ||
| return "High" | ||
|
|
||
|
|
||
| def alert_context(event): | ||
| return slack_alert_context(event) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,159 @@ | ||
| AnalysisType: rule | ||
| Filename: slack_user_privilege_escalation.py | ||
| RuleID: Slack.AuditLogs.UserPrivilegeEscalation | ||
| DisplayName: Slack User Privilege Escalation | ||
| Enabled: true | ||
| LogTypes: | ||
| - Slack.AuditLogs | ||
| Tags: | ||
| - Slack | ||
| Severity: High | ||
| Description: Detects when a Slack App has had its permission scopes expanded | ||
| Reference: https://api.slack.com/admins/audit-logs | ||
| DedupPeriodMinutes: 60 | ||
| Threshold: 1 | ||
| SummaryAttributes: | ||
| - p_any_ip_addresses | ||
| - p_any_emails | ||
| Tests: | ||
| - | ||
| Name: Owner Transferred | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "action": "owner_transferred", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "A012B3CDEFG", | ||
| "name": "username", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| } | ||
| } | ||
| - | ||
| Name: Permissions Assigned | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "action": "permissions_assigned", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "A012B3CDEFG", | ||
| "name": "username", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| } | ||
| } | ||
| - | ||
| Name: Role Changed to Admin | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "action": "role_change_to_admin", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "A012B3CDEFG", | ||
| "name": "username", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| } | ||
| } | ||
| - | ||
| Name: Role Changed to Owner | ||
| ExpectedResult: true | ||
| Log: | ||
| { | ||
| "action": "role_change_to_owner", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "A012B3CDEFG", | ||
| "name": "username", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| } | ||
| } | ||
| - | ||
| Name: User Logout | ||
| ExpectedResult: false | ||
| Log: | ||
| { | ||
| "action": "user_logout", | ||
| "actor": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "W012J3FEWAU", | ||
| "name": "primary-owner", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "context": { | ||
| "ip_address": "1.2.3.4", | ||
| "location": { | ||
| "domain": "test-workspace-1", | ||
| "id": "T01234N56GB", | ||
| "name": "test-workspace-1", | ||
| "type": "workspace" | ||
| }, | ||
| "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" | ||
| }, | ||
| "date_create": "2022-07-28 15:22:32", | ||
| "entity": { | ||
| "type": "user", | ||
| "user": { | ||
| "email": "[email protected]", | ||
| "id": "W012J3FEWAU", | ||
| "name": "primary-owner", | ||
| "team": "T01234N56GB" | ||
| } | ||
| }, | ||
| "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" | ||
| } |