From d071b43f5549d5a0fe6cd61ae0a54b1b8bcc1250 Mon Sep 17 00:00:00 2001
From: Weyland <71197790+wey-chiang@users.noreply.github.com>
Date: Wed, 3 Aug 2022 18:50:06 -0400
Subject: [PATCH] Slack Detections - User (#464)

* Initial commit - Slack Detections - User
* Anonymized IP
* Downgraded user priv esc to High and updated comment
---
 slack_rules/slack_passthrough_anomaly.py | 10 ++
 slack_rules/slack_passthrough_anomaly.yml | 80 +++++++++
 .../slack_user_privilege_escalation.py | 30 ++++
 .../slack_user_privilege_escalation.yml | 159 ++++++++++++++++++
 4 files changed, 279 insertions(+)
 create mode 100644 slack_rules/slack_passthrough_anomaly.py
 create mode 100644 slack_rules/slack_passthrough_anomaly.yml
 create mode 100644 slack_rules/slack_user_privilege_escalation.py
 create mode 100644 slack_rules/slack_user_privilege_escalation.yml

diff --git a/slack_rules/slack_passthrough_anomaly.py b/slack_rules/slack_passthrough_anomaly.py
new file mode 100644
index 000000000..3ce457d00
--- /dev/null
+++ b/slack_rules/slack_passthrough_anomaly.py
@@ -0,0 +1,10 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+    return event.get("action") == "anomaly"
+
+
+def alert_context(event):
+    # TODO: Add more details to context
+    return slack_alert_context(event)
diff --git a/slack_rules/slack_passthrough_anomaly.yml b/slack_rules/slack_passthrough_anomaly.yml
new file mode 100644
index 000000000..0f79233a3
--- /dev/null
+++ b/slack_rules/slack_passthrough_anomaly.yml
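Review bot: alert_context() in slack_passthrough_anomaly.py hands back only the generic slack_alert_context(event), so an analyst receiving this Critical alert still cannot see why Slack flagged the session; the TODO on the line above is exactly the gap that matters for triage. Slack's anomaly events, per the audit-log docs referenced in the rule's .yml, carry a details object describing the trigger (confirm the exact field name against the schema); that is what should be merged in here, e.g. `context = slack_alert_context(event)`, `context["details"] = event.get("details", {})`, `return context`. Matching on `event.get("action") == "anomaly"` alone is fine for a passthrough, but without the reason in the context the Critical severity forces a manual log lookup on every fire.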
@@ -0,0 +1,80 @@
+AnalysisType: rule
+Filename: slack_passthrough_anomaly.py
+RuleID: Slack.AuditLogs.PassthroughAnomaly
+DisplayName: Slack Anomaly Detected
+Enabled: true
+LogTypes:
+  - Slack.AuditLogs
+Tags:
+  - Slack
+Severity: Critical
+Description: Passthrough for anomalies detected by Slack
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+  - p_any_ip_addresses
+  - p_any_emails
+Tests:
+  -
+    Name: Name
+    ExpectedResult: true
+    Log:
+      {
+        "action": "anomaly",
+        "actor": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "W012J3FEWAU",
+            "name": "primary-owner",
+            "team": "T01234N56GB"
+          }
+        },
+        "context": {
+          "ip_address": "1.2.3.4",
+          "location": {
+            "domain": "test-workspace-1",
+            "id": "T01234N56GB",
+            "name": "test-workspace-1",
+            "type": "workspace"
+          },
+          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+        }
+      }
+  - Name: User Logout
+    ExpectedResult: false
+    Log:
+      {
+        "action": "user_logout",
+        "actor": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "W012J3FEWAU",
+            "name": "primary-owner",
+            "team": "T01234N56GB"
+          }
+        },
+        "context": {
+          "ip_address": "1.2.3.4",
+          "location": {
+            "domain": "test-workspace-1",
+            "id": "T01234N56GB",
+            "name": "test-workspace-1",
+            "type": "workspace"
+          },
+          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+        },
+        "date_create": "2022-07-28 15:22:32",
+        "entity": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "W012J3FEWAU",
+            "name": "primary-owner",
+            "team": "T01234N56GB"
+          }
+        },
+        "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+      }
diff --git a/slack_rules/slack_user_privilege_escalation.py b/slack_rules/slack_user_privilege_escalation.py
new file mode 100644
index 000000000..ee97d2fcd
--- /dev/null
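Review bot: The positive test case is still carrying its template name, `Name: Name`, while the negative case is properly named `User Logout`; rename it to something like `Name: Anomaly Detected` so test output identifies which fixture failed. The positive fixture is also thinner than the negative one — it has no `date_create`, `entity` or `id` keys — so it does not represent a real anomaly record and will not exercise any future alert_context enrichment that reads those fields; mirroring the shape of the `User Logout` log (with an anomaly `details` block if the schema provides one) would make the test meaningful. Shipping this at `Severity: Critical` with `Threshold: 1` is a judgement call worth a sentence in the Description, since it forwards every Slack-detected anomaly unfiltered.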
+++ b/slack_rules/slack_user_privilege_escalation.py
@@ -0,0 +1,30 @@
+from panther_base_helpers import slack_alert_context
+
+USER_PRIV_ESC_ACTIONS = {
+    "owner_transferred": "Slack Owner Transferred",
+    "permissions_assigned": "Slack User Assigned Permissions",
+    "role_change_to_admin": "Slack User Made Admin",
+    "role_change_to_owner": "Slack User Made Owner",
+}
+
+
+def rule(event):
+    return event.get("action") in USER_PRIV_ESC_ACTIONS
+
+
+def title(event):
+    if event.get("action") in USER_PRIV_ESC_ACTIONS:
+        return USER_PRIV_ESC_ACTIONS.get(event.get("action"))
+    return "Slack User Privilege Escalation"
+
+
+def severity(event):
+    # Downgrade severity for users assigned permissions
+    # TODO: Add case to check for admin privileges to escalate to Critical
+    if event.get("action") == "permissions_assigned":
+        return "Medium"
+    return "High"
+
+
+def alert_context(event):
+    return slack_alert_context(event)
diff --git a/slack_rules/slack_user_privilege_escalation.yml b/slack_rules/slack_user_privilege_escalation.yml
new file mode 100644
index 000000000..a44a4aa3d
--- /dev/null
+++ b/slack_rules/slack_user_privilege_escalation.yml
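Review bot: title() re-checks membership in USER_PRIV_ESC_ACTIONS even though rule() only fires for those actions, so the `"Slack User Privilege Escalation"` fallback is unreachable in the alert path; the same contract reads more plainly as `return USER_PRIV_ESC_ACTIONS.get(event.get("action"), "Slack User Privilege Escalation")`. On severity(), `permissions_assigned` is rated Medium regardless of what was assigned, which means a grant of admin-level permissions is under-rated until the TODO is resolved — the escalation would presumably key off the role named in the event's details or entity fields, but the fixtures in this PR do not include those fields, so confirm the path against the Slack schema before relying on it. Worth a comment on the dict too: `# Slack audit-log action values that grant a user elevated privileges; values are alert titles`.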
@@ -0,0 +1,159 @@
+AnalysisType: rule
+Filename: slack_user_privilege_escalation.py
+RuleID: Slack.AuditLogs.UserPrivilegeEscalation
+DisplayName: Slack User Privilege Escalation
+Enabled: true
+LogTypes:
+  - Slack.AuditLogs
+Tags:
+  - Slack
+Severity: High
+Description: Detects when a Slack App has had its permission scopes expanded
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+  - p_any_ip_addresses
+  - p_any_emails
+Tests:
+  -
+    Name: Owner Transferred
+    ExpectedResult: true
+    Log:
+      {
+        "action": "owner_transferred",
+        "actor": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "A012B3CDEFG",
+            "name": "username",
+            "team": "T01234N56GB"
+          }
+        },
+        "context": {
+          "ip_address": "1.2.3.4",
+          "location": {
+            "domain": "test-workspace",
+            "id": "T01234N56GB",
+            "name": "test-workspace",
+            "type": "workspace"
+          },
+          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+        }
+      }
+  -
+    Name: Permissions Assigned
+    ExpectedResult: true
+    Log:
+      {
+        "action": "permissions_assigned",
+        "actor": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "A012B3CDEFG",
+            "name": "username",
+            "team": "T01234N56GB"
+          }
+        },
+        "context": {
+          "ip_address": "1.2.3.4",
+          "location": {
+            "domain": "test-workspace",
+            "id": "T01234N56GB",
+            "name": "test-workspace",
+            "type": "workspace"
+          },
+          "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+        }
+      }
+  -
+    Name: Role Changed to Admin
+    ExpectedResult: true
+    Log:
+      {
+        "action": "role_change_to_admin",
+        "actor": {
+          "type": "user",
+          "user": {
+            "email": "user@example.com",
+            "id": "A012B3CDEFG",
+            "name": "username",
+            "team": "T01234N56GB"
+          }
+        },
+        "context": {
+          "ip_address": "1.2.3.4",
+          "location": {
+            "domain": "test-workspace",
+            "id": "T01234N56GB",
+            "name": "test-workspace",
"type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: Role Changed to Owner + ExpectedResult: true + Log: + { + "action": "role_change_to_owner", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "A012B3CDEFG", + "name": "username", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace", + "id": "T01234N56GB", + "name": "test-workspace", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + } + } + - + Name: User Logout + ExpectedResult: false + Log: + { + "action": "user_logout", + "actor": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "context": { + "ip_address": "1.2.3.4", + "location": { + "domain": "test-workspace-1", + "id": "T01234N56GB", + "name": "test-workspace-1", + "type": "workspace" + }, + "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" + }, + "date_create": "2022-07-28 15:22:32", + "entity": { + "type": "user", + "user": { + "email": "user@example.com", + "id": "W012J3FEWAU", + "name": "primary-owner", + "team": "T01234N56GB" + } + }, + "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789" + }