Slack Detections - EKM (#463)

* Initial commit - Slack EKM * Anonymized IPs * Fixed wording for descritpion on Slack.AuditLogs.EKMSlackbotUnenrolled
panther-labs · Aug 3, 2022 · d89befa · d89befa
1 parent a3b6cfb
commit d89befa
Show file tree

Hide file tree

Showing 6 changed files with 274 additions and 0 deletions.
diff --git a/slack_rules/slack_ekm_config_changed.py b/slack_rules/slack_ekm_config_changed.py
@@ -0,0 +1,11 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_logging_config_set` action
+ return event.get("action") == "ekm_logging_config_set"
+
+
+def alert_context(event):
+ # TODO: Add details to the context
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_config_changed.yml b/slack_rules/slack_ekm_config_changed.yml
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_config_changed.py
+RuleID: Slack.AuditLogs.EKMConfigChanged
+DisplayName: Slack EKM Config Changed
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: High
+Description: Detects when the logging settings for a workspace's EKM configuration has changed
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Config Changed
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_logging_config_set",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.py b/slack_rules/slack_ekm_slackbot_unenrolled.py
@@ -0,0 +1,10 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_slackbot_unenroll_notification_sent` action
+ return event.get("action") == "ekm_slackbot_unenroll_notification_sent"
+
+
+def alert_context(event):
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.yml b/slack_rules/slack_ekm_slackbot_unenrolled.yml
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_slackbot_unenrolled.py
+RuleID: Slack.AuditLogs.EKMSlackbotUnenrolled
+DisplayName: Slack EKM Slackbot Unenrolled
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: High
+Description: Detects when a workspace is longer enrolled in EKM
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Slackbot Unenrolled
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_slackbot_unenroll_notification_sent",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }
diff --git a/slack_rules/slack_ekm_unenrolled.py b/slack_rules/slack_ekm_unenrolled.py
@@ -0,0 +1,10 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_unenrolled` action
+ return event.get("action") == "ekm_unenrolled"
+
+
+def alert_context(event):
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_unenrolled.yml b/slack_rules/slack_ekm_unenrolled.yml
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_unenrolled.py
+RuleID: Slack.AuditLogs.EKMUnenrolled
+DisplayName: Slack App Access Expanded
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: Critical
+Description: Detects when a workspace is no longer enrolled or managed by EKM
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Unenrolled
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_unenrolled",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "[email protected]",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }