diff --git a/slack_rules/slack_ekm_config_changed.py b/slack_rules/slack_ekm_config_changed.py
new file mode 100644
index 000000000..996f245b3
--- /dev/null
+++ b/slack_rules/slack_ekm_config_changed.py
@@ -0,0 +1,11 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_logging_config_set` action
+ return event.get("action") == "ekm_logging_config_set"
+
+
+def alert_context(event):
+ # TODO: Add details to the context
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_config_changed.yml b/slack_rules/slack_ekm_config_changed.yml
new file mode 100644
index 000000000..e230bdf4c
--- /dev/null
+++ b/slack_rules/slack_ekm_config_changed.yml
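Review bot: `alert_context` ships with `# TODO: Add details to the context` while returning only the generic `slack_alert_context(event)`, and the two sibling EKM rules in this commit carry no such TODO, so this one reads as unfinished. Either resolve it before merge or state what is pending, e.g. `# NOTE: shared Slack context only; extend with the new logging settings if the EKM audit event exposes them` — the positive test event in this commit shows no field carrying those settings, so what detail is actually available is not visible here. The comment on `rule` only restates the string compare; a one-line docstring such as `"""Match Slack audit events where the EKM logging configuration was set."""` would document intent instead.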
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_config_changed.py
+RuleID: Slack.AuditLogs.EKMConfigChanged
+DisplayName: Slack EKM Config Changed
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: High
+Description: Detects when the logging settings for a workspace's EKM configuration has changed
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Config Changed
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_logging_config_set",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.py b/slack_rules/slack_ekm_slackbot_unenrolled.py
new file mode 100644
index 000000000..71459da86
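Review bot: The `Description` line reads "the logging settings ... has changed"; the subject is plural, so it should be `Description: Detects when the logging settings for a workspace's EKM configuration have changed`. The positive test event carries no `date_create`, `entity` or `id` fields while the negative test does; the rule only reads `action`, so the test still passes, but a positive fixture shaped like a real audit record would also exercise whatever `slack_alert_context` pulls out of the event. The `Reference` points at the general audit-logs page; if Slack documents the EKM actions on a dedicated page, linking that would help a responder interpret the alert.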
--- /dev/null
+++ b/slack_rules/slack_ekm_slackbot_unenrolled.py
@@ -0,0 +1,10 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_slackbot_unenroll_notification_sent` action
+ return event.get("action") == "ekm_slackbot_unenroll_notification_sent"
+
+
+def alert_context(event):
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_slackbot_unenrolled.yml b/slack_rules/slack_ekm_slackbot_unenrolled.yml
new file mode 100644
index 000000000..b70a7e0f6
--- /dev/null
+++ b/slack_rules/slack_ekm_slackbot_unenrolled.yml
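Review bot: The only comment in `rule` restates the string comparison and does not say what the matched action means; the action name `ekm_slackbot_unenroll_notification_sent` describes a notification being sent rather than the unenrollment itself, which the sibling `ekm_unenrolled` rule in this commit matches. A docstring should make that distinction explicit so a responder does not read this as the primary unenrollment signal, e.g. `"""Alert when Slackbot sends an EKM unenrollment notification; the unenrollment event itself is covered by Slack.AuditLogs.EKMUnenrolled."""` — the exact relationship between the two actions is not visible from the fixtures here, so confirm it against Slack's audit-log documentation before wording it that way.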
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_slackbot_unenrolled.py
+RuleID: Slack.AuditLogs.EKMSlackbotUnenrolled
+DisplayName: Slack EKM Slackbot Unenrolled
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: High
+Description: Detects when a workspace is longer enrolled in EKM
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Slackbot Unenrolled
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_slackbot_unenroll_notification_sent",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }
diff --git a/slack_rules/slack_ekm_unenrolled.py b/slack_rules/slack_ekm_unenrolled.py
new file mode 100644
index 000000000..7b5d8e1a4
--- /dev/null
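Review bot: The `Description` is missing a word — "is longer enrolled" should be "is no longer enrolled" — and as written it claims the same thing as the `Slack.AuditLogs.EKMUnenrolled` rule added in this commit, even though this rule matches `ekm_slackbot_unenroll_notification_sent` rather than `ekm_unenrolled`. If one unenrollment produces both audit actions, the two rules will raise a High and a Critical alert for the same event; describe the notification explicitly so triage can tell them apart, e.g. `Description: Detects when Slackbot sends a notification that a workspace has been unenrolled from EKM`. Whether both actions are emitted together is not determinable from the fixtures here, so verify against Slack's audit-log documentation.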
+++ b/slack_rules/slack_ekm_unenrolled.py
@@ -0,0 +1,10 @@
+from panther_base_helpers import slack_alert_context
+
+
+def rule(event):
+ # Only alert on the `ekm_unenrolled` action
+ return event.get("action") == "ekm_unenrolled"
+
+
+def alert_context(event):
+ return slack_alert_context(event)
diff --git a/slack_rules/slack_ekm_unenrolled.yml b/slack_rules/slack_ekm_unenrolled.yml
new file mode 100644
index 000000000..5067e6a53
--- /dev/null
+++ b/slack_rules/slack_ekm_unenrolled.yml
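Review bot: Neither `rule` nor `alert_context` has a docstring, and the single comment only repeats the compared string; for a rule that the accompanying YAML marks Critical, the responder-facing intent should be stated in the code itself. Something like `"""Alert when a Slack workspace is unenrolled from Enterprise Key Management (EKM)."""` on `rule` is enough; if the team's understanding is that unenrollment removes customer-managed-key protection from workspace data, say so there too, but that consequence is not shown by anything in this commit, so phrase it as the reason the rule exists rather than as a statement about Slack's behavior. `alert_context` delegating entirely to `slack_alert_context` is fine, but a one-line docstring noting that the context is the shared Slack helper's output would save the next reader a lookup.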
@@ -0,0 +1,81 @@
+AnalysisType: rule
+Filename: slack_ekm_unenrolled.py
+RuleID: Slack.AuditLogs.EKMUnenrolled
+DisplayName: Slack App Access Expanded
+Enabled: true
+LogTypes:
+ - Slack.AuditLogs
+Tags:
+ - Slack
+Severity: Critical
+Description: Detects when a workspace is no longer enrolled or managed by EKM
+Reference: https://api.slack.com/admins/audit-logs
+DedupPeriodMinutes: 60
+Threshold: 1
+SummaryAttributes:
+ - p_any_ip_addresses
+ - p_any_emails
+Tests:
+ -
+ Name: EKM Unenrolled
+ ExpectedResult: true
+ Log:
+ {
+ "action": "ekm_unenrolled",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "A012B3CDEFG",
+ "name": "username",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace",
+ "id": "T01234N56GB",
+ "name": "test-workspace",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ }
+ }
+ -
+ Name: User Logout
+ ExpectedResult: false
+ Log:
+ {
+ "action": "user_logout",
+ "actor": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "context": {
+ "ip_address": "1.2.3.4",
+ "location": {
+ "domain": "test-workspace-1",
+ "id": "T01234N56GB",
+ "name": "test-workspace-1",
+ "type": "workspace"
+ },
+ "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
+ },
+ "date_create": "2022-07-28 15:22:32",
+ "entity": {
+ "type": "user",
+ "user": {
+ "email": "user@example.com",
+ "id": "W012J3FEWAU",
+ "name": "primary-owner",
+ "team": "T01234N56GB"
+ }
+ },
+ "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789"
+ }
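Review bot: `DisplayName: Slack App Access Expanded` does not match this rule — the `RuleID` is `Slack.AuditLogs.EKMUnenrolled`, the `Description` is about EKM unenrollment, and the matched action is `ekm_unenrolled` — so it looks copied from another rule, and a Critical alert would surface under a title that describes an unrelated event. Change it to `DisplayName: Slack EKM Unenrolled` to match the naming of the two sibling rules in this commit. As with the other positive fixtures here, the `ekm_unenrolled` test event omits the `date_create`, `entity` and `id` fields present in the negative case; the rule only reads `action`, so this is a fixture-realism point rather than a failing test.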