
Google Workspace - New Login IP detection #550

Closed
wants to merge 14 commits into from

Conversation

josh-panther
Contributor

Background

Google Workspace (Gsuite) detection to alert when a new IP has successfully logged into an account.

NOTE: The rest of the rules are prefixed (and named) Gsuite. Should I conform to that naming convention, even though it's technically outdated?

Changes

  • 1 new detection

Testing

  • 3 unit tests that mock various dynamo conditions

@josh-panther josh-panther requested review from a team November 4, 2022 16:21
maxrichie5
maxrichie5 previously approved these changes Nov 4, 2022
@calkim-panther
Contributor

Also should note that this detection will alert on EVERY login once this is enabled. We may want to add logic to allow the first login to not alert and only alert when ip_history > 1

@calkim-panther
Contributor

Also new IPs can lead to a lot of false positives. Thoughts on utilizing the new IPInfo LUT and alerting based on new ASNs?

@josh-panther
Contributor Author

> Also should note that this detection will alert on EVERY login once this is enabled. We may want to add logic to allow the first login to not alert and only alert when ip_history > 1

I thought about this but wasn't sure how to best solve it. I had an idea for cache priming that involved running a SQL query and putting the results in an array (along with the date the query ran) that would prime the cache and enable the 30-day expiration too, but it introduces a decent amount of complexity.

Your solution of just waiting for 1 entry is a solid compromise! cc @natezpanther

@josh-panther josh-panther marked this pull request as draft November 9, 2022 20:50
@josh-panther
Contributor Author

Marking as a draft (not honestly sure what that does) because I am going to implement some suggestions.

@josh-panther
Contributor Author

> Also new IPs can lead to a lot of false positives. Thoughts on utilizing the new IPInfo LUT and alerting based on new ASNs?

Curious - how would I go about mocking the LUT in a unit test?

@josh-panther josh-panther marked this pull request as ready for review November 9, 2022 21:39
@josh-panther
Contributor Author

Dear lord, I have finally fixed the linter issues (which were actually disguising failed tests, interestingly enough). Fixed those too.

@calkim-panther
Contributor

Just needs the check to test that this isn't the first login to alert to prevent an alert storm
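The thread above describes the detection's pieces without showing them together: a per-account history of login IPs kept in a cache with a 30-day expiration, a first-login check so that enabling the rule does not produce an alert storm, an optional ASN lookup (the IPInfo LUT idea) to cut false positives from IP churn inside one network, and a way to mock the cache in unit tests. The block below is an added example written for this thread; it is not code from this pull request or from panther-analysis. `InMemoryCache`, `rule`, the `asn_lookup` dict and the documentation-range IPs and ASNs are all constructed stand-ins: the cache mirrors the shape a DynamoDB-backed string-set cache would present and doubles as the test mock, and the event fields (`type`, `name`, `actor.email`, `ipAddress`) follow the Google Workspace login audit-log layout.

```python
"""Google Workspace new-login-IP detection with first-login suppression.

Added example for this PR discussion, not panther-analysis code. InMemoryCache,
rule(), login_succeeded() and the ASN lookup dict are assumptions that stand in
for the real cache and lookup table so the rule runs offline.
"""
import time

HISTORY_TTL_SECONDS = 30 * 24 * 60 * 60  # the 30-day expiration discussed in the thread


class InMemoryCache:
    """Stand-in for the cache-backed string set; also serves as the unit-test mock.

    `now` is injectable so tests can drive the TTL clock deterministically.
    """

    def __init__(self, now=time.time):
        self._data = {}  # key -> (set of values, expiry timestamp)
        self._now = now

    def get_string_set(self, key):
        entry = self._data.get(key)
        if entry is None:
            return set()
        values, expires_at = entry
        if self._now() >= expires_at:
            del self._data[key]  # history aged out: the next login is a "first" login again
            return set()
        return set(values)

    def add_to_string_set(self, key, value, ttl=HISTORY_TTL_SECONDS):
        values = self.get_string_set(key)
        values.add(value)
        self._data[key] = (values, self._now() + ttl)  # every write refreshes the TTL
        return values


def login_succeeded(event):
    """Only successful Workspace logins feed the history; failures never learn an IP."""
    return event.get("type") == "login" and event.get("name") == "login_success"


def rule(event, cache, asn_lookup=None):
    """Return True when the login comes from an IP (or ASN) not previously seen for the actor.

    asn_lookup: optional dict of ip -> ASN string (hypothetical stand-in for an IPInfo LUT).
    When given, history is keyed on ASN, so a new address inside a known network is quiet.
    """
    if not login_succeeded(event):
        return False
    actor = event.get("actor", {}).get("email")
    ip = event.get("ipAddress")
    if not actor or not ip:
        return False

    if asn_lookup is not None:
        identity = asn_lookup.get(ip)
        if identity is None:
            return False  # no ASN for this IP: nothing reliable to compare against
        key = f"gsuite.login.asn:{actor}"
    else:
        identity = ip
        key = f"gsuite.login.ip:{actor}"

    history = cache.get_string_set(key)
    cache.add_to_string_set(key, identity)  # learn the value whether or not we alert
    if identity in history:
        return False
    # First-login suppression: an empty history means the rule has never seen this
    # actor, so record the value silently instead of alerting on every account at rollout.
    return len(history) > 0


def make_login(email, ip, name="login_success"):
    """Constructed Workspace-style login event for demonstrations and tests."""
    return {"type": "login", "name": name, "actor": {"email": email}, "ipAddress": ip}


if __name__ == "__main__":
    cache = InMemoryCache()
    for ip in ("192.0.2.10", "192.0.2.10", "198.51.100.7"):
        print(ip, "->", rule(make_login("alice@example.com", ip), cache))
```

Swapping `InMemoryCache` for the production cache only requires the same two methods, which is also what a unit test would mock: the first test below covers the first-login path, the second the TTL expiry, and the third the ASN-keyed variant.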

@arielkr256 arielkr256 closed this Oct 22, 2024