Threat-315 Wiz Alert Passthrough (#1251)
* THREAT-315 Wiz Alert passthrough * THREAT-315 Wiz Alert passthrough * THREAT-315 Wiz Alert passthrough - fix formatting * THREAT-315 Wiz Alert passthrough - fix formatting * THREAT-315 Wiz Alert passthrough - updated according to comments --------- Co-authored-by: Ariel Ropek <[email protected]>
1 parent
ff7a149
commit 8da5bc9
Showing
3 changed files
with
177 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
AnalysisType: pack | ||
PackID: PantherManaged.Wiz | ||
Description: Group of all Wiz detections | ||
DisplayName: "Panther Wiz Pack" | ||
PackDefinition: | ||
IDs: | ||
- Wiz.Alert.Passthrough |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
from panther_base_helpers import deep_get | ||
|
||
|
||
def rule(event): | ||
return event.get("status") == "OPEN" | ||
|
||
|
||
def title(event): | ||
return ( | ||
f"[Wiz Alert]: " | ||
f"{event.deep_get('sourceRule', 'name', default='ALERT_DESCRIPTION_NOT_FOUND')}" | ||
) | ||
|
||
|
||
def severity(event): | ||
return event.get("severity") | ||
|
||
|
||
def dedup(event): | ||
return event.get("id") | ||
|
||
|
||
def description(event): | ||
return event.deep_get("sourceRule", "controlDescription", default="<DESCRIPTION_NOT_FOUND>") | ||
|
||
|
||
def runbook(event): | ||
return event.deep_get( | ||
"sourceRule", "resolutionRecommendation", default="<RECOMMENDATION_NOT_FOUND>" | ||
) | ||
|
||
|
||
def alert_context(event): | ||
security_subcategories = event.deep_get("sourceRule", "securitySubCategories", default=[{}]) | ||
return { | ||
"id": event.get("id", "<ID_NOT_FOUND>"), | ||
"type": event.get("type", "<TYPE_NOT_FOUND>"), | ||
"entity_snapshot": event.get("entitySnapshot", {}), | ||
"mitre_attack_categories": [ | ||
subcategory | ||
for subcategory in security_subcategories | ||
if deep_get(subcategory, "category", "framework", "name") == "MITRE ATT&CK Matrix" | ||
], | ||
} |
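Review bot: `severity()` passes the raw Wiz `severity` string through, so an issue with the field missing returns `None` and a value outside Panther's accepted set (Wiz issues can carry `INFORMATIONAL`, where Panther expects `INFO`) is not a usable override; normalise the value and return `DEFAULT` for anything unrecognised so the rule's YAML `Severity: Medium` applies instead. The `default=[{}]` on `securitySubCategories` in `alert_context` only covers the missing-key case; if Wiz sends the key with an explicit `null`, whether `deep_get` substitutes the default depends on the helper's treatment of `None`, so iterating over `(security_subcategories or [])` is a cheaper guarantee than relying on it. The rewrite below keeps `severity(event)`'s signature and adds the two module-level lookup tables it needs.
```python
# Wiz severities that are not valid Panther severity strings are remapped;
# anything unrecognised falls back to the rule's static Severity via "DEFAULT".
_WIZ_TO_PANTHER_SEVERITY = {"INFORMATIONAL": "INFO"}
_PANTHER_SEVERITIES = {"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}


def severity(event):
    wiz_severity = str(event.get("severity") or "").upper()
    wiz_severity = _WIZ_TO_PANTHER_SEVERITY.get(wiz_severity, wiz_severity)
    return wiz_severity if wiz_severity in _PANTHER_SEVERITIES else "DEFAULT"

# … unchanged: rule, title, dedup, description, runbook, alert_context …
```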
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,126 @@ | ||
AnalysisType: rule | ||
RuleID: Wiz.Alert.Passthrough | ||
Description: This rule enriches and contextualizes security alerts generated by Wiz. | ||
DisplayName: Wiz Alert Passthrough Rule | ||
Runbook: Review the Wiz alert details to determine what malicious behavior was detected, and whether or not it was blocked. | ||
Reference: https://www.wiz.io/product | ||
Enabled: true | ||
Filename: wiz_alert_passthrough.py | ||
Severity: Medium | ||
LogTypes: | ||
- Wiz.Issues | ||
DedupPeriodMinutes: 60 | ||
Threshold: 1 | ||
Tests: | ||
- Name: Open Alert | ||
ExpectedResult: true | ||
Log: | ||
{ | ||
"createdAt": "2024-06-04 02:28:06.763277000", | ||
"entitySnapshot": { | ||
"cloudProviderURL": "", | ||
"externalId": "someExternalId", | ||
"id": "12345", | ||
"name": "someName", | ||
"nativeType": "", | ||
"providerId": "someProviderId", | ||
"region": "", | ||
"resourceGroupExternalId": "", | ||
"subscriptionExternalId": "", | ||
"subscriptionName": "", | ||
"tags": { }, | ||
"type": "DATA_FINDING" | ||
}, | ||
"id": "54321", | ||
"notes": [ ], | ||
"projects": [ | ||
{ | ||
"businessUnit": "", | ||
"id": "45678", | ||
"name": "Project 2", | ||
"riskProfile": { | ||
"businessImpact": "MBI" | ||
}, | ||
"slug": "project-2" | ||
}, | ||
], | ||
"serviceTickets": [ ], | ||
"severity": "HIGH", | ||
"sourceRule": { | ||
"__typename": "Control", | ||
"controlDescription": "Alert Description", | ||
"id": "12345", | ||
"name": "Alert Name", | ||
"resolutionRecommendation": "Alert Resolution Recommendation", | ||
"securitySubCategories": [ | ||
{ | ||
"category": { | ||
"framework": { | ||
"name": "Wiz for Risk Assessment" | ||
}, | ||
"name": "High Profile Threats" | ||
}, | ||
"title": "High-profile vulnerability exploited in the wild" | ||
}, | ||
{ | ||
"category": { | ||
"framework": { | ||
"name": "MITRE ATT&CK Matrix" | ||
}, | ||
"name": "TA0001 Initial Access" | ||
}, | ||
"title": "T1190 Exploit Public-Facing Application" | ||
}, | ||
] | ||
}, | ||
"status": "OPEN", | ||
"statusChangedAt": "2024-06-04 02:28:06.597355000", | ||
"type": "TOXIC_COMBINATION", | ||
"updatedAt": "2024-06-04 02:28:06.763277000" | ||
} | ||
- Name: Resolved Alert | ||
ExpectedResult: false | ||
Log: | ||
{ | ||
"createdAt": "2024-06-04 02:28:06.763277000", | ||
"entitySnapshot": { | ||
"cloudProviderURL": "", | ||
"externalId": "someExternalId", | ||
"id": "12345", | ||
"name": "someName", | ||
"nativeType": "", | ||
"providerId": "someProviderId", | ||
"region": "", | ||
"resourceGroupExternalId": "", | ||
"subscriptionExternalId": "", | ||
"subscriptionName": "", | ||
"tags": { }, | ||
"type": "DATA_FINDING" | ||
}, | ||
"id": "54321", | ||
"notes": [ ], | ||
"projects": [ | ||
{ | ||
"businessUnit": "", | ||
"id": "45678", | ||
"name": "Project 2", | ||
"riskProfile": { | ||
"businessImpact": "MBI" | ||
}, | ||
"slug": "project-2" | ||
}, | ||
], | ||
"serviceTickets": [ ], | ||
"severity": "HIGH", | ||
"sourceRule": { | ||
"__typename": "Control", | ||
"controlDescription": "Alert Description", | ||
"id": "12345", | ||
"name": "Alert Name", | ||
"resolutionRecommendation": "Alert Resolution Recommendation" | ||
}, | ||
"status": "RESOLVED", | ||
"statusChangedAt": "2024-06-04 02:28:06.597355000", | ||
"type": "TOXIC_COMBINATION", | ||
"updatedAt": "2024-06-04 02:28:06.763277000" | ||
} |
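Review bot: The only matching test ("Open Alert") supplies every field the Python functions read, so the `default=` branches in `title`, `description`, `runbook` and `alert_context`, and the severity override path, are never exercised; the "Resolved Alert" case lacks `securitySubCategories` but does not match, so its auxiliary functions are presumably not evaluated. Add an OPEN test log with `sourceRule` absent (or `securitySubCategories` set to `null`) and, if Wiz emits it, one with `"severity": "INFORMATIONAL"`, so the fallback strings and the severity mapping are pinned by the test suite. The `Runbook` text is generic; pointing the analyst at `sourceRule.resolutionRecommendation`, which the Python `runbook()` already surfaces in the alert, would make the static runbook consistent with the dynamic one.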