Skip to content
This repository has been archived by the owner on Dec 12, 2023. It is now read-only.

Se teleport rules #10

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Se teleport rules #10

wants to merge 18 commits into from

Conversation

jzandona
Copy link
Contributor

@jzandona jzandona commented Feb 8, 2023
edited
Loading

Background

Initial teleport rules and test cases

Changes

Introduce teleport rules and test cases SDK, introduced legacy_utils to handle cases where deep_get is needed on non PantherEvent objects and pattern_match_filter is used.

Testing

make test, panther_analysis_tool sdk test

jzandona and others added 3 commits February 8, 2023 14:02
@jzandona
Jzandona crowdstrike rules (#8)
259979e 
* crowdstrike rule conversion

* query placeholder

* fix

* fix

* crwdstrike cleanup

* cleanup gsuite detections from branch

* remove file

* Automatically commit format changes

* lint cleanup

* Automatically commit format changes

* initial crowdstrike tests

* initial crowdstrike tests

* initial test cleanup

* fix alert_context

* Automatically commit format changes

* add unit tests

* Automatically commit format changes

* remove non exportables

* Automatically commit format changes

* resolve exportable

* Automatically commit format changes

* fix shared attributes

* Automatically commit format changes

* linting

* revert change

* updated log types

* updated log types schema

* Automatically commit format changes

* refresh

* bumping panther-sdk version

* updated queries to pass test

* Automatically commit format changes

* refresh

---------


Co-authored-by: jzandona <[email protected]>
@jzandona
cleanup tags and _shared
ac1204c
@jzandona
Merge branch 'main' into se-teleport-rules
5ddde6a
@jzandona jzandona marked this pull request as ready for review February 8, 2023 22:59
@jzandona jzandona requested review from a team February 8, 2023 22:59
@darwayne
Copy link

darwayne commented Feb 8, 2023

We recently merged in some changes that should simplify the prefilter interaction in favor of extensions .. see this PR as a reference

Impact on your PR from my understanding is mostly around your pre_filters parameter being changed to extensions

darwayne
darwayne reviewed Feb 15, 2023
View reviewed changes
panther_detections/providers/teleport/__init__.py
from ._shared import *


def use_all_with_defaults() -> List[Union[detection.Rule]]:
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm we shouldn't be returning the rules .. see here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Made that change due to this comment here https://github.com/panther-labs/panther-detections/pull/9#discussion_r1104687951.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interesting, yeah any change we make we should be consistent through out the project. @maxrichie5 what was your vision for this change you recommended? Is there plans to circle back and make other calls consistent?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My vision here was that anything a user calls to create content should be returned to the user (most likely so it can be tested, but I think it is good overall)

We should do this going forward and it would awesome to clean up the stuff that hasn't been changed, but there is no planned work for that

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good FYI: @cdzombak

darwayne
darwayne reviewed Feb 15, 2023
View reviewed changes
Copy link

@darwayne darwayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

other that my comment above I think this looks good

@darwayne darwayne requested a review from cdzombak February 15, 2023 13:45
maxrichie5
maxrichie5 approved these changes Feb 16, 2023
View reviewed changes
Copy link
Contributor

@maxrichie5 maxrichie5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome!!! Thanks for all you do!!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@darwayne darwayne darwayne approved these changes

@maxrichie5 maxrichie5 maxrichie5 approved these changes

@cdzombak cdzombak Awaiting requested review from cdzombak

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jzandona @darwayne @maxrichie5