THREAT-445 Stratus-GCP-Exfiltration - updated

panther-labs · Mar 7, 2025 · 7dd5b42 · 7dd5b42
1 parent 1cbfc38
commit 7dd5b42
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 9 deletions.
diff --git a/rules/gcp_audit_rules/gcp_iam_corp_email.py b/rules/gcp_audit_rules/gcp_iam_corp_email.py
@@ -1,7 +1,5 @@
 from panther_base_helpers import deep_get
 
-EXPECTED_DOMAIN = "@your-domain.tld"
-
 
 def rule(event):
     if event.deep_get("protoPayload", "methodName") != "SetIamPolicy":
@@ -11,15 +9,19 @@ def rule(event):
     if not service_data:
         return False
 
-    # Reference: bit.ly/2WsJdZS
+    authenticated = event.deep_get(
+        "protoPayload", "authenticationInfo", "principalEmail", default=""
+    )
+    expected_domain = authenticated.split("@")[-1]
+
     binding_deltas = deep_get(service_data, "policyDelta", "bindingDeltas")
     if not binding_deltas:
         return False
 
     for delta in binding_deltas:
         if delta.get("action") != "ADD":
             continue
-        if delta.get("member", "").endswith(EXPECTED_DOMAIN):
+        if delta.get("member", "").endswith(f"@{expected_domain}"):
             return False
     return True
 

diff --git a/rules/gcp_audit_rules/gcp_iam_corp_email.yml b/rules/gcp_audit_rules/gcp_iam_corp_email.yml
@@ -247,7 +247,7 @@ Tests:
                         {
                           "action": "ADD",
                           "role": "roles/viewer",
-                          "member": "user:username@your-domain.tld",
+                          "member": "user:username@runpanther.com",
                         },
                       ],
                   },

diff --git a/rules/gcp_audit_rules/gcp_invite_external_user_as_owner.py b/rules/gcp_audit_rules/gcp_invite_external_user_as_owner.py
@@ -1,7 +1,5 @@
 from panther_gcp_helpers import gcp_alert_context
 
-EXPECTED_DOMAIN = "@your-domain.tld"
-
 
 def rule(event):
     if event.deep_get("protoPayload", "response", "error"):
@@ -11,8 +9,13 @@ def rule(event):
     if method != "InsertProjectOwnershipInvite":
         return False
 
+    authenticated = event.deep_get(
+        "protoPayload", "authenticationInfo", "principalEmail", default=""
+    )
+    expected_domain = authenticated.split("@")[-1]
+
     if event.deep_get("protoPayload", "request", "member", default="MEMBER_NOT_FOUND").endswith(
-        EXPECTED_DOMAIN
+        f"@{expected_domain}"
     ):
         return False
 

diff --git a/rules/gcp_audit_rules/gcp_invite_external_user_as_owner.yml b/rules/gcp_audit_rules/gcp_invite_external_user_as_owner.yml
@@ -24,6 +24,9 @@ Tests:
           "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
           "methodName": "InsertProjectOwnershipInvite",
           "resourceName": "projects/target-project",
+          "authenticationInfo": {
+            "principalEmail": "[email protected]"
+          },
           "request": {
             "member": "user:[email protected]",
             "projectId": "target-project",
@@ -54,8 +57,11 @@ Tests:
           "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
           "methodName": "InsertProjectOwnershipInvite",
           "resourceName": "projects/target-project",
+          "authenticationInfo": {
+            "principalEmail": "[email protected]"
+          },
           "request": {
-            "member": "user:internal-user@your-domain.tld",
+            "member": "user:internal-user@runpanther.com",
             "projectId": "target-project",
             "@type": "type.googleapis.com/google.internal.cloud.resourcemanager.InsertProjectOwnershipInviteRequest"
           },

diff --git a/rules/gcp_audit_rules/gcp_snapshot_insert.yml b/rules/gcp_audit_rules/gcp_snapshot_insert.yml
@@ -7,6 +7,8 @@ RuleID: "GCP.Compute.Snapshot.UnexpectedDomain"
 Severity: Medium
 LogTypes:
   - GCP.AuditLog
+Tags:
+  - Configuration Required
 Description: >
   This rule detects when someone with an unexpected email domain creates a snapshot of a Compute Disk.
 Runbook: >