Handle outside td #3

Merged
merged 8 commits into from
Jun 24, 2020
36 changes: 27 additions & 9 deletions Packs/Code42/Integrations/Code42/Code42.py
Expand Up @@ -338,10 +338,20 @@ def _create_category_filter(file_type):
class ObservationToSecurityQueryMapper(object):
"""Class to simplify the process of mapping observation data to query objects."""

# Exfiltration consts
_ENDPOINT_TYPE = "FedEndpointExfiltration"
_CLOUD_TYPE = "FedCloudSharePermissions"

# Query consts
_PUBLIC_SEARCHABLE = "PublicSearchableShare"
_PUBLIC_LINK = "PublicLinkShare"
_OUTSIDE_TRUSTED_DOMAINS = "SharedOutsideTrustedDomain"

exposure_type_map = {
"PublicSearchableShare": ExposureType.IS_PUBLIC,
"PublicLinkShare": ExposureType.SHARED_VIA_LINK,
"SharedOutsideTrustedDomain": "OutsideTrustedDomains"
}

def __init__(self, observation, actor):
self._obs = observation
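Review bot: the third entry in exposure_type_map maps "SharedOutsideTrustedDomain" to the bare string "OutsideTrustedDomains" while the two entries above it map to ExposureType constants (ExposureType.IS_PUBLIC, ExposureType.SHARED_VIA_LINK). If ExposureType exposes a constant for this value it should be used here too, so a typo in the string cannot silently produce a filter that matches nothing; if it does not, a one-line comment saying why the raw string is required would spare the next reader a trip to the SDK. This map is now the only place where the exposure strings arriving from the alert are tied to the query vocabulary, so a short comment naming where each key string comes from would also help.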
Expand Down Expand Up @@ -390,19 +400,26 @@ def _create_search_args(self):

return filters

@logger
def _create_exposure_filters(self, exposure_types):
"""Determine exposure types based on alert type"""

exp_types = []
if self._is_cloud_exfiltration:
exp_types = []
if self._PUBLIC_SEARCHABLE in exposure_types:
exp_types.append(ExposureType.IS_PUBLIC)
if self._PUBLIC_LINK in exposure_types:
exp_types.append(ExposureType.SHARED_VIA_LINK)
return [ExposureType.is_in(exp_types)]
for t in exposure_types:
exp_type = self.exposure_type_map.get(t)
if exp_type:
exp_types.append(exp_type)
else:
LOG("Received unsupported exposure type {0}.".format(t))
if exp_types:
return [ExposureType.is_in(exp_types)]

@alanag13 alanag13 Jun 23, 2020

If `exp_types` is empty due to it being unsupported, this will result in an FFS query of all events in the given time frame. If we returned [ExposureType.not_in(exp_types)], this would actually return the result set for the events they were looking for (unless we have two or more types of unsupported events, in which case it would be a mix between those two).

Author

I don't understand.

Author

@antazoey antazoey Jun 24, 2020


Why would we return [ExposureType.not_in(exp_types)] if exp_types is empty?


If we find an alert that was triggered by an unsupported type, doing not_in(list_of_supported_types) would return only the not supported ones.

else:
# If not given a support exposure type, search for all unsupported exposure types
supported_exp_types = list(self.exposure_type_map.values())
return [ExposureType.not_in(supported_exp_types)]
elif self._is_endpoint_exfiltration:
return [
EventType.is_in(["CREATED", "MODIFIED", "READ_BY_APP"]),
EventType.is_in([EventType.CREATED, EventType.MODIFIED, EventType.READ_BY_APP]),
ExposureType.is_in(exposure_types),
]
return []
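Review bot: the mixed case in _create_exposure_filters is handled silently. When exposure_types holds one supported and one unsupported value, the unsupported one is only written to LOG and the returned filter is is_in of the supported subset, so events for the unsupported type are dropped from the fetch with nothing in the filters to show it; the else branch (not_in of every supported type) only runs when nothing mapped at all. The docstring still reads "Determine exposure types based on alert type" and does not mention the unsupported fallback, so please describe both outcomes there, and give the LOG call enough context (which observation the unsupported type came from) to trace a narrowed query back to its alert. A test covering the mixed case would pin the intended behaviour down; the switch from string literals to EventType.CREATED / MODIFIED / READ_BY_APP in the endpoint branch looks right.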
Expand All @@ -411,7 +428,8 @@ def _create_file_category_filters(self):
"""Determine if file categorization is significant"""
observed_file_categories = self._observation_data["fileCategories"]
categories = [c["category"].upper() for c in observed_file_categories if c["isSignificant"]]
return FileCategory.is_in(categories)
if categories:
Author

Another missed bug that was messing up fetch (this one was my fault though)

return FileCategory.is_in(categories)


def map_observation_to_security_query(observation, actor):
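Review bot: with the new `if categories:` guard, _create_file_category_filters returns None implicitly when no observed category has isSignificant set, while its docstring still promises a filter. The caller assembling the filter list has to skip that None before it reaches the query builder; an explicit `return None` (or a documented empty return) and a docstring line stating the condition would make that contract visible. Given the fetch bug mentioned in the thread, a test where every entry in fileCategories has isSignificant false would guard the fix.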