From 5880ea0c751609604084b7728fcf88417ef8960a Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 6 Feb 2024 17:44:18 +0200
Subject: [PATCH 1/2] BugFix - GCP serviceusage.apiKeys.create Privilege
 Escalation (#66)

* Checking log keypath existence when using Expressions

* BugFix - GCP serviceusage.apiKeys.create Privilege Escalation
---
 ...ge_apikeys_create_privilege_escalation.yml | 59 ++++++++++++++++---
 1 file changed, 50 insertions(+), 9 deletions(-)

diff --git a/rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml b/rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml
index e10c86119..5ffdff704 100644
--- a/rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml
+++ b/rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml
@@ -18,15 +18,12 @@ Reports:
         - TA0004:T1548  # Abuse Elevation Control Mechanism
 Severity: High
 Detection:
-    - KeyPath: protoPayload.authorizationInfo
-      Condition: AnyElement
-      Expressions:
-        - Key: granted
-          Condition: Equals
-          Value: true
-        - Key: permission
-          Condition: Equals
-          Value: serviceusage.apiKeys.create
+    - KeyPath: protoPayload.authorizationInfo[*].granted
+      Condition: Contains
+      Value: true
+    - KeyPath: protoPayload.authorizationInfo[*].permission
+      Condition: Contains
+      Value: serviceusage.apiKeys.create
     - KeyPath: protoPayload.methodName
       Condition: EndsWith
       Value: ApiKeys.CreateKey
@@ -173,4 +170,48 @@ Tests:
         },
         "severity": "NOTICE",
         "timestamp": "2024-01-25 13:28:18.961519813"
+      }
+  - Name: Log Without authorizationInfo
+    ExpectedResult: false
+    Log:
+      {
+        "logName": "projects/some-project/logs/cloudaudit.googleapis.com%2Factivity",
+        "operation": {
+          "id": "operations/akmf.p7-1028347275902-fe0c0688-44a7-4dca-bc06-8456068e5673",
+          "last": true,
+          "producer": "apikeys.googleapis.com"
+        },
+        "protoPayload": {
+          "at_sign_type": "type.googleapis.com/google.cloud.audit.AuditLog",
+          "authenticationInfo": {
+            "principalEmail": "some.user@some-project.com",
+            "principalSubject": "serviceAccount:some-team@some-project.com",
+            "serviceAccountKeyName": "//iam.googleapis.com/projects/some-project/serviceAccounts/some-team@some-project.gserviceaccount.com/keys/dc5344c246064589v76ec76f66bafc92b093ed41"
+          },
+          "methodName": "google.api.apikeys.v2.ApiKeys.CreateKey",
+          "request": {
+            "@type": "type.googleapis.com/google.api.apikeys.v2.CreateKeyRequest",
+            "parent": "projects/some-project/locations/global"
+          },
+          "requestMetadata": {
+            "callerIP": "189.163.74.177",
+            "callerSuppliedUserAgent": "(gzip),gzip(gfe)",
+            "destinationAttributes": { },
+            "requestAttributes": { }
+          },
+          "resourceName": "projects/1028347245602",
+          "response": {
+            "@type": "type.googleapis.com/google.api.apikeys.v2.Key",
+            "createTime": "1970-01-01T00:00:00Z",
+            "etag": "W/\"DSLGu9UKHwqq2ICm7YPE7g==\"",
+            "name": "projects/1028347245602/locations/global/keys/bf67db25-d748-4335-ae08-7f0e65fnfy02",
+            "updateTime": "1970-01-01T00:00:00Z"
+          },
+          "serviceName": "apikeys.googleapis.com",
+          "status": { }
+        },
+        "receiveTimestamp": "2024-01-25 13:28:18.961519813",
+        "resource": { },
+        "severity": "NOTICE",
+        "timestamp": "2024-01-25 13:28:18.961519813"
       }
\ No newline at end of file

From ec1a5ffa00631b677c7cb70fb48d1509a297998d Mon Sep 17 00:00:00 2001
From: egibs <keybase@egibs.xyz>
Date: Wed, 7 Feb 2024 15:17:47 -0600
Subject: [PATCH 2/2] Appease the linter

---
 rules/okta_rules/okta_potentially_stolen_session.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/okta_rules/okta_potentially_stolen_session.py b/rules/okta_rules/okta_potentially_stolen_session.py
index bd8df773a..7964344ef 100644
--- a/rules/okta_rules/okta_potentially_stolen_session.py
+++ b/rules/okta_rules/okta_potentially_stolen_session.py
@@ -19,7 +19,8 @@ def rule(event):
 
     session_id = deep_get(event, "authenticationContext", "externalSessionId", default="unknown")
 
-    # Some events by Okta admins may appear to have changed IPs and user agents due to internal Okta behavior:
+    # Some events by Okta admins may appear to have changed IPs
+    # and user agents due to internal Okta behavior:
     # https://support.okta.com/help/s/article/okta-integrations-showing-as-rawuseragent-with-okta-ips
     # As such, we ignore certain client ids known to originate from Okta:
     # https://developer.okta.com/docs/api/openapi/okta-myaccount/myaccount/tag/OktaApplications/