Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added get_actor_user method to data model #1343

Merged
merged 1 commit into from
Sep 9, 2024
Merged

added get_actor_user method to data model #1343

merged 1 commit into from
Sep 9, 2024

Conversation

biancafu-panther
Copy link
Contributor

@biancafu-panther biancafu-panther commented Sep 6, 2024
edited
Loading

Background

A customer was receiving alerts from the out-of-the-box (OOTB) detection GCP IAM serviceAccounts getAccessToken Privilege Escalation. The alert message included [GCP]: [<ACTOR_NOT_FOUND>] performed [GenerateAccessToken] on project, which indicated that Panther's data model did not recognize the actor correctly.

Upon investigation, we found that the issue arose because the GCP Audit schema in Panther was only mapping the principalEmail field as the actor_user, while for third-party identity callers, GCP populates the principalSubject field instead of principalEmail. This behavior is confirmed by the GCP documentation.

Changes

  • Added a method get_actor_user to use principalSubject for actor_user field when principalEmail is not present
  • Applied the get_actor_user method to 'username' field since it was also mapping to principalEmail previously
  • Modified alert title of GCP IAM serviceAccounts getAccessToken Privilege Escalation to use the actor_user udm field

Testing

  • make lint, make test
  • added the unit test Principal Subject Used

@biancafu-panther biancafu-panther requested a review from a team as a code owner September 6, 2024 15:32
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 6, 2024

😱
looks like some things could be wrong with the packs

[INFO][root]: ignoring file dependabot.yml

@ben-githubs ben-githubs merged commit dfa4abf into release Sep 9, 2024
6 checks passed
@ben-githubs ben-githubs deleted the bianca-update_gcp_data_model branch September 9, 2024 16:02
@arielkr256 arielkr256 added the bug Something isn't working label Sep 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ben-githubs ben-githubs ben-githubs approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@biancafu-panther @ben-githubs @arielkr256