Slack.AuditLogs.ApplicationDoS -> threshold rule

rules/slack_rules/slack_application_dos.py

@@ -1,8 +1,4 @@
-from datetime import timedelta
-from json import dumps
-
 from panther_base_helpers import deep_get, slack_alert_context
-from panther_detection_helpers.caching import get_string_set, put_string_set
 
 DENIAL_OF_SERVICE_ACTIONS = [
     "bulk_session_reset_by_admin",
@@ -16,40 +12,12 @@ def rule(event):
     if event.get("action") not in DENIAL_OF_SERVICE_ACTIONS:
         return False
 
-    # Generate a unique cache key for each user
-    user_key = gen_key(event)
-
-    # Retrieve prior entries from the cache, if any
-    last_reset = get_string_set(user_key)
-
-    # Store the reset info for future use
-    store_reset_info(user_key, event)
-
-    # If this is the first reset for the user, don't alert
-    if not last_reset:
-        return False
-
     return True
 
 
-def alert_context(event):
-    return slack_alert_context(event)
-
-
-def gen_key(event):
+def dedup(event):
     return f"Slack.AuditLogs.ApplicationDoS{deep_get(event, 'entity', 'user', 'name')}"
 
 
-def store_reset_info(key, event):
-    # Map the user to the most recent reset
-    put_string_set(
-        key,
-        [
-            dumps(
-                {
-                    "time": event.get("p_event_time"),
-                }
-            )
-        ],
-        epoch_seconds=event.event_time_epoch() + timedelta(days=1).total_seconds(),
-    )
+def alert_context(event):
+    return slack_alert_context(event)

rules/slack_rules/slack_application_dos.yml

@@ -14,22 +14,17 @@ Reports:
   MITRE ATT&CK:
     - TA0040:T1499.003
 Severity: Critical
-Description: Detects when slack admin invalidates user session(s) more than once in a 24 hour period which can lead to DoS
+Description: Detects when slack admin invalidates user session(s). If it happens more than once in a 24 hour period it can lead to DoS
 Reference: https://slack.com/intl/en-gb/help/articles/115005223763-Manage-session-duration-#pro-and-business+-subscriptions-2
-DedupPeriodMinutes: 60
+DedupPeriodMinutes: 1440
 Threshold: 60
 SummaryAttributes:
   - action
   - p_any_ip_addresses
   - p_any_emails
 Tests:
-  - Name: User Session Reset - First time
-    ExpectedResult: false
-    Mocks:
-      - objectName: get_string_set
-        returnValue: ""
-      - objectName: put_string_set
-        returnValue: ""
+  - Name: User Session Reset
+    ExpectedResult: true
     Log:
       {
         "action": "user_session_reset_by_admin",
@@ -57,24 +52,19 @@ Tests:
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
           },
       }
-  - Name: User Session Reset - Multiple Times
-    ExpectedResult: true
-    Mocks:
-      - objectName: get_string_set
-        returnValue: '{"time":"2021-06-08 22:24:43"}'
-      - objectName: put_string_set
-        returnValue: ""
+  - Name: Other action
+    ExpectedResult: false
     Log:
       {
-        "action": "user_session_reset_by_admin",
+        "action": "organization_created",
         "actor":
           {
             "type": "user",
             "user":
               {
                 "email": "user@example.com",
-                "id": "W012J3FEWAU",
-                "name": "primary-owner",
+                "id": "A012B3CDEFG",
+                "name": "username",
                 "team": "T01234N56GB",
               },
           },
@@ -83,9 +73,9 @@ Tests:
             "ip_address": "1.2.3.4",
             "location":
               {
-                "domain": "test-workspace-1",
+                "domain": "test-workspace",
                 "id": "T01234N56GB",
-                "name": "test-workspace-1",
+                "name": "test-workspace",
                 "type": "workspace",
               },
             "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",