This repository contains a set of custom helpers designed to facilitate integration between Panther SIEM and Axonius (initially announced in a blog post and presented in a webinar). These custom helpers provide a variety of functions for user and device search operations that can be used to leverage the Axonius API.
Follow the instructions in the following table to set up and use the Axonius custom helpers in Panther:
-
Retrieve the API Key and API Secret from Axonius. In Role, select Viewer.
-
Incorporate the Axonius API into AWS Secrets Manager. Save your Axonius URL, API key, and API secret in AWS Secrets Manager. It should look like this:
{
"url": "https://your-axonius-url.com",
"api_key": "AXONIUS_API_KEY",
"api_secret": "AXONIUS_API_SECRET"
}- Create an AWS role with sufficient permissions to fetch secrets from AWS Secrets Manager.
For example, if the secret was named
Panther/axonius_secrets:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:Region:AccountId:secret:Panther/axonius_secrets"
}
}-
Provide the role ARN to Panther support. Panther will provide two ARN roles: one for the detections engine and one for the Python tests engine.
-
Add the ARNs received from Panther to the trust policy within the role you created in AWS.
-
Incorporate AWS secrets helper into Panther. Open the AWS secrets helper
custom_aws_secrets_helper.pyand enter relevant values for the following :AWS_REGIONAWS_ROLE_ARNAWS_ROLE_SESSION_NAME
-
Add the AWS secrets helper code to your global_helpers folder in Panther.
-
Fetch secrets from AWS Use the get_secret(SECRET_NAME) function in the AWS secrets helper to fetch secrets from AWS.
-
Test that you are able to fetch secrets from AWS by running a Python test in Panther during the creation of a new detection rule.
-
Add Axonius Helpers to your Panther Environment Open
custom_axonius_helpers.pyand enter relevant values for the following:AX_API_SECRET_NAMEAX_ADDITIONAL_HEADERS(this is optional)
-
Add the helper code to the global_helpers folder in your Panther environment.
-
Test that you are able to query Axonius from AWS: Run a Python test in Panther during the creation of a new detection rule.
-
Use Axonius Helper Functions. You can now utilize the functions from
axonius_helperswithin any rule as required.
-
Root/Admin user was used: A user connected via root/admin user to a system. We don’t know which user logged in, but have the public IP. In this case, we can use the
find_ip()function to find the user based on the public IP address. -
Sensitive Action: A user performed a sensitive action or connected to a sensitive resource. In this situation, we can verify if the IP address fits the user in Axonius by using the
find_ip()orfind_username()function. This can help us check if that user has used the given public IP before. -
Data Enrichment: By adding the output of the
find_username()orfind_hostname()functions to the alert context in Panther, we can get more information about the user or device. This can be useful for investigations and incident response.
Here is a list of the custom helper functions and their descriptions:
This function accepts a user's full name or email address as input and runs a user query in Axonius. It returns pertinent information about the user, if found.
This function accepts a device name as input and runs a device query in Axonius. It returns valuable information about the device, if located.
This function accepts an IP address and runs a query in Axonius. It will return important details about the address, if discovered.
This function accepts a cloud instance ID and runs a query in Axonius. It returns critical information about any identified cloud provider machine.
This function accepts an IP address and a username/user email and executes a query in Axonius. It returns True if the user has previously connected with this IP address, and False otherwise.
This function accepts a device name as input and carries out a device query in Axonius. It returns all vulnerabilities associated with this device.
Note This function is only relevant if you are using CrowdStrike and it is connected to your Axonius tenant.
This function takes a CrowdStrike AID and runs a query in Axonius. It returns details about this AID, including device name and user, if found.