Alert when the Session Invalidation application is used to terminate …

…a user's sessions (#1646) * First pass through writing an alert to fire when the session invalidation tool is used * Don't fire session_invalidation alert when no terminations took place * Add information about the actor who instigated terminations to alert details * Working on test for AlertSessionInvalidation * Add a blank line before class definition to satisfy linter * Fixed session_invalidation alert
mozilla · Jun 29, 2020 · 5af28d8 · 5af28d8
1 parent 49973b5
commit 5af28d8
Show file tree

Hide file tree

Showing 2 changed files with 157 additions and 0 deletions.
diff --git a/alerts/session_invalidation.py b/alerts/session_invalidation.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+# Copyright (c) 2017 Mozilla Corporation
+
+from lib.alerttask import AlertTask
+from mozdef_util.query_models import SearchQuery, TermMatch
+
+
+class AlertSessionInvalidation(AlertTask):
+    '''An alert that fires whenever the Session Invalidation application
+    is invoked to terminate a user's sessions.
+
+    See https://github.com/mozilla/session-invalidation/
+    '''
+
+    def main(self):
+        query = SearchQuery(minutes=15)
+
+        # Search for events from the session invalidation app wherein
+        # an authenticated user terminated a user's sessions.
+        query.add_must([
+            TermMatch('category', 'sessioninvalidation'),
+        ])
+
+        self.filtersManual(query)
+        self.searchEventsAggregated('details.actor', samplesLimit=1000)
+        self.walkAggregations(threshold=1, config=None)
+
+    def onAggregation(self, agg):
+        category = 'sessioninvalidation'
+        tags = ['sessioninvalidation']
+        severity = 'WARNING'
+
+        actor = agg['value']
+        events = agg['events']
+
+        terminations = [
+            {
+                'invalidateduser': event['details']['invalidateduser'],
+                'invalidatedsessions': event['details']['invalidatedsessions'],
+            }
+            for event in [evt['_source'] for evt in events]
+            if event.get('details', {}).get('invalidateduser') is not None
+        ]
+
+        if len(terminations) == 0:
+            return None
+
+        affected_users = [
+            t['invalidateduser']
+            for t in terminations
+        ]
+
+        summary = '{0} terminated sessions for user(s) {1}'.format(
+            actor,
+            ', '.join(affected_users),
+        )
+
+        alert = self.createAlertDict(
+            summary,
+            category,
+            tags,
+            events,
+            severity=severity,
+        )
+
+        details = alert.get('details', {})
+
+        details.update({
+            'actor': actor,
+            'username': actor,
+            'terminations': terminations,
+        })
+
+        alert['details'] = details
+
+        return alert
diff --git a/tests/alerts/test_session_invalidation.py b/tests/alerts/test_session_invalidation.py
@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+# Copyright (c) 2017 Mozilla Corporation
+
+from tests.alerts.alert_test_suite import AlertTestSuite
+from tests.alerts.negative_alert_test_case import NegativeAlertTestCase
+from tests.alerts.positive_alert_test_case import PositiveAlertTestCase
+
+
+class TestAlertSessionInvalidation(AlertTestSuite):
+    alert_filename = 'session_invalidation'
+
+    default_event = {
+        '_source': {
+            'category': 'sessioninvalidation',
+            'details': {
+                'actor': 'actor@mozilla.com',
+                'invalidateduser': 'test@mozilla.com',
+                'invalidatedsessions': [
+                    'sso',
+                    'slack',
+                    'gsuite',
+                ],
+            },
+        },
+    }
+
+    no_invalidation_event = {
+        '_source': {
+            'category': 'sessioninvalidation',
+            'details': {
+                'actor': 'actor@mozilla.com',
+                'invalidateduser': None,
+                'invalidatedsessions': None,
+            },
+        },
+    }
+
+    default_alert = {
+        'category': 'sessioninvalidation',
+        'tags': ['sessioninvalidation'],
+        'severity': 'WARNING',
+        'details': {
+            'actor': 'actor@mozilla.com',
+            'username': 'actor@mozilla.com',
+            'terminations': [
+                {
+                    'invalidateduser': 'test@mozilla.com',
+                    'invalidatedsessions': [
+                        'sso',
+                        'slack',
+                        'gsuite',
+                    ],
+                },
+            ],
+        },
+    }
+
+    test_cases = [
+        PositiveAlertTestCase(
+            description='Alert fires when an actor terminates sessions',
+            events=[default_event],
+            expected_alert=default_alert,
+        ),
+        PositiveAlertTestCase(
+            description='Events wherein no termination happened not included',
+            events=[default_event, no_invalidation_event],
+            expected_alert=default_alert,
+        ),
+        NegativeAlertTestCase(
+            description='Alert does not fire when no terminations happened',
+            events=[no_invalidation_event],
+        ),
+    ]