---
# Detection rule (Panther analysis format) for Asana audit logs: raises an
# alert when an audit event records the creation of a service account.
# The matching logic lives in the Python file named under `Filename`; this
# document carries the rule's metadata and the unit tests it is checked
# against. Mapping key order is not significant; keys are grouped here as
# identity, routing, severity/triage text, alerting, then tests.
AnalysisType: rule
Filename: asana_service_account_created.py
RuleID: "Asana.Service.Account.Created"
DisplayName: "Asana Service Account Created"
Enabled: true

LogTypes:
  - Asana.Audit

Severity: Medium
Description: An Asana service account was created by someone in your organization.
Reference: https://help.asana.com/hc/en-us/articles/14217496838427-Service-Accounts
Runbook: Confirm this user acted with valid business intent and determine whether this activity was authorized.

# A single matching event is enough to alert; further matches that share the
# dedup key within the following 60 minutes are folded into the same alert.
Threshold: 1
DedupPeriodMinutes: 60

Tests:
  # Negative case: an admin_settings event (an associated email domain being
  # added) must not trigger the rule.
  - Name: New domain created
    ExpectedResult: false
    Log:
      actor:
        actor_type: user
        email: homer.simpson@example.io
        gid: "12345"
        name: Homer Simpson
      context:
        client_ip_address: "12.12.12.12"
        context_type: web
        user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
      created_at: "2022-12-16 19:30:26.15"
      details:
        new_value: test.com
      event_category: admin_settings
      event_type: workspace_associated_email_domain_added
      gid: "12345"
      resource:
        gid: "12345"
        name: Example IO
        resource_type: workspace

  # Positive cases: two service_account_created events in the apps category.
  # They differ only in the name of the created account (Slack vs Datadog),
  # which shows the match does not depend on the resource name.
  - Name: Slack svc acct
    ExpectedResult: true
    Log:
      actor:
        actor_type: user
        email: homer.simpson@panther.io
        gid: "12345"
        name: Homer Simpson
      context:
        client_ip_address: "12.12.12.12"
        context_type: web
        user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
      created_at: "2022-12-16 19:28:18.396"
      details: {}
      event_category: apps
      event_type: service_account_created
      gid: "12345"
      resource:
        gid: "12345"
        name: Slack Service Account
        resource_type: user

  - Name: Datadog svc acct
    ExpectedResult: true
    Log:
      actor:
        actor_type: user
        email: homer.simpson@panther.io
        gid: "12345"
        name: Homer Simpson
      context:
        client_ip_address: "12.12.12.12"
        context_type: web
        user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
      created_at: "2022-12-16 19:28:18.396"
      details: {}
      event_category: apps
      event_type: service_account_created
      gid: "12345"
      resource:
        gid: "12345"
        name: Datadog Service Account
        resource_type: user