/
mongodb_alerting_disabled.yml
51 lines (51 loc) · 1.54 KB
/
mongodb_alerting_disabled.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
AnalysisType: rule
Description:
MongoDB provides security alerting policies for notifying admins when certain conditions are met.
This rule detects when these policies are disabled or deleted.
DisplayName: "MongoDB security alerts disabled or deleted"
Enabled: true
LogTypes:
- MongoDB.OrganizationEvent
RuleID: "MongoDB.Alerting.Disabled.Or.Deleted"
Filename: mongodb_alerting_disabled.py
Severity: High
Reports:
MITRE ATT&CK:
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
Reference: https://www.mongodb.com/docs/atlas/configure-alerts/
Runbook: Re-enable security alerts
Tests:
- Name: Alert added
ExpectedResult: false
Log:
{
"alertConfigId": "alert_id",
"created": "2024-04-01 11:57:54.000000000",
"currentValue": {},
"eventTypeName": "ALERT_CONFIG_ADDED_AUDIT",
"id": "alert_id",
"isGlobalAdmin": false,
"links": [],
"orgId": "some_org_id",
"remoteAddress": "1.2.3.4",
"userId": "user_id",
"username": "some_user@company.com",
}
- Name: Alert deleted
ExpectedResult: true
Log:
{
"alertConfigId": "alert_id",
"created": "2024-04-01 11:58:52.000000000",
"currentValue": {},
"eventTypeName": "ALERT_CONFIG_DELETED_AUDIT",
"id": "alert_id",
"isGlobalAdmin": false,
"links": [],
"orgId": "some_org_id",
"remoteAddress": "1.2.3.4",
"userId": "user_id",
"username": "some_user@company.com",
}
DedupPeriodMinutes: 60
Threshold: 1