github-actions[bot]
commented
2 months ago :scream: looks like some things could be wrong with the packs
[INFO][root]: ignoring file dependabot.ymlClosed biancafu-panther closed 2 months ago
github-actions[bot]
commented
2 months ago :scream: looks like some things could be wrong with the packs
[INFO][root]: ignoring file dependabot.yml
Background
A customer was receiving alerts from the out-of-the-box (OOTB) detection
GCP IAM serviceAccounts getAccessToken Privilege Escalation. The alert message included[GCP]: [<ACTOR_NOT_FOUND>] performed [GenerateAccessToken] on project, which indicated that Panther's data model did not recognize the actor correctly.Upon investigation, we found that the issue arose because the GCP Audit schema in Panther was only mapping the
principalEmailfield as theactor_user, while for third-party identity callers, GCP populates theprincipalSubjectfield instead ofprincipalEmail. This behavior is confirmed by the GCP documentation.Changes
get_actor_userto useprincipalSubjectforactor_userfield whenprincipalEmailis not presentget_actor_usermethod to 'username' field since it was also mapping toprincipalEmailpreviouslyGCP IAM serviceAccounts getAccessToken Privilege Escalationto use theactor_userudm fieldTesting
make lint,make testPrincipal Subject Used