Allow 'applicationName=login` for `GSuite.ExternalMailForwarding`

panther-labs / panther-analysis

Built-in Panther detection rules and policies

https://panther.com/

Apache License 2.0

339 stars 173 forks source link

Allow 'applicationName=login` for `GSuite.ExternalMailForwarding` #1395

Closed ben-githubs closed 3 weeks ago

ben-githubs commented 3 weeks ago

Background

A customer raised an issue with the current detection - email forwarding change events can come from applications with name user_accoutns or login. They observed events where applicationName=login did not raise alerts. We confirmed this behaviour and updated the rule.

Changes

restrict applicationName to login or user_accounts instead of just user_accounts

Testing

used a recent email forwarding event from our own logs as a test case

github-actions[bot] commented 3 weeks ago

:scream: looks like some things could be wrong with the packs

github-actions[bot] commented 3 weeks ago

:scream: looks like some things could be wrong with the packs