
cursor panthergen rule #1538

Merged
ben-githubs merged 2 commits into develop from jn/cursor-rules
Mar 11, 2025
Conversation

@jacknagz (Contributor)

Background

Add best practices for rule gen!

Changes

  • Add a Cursor Rule for rule gen

Testing

  • Wrote an osquery rule successfully using this!

```python
def rule(event):
    # Check if this is from the apps table query
    if "apps" not in event.get("name", ""):
        return False

    # Check if this is a new app being added
    if event.get("action") != "added":
        return False

    # Check if the app name contains Cursor
    app_name = event.deep_get("columns", "name", default="").lower()
    return "cursor" in app_name


def title(event):
    hostname = event.get("hostIdentifier", "UNKNOWN_HOST")
    return f"Cursor IDE installation detected on [{hostname}]"


def alert_context(event):
    return {
        "hostname": event.get("hostIdentifier"),
        "app_name": event.deep_get("columns", "name"),
        "bundle_name": event.deep_get("columns", "bundle_name"),
        "bundle_version": event.deep_get("columns", "bundle_version"),
        "path": event.deep_get("columns", "path"),
    }
```
```yaml
AnalysisType: rule
Filename: osquery_cursor_installation.py
RuleID: "Osquery.Mac.CursorInstallation"
DisplayName: "Cursor IDE Installation Detected"
Enabled: true
LogTypes:
  - Osquery.Differential
Tags:
  - Osquery
  - MacOS
  - Software Installation
  - Initial Access:Valid Accounts
Reports:
  MITRE ATT&CK:
    - TA0001:T1078
Severity: Medium
Description: >
  Detects when the Cursor IDE is installed on a MacOS system. Cursor is an AI-powered code editor
  that should be monitored as it may have access to sensitive code and development environments.
Runbook: >
  1. Verify if the installation was authorized and performed by the user
  2. Check if the installation complies with organization's software policies
  3. If unauthorized, remove the application and investigate how it was installed
Reference: https://cursor.sh/
SummaryAttributes:
  - name
  - hostIdentifier
  - action
Tests:
  - Name: Cursor Installation Detected
    ExpectedResult: true
    Log:
      {
        "name": "pack_apps_macos_apps",
        "action": "added",
        "hostIdentifier": "test-mac.local",
        "columns": {
          "name": "Cursor",
          "bundle_name": "sh.cursor.Cursor",
          "bundle_version": "1.0.0",
          "path": "/Applications/Cursor.app"
        }
      }
  - Name: Non-Cursor App Installation
    ExpectedResult: false
    Log:
      {
        "name": "pack_apps_macos_apps",
        "action": "added",
        "hostIdentifier": "test-mac.local",
        "columns": {
          "name": "Visual Studio Code",
          "bundle_name": "com.microsoft.VSCode",
          "bundle_version": "1.80.0",
          "path": "/Applications/Visual Studio Code.app"
        }
      }
  - Name: Wrong Query Name
    ExpectedResult: false
    Log:
      {
        "name": "pack_processes_running",
        "action": "added",
        "hostIdentifier": "test-mac.local",
        "columns": {
          "name": "Cursor",
          "path": "/Applications/Cursor.app/Contents/MacOS/Cursor"
        }
      }
```
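To exercise the rule logic from the PR description offline, without Panther's test runner, here is an added harness (not part of the PR or the panther-analysis repo). It assumes a minimal stand-in for Panther's event object with `get` and `deep_get`, replays the three test logs from the spec above, and adds two constructed edge cases the spec does not list: a `removed` row and an event with no `columns` key.

```python
from typing import Any

# Constructed stand-in for Panther's event object: only the two accessors the
# rule uses (get, deep_get). Assumption: deep_get returns `default` when any key
# on the path is missing or an intermediate value is not a dict.
class FakeEvent(dict):
    def deep_get(self, *keys: str, default: Any = None) -> Any:
        value: Any = self
        for key in keys:
            if not isinstance(value, dict) or key not in value:
                return default
            value = value[key]
        return value


def rule(event) -> bool:
    if "apps" not in event.get("name", ""):  # only apps-table query results
        return False
    if event.get("action") != "added":  # differential log: new rows only
        return False
    app_name = event.deep_get("columns", "name", default="").lower()
    return "cursor" in app_name  # case-insensitive substring match


def title(event) -> str:
    hostname = event.get("hostIdentifier", "UNKNOWN_HOST")
    return f"Cursor IDE installation detected on [{hostname}]"


# Constructed logs: the PR's three cases plus two edge cases it does not list.
CASES = {
    "Cursor Installation Detected": (True, {"name": "pack_apps_macos_apps", "action": "added",
        "hostIdentifier": "test-mac.local", "columns": {"name": "Cursor", "path": "/Applications/Cursor.app"}}),
    "Non-Cursor App Installation": (False, {"name": "pack_apps_macos_apps", "action": "added",
        "hostIdentifier": "test-mac.local", "columns": {"name": "Visual Studio Code"}}),
    "Wrong Query Name": (False, {"name": "pack_processes_running", "action": "added",
        "hostIdentifier": "test-mac.local", "columns": {"name": "Cursor"}}),
    "Removed Row Is Ignored": (False, {"name": "pack_apps_macos_apps", "action": "removed",
        "columns": {"name": "Cursor"}}),
    "Missing Columns Does Not Raise": (False, {"name": "pack_apps_macos_apps", "action": "added"}),
}


def run_cases(cases=CASES) -> dict:
    """Map each case name to (expected, actual) so mismatches are easy to spot."""
    return {name: (expected, rule(FakeEvent(log))) for name, (expected, log) in cases.items()}


if __name__ == "__main__":
    for name, (expected, actual) in run_cases().items():
        print(f"{'PASS' if expected == actual else 'FAIL'}  {name}")
```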

@jacknagz jacknagz requested a review from a team as a code owner March 11, 2025 20:38
@ben-githubs ben-githubs (Contributor) left a comment

Looks cool!

@ben-githubs ben-githubs added this pull request to the merge queue Mar 11, 2025
Merged via the queue into develop with commit 23081d5 Mar 11, 2025
9 checks passed
@ben-githubs ben-githubs deleted the jn/cursor-rules branch March 11, 2025 21:06
@arielkr256 arielkr256 added the enhancement New feature or request label Mar 13, 2025