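def rule(event):
    """Fire on Box Shield alerts in a suspicious category with a risk score above 50.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True when the event is a ``SHIELD_ALERT`` whose ``rule_category`` is
        one of ``SUSPICIOUS_EVENT_TYPES`` and whose ``risk_score`` exceeds 50;
        False otherwise.
    """
    if event.get("event_type") != "SHIELD_ALERT":
        return False
    # `or {}` also covers an explicit null `shield_alert`; a `.get` default
    # alone would hand None to the chained `.get` calls below.
    alert_details = box_parse_additional_details(event).get("shield_alert") or {}
    if alert_details.get("rule_category", "") not in SUSPICIOUS_EVENT_TYPES:
        return False
    # An explicit null risk_score would make `None > 50` raise TypeError;
    # treat null exactly like a missing score (0).
    return (alert_details.get("risk_score") or 0) > 50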
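def rule(event):
    """Fire on Box Shield 'Anomalous Download' alerts with a risk score above 50.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True when the event is a ``SHIELD_ALERT`` with ``rule_category``
        ``'Anomalous Download'`` and a ``risk_score`` above 50; False otherwise.
    """
    if event.get('event_type') != 'SHIELD_ALERT':
        return False
    # `or {}` also covers an explicit null `shield_alert`, which a `.get`
    # default alone would not guard.
    alert_details = box_parse_additional_details(event).get('shield_alert') or {}
    if alert_details.get('rule_category', '') != 'Anomalous Download':
        return False
    # `None > 50` raises TypeError, so an explicit null score counts as 0.
    return (alert_details.get('risk_score') or 0) > 50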
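def rule(event):
    """Fire on Box Shield alerts in a suspicious category with a risk score above 50.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True when the event is a ``SHIELD_ALERT`` whose ``rule_category`` is
        in ``SUSPICIOUS_EVENT_TYPES`` and whose ``risk_score`` exceeds 50.
    """
    if event.get('event_type') != 'SHIELD_ALERT':
        return False
    # `or {}` also covers an explicit null `shield_alert`.
    alert_details = box_parse_additional_details(event).get('shield_alert') or {}
    category = alert_details.get('rule_category', '')
    # `None > 50` raises TypeError, so an explicit null score counts as 0.
    score = alert_details.get('risk_score') or 0
    return category in SUSPICIOUS_EVENT_TYPES and score > 50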
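def rule(event):
    """Fire on Box Shield 'Anomalous Download' alerts with a risk score above 50.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True when the event is a ``SHIELD_ALERT`` with ``rule_category``
        ``"Anomalous Download"`` and a ``risk_score`` above 50; False otherwise.
    """
    if event.get("event_type") != "SHIELD_ALERT":
        return False
    # `or {}` also covers an explicit null `shield_alert`.
    alert_details = box_parse_additional_details(event).get("shield_alert") or {}
    category = alert_details.get("rule_category", "")
    # `None > 50` raises TypeError, so an explicit null score counts as 0.
    score = alert_details.get("risk_score") or 0
    return category == "Anomalous Download" and score > 50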
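def title(event):
    """Return the alert title, preferring Box Shield's own description.

    Args:
        event: Box event dict.

    Returns:
        ``shield_alert.alert_summary.description`` when present, otherwise a
        generic title naming the user from ``created_by.name``
        (``<UNKNOWN_USER>`` when absent).
    """
    details = box_parse_additional_details(event)
    description = details.get('shield_alert',
                              {}).get('alert_summary',
                                      {}).get('description', '')
    if description:
        return description
    # Spelling fixed in the fallback title (previously "Anamalous").
    return 'Anomalous download activity triggered by user [{}].'.format(
        event.get('created_by', {}).get('name', '<UNKNOWN_USER>'))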
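def title(event):
    """Return the alert title, preferring Box Shield's own description.

    Args:
        event: Box event dict.

    Returns:
        ``shield_alert.alert_summary.description`` when present, otherwise a
        generic title naming the user from ``shield_alert.user.email``
        (``<UNKNOWN_USER>`` when absent).
    """
    details = box_parse_additional_details(event)
    shield_alert = details.get('shield_alert', {})
    description = shield_alert.get('alert_summary', {}).get('description', '')
    if description:
        return description
    # Default the email so a missing field renders as <UNKNOWN_USER>
    # instead of the literal "None".
    return 'Shield medium to high risk, suspicious event alert triggered for user [{}]'.format(
        shield_alert.get('user', {}).get('email', '<UNKNOWN_USER>'))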
def title(event):
    """Return Shield's own alert description, else a generic anomalous-download title.

    Args:
        event: Box event dict.

    Returns:
        ``shield_alert.alert_summary.description`` when non-empty, otherwise a
        title naming ``created_by.name`` (``<UNKNOWN_USER>`` when absent).
    """
    details = box_parse_additional_details(event)
    summary = deep_get(details, "shield_alert", "alert_summary", "description")
    if summary:
        return summary
    actor = deep_get(event, 'created_by', 'name', default='<UNKNOWN_USER>')
    return f"Anomalous download activity triggered by user [{actor}]."
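def rule(event):
    """Fire on files Box marks malicious, directly or via a high-risk Shield alert.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True for a ``FILE_MARKED_MALICIOUS`` event, or for a ``SHIELD_ALERT``
        with ``rule_category`` ``'Malicious Content'`` and a ``risk_score``
        above 50; False otherwise.
    """
    event_type = event.get('event_type')
    # Enterprise malicious file alert event: always fires.
    if event_type == 'FILE_MARKED_MALICIOUS':
        return True
    # Box Shield will also alert on malicious content.
    if event_type != 'SHIELD_ALERT':
        return False
    # `or {}` also covers an explicit null `shield_alert`.
    alert_details = box_parse_additional_details(event).get('shield_alert') or {}
    if alert_details.get('rule_category', '') != 'Malicious Content':
        return False
    # `None > 50` raises TypeError, so an explicit null score counts as 0.
    return (alert_details.get('risk_score') or 0) > 50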
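def rule(event):
    """Fire on files Box marks malicious, directly or via a high-risk Shield alert.

    Args:
        event: Box event dict; ``event_type`` is read directly, the Shield
            details come from ``box_parse_additional_details(event)``.

    Returns:
        True for a ``FILE_MARKED_MALICIOUS`` event, or for a ``SHIELD_ALERT``
        with ``rule_category`` ``"Malicious Content"`` and a ``risk_score``
        above 50; False otherwise.
    """
    event_type = event.get("event_type")
    # Enterprise malicious file alert event: always fires.
    if event_type == "FILE_MARKED_MALICIOUS":
        return True
    # Box Shield will also alert on malicious content.
    if event_type != "SHIELD_ALERT":
        return False
    # `or {}` also covers an explicit null `shield_alert`.
    alert_details = box_parse_additional_details(event).get("shield_alert") or {}
    category = alert_details.get("rule_category", "")
    # `None > 50` raises TypeError, so an explicit null score counts as 0.
    score = alert_details.get("risk_score") or 0
    return category == "Malicious Content" and score > 50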
def title(event):
    """Return a title naming the file and owner that were marked malicious.

    Args:
        event: Box event dict.

    Returns:
        For ``FILE_MARKED_MALICIOUS`` the name and owner login come from
        ``source``; for Shield alerts they come from
        ``shield_alert.alert_summary.upload_activity.item_name`` and
        ``shield_alert.user.email``. Missing fields fall back to the
        ``<UNKNOWN_...>`` placeholders.
    """
    template = 'File [{}], owned by [{}], was marked malicious.'
    if event.get('event_type') == 'FILE_MARKED_MALICIOUS':
        source = event.get('source', {})
        owner = source.get('owned_by', {})
        return template.format(source.get('item_name', "<UNKNOWN_FILE>"),
                               owner.get('login', '<UNKNOWN_USER>'))

    alert_details = box_parse_additional_details(event).get('shield_alert', {})
    upload = alert_details.get('alert_summary', {}).get('upload_activity', {})
    return template.format(upload.get('item_name', '<UNKNOWN_FILE_NAME>'),
                           alert_details.get('user', {}).get('email', '<UNKNOWN_USER>'))
def title(event):
    """Return Shield's own alert description, else a generic suspicious-event title.

    Args:
        event: Box event dict.

    Returns:
        ``shield_alert.alert_summary.description`` when non-empty, otherwise a
        title naming ``shield_alert.user.email`` (``<UNKNOWN_USER>`` when absent).
    """
    details = box_parse_additional_details(event)
    summary_text = deep_get(details, "shield_alert", "alert_summary", "description", default="")
    if not summary_text:
        user_email = deep_get(details, 'shield_alert', 'user', 'email', default='<UNKNOWN_USER>')
        return f"Shield medium to high risk, suspicious event alert triggered for user [{user_email}]"
    return summary_text
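def title(event):
    """Return a title naming the file and owner that were marked malicious.

    Args:
        event: Box event dict.

    Returns:
        For ``FILE_MARKED_MALICIOUS`` the name and owner login come from
        ``source``; for Shield alerts the file name comes from
        ``shield_alert.alert_summary.upload_activity.item_name`` and the
        owner from ``shield_alert.user.email``. Missing fields fall back to
        the ``<UNKNOWN_...>`` placeholders.
    """
    if event.get("event_type") == "FILE_MARKED_MALICIOUS":
        file_name = deep_get(event, 'source', 'item_name', default='<UNKNOWN_FILE>')
        owner = deep_get(event, 'source', 'owned_by', 'login', default='<UNKNOWN_USER>')
        return f"File [{file_name}], owned by [{owner}], was marked malicious."

    alert_details = box_parse_additional_details(event).get("shield_alert", {})
    #  pylint: disable=line-too-long
    # The Shield branch previously put the user's email in the "File" slot and
    # the item name in the "owned by" slot; each value now lands in its own slot.
    file_name = deep_get(alert_details, 'alert_summary', 'upload_activity', 'item_name', default='<UNKNOWN_FILE>')
    owner = deep_get(alert_details, 'user', 'email', default='<UNKNOWN_USER>')
    return f"File [{file_name}], owned by [{owner}], was marked malicious."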