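def rule(event):
    """Flag a Docs ownership transfer whose new owner is outside the organisation.

    Args:
        event: A GSuite admin-activity report event (dict-like).

    Returns:
        True when a DOCS_SETTINGS / TRANSFER_DOCUMENT_OWNERSHIP change names a
        NEW_VALUE that does not end with any entry of ORG_DOMAINS; False
        otherwise, including for non-admin events and a missing/empty owner.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'admin':
        return False
    details = details_lookup('DOCS_SETTINGS', ['TRANSFER_DOCUMENT_OWNERSHIP'], event)
    if not details:
        return False
    new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
    if not new_owner:
        return False
    # NOTE(review): endswith() is a plain suffix match. Unless every ORG_DOMAINS
    # entry carries its leading "@" (or "."), an address at "evil-<domain>"
    # would also be treated as internal — confirm how ORG_DOMAINS is written.
    return not any(new_owner.endswith(domain) for domain in ORG_DOMAINS)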
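def rule(event):
    """Alert on a login whose login_type is not one of APPROVED_LOGIN_TYPES.

    Args:
        event: A GSuite login report event (dict-like) with an "events" list.

    Returns:
        True on the first "login"-type event (other than "logout") whose
        login_type parameter is not in APPROVED_LOGIN_TYPES; False otherwise.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'login':
        return False
    for details in event.get('events', [{}]):
        if details.get('type') != 'login' or details.get('name') == 'logout':
            continue
        login_type = param_lookup(details.get('parameters', {}), 'login_type')
        # A missing login_type (None) is also "not approved", so an event
        # lacking the parameter alerts rather than slipping through —
        # assuming None is not itself listed in APPROVED_LOGIN_TYPES.
        if login_type not in APPROVED_LOGIN_TYPES:
            return True
    return False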
def rule(event):
    """Alert when a Drive ACL change makes a document externally visible.

    Args:
        event: A GSuite Drive report event (dict-like) with an "events" list.

    Returns:
        True when any "acl_change" event carries a visibility_change
        parameter equal to "external"; False otherwise.
    """
    if deep_get(event, "id", "applicationName") != "drive":
        return False
    return any(
        entry.get("type") == "acl_change"
        and param_lookup(entry.get("parameters", {}), "visibility_change") == "external"
        for entry in event.get("events", [{}])
    )
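def rule(event):
    """Alert when a Google Workspace rule fires with HIGH severity.

    Args:
        event: A GSuite rules report event (dict-like) with an "events" list.

    Returns:
        True on the first "rule_trigger_type" / "rule_trigger" event whose
        severity parameter is "HIGH"; False otherwise.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'rules':
        return False
    for details in event.get('events', [{}]):
        if (details.get('type') != 'rule_trigger_type'
                or details.get('name') != 'rule_trigger'):
            continue
        if param_lookup(details.get('parameters', {}), 'severity') == 'HIGH':
            return True
    return False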
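def rule(event):
    """Alert when a managed mobile device reports itself as compromised.

    Args:
        event: A GSuite mobile report event (dict-like) with an "events" list.

    Returns:
        True on the first "suspicious_activity" / DEVICE_COMPROMISED_EVENT whose
        DEVICE_COMPROMISED_STATE parameter is "COMPROMISED"; False otherwise.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'mobile':
        return False
    for details in event.get('events', [{}]):
        if (details.get('type') != 'suspicious_activity'
                or details.get('name') != 'DEVICE_COMPROMISED_EVENT'):
            continue
        state = param_lookup(details.get('parameters', {}), 'DEVICE_COMPROMISED_STATE')
        if state == 'COMPROMISED':
            return True
    return False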
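def rule(event):
    """Alert when a Drive resource is accessed/changed under a permissive visibility.

    Args:
        event: A GSuite Drive report event (dict-like) with an "events" list.

    Returns:
        True on the first "access"-type event whose name is in
        RESOURCE_CHANGE_EVENTS and whose visibility parameter is in
        PERMISSIVE_VISIBILITY; False otherwise.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'drive':
        return False
    for details in event.get('events', [{}]):
        if (details.get('type') != 'access'
                or details.get('name') not in RESOURCE_CHANGE_EVENTS):
            continue
        visibility = param_lookup(details.get('parameters', {}), 'visibility')
        if visibility in PERMISSIVE_VISIBILITY:
            return True
    return False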
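def rule(event):
    """Alert when a mobile device exceeds MAX_UNLOCK_ATTEMPTS failed unlock attempts.

    Args:
        event: A GSuite mobile report event (dict-like) with an "events" list.

    Returns:
        True on the first "suspicious_activity" / FAILED_PASSWORD_ATTEMPTS_EVENT
        whose numeric FAILED_PASSWD_ATTEMPTS parameter is greater than
        MAX_UNLOCK_ATTEMPTS; False otherwise.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'mobile':
        return False
    for details in event.get('events', [{}]):
        if (details.get('type') != 'suspicious_activity'
                or details.get('name') != 'FAILED_PASSWORD_ATTEMPTS_EVENT'):
            continue
        raw_attempts = param_lookup(details.get('parameters', {}), 'FAILED_PASSWD_ATTEMPTS')
        # int() on a missing (None) or non-numeric parameter raised TypeError /
        # ValueError and failed the whole rule; skip that event instead so the
        # remaining events in the log are still evaluated.
        try:
            attempts = int(raw_attempts)
        except (TypeError, ValueError):
            continue
        if attempts > MAX_UNLOCK_ATTEMPTS:
            return True
    return False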
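def rule(event):
    """Flag a Docs ownership transfer whose new owner is outside the organisation.

    Args:
        event: A GSuite admin-activity report event (dict-like) with an "events" list.

    Returns:
        For the first DOCS_SETTINGS / TRANSFER_DOCUMENT_OWNERSHIP event: True
        when its NEW_VALUE is non-empty and does not end with any entry of
        ORG_DOMAINS, else False. False when no such event is present.
    """
    # .get() so a log without an "id" object is ignored instead of raising KeyError.
    if event.get('id', {}).get('applicationName') != 'admin':
        return False
    for details in event.get('events', [{}]):
        if (details.get('type') != 'DOCS_SETTINGS'
                or details.get('name') != 'TRANSFER_DOCUMENT_OWNERSHIP'):
            continue
        new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
        if not new_owner:
            return False
        # NOTE(review): endswith() is a plain suffix match. Unless every
        # ORG_DOMAINS entry carries its leading "@" (or "."), an address at
        # "evil-<domain>" would also be treated as internal — confirm.
        return not any(new_owner.endswith(domain) for domain in ORG_DOMAINS)
    return False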
def rule(event):
    """Detect a Drive document shared to an external domain or external user.

    Side effects: seeds ALERT_DETAILS[p_row_id] via init_alert_details and then
    writes TARGET_DOMAIN / NEW_VISIBILITY / DOC_TITLE / ACCESS_SCOPE /
    TARGET_USER_EMAILS into it; presumably read by this rule's title or alert
    context functions elsewhere — not visible here.

    Args:
        event: A GSuite Drive report log (dict-like) with an "events" list.

    Returns:
        True when the log holds a qualifying change_document_visibility event,
        or at least one change_user_access event that grants access to an
        external user; False otherwise.
    """
    if deep_get(event, "id", "applicationName") != "drive":
        return False
    # Events whose name is in INHERITANCE_EVENTS are changes to documents and
    # folders caused by a change in the parent folder's permission. They are
    # ignored so that one folder change does not produce an alert per child.
    # NOTE(review): "events" is iterated as a list below, so a deep_get by the
    # key "name" on it may never resolve (depends on deep_get's handling of
    # lists) — confirm this guard actually fires on inheritance events.
    if deep_get(event, "events", "name") in INHERITANCE_EVENTS:
        return False
    # p_row_id keys the per-log alert context. init_alert_details is assumed to
    # seed the entry, including TARGET_USER_EMAILS = ["<UNKNOWN_USER>"], which
    # the user branch below relies on — confirm against its definition.
    log = event.get("p_row_id")
    init_alert_details(log)
    #########
    # Branch 1: visibility changes that apply to a whole domain, not a user.
    change_document_visibility = False
    for details in event.get("events", [{}]):
        # Qualifies when the document is no longer private, the target domain
        # is not excluded and the new visibility is one of the watched values.
        if (details.get("type") == "acl_change"
                and details.get("name") == "change_document_visibility"
                and param_lookup(details.get("parameters", {}), "new_value") != ["private"]
                and param_lookup(details.get("parameters", {}), "target_domain") not in EXCLUDED_DOMAINS
                and param_lookup(details.get("parameters", {}), "visibility") in VISIBILITY):
            ALERT_DETAILS[log]["TARGET_DOMAIN"] = param_lookup(
                details.get("parameters", {}), "target_domain")
            ALERT_DETAILS[log]["NEW_VISIBILITY"] = param_lookup(
                details.get("parameters", {}), "visibility")
            ALERT_DETAILS[log]["DOC_TITLE"] = param_lookup(
                details.get("parameters", {}), "doc_title")
            change_document_visibility = True
            # Only the first qualifying visibility change is recorded.
            break
    # "change_document_visibility" events are always paired with
    # "change_document_access_scope" events; the "target_domain" and
    # "visibility" attributes are equivalent, so only the access scope
    # ("new_value") is taken from the paired event.
    if change_document_visibility:
        for details in event.get("events", [{}]):
            if (details.get("type") == "acl_change"
                    and details.get("name") == "change_document_access_scope"
                    and param_lookup(details.get("parameters", {}), "new_value") != ["none"]):
                # No break: a later matching event overwrites the earlier value.
                ALERT_DETAILS[log]["ACCESS_SCOPE"] = param_lookup(
                    details.get("parameters", {}), "new_value")
        return True
    #########
    # Branch 2: visibility changes that apply to individual users.
    # There is one change_user_access event per user; change_user_access and
    # change_document_visibility events are not found in the same report.
    change_user_access = False
    for details in event.get("events", [{}]):
        if (details.get("type") == "acl_change"
                and details.get("name") == "change_user_access"
                and param_lookup(details.get("parameters", {}), "new_value") != ["none"]
                and user_is_external(
                    param_lookup(details.get("parameters", {}), "target_user"))):
            # Replace the "<UNKNOWN_USER>" placeholder on the first external
            # user; append for every further one so the alert lists them all.
            if ALERT_DETAILS[log]["TARGET_USER_EMAILS"] != ["<UNKNOWN_USER>"]:
                ALERT_DETAILS[log]["TARGET_USER_EMAILS"].append(
                    param_lookup(details.get("parameters", {}), "target_user"))
            else:
                ALERT_DETAILS[log]["TARGET_USER_EMAILS"] = [
                    param_lookup(details.get("parameters", {}), "target_user")
                ]
            ALERT_DETAILS[log]["DOC_TITLE"] = param_lookup(
                details.get("parameters", {}), "doc_title")
            ALERT_DETAILS[log]["ACCESS_SCOPE"] = param_lookup(
                details.get("parameters", {}), "new_value")
            change_user_access = True
    return change_user_access