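def _check_acl_change_event(actor_email, acl_change_event):
    """Evaluate a Drive ACL-change event for a private -> external share.

    Args:
        actor_email: Email of the account that changed the ACL.
        acl_change_event: Raw event dict. Its ``parameters`` list of
            ``{"name", "value" | "multiValue"}`` entries is flattened into a
            name -> value mapping before inspection.

    Returns:
        A summary dict (``actor``, ``doc_title``, ``target_user``) when the
        document went from ``private`` to ``shared_externally`` with a
        target outside ``COMPANY_DOMAIN`` and no configured exception
        covers it; ``False`` otherwise. The dict is truthy, so it serves
        both as the alert signal and as context for the alert title.
    """
    parameters = {
        p.get("name", ""): (p.get("value") or p.get("multiValue"))
        for p in acl_change_event["parameters"]
    }
    doc_title = parameters.get("doc_title", "TITLE_UNKNOWN")
    old_visibility = parameters.get("old_visibility", "OLD_VISIBILITY_UNKNOWN")
    new_visibility = parameters.get("visibility", "NEW_VISIBILITY_UNKNOWN")
    target_user = parameters.get("target_user", "USER_UNKNOWN")

    # NOTE(review): assumes doc_title and target_user arrive as "value"
    # strings; a "multiValue" list here would fail .lower()/.endswith() —
    # confirm against the event schema.
    is_external_share = (
        new_visibility == "shared_externally"
        and old_visibility == "private"
        and not target_user.endswith(f"@{COMPANY_DOMAIN}")
    )
    if not is_external_share:
        return False

    # Dangerous share: suppress only when a configured exception covers it.
    # Read the clock once so every exception is judged at the same instant.
    current_time = datetime.datetime.now()
    for pattern, details in EXCEPTION_PATTERNS.items():
        allowed_for = details.get("allowed_for") or ()
        allowed_until = details.get("allowed_until")
        # Fail closed: an exception with no expiry never suppresses the
        # alert (comparing against a missing value would otherwise raise).
        if allowed_until is None or current_time >= allowed_until:
            continue
        # NOTE: doc_title is chosen by the sharing actor. An entry with
        # allowed_for == {"all"} is therefore gated by the title alone;
        # review such entries deliberately.
        title_matches = pattern_match(doc_title.lower(), pattern)
        actor_allowed = allowed_for == {"all"} or pattern_match_list(
            actor_email, allowed_for
        )
        if title_matches and actor_allowed:
            return False

    # No exception matched: return the summary (truthy) to alert and to
    # populate the alert title.
    return {
        "actor": actor_email,
        "doc_title": doc_title,
        "target_user": target_user,
    }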
def rule(event):
    """Alert on S3 object operations that returned a monitored HTTP status.

    Requests whose user agent begins with ``aws-internal`` are skipped as
    AWS-originated noise. Fires when ``operation`` matches
    ``REST.*.OBJECT`` and ``httpstatus`` is in
    ``HTTP_STATUS_CODES_TO_MONITOR``.
    """
    # NOTE: useragent is request-supplied and unauthenticated; this is a
    # noise filter, not a trust decision.
    user_agent = event.get("useragent", "")
    if user_agent.startswith("aws-internal"):
        return False

    operation = event.get("operation", "")
    is_object_operation = pattern_match(operation, "REST.*.OBJECT")
    return is_object_operation and event.get("httpstatus") in HTTP_STATUS_CODES_TO_MONITOR
def rule(event):
    """Alert on S3 object operations logged without TLS negotiation details.

    Fires when ``operation`` matches ``REST.*.OBJECT`` and either the
    ``ciphersuite`` or ``tlsVersion`` field is missing or empty, which is
    how a non-TLS object request appears in the access log.
    """
    if not pattern_match(event.get("operation", ""), "REST.*.OBJECT"):
        return False

    has_cipher_suite = bool(event.get("ciphersuite"))
    has_tls_version = bool(event.get("tlsVersion"))
    # De Morgan of the original "not A or not B".
    return not (has_cipher_suite and has_tls_version)
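def rule(event):
    """Alert on S3 object operations logged without TLS negotiation details.

    Fires when ``operation`` matches ``REST.*.OBJECT`` and either the
    ``ciphersuite`` or ``tlsVersion`` field is missing or empty.
    """
    # Default to '' so an event lacking the operation field evaluates to
    # "no match" instead of handing None to pattern_match(), which expects
    # a string (the sibling rule in this file already does this).
    operation = event.get('operation', '')
    return (pattern_match(operation, 'REST.*.OBJECT')
            and (not event.get('ciphersuite') or not event.get('tlsVersion')))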
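def rule(event):
    """Alert on S3 object operations that returned a monitored HTTP status.

    Requests whose user agent begins with ``aws-internal`` are skipped as
    AWS-originated noise. Fires when ``operation`` matches
    ``REST.*.OBJECT`` and ``httpstatus`` is in
    ``HTTP_STATUS_CODES_TO_MONITOR``.
    """
    # NOTE: useragent is request-supplied and unauthenticated; this is a
    # noise filter, not a trust decision.
    if event.get('useragent', '').startswith('aws-internal'):
        return False
    # Default to '' so an event lacking the operation field evaluates to
    # "no match" instead of handing None to pattern_match(), which expects
    # a string (the sibling rule in this file already does this).
    operation = event.get('operation', '')
    return (pattern_match(operation, 'REST.*.OBJECT')
            and event.get('httpstatus') in HTTP_STATUS_CODES_TO_MONITOR)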