def get_event_type(event):
    """Classify a GSuite event into one of the tracked event_type values.

    Only a handful of event types are tracked: an admin role assignment,
    a failed login, and a successful login. Anything else yields None.
    """
    # Pattern match this event to the recon actions
    app_name = deep_get(event, "id", "applicationName")
    if app_name == "admin" and details_lookup(
            "DELEGATED_ADMIN_SETTINGS", ["ASSIGN_ROLE"], event):
        return event_type.ADMIN_ROLE_ASSIGNED
    if details_lookup("login", ["login_failure"], event):
        return event_type.FAILED_LOGIN
    if app_name == "login":
        return event_type.SUCCESSFUL_LOGIN
    return None
def get_event_type(event):
    """Return the tracked event_type for this event, or None.

    Currently only admin role assignments, failed logins and successful
    logins are recognised.
    """
    # Pattern match this event to the recon actions
    application = deep_get(event, 'id', 'applicationName')
    if application == 'admin':
        assigned = details_lookup('DELEGATED_ADMIN_SETTINGS', ['ASSIGN_ROLE'], event)
        if assigned:
            return event_type.ADMIN_ROLE_ASSIGNED
    failed = details_lookup('login', ['login_failure'], event)
    if failed:
        return event_type.FAILED_LOGIN
    return event_type.SUCCESSFUL_LOGIN if application == 'login' else None
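def rule(event):
    """Fire when an admin event delegates one of PERMISSION_DELEGATED_EVENTS.

    Returns False for non-admin applications. The `id` block is read with
    .get() so an event that lacks it is ignored instead of raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'admin':
        return False
    return bool(
        details_lookup('DELEGATED_ADMIN_SETTINGS', PERMISSION_DELEGATED_EVENTS, event))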
def title(event):
    """Build the alert title, naming the affected user when the event has one.

    Falls back to a masked placeholder when no affected_email_address is present.
    """
    details = details_lookup('account_warning', SUSPICOUS_LOGIN_TYPES, event)
    params = details.get('parameters', {})
    user = param_lookup(params, 'affected_email_address') or '******'
    return 'A suspicious login was reported for user [{}]'.format(user)
def rule(event):
    """Alert on a drive resource change whose visibility is in PERMISSIVE_VISIBILITY."""
    if deep_get(event, "id", "applicationName") != "drive":
        return False
    details = details_lookup("access", RESOURCE_CHANGE_EVENTS, event)
    if not details:
        return False
    visibility = param_lookup(details.get("parameters", {}), "visibility")
    return visibility in PERMISSIVE_VISIBILITY
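def title(event):
    """Build the alert title for a password-leak account disablement.

    Reads the affected user from the event's `parameters` block; the key was
    previously misspelled ('paramters'), which always produced the masked
    placeholder instead of the real address.
    """
    details = details_lookup('account_warning', PASSWORD_LEAKED_EVENTS, event)
    user = param_lookup(details.get('parameters', {}), 'affected_email_address')
    if not user:
        user = '******'
    return 'User [{}]\'s account was disabled due to a password leak'.format(
        user)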
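def rule(event):
    """Fire on a `rules` application rule_trigger event with severity LOW.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'rules':
        return False
    details = details_lookup('rule_trigger_type', ['rule_trigger'], event)
    return bool(details) and param_lookup(details.get('parameters', {}), 'severity') == 'LOW'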
def rule(event):
    """Fire on any `login` application event that records a login_failure."""
    # Only login events are of interest
    is_login_app = deep_get(event, "id", "applicationName") == "login"
    if not is_login_app:
        return False
    # Pattern match this event to the recon actions
    failure = details_lookup("login", ["login_failure"], event)
    return bool(failure)
def title(event):
    """Build the alert title, naming the affected user or a masked placeholder."""
    details = details_lookup("account_warning", SUSPICOUS_LOGIN_TYPES, event)
    params = details.get("parameters", {})
    user = param_lookup(params, "affected_email_address") or "******"
    return f"A suspicious login was reported for user [{user}]"
def rule(event):
    """Fire when a groups_enterprise moderator bans a user."""
    application = deep_get(event, "id", "applicationName")
    if application != "groups_enterprise":
        return False
    ban = details_lookup("moderator_action", ["ban_user_with_moderation"], event)
    return bool(ban)
def title(event):
    """Build the alert title for a password-leak account disablement."""
    details = details_lookup("account_warning", PASSWORD_LEAKED_EVENTS, event)
    params = details.get("parameters", {})
    user = param_lookup(params, "affected_email_address") or "******"
    return f"User [{user}]'s account was disabled due to a password leak"
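def rule(event):
    """Alert on a drive resource change whose visibility is in PERMISSIVE_VISIBILITY.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'drive':
        return False
    details = details_lookup('access', RESOURCE_CHANGE_EVENTS, event)
    return bool(details) and param_lookup(details.get(
        'parameters', {}), 'visibility') in PERMISSIVE_VISIBILITY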
def rule(event):
    """Fire when an admin event delegates one of PERMISSION_DELEGATED_EVENTS."""
    if deep_get(event, "id", "applicationName") != "admin":
        return False
    delegated = details_lookup("DELEGATED_ADMIN_SETTINGS", PERMISSION_DELEGATED_EVENTS, event)
    return bool(delegated)
def rule(event):
    """Fire on a `rules` application rule_trigger event with severity MEDIUM."""
    if deep_get(event, "id", "applicationName") != "rules":
        return False
    details = details_lookup("rule_trigger_type", ["rule_trigger"], event)
    if not details:
        return False
    severity = param_lookup(details.get("parameters", {}), "severity")
    return severity == "MEDIUM"
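def rule(event):
    """Fire on a `mobile` application SUSPICIOUS_ACTIVITY_EVENT.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'mobile':
        return False
    return bool(
        details_lookup('suspicious_activity', ['SUSPICIOUS_ACTIVITY_EVENT'], event))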
def rule(event):
    """Fire when a mobile DEVICE_COMPROMISED_EVENT reports the state COMPROMISED."""
    application = deep_get(event, "id", "applicationName")
    if application != "mobile":
        return False
    details = details_lookup("suspicious_activity", ["DEVICE_COMPROMISED_EVENT"], event)
    state = param_lookup(details.get("parameters", {}), "DEVICE_COMPROMISED_STATE")
    return state == "COMPROMISED"
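def rule(event):
    """Fire when a mobile DEVICE_COMPROMISED_EVENT reports the state COMPROMISED.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'mobile':
        return False
    details = details_lookup('suspicious_activity', ['DEVICE_COMPROMISED_EVENT'], event)
    return bool(details) and param_lookup(details.get(
        'parameters', {}), 'DEVICE_COMPROMISED_STATE') == 'COMPROMISED'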
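def rule(event):
    """Fire when a mobile FAILED_PASSWORD_ATTEMPTS_EVENT exceeds MAX_UNLOCK_ATTEMPTS.

    A missing FAILED_PASSWD_ATTEMPTS parameter counts as zero instead of
    raising TypeError from int(None). The `id` block is read with .get() so
    an event without it returns False rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'mobile':
        return False
    details = details_lookup('suspicious_activity', ['FAILED_PASSWORD_ATTEMPTS_EVENT'], event)
    if not details:
        return False
    attempts = param_lookup(details.get('parameters', {}), 'FAILED_PASSWD_ATTEMPTS')
    return int(attempts or 0) > MAX_UNLOCK_ATTEMPTS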
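def title(event):
    """Build the alert title for an overly permissive document share.

    The "UNKNOWN_TITLE" fallback now actually applies when the event carries
    no doc_title; previously it was overwritten unconditionally, so a missing
    title rendered as None.
    """
    details = details_lookup("access", RESOURCE_CHANGE_EVENTS, event)
    params = details.get("parameters", {})
    doc_title = param_lookup(params, "doc_title") or "UNKNOWN_TITLE"
    share_settings = param_lookup(params, "visibility")
    return (
        f"User [{deep_get(event, 'actor', 'email', default='<UNKNOWN_EMAIL>')}]"
        f" modified a document [{doc_title}] that has overly permissive share"
        f" settings [{share_settings}]")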
def rule(event):
    """Fire when a mobile FAILED_PASSWORD_ATTEMPTS_EVENT exceeds MAX_UNLOCK_ATTEMPTS.

    A missing FAILED_PASSWD_ATTEMPTS parameter is treated as zero.
    """
    if deep_get(event, "id", "applicationName") != "mobile":
        return False
    details = details_lookup("suspicious_activity", ["FAILED_PASSWORD_ATTEMPTS_EVENT"], event)
    raw_attempts = param_lookup(details.get("parameters", {}), "FAILED_PASSWD_ATTEMPTS")
    count = int(raw_attempts) if raw_attempts else 0
    return count > MAX_UNLOCK_ATTEMPTS
def title(event):
    """Build the alert title for an administrator privilege delegation.

    Role and target user fall back to placeholders when absent; the actor
    email is read from the event as-is.
    """
    details = details_lookup('DELEGATED_ADMIN_SETTINGS', PERMISSION_DELEGATED_EVENTS, event)
    params = details.get('parameters', {})
    role = param_lookup(params, 'ROLE_NAME') or '<UNKNOWN_ROLE>'
    user = param_lookup(params, 'USER_EMAIL') or '******'
    actor = event.get('actor', {}).get('email')
    return 'User [{}] delegated new administrator privileges [{}] to [{}]'.format(
        actor, role, user)
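def rule(event):
    """Fire when document ownership is transferred to an address outside ORG_DOMAINS.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'admin':
        return False
    details = details_lookup('DOCS_SETTINGS', ['TRANSFER_DOCUMENT_OWNERSHIP'], event)
    if not details:
        return False
    new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
    # NOTE(review): endswith() is only a domain check if ORG_DOMAINS entries
    # carry their leading '@' (or '.'); a bare 'example.com' entry would also
    # accept look-alike domains sharing that suffix — confirm the entries' form.
    return bool(new_owner) and not any(
        new_owner.endswith(x) for x in ORG_DOMAINS)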
def rule(event):
    """Fire when document ownership is transferred to an address outside ORG_DOMAINS."""
    if deep_get(event, "id", "applicationName") != "admin":
        return False
    details = details_lookup("DOCS_SETTINGS", ["TRANSFER_DOCUMENT_OWNERSHIP"], event)
    if not details:
        return False
    new_owner = param_lookup(details.get("parameters", {}), "NEW_VALUE")
    if not new_owner:
        return False
    # NOTE(review): endswith() is only a domain check if ORG_DOMAINS entries
    # carry their leading '@' (or '.'); a bare 'example.com' entry would also
    # accept look-alike domains sharing that suffix — confirm the entries' form.
    is_internal = any(new_owner.endswith(domain) for domain in ORG_DOMAINS)
    return not is_internal
def title(event):
    """Build the alert title for an administrator privilege delegation.

    Actor, role and target user each fall back to a placeholder when absent.
    """
    details = details_lookup("DELEGATED_ADMIN_SETTINGS", PERMISSION_DELEGATED_EVENTS, event)
    params = details.get("parameters", {})
    role = param_lookup(params, "ROLE_NAME") or "<UNKNOWN_ROLE>"
    user = param_lookup(params, "USER_EMAIL") or "******"
    actor = deep_get(event, 'actor', 'email', default='<UNKNOWN_USER>')
    return (
        f"User [{actor}] delegated new"
        f" administrator privileges [{role}] to [{user}]")
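def rule(event):
    """Fire when an actor's login failures cross THRESH within THRESH_TTL.

    The per-actor counter key is derived from the actor email. The `id`
    block is read with .get() so an event without it returns False rather
    than raising KeyError.
    """
    # Filter events
    if event.get('id', {}).get('applicationName') != 'login':
        return False
    # Pattern match this event to the recon actions
    details = details_lookup('login', ['login_failure'], event)
    return bool(details) and evaluate_threshold(
        '{}-GSuiteLoginFailedCounter'.format(
            event.get('actor', {}).get('email')),
        THRESH,
        THRESH_TTL,
    )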
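def rule(event):
    """Fire on a `login` application gov_attack_warning.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'login':
        return False
    return bool(details_lookup('attack_warning', ['gov_attack_warning'], event))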
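def rule(event):
    """Fire on a `login` application account_warning of a SUSPICOUS_LOGIN_TYPES kind.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'login':
        return False
    return bool(details_lookup('account_warning', SUSPICOUS_LOGIN_TYPES, event))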
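def rule(event):
    """Fire on a `user_accounts` titanium_unenroll event.

    The `id` block is read with .get() so an event without it returns False
    rather than raising KeyError.
    """
    if event.get('id', {}).get('applicationName') != 'user_accounts':
        return False
    return bool(details_lookup('titanium_change', ['titanium_unenroll'], event))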
def rule(event):
    """Fire on a `user_accounts` titanium_unenroll event."""
    application = deep_get(event, "id", "applicationName")
    if application != "user_accounts":
        return False
    unenroll = details_lookup("titanium_change", ["titanium_unenroll"], event)
    return bool(unenroll)
def rule(event):
    """Fire on an access_transparency GSUITE_RESOURCE ACCESS event."""
    application = deep_get(event, "id", "applicationName")
    if application != "access_transparency":
        return False
    access = details_lookup("GSUITE_RESOURCE", ["ACCESS"], event)
    return bool(access)