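def rule(event):
    """Alert when document ownership is transferred to an address outside the org.

    Only ``admin`` application events are considered. The rule looks up the
    ``DOCS_SETTINGS`` / ``TRANSFER_DOCUMENT_OWNERSHIP`` details and returns
    True when the ``NEW_VALUE`` parameter (the new owner) is non-empty and
    does not end with any suffix listed in ``ORG_DOMAINS``.

    Args:
        event: the parsed log event; ``event['id']`` must be a mapping.

    Returns:
        bool: True when ownership moved to a non-org address, else False.
    """
    if event['id'].get('applicationName') != 'admin':
        return False

    details = details_lookup('DOCS_SETTINGS', ['TRANSFER_DOCUMENT_OWNERSHIP'],
                             event)
    if not details:
        return False

    new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
    if not new_owner:
        return False

    # endswith() is a plain suffix match: ORG_DOMAINS entries need the
    # leading "@" (e.g. "@example.com") so the comparison is anchored on
    # the domain part; a bare "example.com" entry would also treat
    # "user@notexample.com" as internal. NOTE(review): confirm ORG_DOMAINS.
    return not any(new_owner.endswith(suffix) for suffix in ORG_DOMAINS)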
def rule(event):
    """Flag logins whose login type is not in APPROVED_LOGIN_TYPES.

    Applies only to ``login`` application events. Every entry in
    ``event['events']`` of type ``login`` whose name is not ``logout`` has
    its ``login_type`` parameter compared against ``APPROVED_LOGIN_TYPES``;
    a single entry with a value outside that set (including whatever
    ``param_lookup`` returns for a missing parameter, presumably None)
    triggers the rule.
    """
    if event['id'].get('applicationName') != 'login':
        return False

    def _unapproved_login(entry):
        # logout entries share the "login" type and are skipped
        if entry.get('type') != 'login' or entry.get('name') == 'logout':
            return False
        login_type = param_lookup(entry.get('parameters', {}), 'login_type')
        return login_type not in APPROVED_LOGIN_TYPES

    return any(_unapproved_login(entry) for entry in event.get('events', [{}]))
def rule(event):
    """Detect a Drive ACL change that makes a document externally visible.

    Only ``drive`` application events are inspected. The rule is true when
    any entry in ``event["events"]`` is an ``acl_change`` whose
    ``visibility_change`` parameter equals ``"external"``.
    """
    if deep_get(event, "id", "applicationName") != "drive":
        return False

    for entry in event.get("events", [{}]):
        if entry.get("type") != "acl_change":
            continue
        visibility_change = param_lookup(entry.get("parameters", {}),
                                         "visibility_change")
        if visibility_change == "external":
            return True

    return False
def rule(event):
    """Alert on a HIGH-severity Google Workspace rule trigger.

    Looks only at ``rules`` application events and returns True when an
    entry of type ``rule_trigger_type`` named ``rule_trigger`` carries a
    ``severity`` parameter equal to ``'HIGH'``.
    """
    if event['id'].get('applicationName') != 'rules':
        return False

    def _is_high_severity_trigger(entry):
        if entry.get('type') != 'rule_trigger_type':
            return False
        if entry.get('name') != 'rule_trigger':
            return False
        return param_lookup(entry.get('parameters', {}), 'severity') == 'HIGH'

    return any(_is_high_severity_trigger(entry)
               for entry in event.get('events', [{}]))
def rule(event):
    """Alert when a mobile device is reported as compromised.

    Only ``mobile`` application events are considered. The rule fires on an
    entry of type ``suspicious_activity`` named ``DEVICE_COMPROMISED_EVENT``
    whose ``DEVICE_COMPROMISED_STATE`` parameter equals ``'COMPROMISED'``.
    """
    if event['id'].get('applicationName') != 'mobile':
        return False

    for entry in event.get('events', [{}]):
        is_compromise_report = (
            entry.get('type') == 'suspicious_activity'
            and entry.get('name') == 'DEVICE_COMPROMISED_EVENT')
        if not is_compromise_report:
            continue
        state = param_lookup(entry.get('parameters', {}),
                             'DEVICE_COMPROMISED_STATE')
        if state == 'COMPROMISED':
            return True

    return False
def rule(event):
    """Alert on a Drive resource change that sets a permissive visibility.

    Only ``drive`` application events are considered. An entry of type
    ``access`` whose name is in ``RESOURCE_CHANGE_EVENTS`` and whose
    ``visibility`` parameter is in ``PERMISSIVE_VISIBILITY`` triggers the
    rule.
    """
    if event['id'].get('applicationName') != 'drive':
        return False

    def _permissive_change(entry):
        if entry.get('type') != 'access':
            return False
        if entry.get('name') not in RESOURCE_CHANGE_EVENTS:
            return False
        visibility = param_lookup(entry.get('parameters', {}), 'visibility')
        return visibility in PERMISSIVE_VISIBILITY

    return any(_permissive_change(entry) for entry in event.get('events', [{}]))
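def rule(event):
    """Alert when a mobile device reports more failed unlock attempts than allowed.

    Only ``mobile`` application events are considered. For each entry of
    type ``suspicious_activity`` named ``FAILED_PASSWORD_ATTEMPTS_EVENT`` the
    ``FAILED_PASSWD_ATTEMPTS`` parameter is read as an integer and compared
    with ``MAX_UNLOCK_ATTEMPTS``; a strictly greater count triggers the rule.

    An entry whose attempt count is missing or not numeric cannot be
    evaluated and is skipped instead of letting ``int()`` raise a
    TypeError/ValueError out of the rule (which would abort evaluation of
    every other entry in the event).
    """
    if event['id'].get('applicationName') != 'mobile':
        return False

    for details in event.get('events', [{}]):
        if (details.get('type') != 'suspicious_activity'
                or details.get('name') != 'FAILED_PASSWORD_ATTEMPTS_EVENT'):
            continue
        raw_attempts = param_lookup(details.get('parameters', {}),
                                    'FAILED_PASSWD_ATTEMPTS')
        try:
            attempts = int(raw_attempts)
        except (TypeError, ValueError):
            # Missing (None) or non-numeric parameter: nothing to compare.
            continue
        if attempts > MAX_UNLOCK_ATTEMPTS:
            return True

    return False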
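def rule(event):
    """Alert when document ownership is transferred to a non-org address.

    Only ``admin`` application events are considered. Each entry in
    ``event['events']`` of type ``DOCS_SETTINGS`` named
    ``TRANSFER_DOCUMENT_OWNERSHIP`` is checked: its ``NEW_VALUE`` parameter
    (the new owner) triggers the rule when it is non-empty and does not end
    with any suffix in ``ORG_DOMAINS``.

    Every ownership-transfer entry is evaluated. Previously the first such
    entry decided the result, so an external transfer listed after an
    internal one in the same event was never examined.

    Returns:
        bool: True when at least one transfer went to a non-org address.
    """
    if event['id'].get('applicationName') != 'admin':
        return False

    for details in event.get('events', [{}]):
        if (details.get('type') != 'DOCS_SETTINGS'
                or details.get('name') != 'TRANSFER_DOCUMENT_OWNERSHIP'):
            continue
        new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
        if not new_owner:
            continue
        # Suffix match: ORG_DOMAINS entries need the leading "@" to anchor
        # on the domain part, otherwise "user@notexample.com" also matches
        # a bare "example.com". NOTE(review): confirm ORG_DOMAINS values.
        if not any(new_owner.endswith(suffix) for suffix in ORG_DOMAINS):
            return True

    return False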
def rule(event):
    """Alert on Drive ACL changes that grant access outside the organisation.

    Two shapes of ``acl_change`` entries are handled, and the matched
    attributes are recorded in ``ALERT_DETAILS[log]`` for use by the alert:

    * ``change_document_visibility`` -- a document shared with a domain
      rather than a single user. The first such entry whose ``new_value``
      is not ``["private"]``, whose ``target_domain`` is not in
      ``EXCLUDED_DOMAINS`` and whose ``visibility`` is in ``VISIBILITY``
      triggers the rule; the paired ``change_document_access_scope`` entry
      supplies ``ACCESS_SCOPE``.
    * ``change_user_access`` -- one entry per user. Each entry whose
      ``new_value`` is not ``["none"]`` and whose ``target_user`` is
      external according to ``user_is_external`` is added to
      ``TARGET_USER_EMAILS``.

    Returns True if either form of external grant was found, else False.
    Side effect: writes into the module-level ``ALERT_DETAILS`` under the
    event's ``p_row_id``.
    """
    if deep_get(event, "id", "applicationName") != "drive":
        return False

    # Events that have the types in INHERITANCE_EVENTS are
    # changes to documents and folders that occur due to
    # a change in the parent folder's permission. We ignore
    # these events to prevent every folder change from
    # generating multiple alerts.
    # NOTE(review): "events" is iterated as a list further down, but here
    # it is read through deep_get(..., "events", "name") as if it were a
    # mapping. If deep_get only descends into mappings this lookup never
    # matches and inherited changes are not filtered -- confirm against
    # the deep_get implementation.
    if deep_get(event, "events", "name") in INHERITANCE_EVENTS:
        return False

    # Alert details are keyed by the row id. init_alert_details is
    # presumably what creates ALERT_DETAILS[log] (including the
    # ["<UNKNOWN_USER>"] sentinel tested below) -- verify.
    log = event.get("p_row_id")
    init_alert_details(log)

    #########
    # for visibility changes that apply to a domain, not a user
    change_document_visibility = False

    # Only the first qualifying visibility change is recorded (break).
    for details in event.get("events", [{}]):
        if (details.get("type") == "acl_change"
                and details.get("name") == "change_document_visibility"
                and param_lookup(details.get("parameters", {}), "new_value") !=
            ["private"] and param_lookup(details.get(
                "parameters", {}), "target_domain") not in EXCLUDED_DOMAINS
                and param_lookup(details.get("parameters", {}),
                                 "visibility") in VISIBILITY):
            ALERT_DETAILS[log]["TARGET_DOMAIN"] = param_lookup(
                details.get("parameters", {}), "target_domain")
            ALERT_DETAILS[log]["NEW_VISIBILITY"] = param_lookup(
                details.get("parameters", {}), "visibility")
            ALERT_DETAILS[log]["DOC_TITLE"] = param_lookup(
                details.get("parameters", {}), "doc_title")

            change_document_visibility = True
            break

    # "change_document_visibility" events are always paired with
    # "change_document_access_scope" events. the "target_domain" and
    # "visibility" attributes are equivalent.
    # A domain-level grant alerts regardless of whether the paired
    # access-scope entry is found; the scope is only extra alert context.
    if change_document_visibility:
        for details in event.get("events", [{}]):
            if (details.get("type") == "acl_change"
                    and details.get("name") == "change_document_access_scope"
                    and param_lookup(details.get("parameters", {}),
                                     "new_value") != ["none"]):
                ALERT_DETAILS[log]["ACCESS_SCOPE"] = param_lookup(
                    details.get("parameters", {}), "new_value")
        return True

    #########
    # for visibility changes that apply to a user
    # there is a change_user_access event for each user
    # change_user_access and change_document_visibility events are
    # not found in the same report
    change_user_access = False

    for details in event.get("events", [{}]):
        if (details.get("type") == "acl_change"
                and details.get("name") == "change_user_access"
                and param_lookup(details.get("parameters", {}), "new_value") !=
            ["none"] and user_is_external(
                param_lookup(details.get("parameters", {}), "target_user"))):
            # First external user replaces the sentinel list and also sets
            # the document title and access scope; later ones are appended.
            if ALERT_DETAILS[log]["TARGET_USER_EMAILS"] != ["<UNKNOWN_USER>"]:
                ALERT_DETAILS[log]["TARGET_USER_EMAILS"].append(
                    param_lookup(details.get("parameters", {}), "target_user"))
            else:
                ALERT_DETAILS[log]["TARGET_USER_EMAILS"] = [
                    param_lookup(details.get("parameters", {}), "target_user")
                ]
                ALERT_DETAILS[log]["DOC_TITLE"] = param_lookup(
                    details.get("parameters", {}), "doc_title")
                ALERT_DETAILS[log]["ACCESS_SCOPE"] = param_lookup(
                    details.get("parameters", {}), "new_value")

            change_user_access = True

    return change_user_access