コード例 #1
0
def store_login_info(key, event):
    # Map the user to the lon/lat and time of the most recent login
    put_string_set(key, [
        dumps({
            'lon':
            event['client']['geographicalContext']['geolocation']['lon'],
            'lat':
            event['client']['geographicalContext']['geolocation']['lat'],
            'time':
            event['p_event_time']
        })
    ])
    # Expire the entry after a week so the table doesn't fill up with past users
    set_key_expiration(key,
                       str((datetime.now() + timedelta(days=7)).timestamp()))
コード例 #2
0
def store_login_info(key, event):
    # Map the user to the lon/lat and time of the most recent login
    put_string_set(
        key,
        [
            dumps({
                "city":
                deep_get(event, "client", "geographicalContext", "city"),
                "lon":
                deep_get(event, "client", "geographicalContext", "geolocation",
                         "lon"),
                "lat":
                deep_get(event, "client", "geographicalContext", "geolocation",
                         "lat"),
                "time":
                event.get("p_event_time"),
            })
        ],
    )
    # Expire the entry after a week so the table doesn't fill up with past users
    set_key_expiration(key,
                       str((datetime.now() + timedelta(days=7)).timestamp()))
コード例 #3
0
def rule(event):

    # Filter events down to successful and failed login events
    if not event.get('user_id') or event.get('event_type_id') not in [5, 6]:
        return False

    event_key = get_key(event)
    # check risk associated with this event
    if event.get('risk_score', 0) > 50:
        # a failed authentication attempt with high risk score
        if event.get('event_type_id') == 6:
            # update a counter for this user's failed login attempts with a high risk score
            increment_counter(event_key)
            set_key_expiration(event_key, time.time() + THRESH_TTL)

    # Trigger alert if this user recently
    # failed a high risk login
    if event.get('event_type_id') == 5:
        if get_counter(event_key) > 0:
            reset_counter(event_key)
            return True
    return False
コード例 #4
0
def rule(event):
    # Pre-filter: event_type_id = 5 is login events.
    if event.get('event_type_id') != 5 or not event.get(
            'ipaddr') or not event.get('user_id'):
        return False
    # We expect to see multiple user logins from these shared, common ip addresses
    if is_ip_in_network(event.get('ipaddr'), SHARED_IP_SPACE):
        return False
    # This tracks multiple successful logins for different accounts from the same ip address
    # First, keep a list of unique user ids that have logged in from this ip address
    event_key = get_key(event)
    user_ids = get_string_set(event_key)
    # the user id of the user that has just logged in
    user_id = str(event.get('user_id'))
    if not user_ids:
        # store this as the first user login from this ip address
        put_string_set(event_key, [user_id])
        set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
        return False
    # add a new username if this is a unique user from this ip address
    if user_id not in user_ids:
        user_ids = add_to_string_set(event_key, user_id)
        set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
    return len(user_ids) > THRESH