def rule(event):
    """Fire on Box Shield alerts in a suspicious category with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event is a SHIELD_ALERT whose rule_category is in the
        module-level SUSPICIOUS_EVENT_TYPES collection (defined elsewhere in
        the module) and whose risk_score exceeds 50; False otherwise.
    """
    if event.get("event_type") != "SHIELD_ALERT":
        return False
    shield_alert = box_parse_additional_details(event).get("shield_alert", {})
    category = shield_alert.get("rule_category", "")
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError on the comparison and error the detection — confirm against the
    # Box Shield schema.
    score = shield_alert.get("risk_score", 0)
    return category in SUSPICIOUS_EVENT_TYPES and score > 50
def rule(event):
    """Fire on a Box Shield 'Anomalous Download' alert with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event is a SHIELD_ALERT whose rule_category is
        'Anomalous Download' and whose risk_score exceeds 50; False otherwise.
    """
    if event.get('event_type') != 'SHIELD_ALERT':
        return False
    shield_alert = box_parse_additional_details(event).get('shield_alert', {})
    if shield_alert.get('rule_category', '') != 'Anomalous Download':
        return False
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError here — confirm against the Box Shield schema.
    return shield_alert.get('risk_score', 0) > 50
def rule(event):
    """Fire on Box Shield alerts in a suspicious category with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event is a SHIELD_ALERT whose rule_category is in the
        module-level SUSPICIOUS_EVENT_TYPES collection (defined elsewhere in
        the module) and whose risk_score exceeds 50; False otherwise.
    """
    if event.get('event_type') != 'SHIELD_ALERT':
        return False
    shield_alert = box_parse_additional_details(event).get('shield_alert', {})
    if shield_alert.get('rule_category', '') not in SUSPICIOUS_EVENT_TYPES:
        return False
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError here — confirm against the Box Shield schema.
    return shield_alert.get('risk_score', 0) > 50
def rule(event):
    """Fire on a Box Shield 'Anomalous Download' alert with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event is a SHIELD_ALERT whose rule_category is
        "Anomalous Download" and whose risk_score exceeds 50; False otherwise.
    """
    if event.get("event_type") != "SHIELD_ALERT":
        return False
    shield_alert = box_parse_additional_details(event).get("shield_alert", {})
    is_anomalous_download = shield_alert.get("rule_category", "") == "Anomalous Download"
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError here — confirm against the Box Shield schema.
    return is_anomalous_download and shield_alert.get("risk_score", 0) > 50
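def title(event):
    """Build the alert title for an anomalous-download Shield alert.

    Prefers the description Box supplies in the alert summary; falls back to a
    generic message naming the user recorded in ``event['created_by']``.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        The alert title string.
    """
    details = box_parse_additional_details(event)
    description = details.get('shield_alert', {}).get('alert_summary', {}).get('description', '')
    if description:
        return description
    # The fallback title previously misspelled "Anomalous" as "Anamalous".
    user_name = event.get('created_by', {}).get('name', '<UNKNOWN_USER>')
    return 'Anomalous download activity triggered by user [{}].'.format(user_name)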
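def title(event):
    """Build the alert title for a suspicious Box Shield event.

    Prefers the description Box supplies in the alert summary; falls back to a
    generic message naming the alert's user by email.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        The alert title string.
    """
    details = box_parse_additional_details(event)
    shield_alert = details.get('shield_alert', {})
    description = shield_alert.get('alert_summary', {}).get('description', '')
    if description:
        return description
    # Default the email so a missing user record renders as <UNKNOWN_USER>
    # instead of "None" in the alert title.
    user_email = shield_alert.get('user', {}).get('email', '<UNKNOWN_USER>')
    return 'Shield medium to high risk, suspicious event alert triggered for user [{}]'.format(user_email)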
def title(event):
    """Build the alert title for an anomalous-download Shield alert.

    Prefers the description Box supplies in the alert summary; falls back to a
    generic message naming the user recorded in ``event['created_by']``.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        The alert title string.
    """
    details = box_parse_additional_details(event)
    # No default here: a missing description is falsy and triggers the fallback.
    description = deep_get(details, "shield_alert", "alert_summary", "description")
    if description:
        return description
    user_name = deep_get(event, 'created_by', 'name', default='<UNKNOWN_USER>')
    return f"Anomalous download activity triggered by user [{user_name}]."
def rule(event):
    """Fire on files Box has flagged as malicious.

    Two event shapes qualify: the enterprise FILE_MARKED_MALICIOUS event, which
    always fires, and a Box Shield SHIELD_ALERT in the 'Malicious Content'
    category with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event matches either shape, False otherwise.
    """
    event_type = event.get('event_type')
    # Enterprise-level "file marked malicious" events always fire.
    if event_type == 'FILE_MARKED_MALICIOUS':
        return True
    # Otherwise only Box Shield alerts in the Malicious Content category qualify.
    if event_type != 'SHIELD_ALERT':
        return False
    shield_alert = box_parse_additional_details(event).get('shield_alert', {})
    if shield_alert.get('rule_category', '') != 'Malicious Content':
        return False
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError here — confirm against the Box Shield schema.
    return shield_alert.get('risk_score', 0) > 50
def rule(event):
    """Fire on files Box has flagged as malicious.

    Two event shapes qualify: the enterprise FILE_MARKED_MALICIOUS event, which
    always fires, and a Box Shield SHIELD_ALERT in the "Malicious Content"
    category with a risk_score above 50.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        True when the event matches either shape, False otherwise.
    """
    if event.get("event_type") == "FILE_MARKED_MALICIOUS":
        return True
    # Box Shield reports malicious content as a separate alert event.
    if event.get("event_type") != "SHIELD_ALERT":
        return False
    shield_alert = box_parse_additional_details(event).get("shield_alert", {})
    category_matches = shield_alert.get("rule_category", "") == "Malicious Content"
    # NOTE(review): assumes risk_score is numeric; a string value would raise
    # TypeError here — confirm against the Box Shield schema.
    return category_matches and shield_alert.get("risk_score", 0) > 50
def title(event):
    """Build the alert title for a malicious-file event.

    For the enterprise FILE_MARKED_MALICIOUS event the file name and owner come
    from ``event['source']``; for a Box Shield alert they come from the parsed
    ``shield_alert`` details (upload activity item name and alert user email).

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        A title of the form "File [<name>], owned by [<user>], was marked malicious."
    """
    template = 'File [{}], owned by [{}], was marked malicious.'
    if event.get('event_type') == 'FILE_MARKED_MALICIOUS':
        source = event.get('source', {})
        return template.format(
            source.get('item_name', "<UNKNOWN_FILE>"),
            source.get('owned_by', {}).get('login', '<UNKNOWN_USER>'))
    shield_alert = box_parse_additional_details(event).get('shield_alert', {})
    upload_activity = shield_alert.get('alert_summary', {}).get('upload_activity', {})
    return template.format(
        upload_activity.get('item_name', '<UNKNOWN_FILE_NAME>'),
        shield_alert.get('user', {}).get('email', '<UNKNOWN_USER>'))
def title(event):
    """Build the alert title for a suspicious Box Shield event.

    Prefers the description Box supplies in the alert summary; falls back to a
    generic message naming the alert's user by email.

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        The alert title string.
    """
    details = box_parse_additional_details(event)
    description = deep_get(details, "shield_alert", "alert_summary", "description", default="")
    if description:
        return description
    user_email = deep_get(details, 'shield_alert', 'user', 'email', default='<UNKNOWN_USER>')
    return f"Shield medium to high risk, suspicious event alert triggered for user [{user_email}]"
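def title(event):
    """Build the alert title for a malicious-file event.

    For the enterprise FILE_MARKED_MALICIOUS event the file name and owner come
    from ``event['source']``; for a Box Shield alert they come from the parsed
    ``shield_alert`` details (upload activity item name and alert user email).

    Args:
        event: Box event dict as delivered to the detection.

    Returns:
        A title of the form "File [<name>], owned by [<user>], was marked malicious."
    """
    if event.get("event_type") == "FILE_MARKED_MALICIOUS":
        file_name = deep_get(event, 'source', 'item_name', default='<UNKNOWN_FILE>')
        owner = deep_get(event, 'source', 'owned_by', 'login', default='<UNKNOWN_USER>')
        return f"File [{file_name}], owned by [{owner}], was marked malicious."
    alert_details = box_parse_additional_details(event).get("shield_alert", {})
    # The file name comes from the upload activity and the user from the alert's
    # user record; the original had these two placeholders swapped, so the
    # title read "File [<email>], owned by [<file name>]".
    file_name = deep_get(alert_details, 'alert_summary', 'upload_activity', 'item_name', default='<UNKNOWN_FILE>')  # pylint: disable=line-too-long
    user_email = deep_get(alert_details, 'user', 'email', default='<UNKNOWN_USER>')
    return f"File [{file_name}], owned by [{user_email}], was marked malicious."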