def last_updated(self, match_field) -> datetime.date:
    """Parse the RIOT ``scan_time`` recorded for ``match_field``.

    Reads ``self.riot[match_field]["scan_time"]`` via ``deep_get`` and hands
    the raw value straight to ``parser.parse`` (presumably ``dateutil``).
    No default is supplied, so an absent field is passed through as-is and
    the parser, not this method, decides how to handle it. NOTE(review): a
    ``dateutil`` parse yields a datetime rather than a bare ``date`` — confirm
    the annotation matches what callers expect.
    """
    raw_scan_time = deep_get(self.riot, match_field, "scan_time")
    return parser.parse(raw_scan_time)
def is_spoofable(self, match_field) -> str:
    """Return the GreyNoise ``spoofable`` value for ``match_field``.

    This is the raw enrichment value from ``self.noise[match_field]["spoofable"]``;
    when the path is absent ``deep_get`` returns its default (presumably None),
    despite the ``str`` annotation.
    """
    path = (match_field, "spoofable")
    return deep_get(self.noise, *path)
def tags_string(self, match_field, limit: int = 10) -> str:
    """Return up to ``limit`` GreyNoise tags for ``match_field`` joined by spaces.

    Only a list is truncated and joined; a bare string or an absent value
    (presumably None) is returned unchanged, so the result is not always a
    ``str``.
    """
    tags = deep_get(self.noise, match_field, "tags")
    if not isinstance(tags, list):
        return tags
    return " ".join(tags[:limit])
def operating_system(self, match_field) -> str:
    """Return the operating system GreyNoise attributes to ``match_field``.

    Reads ``self.noise[match_field]["metadata"]["os"]``; an absent path yields
    ``deep_get``'s default (presumably None).
    """
    metadata_path = (match_field, "metadata", "os")
    return deep_get(self.noise, *metadata_path)
def is_tor(self, match_field) -> bool:
    """Return GreyNoise's ``metadata.tor`` flag for ``match_field``.

    The raw enrichment value is returned without coercion, so an absent path
    gives ``deep_get``'s default (presumably None) rather than ``False``.
    """
    tor_flag = deep_get(self.noise, match_field, "metadata", "tor")
    return tor_flag
def rule(event):
    """Fire on a CloudTrail API call made directly by the AWS root user.

    Every condition must hold: the caller's ``userIdentity.type`` is ``Root``,
    the call carried no ``errorMessage``, it is not attributed to an AWS
    service (no ``userIdentity.invokedBy`` and ``eventType`` is not
    ``AwsServiceEvent``), and ``eventName`` is not in ``EVENT_ALLOW_LIST``
    (defined elsewhere in this file). Guard clauses below mirror the
    original ``and`` chain, including its short-circuit order.
    """
    if deep_get(event, 'userIdentity', 'type') != 'Root':
        return False
    if event.get('errorMessage') is not None:
        return False
    if deep_get(event, 'userIdentity', 'invokedBy') is not None:
        return False
    if event.get('eventType') == 'AwsServiceEvent':
        return False
    return event.get('eventName') not in EVENT_ALLOW_LIST
def country_code(self, match_field) -> str:
    """Return the GreyNoise ``metadata.country_code`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    path = (match_field, "metadata", "country_code")
    return deep_get(self.noise, *path)
def GetGreyNoiseRiotObject(event):
    """Build the RIOT helper that matches the enrichment present on ``event``.

    Returns a ``GreyNoiseRIOTAdvanced`` when ``p_enrichment.greynoise_riot_advanced``
    holds a truthy value and a ``GreyNoiseRIOTBasic`` otherwise. Both classes
    are defined elsewhere in this file.
    """
    has_advanced = bool(deep_get(event, "p_enrichment", "greynoise_riot_advanced"))
    riot_cls = GreyNoiseRIOTAdvanced if has_advanced else GreyNoiseRIOTBasic
    return riot_cls(event)
def __init__(self, event):
    """Capture the advanced GreyNoise Noise enrichment carried by ``event``.

    ``self.noise`` holds ``event["p_enrichment"]["greynoise_noise_advanced"]``
    (``deep_get``'s default, presumably None, when absent) and
    ``self.sublevel`` records which enrichment tier this helper reads.
    """
    self.sublevel = "advanced"
    self.noise = deep_get(event, "p_enrichment", "greynoise_noise_advanced")
def trust_level(self, match_field) -> int:
    """Return the RIOT provider ``trust_level`` for ``match_field``.

    Reads ``self.riot[match_field]["provider"]["trust_level"]``; an absent
    path yields ``deep_get``'s default (presumably None) rather than an int.
    """
    provider_path = (match_field, "provider", "trust_level")
    return deep_get(self.riot, *provider_path)
def GetGreyNoiseObject(event):
    """Build the Noise helper that matches the enrichment present on ``event``.

    Returns a ``GreyNoiseAdvanced`` when ``p_enrichment.greynoise_noise_advanced``
    holds a truthy value and a ``GreyNoiseBasic`` otherwise. Both classes are
    defined elsewhere in this file.
    """
    has_advanced = bool(deep_get(event, "p_enrichment", "greynoise_noise_advanced"))
    noise_cls = GreyNoiseAdvanced if has_advanced else GreyNoiseBasic
    return noise_cls(event)
def reference(self, match_field) -> str:
    """Return the RIOT provider ``reference`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    provider_path = (match_field, "provider", "reference")
    return deep_get(self.riot, *provider_path)
def explanation(self, match_field) -> str:
    """Return the RIOT provider ``explanation`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    provider_path = (match_field, "provider", "explanation")
    return deep_get(self.riot, *provider_path)
def description(self, match_field) -> str:
    """Return the RIOT provider ``description`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    provider_path = (match_field, "provider", "description")
    return deep_get(self.riot, *provider_path)
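def rule(event):
    """Fire on a failed Okta login attempt.

    Matches when ``outcome.result`` is ``FAILURE`` and the event is a
    ``user.session.start``. ``eventType`` is read with ``.get`` so an event
    that lacks the key is simply not a match instead of raising ``KeyError``
    out of the rule; the short-circuit order of the original ``and`` is kept.
    """
    if deep_get(event, 'outcome', 'result') != 'FAILURE':
        return False
    return event.get('eventType') == 'user.session.start'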
def ip_address(self, match_field) -> str:
    """Return the IP address GreyNoise recorded for ``match_field``.

    Reads ``self.noise[match_field]["ip"]``; an absent path yields
    ``deep_get``'s default (presumably None).
    """
    ip_path = (match_field, "ip")
    return deep_get(self.noise, *ip_path)
def title(event):
    """Build the alert title from the targeted Okta account and the failure reason.

    Both values come from the event via ``deep_get``; a missing one is
    rendered the way ``str()`` renders it (e.g. ``None``).
    """
    account = deep_get(event, 'actor', 'alternateId')
    reason = deep_get(event, 'outcome', 'reason')
    return f'Suspected brute force Okta logins to account {account} due to [{reason}]'
def classification(self, match_field) -> str:
    """Return the GreyNoise ``classification`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    path = (match_field, "classification")
    return deep_get(self.noise, *path)
def city(self, match_field) -> str:
    """Return the GreyNoise ``metadata.city`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    metadata_path = (match_field, "metadata", "city")
    return deep_get(self.noise, *metadata_path)
def actor(self, match_field) -> str:
    """Return the GreyNoise ``actor`` attribution for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    actor_value = deep_get(self.noise, match_field, "actor")
    return actor_value
def organization(self, match_field) -> str:
    """Return the GreyNoise ``metadata.organization`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    metadata_path = (match_field, "metadata", "organization")
    return deep_get(self.noise, *metadata_path)
def is_bot(self, match_field) -> bool:
    """Return GreyNoise's ``bot`` flag for ``match_field``.

    The raw enrichment value is returned without coercion, so an absent path
    gives ``deep_get``'s default (presumably None) rather than ``False``.
    """
    bot_flag = deep_get(self.noise, match_field, "bot")
    return bot_flag
def region(self, match_field) -> str:
    """Return the GreyNoise ``metadata.region`` for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    metadata_path = (match_field, "metadata", "region")
    return deep_get(self.noise, *metadata_path)
def cve_string(self, match_field, limit: int = 10) -> str:
    """Return up to ``limit`` CVE identifiers for ``match_field`` joined by spaces.

    Only a list is truncated and joined; a bare string or an absent value
    (presumably None) is returned unchanged, so the result is not always a
    ``str``.
    """
    cves = deep_get(self.noise, match_field, "cve")
    if not isinstance(cves, list):
        return cves
    return " ".join(cves[:limit])
def rev_dns(self, match_field) -> str:
    """Return the reverse-DNS name GreyNoise recorded (``metadata.rdns``) for ``match_field``.

    An absent path yields ``deep_get``'s default (presumably None).
    """
    metadata_path = (match_field, "metadata", "rdns")
    return deep_get(self.noise, *metadata_path)
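def cve_list(self, match_field) -> list:
    """Return the GreyNoise CVE identifiers for ``match_field``, always as a list.

    Fix: the lookup previously passed ``self.noise.get`` — a bound method —
    to ``deep_get`` instead of the ``self.noise`` mapping, so the path could
    never be resolved; it now mirrors ``cve_string`` and ``tags_list``. A bare
    string in the enrichment is wrapped in a one-element list; any other
    value (a list, or the default for an absent path) is passed through.
    """
    cves = deep_get(self.noise, match_field, "cve")
    if isinstance(cves, str):
        return [cves]
    return cves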
def tags_list(self, match_field) -> list:
    """Return the GreyNoise tags for ``match_field``, wrapping a bare string in a list.

    Any non-string value (a list, or ``deep_get``'s default when the path is
    absent) is returned unchanged.
    """
    raw_tags = deep_get(self.noise, match_field, "tags")
    return [raw_tags] if isinstance(raw_tags, str) else raw_tags
def first_seen(self, match_field) -> datetime.date:
    """Parse the GreyNoise ``first_seen`` timestamp recorded for ``match_field``.

    Reads ``self.noise[match_field]["first_seen"]`` via ``deep_get`` and hands
    the raw value straight to ``parser.parse`` (presumably ``dateutil``). No
    default is supplied, so an absent field is passed through as-is and the
    parser decides how to handle it. NOTE(review): a ``dateutil`` parse yields
    a datetime rather than a bare ``date`` — confirm against callers.
    """
    raw_first_seen = deep_get(self.noise, match_field, "first_seen")
    return parser.parse(raw_first_seen)
def is_vpn(self, match_field) -> bool:
    """Return GreyNoise's ``vpn`` flag for ``match_field``.

    The raw enrichment value is returned without coercion, so an absent path
    gives ``deep_get``'s default (presumably None) rather than ``False``.
    """
    vpn_flag = deep_get(self.noise, match_field, "vpn")
    return vpn_flag
def url(self, match_field) -> str:
    """Return the GreyNoise visualizer URL for the RIOT ``ip_cidr`` of ``match_field``.

    The CIDR suffix (everything from the first ``/``) is dropped; a missing
    ``ip_cidr`` defaults to "" and yields the bare visualizer path. The value
    is interpolated as-is, without validation or URL-encoding, so the link is
    exactly as trustworthy as the enrichment value it came from.
    """
    cidr = deep_get(self.riot, match_field, "ip_cidr", default="")
    host, _, _ = cidr.partition("/")
    return f"https://www.greynoise.io/viz/ip/{host}"