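def rule(event):
    """Flag an IAM user whose recon-style API calls keep being denied.

    Args:
        event: a CloudTrail record (dict). Fields read: errorCode,
            userIdentity.type, userIdentity.arn, sourceIPAddress,
            eventSource and eventName.

    Returns:
        The result of ``evaluate_threshold`` (True once the per-ARN counter
        of AccessDenied recon calls crosses THRESH within THRESH_TTL) when
        the event matches a RECON_ACTIONS pattern, otherwise False.
        Missing keys no longer raise KeyError; they make the rule not match.
    """
    # Only access-denied responses are of interest here.
    if event.get('errorCode') != 'AccessDenied':
        return False

    # A missing or null identity block is treated as "no match" rather
    # than letting a KeyError escape the rule.
    identity = event.get('userIdentity') or {}
    if identity.get('type') != 'IAMUser':
        return False

    # A parseable IP means the call did not come from an AWS service
    # principal (those carry a DNS-style name in sourceIPAddress); a
    # missing address (None) also fails to parse and is dropped.
    try:
        ip_address(event.get('sourceIPAddress'))
    except ValueError:
        return False

    event_source = event.get('eventSource') or ''
    event_name = event.get('eventName') or ''
    for source_prefix, name_patterns in RECON_ACTIONS.items():
        if not event_source.startswith(source_prefix):
            continue
        if any(fnmatch(event_name, pattern) for pattern in name_patterns):
            # NOTE(review): the counter is keyed on the caller ARN; an event
            # without one collapses onto a shared 'None-...' key — confirm
            # the schema guarantees arn for IAMUser records.
            counter_key = '{}-AccessDeniedCounter'.format(identity.get('arn'))
            return evaluate_threshold(counter_key, THRESH, THRESH_TTL)

    return False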
def rule(event):
    """Flag a G Suite actor with repeated failed logins.

    Only events whose ``id.applicationName`` is ``'login'`` are considered.
    When ``details_lookup`` finds a ``login_failure`` entry, the result of
    ``evaluate_threshold`` on the actor's e-mail counter (THRESH within
    THRESH_TTL) is returned; otherwise False.
    """
    app_name = event['id'].get('applicationName')
    if app_name != 'login':
        return False

    matched_details = details_lookup('login', ['login_failure'], event)
    if not matched_details:
        return False

    # Counter is keyed per actor e-mail so each account has its own budget.
    actor_email = event.get('actor', {}).get('email')
    counter_key = '{}-GSuiteLoginFailedCounter'.format(actor_email)
    return evaluate_threshold(counter_key, THRESH, THRESH_TTL)
def rule(event):
    """Flag a G Suite actor with repeated failed logins.

    Only events whose ``id.applicationName`` is ``'login'`` are considered.
    If any entry under ``events`` is a ``login`` / ``login_failure`` pair,
    the result of ``evaluate_threshold`` on the actor's e-mail counter
    (THRESH within THRESH_TTL) is returned; otherwise False.
    """
    if event['id'].get('applicationName') != 'login':
        return False

    # Same default as before: a record with no 'events' key is scanned as
    # a single empty entry, which cannot match.
    has_failed_login = any(
        item.get('type') == 'login' and item.get('name') == 'login_failure'
        for item in event.get('events', [{}])
    )
    if not has_failed_login:
        return False

    # Counter is keyed per actor e-mail so each account has its own budget.
    actor_email = event.get('actor', {}).get('email')
    counter_key = '{}-GSuiteLoginFailedCounter'.format(actor_email)
    return evaluate_threshold(counter_key, THRESH, THRESH_TTL)