def get_event_type(event):
    """Map a GSuite audit event to one of the tracked ``event_type`` members.

    Only a handful of event shapes are classified: an admin ASSIGN_ROLE
    change, a failed login, and any other event from the ``login`` app.
    Returns ``None`` for everything else.
    """
    app_name = deep_get(event, "id", "applicationName")

    # Admin role delegation is only considered for the admin application.
    if app_name == "admin" and details_lookup(
            "DELEGATED_ADMIN_SETTINGS", ["ASSIGN_ROLE"], event):
        return event_type.ADMIN_ROLE_ASSIGNED

    # A failed login is checked before the generic login match so it wins.
    if details_lookup("login", ["login_failure"], event):
        return event_type.FAILED_LOGIN

    if app_name == "login":
        return event_type.SUCCESSFUL_LOGIN

    return None
def get_event_type(event):
    """Classify *event* into a tracked ``event_type`` value, else ``None``.

    Tracked shapes are: an ASSIGN_ROLE change from the admin app, a
    ``login_failure`` detail, and any remaining event from the login app.
    """
    from_admin_app = deep_get(event, 'id', 'applicationName') == 'admin'
    # Short-circuit keeps the DELEGATED_ADMIN_SETTINGS lookup admin-only.
    role_assigned = from_admin_app and details_lookup(
        'DELEGATED_ADMIN_SETTINGS', ['ASSIGN_ROLE'], event)
    if role_assigned:
        return event_type.ADMIN_ROLE_ASSIGNED

    if details_lookup('login', ['login_failure'], event):
        return event_type.FAILED_LOGIN

    if deep_get(event, 'id', 'applicationName') == 'login':
        return event_type.SUCCESSFUL_LOGIN

    return None
def rule(event):
    """Fire on admin events that carry a delegated-permission change.

    Only events from the ``admin`` application are considered; the match is
    any DELEGATED_ADMIN_SETTINGS detail whose name is in
    PERMISSION_DELEGATED_EVENTS.
    """
    application = event['id'].get('applicationName')
    if application != 'admin':
        return False

    matched = details_lookup('DELEGATED_ADMIN_SETTINGS',
                             PERMISSION_DELEGATED_EVENTS, event)
    return True if matched else False
def title(event):
    """Alert title for a suspicious-login account warning.

    Reads ``affected_email_address`` from the matched ``account_warning``
    detail and masks it when the parameter is missing or empty.
    """
    details = details_lookup('account_warning', SUSPICOUS_LOGIN_TYPES, event)
    parameters = details.get('parameters', {})
    # Falsy lookups (None / empty) collapse to the masked placeholder.
    user = param_lookup(parameters, 'affected_email_address') or '******'
    return 'A suspicious login was reported for user [{}]'.format(user)
def rule(event):
    """Fire when a Drive resource change sets a permissive visibility.

    Non-drive events never match. For drive events the ``visibility``
    parameter of the matched ``access`` detail must be one of
    PERMISSIVE_VISIBILITY.
    """
    if deep_get(event, "id", "applicationName") != "drive":
        return False

    details = details_lookup("access", RESOURCE_CHANGE_EVENTS, event)
    # No matching detail means nothing to inspect.
    if not details:
        return False

    visibility = param_lookup(details.get("parameters", {}), "visibility")
    return visibility in PERMISSIVE_VISIBILITY
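def title(event):
    """Alert title for an account disabled after a password leak.

    Reads ``affected_email_address`` from the matched ``account_warning``
    detail; the user is masked when the parameter is absent or empty.
    """
    details = details_lookup('account_warning', PASSWORD_LEAKED_EVENTS, event)
    # Key is 'parameters' — the previous spelling 'paramters' never matched,
    # so the lookup always hit the empty default and masked every user.
    user = param_lookup(details.get('parameters', {}), 'affected_email_address')
    if not user:
        user = '******'
    return 'User [{}]\'s account was disabled due to a password leak'.format(
        user)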
def rule(event):
    """Fire on a ``rules`` application trigger whose severity is LOW.

    Returns False for other applications and when no ``rule_trigger``
    detail is present.
    """
    if event['id'].get('applicationName') != 'rules':
        return False

    details = details_lookup('rule_trigger_type', ['rule_trigger'], event)
    if not details:
        return False

    severity = param_lookup(details.get('parameters', {}), 'severity')
    return severity == 'LOW'
def rule(event):
    """Fire on a failed login reported by the ``login`` application."""
    application = deep_get(event, "id", "applicationName")
    # Only login-app events are candidates.
    if application != "login":
        return False

    failure = details_lookup("login", ["login_failure"], event)
    return True if failure else False
def title(event):
    """Alert title for a suspicious-login account warning.

    The affected address comes from the matched ``account_warning`` detail
    and is masked when absent or empty.
    """
    details = details_lookup("account_warning", SUSPICOUS_LOGIN_TYPES, event)
    parameters = details.get("parameters", {})
    user = param_lookup(parameters, "affected_email_address") or "******"
    return f"A suspicious login was reported for user [{user}]"
def rule(event):
    """Fire when a Groups moderator bans a user via moderation."""
    if deep_get(event, "id", "applicationName") != "groups_enterprise":
        return False

    ban = details_lookup("moderator_action", ["ban_user_with_moderation"],
                         event)
    return True if ban else False
def title(event):
    """Alert title for an account disabled after a password leak.

    The affected address is read from the matched ``account_warning``
    detail and masked when the parameter is missing or empty.
    """
    details = details_lookup("account_warning", PASSWORD_LEAKED_EVENTS, event)
    parameters = details.get("parameters", {})
    user = param_lookup(parameters, "affected_email_address") or "******"
    return f"User [{user}]'s account was disabled due to a password leak"
def rule(event):
    """Fire when a Drive resource change sets a permissive visibility.

    Returns False for non-drive events and when no ``access`` detail in
    RESOURCE_CHANGE_EVENTS is present.
    """
    if event['id'].get('applicationName') != 'drive':
        return False

    details = details_lookup('access', RESOURCE_CHANGE_EVENTS, event)
    if not details:
        return False

    visibility = param_lookup(details.get('parameters', {}), 'visibility')
    return visibility in PERMISSIVE_VISIBILITY
def rule(event):
    """Fire on admin events carrying a delegated-permission change.

    The match is any DELEGATED_ADMIN_SETTINGS detail named in
    PERMISSION_DELEGATED_EVENTS; other applications never match.
    """
    application = deep_get(event, "id", "applicationName")
    if application != "admin":
        return False

    delegated = details_lookup("DELEGATED_ADMIN_SETTINGS",
                               PERMISSION_DELEGATED_EVENTS, event)
    return True if delegated else False
def rule(event):
    """Fire on a ``rules`` application trigger whose severity is MEDIUM.

    Returns False for other applications and when no ``rule_trigger``
    detail is present.
    """
    if deep_get(event, "id", "applicationName") != "rules":
        return False

    details = details_lookup("rule_trigger_type", ["rule_trigger"], event)
    if not details:
        return False

    severity = param_lookup(details.get("parameters", {}), "severity")
    return severity == "MEDIUM"
def rule(event):
    """Fire on a SUSPICIOUS_ACTIVITY_EVENT reported by the mobile app."""
    application = event['id'].get('applicationName')
    if application != 'mobile':
        return False

    suspicious = details_lookup('suspicious_activity',
                                ['SUSPICIOUS_ACTIVITY_EVENT'], event)
    return True if suspicious else False
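def rule(event):
    """Fire when a mobile device reports a COMPROMISED state.

    Returns False for non-mobile events and when no DEVICE_COMPROMISED_EVENT
    detail is present. The latter case previously reached ``details.get``
    on whatever falsy value ``details_lookup`` returned and could raise
    instead of declining to match.
    """
    if deep_get(event, "id", "applicationName") != "mobile":
        return False

    details = details_lookup("suspicious_activity",
                             ["DEVICE_COMPROMISED_EVENT"], event)
    # Guard before touching the detail — sibling rules in this file use the
    # same check, so a missing detail is a non-match, not an error.
    if not details:
        return False

    state = param_lookup(details.get("parameters", {}),
                         "DEVICE_COMPROMISED_STATE")
    return state == "COMPROMISED"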
def rule(event):
    """Fire when a mobile device reports a COMPROMISED state.

    Returns False for non-mobile events and when no DEVICE_COMPROMISED_EVENT
    detail is present.
    """
    if event['id'].get('applicationName') != 'mobile':
        return False

    details = details_lookup('suspicious_activity',
                             ['DEVICE_COMPROMISED_EVENT'], event)
    if not details:
        return False

    parameters = details.get('parameters', {})
    return param_lookup(parameters, 'DEVICE_COMPROMISED_STATE') == 'COMPROMISED'
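def rule(event):
    """Fire when a mobile device exceeds MAX_UNLOCK_ATTEMPTS failed unlocks.

    Returns False for non-mobile events, when no FAILED_PASSWORD_ATTEMPTS_EVENT
    detail is present, and when the FAILED_PASSWD_ATTEMPTS parameter is
    missing or empty (``int(None)`` previously raised TypeError here). A
    non-numeric count still raises so it surfaces as a rule error rather
    than a silent non-match.
    """
    if event['id'].get('applicationName') != 'mobile':
        return False

    details = details_lookup('suspicious_activity',
                             ['FAILED_PASSWORD_ATTEMPTS_EVENT'], event)
    if not details:
        return False

    attempts = param_lookup(details.get('parameters', {}),
                            'FAILED_PASSWD_ATTEMPTS')
    # Absent/empty count carries no evidence of a threshold breach.
    if not attempts:
        return False
    return int(attempts) > MAX_UNLOCK_ATTEMPTS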
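def title(event):
    """Alert title for a document shared with overly permissive settings.

    Uses the ``doc_title`` and ``visibility`` parameters of the matched
    ``access`` detail. ``doc_title`` falls back to ``UNKNOWN_TITLE`` when
    the parameter is missing — the original assigned that default and then
    unconditionally overwrote it, so it never applied.
    """
    details = details_lookup("access", RESOURCE_CHANGE_EVENTS, event)
    # Tolerate a falsy lookup result so the title never raises on `.get`.
    params = (details or {}).get("parameters", {})
    doc_title = param_lookup(params, "doc_title") or "UNKNOWN_TITLE"
    share_settings = param_lookup(params, "visibility")
    actor = deep_get(event, 'actor', 'email', default='<UNKNOWN_EMAIL>')
    return (
        f"User [{actor}]"
        f" modified a document [{doc_title}] that has overly permissive share"
        f" settings [{share_settings}]")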
def rule(event):
    """Fire when a mobile device exceeds MAX_UNLOCK_ATTEMPTS failed unlocks.

    A missing or empty FAILED_PASSWD_ATTEMPTS parameter counts as zero.
    """
    if deep_get(event, "id", "applicationName") != "mobile":
        return False

    details = details_lookup("suspicious_activity",
                             ["FAILED_PASSWORD_ATTEMPTS_EVENT"], event)
    raw_count = param_lookup(details.get("parameters", {}),
                             "FAILED_PASSWD_ATTEMPTS")
    # `or 0` turns None / '' into zero before the integer conversion.
    failed_attempts = int(raw_count or 0)
    return failed_attempts > MAX_UNLOCK_ATTEMPTS
def title(event):
    """Alert title for a delegated-administrator privilege grant.

    Reads ROLE_NAME and USER_EMAIL from the matched DELEGATED_ADMIN_SETTINGS
    detail, substituting placeholders when either is absent or empty.
    """
    details = details_lookup('DELEGATED_ADMIN_SETTINGS',
                             PERMISSION_DELEGATED_EVENTS, event)
    parameters = details.get('parameters', {})
    role = param_lookup(parameters, 'ROLE_NAME') or '<UNKNOWN_ROLE>'
    user = param_lookup(parameters, 'USER_EMAIL') or '******'
    actor_email = event.get('actor', {}).get('email')
    return 'User [{}] delegated new administrator privileges [{}] to [{}]'.format(
        actor_email, role, user)
def rule(event):
    """Fire when an admin transfers document ownership to an external address.

    Matches TRANSFER_DOCUMENT_OWNERSHIP under DOCS_SETTINGS and reads the
    new owner from NEW_VALUE; "external" means the address does not end
    with any entry of ORG_DOMAINS.
    """
    if event['id'].get('applicationName') != 'admin':
        return False

    details = details_lookup('DOCS_SETTINGS', ['TRANSFER_DOCUMENT_OWNERSHIP'],
                             event)
    if not details:
        return False

    new_owner = param_lookup(details.get('parameters', {}), 'NEW_VALUE')
    if not new_owner:
        return False

    # NOTE(review): a plain suffix match only separates internal from
    # external addresses if each ORG_DOMAINS entry carries its '@' (or
    # leading '.') separator; confirm the constant's format.
    is_internal = any(new_owner.endswith(domain) for domain in ORG_DOMAINS)
    return not is_internal
def rule(event):
    """Fire when an admin transfers document ownership outside ORG_DOMAINS.

    Only TRANSFER_DOCUMENT_OWNERSHIP details under DOCS_SETTINGS from the
    admin application are considered; the new owner is the NEW_VALUE
    parameter.
    """
    if deep_get(event, "id", "applicationName") != "admin":
        return False

    details = details_lookup("DOCS_SETTINGS", ["TRANSFER_DOCUMENT_OWNERSHIP"],
                             event)
    if not details:
        return False

    new_owner = param_lookup(details.get("parameters", {}), "NEW_VALUE")
    if not new_owner:
        return False

    # NOTE(review): suffix matching assumes ORG_DOMAINS entries include the
    # '@' (or leading '.') separator; verify against the constant.
    return not any(new_owner.endswith(domain) for domain in ORG_DOMAINS)
def title(event):
    """Alert title for a delegated-administrator privilege grant.

    ROLE_NAME and USER_EMAIL come from the matched DELEGATED_ADMIN_SETTINGS
    detail; placeholders are substituted when either is absent or empty.
    """
    details = details_lookup("DELEGATED_ADMIN_SETTINGS",
                             PERMISSION_DELEGATED_EVENTS, event)
    parameters = details.get("parameters", {})
    role = param_lookup(parameters, "ROLE_NAME") or "<UNKNOWN_ROLE>"
    user = param_lookup(parameters, "USER_EMAIL") or "******"
    actor = deep_get(event, 'actor', 'email', default='<UNKNOWN_USER>')
    return (
        f"User [{actor}] delegated new"
        f" administrator privileges [{role}] to [{user}]")
def rule(event):
    """Fire when an actor's failed logins cross THRESH within THRESH_TTL.

    Non-login events and login events without a ``login_failure`` detail
    never match; otherwise the decision is delegated to
    ``evaluate_threshold`` keyed on the actor's email.
    """
    if event['id'].get('applicationName') != 'login':
        return False

    details = details_lookup('login', ['login_failure'], event)
    if not details:
        return False

    actor_email = event.get('actor', {}).get('email')
    counter_key = '{}-GSuiteLoginFailedCounter'.format(actor_email)
    return evaluate_threshold(counter_key, THRESH, THRESH_TTL)
def rule(event):
    """Fire on a government-backed attack warning from the login app."""
    application = event['id'].get('applicationName')
    if application != 'login':
        return False

    warning = details_lookup('attack_warning', ['gov_attack_warning'], event)
    return True if warning else False
def rule(event):
    """Fire on an ``account_warning`` detail named in SUSPICOUS_LOGIN_TYPES."""
    if event['id'].get('applicationName') != 'login':
        return False

    warning = details_lookup('account_warning', SUSPICOUS_LOGIN_TYPES, event)
    return True if warning else False
def rule(event):
    """Fire when a user account is unenrolled from Titanium (2SV) protection."""
    application = event['id'].get('applicationName')
    if application != 'user_accounts':
        return False

    unenroll = details_lookup('titanium_change', ['titanium_unenroll'], event)
    return True if unenroll else False
def rule(event):
    """Fire when a user account is unenrolled from Titanium protection."""
    if deep_get(event, "id", "applicationName") != "user_accounts":
        return False

    unenroll = details_lookup("titanium_change", ["titanium_unenroll"], event)
    return True if unenroll else False
def rule(event):
    """Fire on an Access Transparency ACCESS record for a GSuite resource."""
    application = deep_get(event, "id", "applicationName")
    if application != "access_transparency":
        return False

    access = details_lookup("GSUITE_RESOURCE", ["ACCESS"], event)
    return True if access else False