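def _check_acl_change_event(actor_email, acl_change_event):
    """Evaluate one ACL-change event for a dangerous external share.

    Args:
        actor_email: Email of the user who performed the share.
        acl_change_event: One event dict whose "parameters" list holds
            ``{"name": ..., "value": ...}`` (or ``"multiValue"``) entries.

    Returns:
        False when the share is not an external share of a previously
        private document, or when an entry in EXCEPTION_PATTERNS covers the
        document title, the actor and the current time. Otherwise a summary
        dict (truthy) with the actor, document title and target user, which
        the caller uses to alert and to build the title.
    """
    parameters = {
        p.get("name", "") : (p.get("value") or p.get("multiValue"))
        for p in acl_change_event["parameters"]
    }
    # A parameter can be present with neither "value" nor "multiValue", which
    # stores None under its name; dict.get() would hand that None back, so
    # `or` is used to apply the fallback in that case as well. Otherwise the
    # string methods below raise AttributeError and the alert is lost.
    doc_title = parameters.get("doc_title") or "TITLE_UNKNOWN"
    old_visibility = parameters.get("old_visibility") or "OLD_VISIBILITY_UNKNOWN"
    new_visibility = parameters.get("visibility") or "NEW_VISIBILITY_UNKNOWN"
    target_user = parameters.get("target_user") or "USER_UNKNOWN"
    current_time = datetime.datetime.now()

    # NOTE(review): assumes target_user is a single string; a "multiValue"
    # list here would fail on .endswith() — confirm against the log schema.
    is_external_share = (
        new_visibility == "shared_externally"
        and old_visibility == "private"
        and not target_user.endswith(f"@{COMPANY_DOMAIN}")
    )
    if not is_external_share:
        return False

    # Dangerous share: suppress only if an exception covers this title, this
    # actor and the current point in time.
    for pattern, details in EXCEPTION_PATTERNS.items():
        title_matches = pattern_match(doc_title.lower(), pattern)
        allowed_for = details.get("allowed_for")
        actor_allowed = (
            pattern_match_list(actor_email, allowed_for)
            or allowed_for == {"all"}
        )
        # NOTE(review): every exception is expected to carry an
        # "allowed_until" datetime comparable with a naive now(); a missing
        # one raises TypeError here — confirm the EXCEPTION_PATTERNS schema.
        if title_matches and actor_allowed and current_time < details.get("allowed_until"):
            return False

    # No exception matched: return the summary (truthy) to alert on.
    return {
        "actor": actor_email,
        "doc_title": doc_title,
        "target_user": target_user,
    }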
def rule(event):
    """Alert on an S3 "Get"-type read whose source IP GreyNoise classifies as malicious.

    Ignored outright: non-S3 events, events with an errorCode, calls made by
    AWSAccount/AWSService identities, event names outside _S3_EVENT_LIST, and
    records whose sourceIPAddress does not parse as an IP address. The
    GreyNoise noise object is kept in the module-level NOISE (presumably so
    the other rule functions can reuse it); IPs in the RIOT dataset are
    treated as benign.
    """
    global NOISE

    # Cheap filters first, before any GreyNoise lookup is made.
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("errorCode"):
        return False
    identity_type = deep_get(event, "userIdentity", "type")
    if identity_type in ("AWSAccount", "AWSService"):
        return False
    if not pattern_match_list(event.get("eventName"), _S3_EVENT_LIST):
        return False

    # sourceIPAddress is sometimes a service name rather than an address;
    # ip_address() raises ValueError for those (and for a missing value).
    try:
        ip_address(event.get("sourceIPAddress"))
    except ValueError:
        return False

    NOISE = GetGreyNoiseObject(event)
    riot = GetGreyNoiseRiotObject(event)
    # RIOT membership means a known benign service; never alert on those.
    if riot.is_riot("sourceIPAddress"):
        return False

    return NOISE.classification("sourceIPAddress") == "malicious"
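def rule(event):
    """Alert on a security-group change in a production account made outside the approved path.

    A change is approved (no alert) only when BOTH the user agent matches
    ALLOWED_USER_AGENTS (Console, CloudFormation or Terraform) AND the IAM
    role in userIdentity.arn is one of ALLOWED_ROLE_NAMES; anything else in
    a PROD_ACCOUNT_IDS account fires.
    """
    if event.get('eventName') not in SG_CHANGE_EVENTS:
        return False
    if event.get('recipientAccountId') not in PROD_ACCOUNT_IDS:
        return False

    # Validate the deployment mechanism (Console, CloudFormation, or Terraform)
    if not pattern_match_list(event.get('userAgent'), ALLOWED_USER_AGENTS):
        return True

    # Validate the IAM Role used is in our acceptable list. deep_get returns
    # None when userIdentity.arn is absent; fall back to '' so the substring
    # test cannot raise TypeError (which would error the rule instead of
    # alerting on an unapproved change).
    actor_arn = deep_get(event, 'userIdentity', 'arn') or ''
    return not any(role in actor_arn for role in ALLOWED_ROLE_NAMES)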
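def rule(event):
    """Alert on a successful security-group change in a production account made outside the approved path.

    Only events accepted by aws_cloudtrail_success are considered. A change
    is approved (no alert) only when BOTH the user agent matches
    ALLOWED_USER_AGENTS (Console, CloudFormation or Terraform) AND the IAM
    role in userIdentity.arn is one of ALLOWED_ROLE_NAMES; anything else in
    a PROD_ACCOUNT_IDS account fires.
    """
    if not aws_cloudtrail_success(event):
        return False
    if event.get("eventName") not in SG_CHANGE_EVENTS:
        return False
    if event.get("recipientAccountId") not in PROD_ACCOUNT_IDS:
        return False

    # Validate the deployment mechanism (Console, CloudFormation, or Terraform)
    if not pattern_match_list(event.get("userAgent"), ALLOWED_USER_AGENTS):
        return True

    # Validate the IAM Role used is in our acceptable list. deep_get returns
    # None when userIdentity.arn is absent; fall back to "" so the substring
    # test cannot raise TypeError (which would error the rule instead of
    # alerting on an unapproved change).
    actor_arn = deep_get(event, "userIdentity", "arn") or ""
    return not any(role in actor_arn for role in ALLOWED_ROLE_NAMES)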
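def rule(event):
    """Alert when a Teleport session.command event runs a program in USER_CREATE_PATTERNS.

    Uses event.get('event') rather than event['event'] so a record without
    that key is filtered out instead of raising KeyError and erroring the rule.
    """
    # Filter the events
    if event.get('event') != 'session.command':
        return False
    # Check that the program matches our list above
    return pattern_match_list(event.get('program', ''), USER_CREATE_PATTERNS)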
def rule(event):
    """Return True for a Teleport session.command event whose program matches USER_CREATE_PATTERNS."""
    # Only command executions inside a session are of interest here.
    if event.get("event") == "session.command":
        program = event.get("program", "")
        # pattern_match_list decides whether the program is a user-creation tool.
        return pattern_match_list(program, USER_CREATE_PATTERNS)
    return False