def store_login_info(key, event):
    """Record the location and time of the most recent login under *key*.

    Writes a single JSON document holding the login's ``lon``, ``lat`` and
    ``p_event_time`` as the string set for *key*, then sets the key to expire
    seven days from now so stale users age out of the table.

    Args:
        key: Storage key identifying the user whose login is recorded.
        event: Login event. Must contain
            ``client.geographicalContext.geolocation.{lon,lat}`` and
            ``p_event_time``; a missing field raises ``KeyError``.
    """
    geolocation = event['client']['geographicalContext']['geolocation']
    login_record = {
        'lon': geolocation['lon'],
        'lat': geolocation['lat'],
        'time': event['p_event_time'],
    }
    put_string_set(key, [dumps(login_record)])
    # Expire the entry after a week so the table doesn't fill up with past users.
    # NOTE(review): datetime.now() is naive (local time); timestamp() then
    # interprets it as local time — confirm the store expects that.
    expires_at = datetime.now() + timedelta(days=7)
    set_key_expiration(key, str(expires_at.timestamp()))
def store_login_info(key, event):
    """Record the city, location and time of the most recent login under *key*.

    Writes a single JSON document holding the login's ``city``, ``lon``,
    ``lat`` and ``p_event_time`` as the string set for *key*, then sets the
    key to expire seven days from now so stale users age out of the table.

    Args:
        key: Storage key identifying the user whose login is recorded.
        event: Login event. Fields are read via ``deep_get`` and ``dict.get``,
            so a missing path does not raise here (presumably it is stored as
            ``null`` — depends on what deep_get returns for absent keys).
    """
    context = ("client", "geographicalContext")
    login_record = {
        "city": deep_get(event, *context, "city"),
        "lon": deep_get(event, *context, "geolocation", "lon"),
        "lat": deep_get(event, *context, "geolocation", "lat"),
        "time": event.get("p_event_time"),
    }
    put_string_set(key, [dumps(login_record)])
    # Expire the entry after a week so the table doesn't fill up with past users.
    # NOTE(review): datetime.now() is naive (local time); timestamp() then
    # interprets it as local time — confirm the store expects that.
    expiry = datetime.now() + timedelta(days=7)
    set_key_expiration(key, str(expiry.timestamp()))
def rule(event):
    """Alert when a user logs in successfully shortly after a high-risk failure.

    Only login outcomes are considered: ``event_type_id`` 5 (success) and 6
    (failure); any other event, or one without a ``user_id``, is ignored.
    A failed login whose ``risk_score`` exceeds 50 increments a per-user
    counter that expires THRESH_TTL seconds later. A successful login that
    also carries a ``risk_score`` above 50 fires when that counter is
    non-zero and resets it so the same failure is not reported twice.

    Args:
        event: Authentication event as a mapping with ``user_id``,
            ``event_type_id`` and optionally ``risk_score`` (missing → 0).

    Returns:
        True when the event should raise an alert, False otherwise.
    """
    login_user = event.get('user_id')
    event_type = event.get('event_type_id')
    # Filter events down to successful and failed login events
    if not login_user or event_type not in (5, 6):
        return False
    event_key = get_key(event)
    # Check the risk associated with this event; low-risk events never
    # touch the counter.
    if not event.get('risk_score', 0) > 50:
        return False
    if event_type == 6:
        # A failed authentication attempt with a high risk score: bump this
        # user's counter of high-risk failures and (re)arm its expiry.
        increment_counter(event_key)
        set_key_expiration(event_key, time.time() + THRESH_TTL)
        return False
    # event_type == 5: trigger an alert if this user recently failed a
    # high-risk login.
    # NOTE(review): the risk_score > 50 gate above also applies to the
    # successful login, so a low-risk success following a high-risk failure
    # never alerts — confirm that is intended.
    if get_counter(event_key) > 0:
        reset_counter(event_key)
        return True
    return False
def rule(event):
    """Alert when more than THRESH distinct users log in from one IP address.

    Pre-filter: only ``event_type_id`` 5 (login events) that carry both an
    ``ipaddr`` and a ``user_id`` are considered, and logins from the shared
    address ranges in SHARED_IP_SPACE are ignored because many users are
    expected there. For every other source address the rule keeps a string
    set of the user ids seen from it (keyed by ``get_key(event)``); the set's
    expiry is refreshed to THRESH_TTL seconds after each new user is added,
    and the rule fires once the set holds more than THRESH user ids.

    Args:
        event: Login event as a mapping with ``event_type_id``, ``ipaddr``
            and ``user_id``.

    Returns:
        True when the event should raise an alert, False otherwise.
    """
    source_ip = event.get('ipaddr')
    if event.get('event_type_id') != 5 or not source_ip or not event.get('user_id'):
        return False
    # We expect to see multiple user logins from these shared, common ip addresses
    if is_ip_in_network(source_ip, SHARED_IP_SPACE):
        return False
    # Track successful logins for different accounts from the same ip address:
    # keep a list of unique user ids that have logged in from it.
    event_key = get_key(event)
    seen_user_ids = get_string_set(event_key)
    # The user id of the user that has just logged in, normalised to str so
    # it compares equal to what the string set stores.
    login_user_id = str(event.get('user_id'))
    if not seen_user_ids:
        # First user login from this ip address: start the set and its window
        put_string_set(event_key, [login_user_id])
        set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
        return False
    if login_user_id not in seen_user_ids:
        # A new unique user from this ip address; record it and refresh the window
        seen_user_ids = add_to_string_set(event_key, login_user_id)
        set_key_expiration(event_key, int(time.time()) + THRESH_TTL)
    return len(seen_user_ids) > THRESH