Merge branch 'develop' into bp/waf-logging

panther-labs · Oct 22, 2024 · fc3943a · fc3943a
2 parents 2618b1c + 69caf97
commit fc3943a
Show file tree

Hide file tree

Showing 4 changed files with 106 additions and 22 deletions.
diff --git a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py
@@ -2,7 +2,7 @@
 
 
 def rule(event):
-    if event.deep_get("id", "applicationName") != "user_accounts":
+    if event.deep_get("id", "applicationName") not in ("user_accounts", "login"):
         return False
 
     if event.get("name") == "email_forwarding_out_of_domain":

diff --git a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml
@@ -21,7 +21,7 @@ Runbook: >
 SummaryAttributes:
   - p_any_emails
 Tests:
-  - Name: Forwarding to External Address
+  - Name: Forwarding to External Address - applicationName = user_accounts
     ExpectedResult: true
     Log:
       {
@@ -33,6 +33,17 @@ Tests:
           { "email_forwarding_destination_address": "[email protected]" },
       }
 
+  - Name: Forwarding to External Address - applicationName = login
+    ExpectedResult: true
+    Log:
+      {
+        "id": { "applicationName": "login", "customerId": "D12345" },
+        "actor": { "email": "[email protected]" },
+        "type": "email_forwarding_change",
+        "name": "email_forwarding_out_of_domain",
+        "parameters": { "email_forwarding_destination_address": "[email protected]" }
+      }
+
   - Name: Forwarding to External Address - Allowed Domain
     ExpectedResult: false
     Log:

diff --git a/rules/gsuite_reports_rules/gsuite_drive_external_share.py b/rules/gsuite_reports_rules/gsuite_drive_external_share.py
@@ -5,9 +5,8 @@
 COMPANY_DOMAIN = "your-company-name.com"
 EXCEPTION_PATTERNS = {
     # The glob pattern for the document title (lowercased)
-    "document title p*": {
-        # All actors allowed to receive the file share
-        "allowed_for": {
+    "1 document title p*": {  # allow any title "all"
+        "allowed_to_send": {
             "[email protected]",
             "[email protected]",
             "[email protected]",
@@ -17,6 +16,26 @@
             # Allow any user in a specific domain
             # "*@acme.com"
         },
+        "allowed_to_receive": {
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            # Allow any user
+            # "all"
+            # Allow any user in a specific domain
+            # "*@acme.com"
+        },
+        # The time limit for how long the file share stays valid
+        "allowed_until": datetime.datetime(year=2030, month=6, day=2),
+    },
+    "2 document title p*": {
+        "allowed_to_send": {
+            "[email protected]",
+        },
+        "allowed_to_receive": {
+            "*@acme.com",
+        },
         # The time limit for how long the file share stays valid
         "allowed_until": datetime.datetime(year=2030, month=6, day=2),
     },
@@ -32,7 +51,7 @@ def _check_acl_change_event(actor_email, acl_change_event):
     doc_title = parameters.get("doc_title", "TITLE_UNKNOWN")
     old_visibility = parameters.get("old_visibility", "OLD_VISIBILITY_UNKNOWN")
     new_visibility = parameters.get("visibility", "NEW_VISIBILITY_UNKNOWN")
-    target_user = parameters.get("target_user", "USER_UNKNOWN")
+    target_user = parameters.get("target_user") or parameters.get("target_domain") or "USER_UNKNOWN"
     current_time = datetime.datetime.now()
 
     if (
@@ -41,24 +60,32 @@ def _check_acl_change_event(actor_email, acl_change_event):
         and not target_user.endswith(f"@{COMPANY_DOMAIN}")
     ):
         # This is a dangerous share, check exceptions:
+
         for pattern, details in EXCEPTION_PATTERNS.items():
-            doc_title_match = pattern_match(doc_title.lower(), pattern)
-            allowed_for_match = pattern_match_list(actor_email, details.get("allowed_for"))
-            allowed_for_all_match = details.get("allowed_for") == {"all"}
+            proper_title = pattern_match(doc_title.lower(), pattern) or pattern == "all"
+
+            proper_sender = pattern_match_list(
+                actor_email, details.get("allowed_to_send")
+            ) or details.get("allowed_to_send") == {"all"}
+
+            proper_receiver = pattern_match_list(
+                target_user, details.get("allowed_to_receive")
+            ) or details.get("allowed_to_receive") == {"all"}
 
             if (
-                doc_title_match
-                and (allowed_for_match or allowed_for_all_match)
+                proper_title
+                and proper_sender
+                and proper_receiver
                 and current_time < details.get("allowed_until")
             ):
                 return False
-            # No exceptions match.
-            # Return the event summary (which is True) to alert & use in title.
-            return {
-                "actor": actor_email,
-                "doc_title": doc_title,
-                "target_user": target_user,
-            }
+        # No exceptions match.
+        # Return the event summary (which is True) to alert & use in title.
+        return {
+            "actor": actor_email,
+            "doc_title": doc_title,
+            "target_user": target_user,
+        }
     return False
 
 

diff --git a/rules/gsuite_reports_rules/gsuite_drive_external_share.yml b/rules/gsuite_reports_rules/gsuite_drive_external_share.yml
@@ -48,7 +48,7 @@ Tests:
                   { "name": "old_visibility", "value": "private" },
                   { "name": "doc_id", "value": "1111111111111111111" },
                   { "name": "doc_type", "value": "document" },
-                  { "name": "doc_title", "value": "Document Title Primary" },
+                  { "name": "doc_title", "value": "1 Document Title Primary" },
                   { "name": "visibility", "value": "shared_externally" },
                   {
                     "name": "originating_app_id",
@@ -86,7 +86,7 @@ Tests:
                 [
                   { "name": "primary_event", "boolValue": true },
                   { "name": "visibility_change", "value": "external" },
-                  { "name": "target_user", "value": "alice@external.com" },
+                  { "name": "target_domain", "value": "external.com" },
                   { "name": "old_visibility", "value": "private" },
                   { "name": "doc_id", "value": "1111111111111111111" },
                   { "name": "doc_type", "value": "document" },
@@ -129,11 +129,11 @@ Tests:
                   { "name": "primary_event", "boolValue": true },
                   { "name": "billable", "boolValue": true },
                   { "name": "visibility_change", "value": "external" },
-                  { "name": "target_domain", "value": "acme.com" },
+                  { "name": "target_user", "value": "samuel@abc.com" },
                   { "name": "old_visibility", "value": "private" },
                   { "name": "doc_id", "value": "1111111111111111111" },
                   { "name": "doc_type", "value": "document" },
-                  { "name": "doc_title", "value": "Document Title Pattern" },
+                  { "name": "doc_title", "value": "1 Document Title Pattern" },
                   { "name": "visibility", "value": "shared_externally" },
                   {
                     "name": "originating_app_id",
@@ -150,3 +150,49 @@ Tests:
             },
           ],
       }
+  - Name: Share Allowed by Exception - 2
+    LogType: GSuite.Reports
+    ExpectedResult: false
+    Log:
+      {
+        "kind": "admin#reports#activity",
+        "id":
+          {
+            "time": "2020-07-07T15:50:49.617Z",
+            "uniqueQualifier": "1111111111111111111",
+            "applicationName": "drive",
+            "customerId": "C010qxghg",
+          },
+        "actor":
+          { "email": "[email protected]", "profileId": "1111111111111111111" },
+        "events":
+          [
+            {
+              "type": "acl_change",
+              "name": "change_user_access",
+              "parameters":
+                [
+                  { "name": "primary_event", "boolValue": true },
+                  { "name": "billable", "boolValue": true },
+                  { "name": "visibility_change", "value": "external" },
+                  { "name": "target_user", "value": "[email protected]" },
+                  { "name": "old_visibility", "value": "private" },
+                  { "name": "doc_id", "value": "1111111111111111111" },
+                  { "name": "doc_type", "value": "document" },
+                  { "name": "doc_title", "value": "2 Document Title Pattern" },
+                  { "name": "visibility", "value": "shared_externally" },
+                  {
+                    "name": "originating_app_id",
+                    "value": "1111111111111111111",
+                  },
+                  { "name": "owner_is_shared_drive", "boolValue": false },
+                  { "name": "owner_is_team_drive", "boolValue": false },
+                  { "name": "old_value", "multiValue": [ "none" ] },
+                  {
+                    "name": "new_value",
+                    "multiValue": [ "people_within_domain_with_link" ],
+                  },
+                ],
+            },
+          ],
+      }