Skip to content

Commit

Permalink
dropbox external shares
Browse files Browse the repository at this point in the history
  • Loading branch information
@calkim-panther
calkim-panther committed Apr 19, 2023
1 parent e947054 commit a164a2f
Show file tree
Hide file tree
Showing 2 changed files with 177 additions and 0 deletions.
25 changes: 25 additions & 0 deletions rules/dropbox_rules/dropbox_external_share.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
from panther_base_helpers import deep_get

ALLOWED_DOMAINS = ["example.com"]


def rule(event):
if deep_get(event, "event_type", "_tag", default="") == "shared_content_add_member":
participants = event.get("participants", [{}])
for participant in participants:
email = participant.get("user", {}).get("email", "")
if email.split("@")[-1] not in ALLOWED_DOMAINS:
return True
return False


def title(event):
actor = deep_get(event, "actor", "user", "email", default="<ACTOR_NOT_FOUND>")
assets = [e.get("display_name", "") for e in event.get("assets", [{}])]
participants = event.get("participants", [{}])
external_participants = []
for participant in participants:
email = participant.get("user", {}).get("email", "")
if email.split("@")[-1] not in ALLOWED_DOMAINS:
external_participants.append(email)
return f"Dropbox: [{actor}] shared [{assets}] with external user [{external_participants}]."
152 changes: 152 additions & 0 deletions rules/dropbox_rules/dropbox_external_share.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
AnalysisType: rule
Description: Dropbox item shared externally
DisplayName: "Dropbox External Share"
Enabled: true
Filename: dropbox_external_share.py
Severity: Medium
Tests:
- ExpectedResult: false
Log:
actor:
_tag: user
user:
_tag: team_member
account_id: dbid:AAACjvKy90uezyOiLRadIuCy66dK5d1vGGw
display_name: Alice Bob
email: alice.bob@company.com
team_member_id: dbmid:AADSERs2cAsByYt8yQEDU4_qdNQiSdxgCl8
assets:
- .tag: file
display_name: paper1.paper
file_id: id:lUP4ZxMYmc4AAAAAAAAAaA
path:
contextual: /pathtest/paper1.paper
namespace_relative:
is_shared_namespace: true
ns_id: "3590048721"
relative_path: /paper1.paper
context:
_tag: team_member
account_id: dbid:AAACjvKy90uezyOiLRadIuCy66dK5d1vGGw
display_name: Alice Bob
email: alice.bob@company.com
team_member_id: dbmid:AADSERs2cAsByYt8yQEDU4_qdNQiSdxgCl8
details:
.tag: shared_content_add_member_details
shared_content_access_level:
.tag: viewer
event_category:
_tag: sharing
event_type:
_tag: shared_content_add_member
description: Added users and/or groups to shared file/folder
involve_non_team_member: true
origin:
access_method:
.tag: end_user
end_user:
.tag: web
session_id: dbwsid:237034608707419186011941491025532848312
geo_location:
city: Austin
country: US
ip_address: 1.2.3.4
region: Texas
p_any_emails:
- david.davidson@david.co
- alice.bob@company.com
p_any_ip_addresses:
- 1.2.3.4
p_any_usernames:
- Alice Bob
- david davidson
p_event_time: "2023-04-18 22:31:03"
p_log_type: Dropbox.TeamEvent
p_parse_time: "2023-04-18 22:32:46.967"
p_row_id: fe2163f14b45f3c1b9a49fd31799a504
p_schema_version: 0
p_source_id: b09c205e-42af-4933-8b18-b910985eb7fb
p_source_label: dropbox1
participants:
- user:
_tag: non_team_member
account_id: dbid:AABbWylBrTJ3Je-M37jeWShWuMAFHchEsKM
display_name: david davidson
email: david.davidson@example.com
timestamp: "2023-04-18 22:31:03"
Name: Test-5a3236
- ExpectedResult: true
Log:
actor:
_tag: user
user:
_tag: team_member
account_id: dbid:AAACjvKy90uezyOiLRadIuCy66dK5d1vGGw
display_name: Alice Bob
email: alice.bob@company.com
team_member_id: dbmid:AADSERs2cAsByYt8yQEDU4_qdNQiSdxgCl8
assets:
- .tag: file
display_name: paper1.paper
file_id: id:lUP4ZxMYmc4AAAAAAAAAaA
path:
contextual: /pathtest/paper1.paper
namespace_relative:
is_shared_namespace: true
ns_id: "3590048721"
relative_path: /paper1.paper
context:
_tag: team_member
account_id: dbid:AAACjvKy90uezyOiLRadIuCy66dK5d1vGGw
display_name: Alice Bob
email: alice.bob@company.com
team_member_id: dbmid:AADSERs2cAsByYt8yQEDU4_qdNQiSdxgCl8
details:
.tag: shared_content_add_member_details
shared_content_access_level:
.tag: viewer
event_category:
_tag: sharing
event_type:
_tag: shared_content_add_member
description: Added users and/or groups to shared file/folder
involve_non_team_member: true
origin:
access_method:
.tag: end_user
end_user:
.tag: web
session_id: dbwsid:237034608707419186011941491025532848312
geo_location:
city: Austin
country: US
ip_address: 1.2.3.4
region: Texas
p_any_emails:
- david.davidson@david.co
- alice.bob@company.com
p_any_ip_addresses:
- 1.2.3.4
p_any_usernames:
- Alice Bob
- david davidson
p_event_time: "2023-04-18 22:31:03"
p_log_type: Dropbox.TeamEvent
p_parse_time: "2023-04-18 22:32:46.967"
p_row_id: fe2163f14b45f3c1b9a49fd31799a504
p_schema_version: 0
p_source_id: b09c205e-42af-4933-8b18-b910985eb7fb
p_source_label: dropbox1
participants:
- user:
_tag: non_team_member
account_id: dbid:AABbWylBrTJ3Je-M37jeWShWuMAFHchEsKM
display_name: david davidson
email: david.davidson@david.co
timestamp: "2023-04-18 22:31:03"
Name: external share
DedupPeriodMinutes: 60
LogTypes:
- Dropbox.TeamEvent
RuleID: "Dropbox.External.Share"
Threshold: 1

0 comments on commit a164a2f

Please sign in to comment.