---
# Metadata and unit tests for the Box content-workflow policy-violation
# detection. The matching logic lives in the Python file named under
# Filename and is not part of this document.
AnalysisType: rule
Filename: box_policy_violation.py
RuleID: 'Box.Content.Workflow.Policy.Violation'
DisplayName: 'Box Content Workflow Policy Violation'
Enabled: true

# Only Box events are evaluated by this rule.
LogTypes:
  - Box.Event
Tags:
  - Box

# NOTE(review): no Threshold or DedupPeriodMinutes is declared, so alert
# grouping falls back to whatever the platform defaults are. Confirm they
# suit a Low-severity signal that one user may trigger repeatedly.
Severity: Low
Description: >
  A user violated the content workflow policy.
Reference: https://support.box.com/hc/en-us/articles/360043692594-Creating-a-Security-Policy
Runbook: >
  Investigate whether the user continues to violate the policy and take measure to ensure they understand policy.

# Only the event type is summarized on alerts; the acting user is not.
SummaryAttributes:
  - event_type

Tests:
  # Negative case: an ordinary DELETE event must not raise an alert.
  - Name: Regular Event
    ExpectedResult: false
    Log:
      type: event
      # Passed here as a JSON-encoded string, not a mapping.
      additional_details: '{"key": "value"}'
      created_by:
        id: "12345678"
        type: user
        login: cat@example
        name: Bob Cat
      event_type: DELETE

  # Positive case: the upload policy-violation event type must alert.
  - Name: Upload Policy Violation
    ExpectedResult: true
    Log:
      type: event
      additional_details: '{"key": "value"}'
      created_by:
        id: "12345678"
        type: user
        login: cat@example
        name: Bob Cat
      event_type: CONTENT_WORKFLOW_UPLOAD_POLICY_VIOLATION
      source:
        id: "12345678"
        type: user
        login: user@example

  # Positive case: the sharing policy-violation event type must alert.
  - Name: Sharing Policy Violation
    ExpectedResult: true
    Log:
      type: event
      # Given as a mapping here, unlike the JSON string in the other two
      # tests. Presumably this covers both shapes; confirm against the
      # rule.
      additional_details:
        key: value
      created_by:
        id: "12345678"
        type: user
        login: cat@example
        name: Mountain Lion
      event_type: CONTENT_WORKFLOW_SHARING_POLICY_VIOLATION
      source:
        id: "12345678"
        type: user
        login: user@example