from datetime import datetime, timedelta
from porlock.mixins import BaseRiskMixin
from porlock.rules import registry
# Rule definitions exercised by this script. Each entry is the rule name
# followed by the positional spec that porlock's registry takes. From the
# values alone the layout appears to be: trigger event type, relation,
# any/all, related event types, window direction and length, grouping
# field, then a second event list and further windows — confirm the exact
# field meanings against porlock.rules before relying on them.
test_rules = [
    ["Password Change After OTP Login", "otp login", "followed by", "any", ["password change"], "after", "2d", "user", ["password change"], "before", "1h", "14d", "30d"]
    # Variant that requires *all* of several follow-up events instead of any one:
    # ["Password Change After OTP Login", "otp login", "followed by", "all", ["password change", "password reset", "account locked"], "after", "2d", "user", ["password change"], "before", "1h", "14d", "30d"]
]

# Register every rule under its name; everything after the name is the spec.
for rule_name, *rule_spec in test_rules:
    registry.register(rule_name, rule_spec)

# Shared in-memory event store; Event.load_related_events filters this list.
events = []
print(registry.rules)
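class Event(BaseRiskMixin):
    """Minimal event record used to exercise the porlock risk rules.

    The class-level ``*_field`` names tell BaseRiskMixin which instance
    attributes hold the event type, its timestamp, the actor (none here)
    and the grouping instance that related events are correlated on.
    """
    event_type_field = 'event'
    event_date_field = 'event_date'
    event_actor_field = None          # this fixture has no separate actor
    event_instance_field = 'user'     # events are correlated per user

    def __init__(self, **kwargs):
        """Store every keyword argument verbatim as an instance attribute.

        NOTE(review): any attribute name is accepted, including ones that
        shadow the class-level configuration above (e.g. ``event_type_field``)
        or the mixin's own methods. That is acceptable for hand-written
        fixtures, but if events are ever built from external records this
        needs an allow-list of field names.
        """
        for name, value in kwargs.items():
            setattr(self, name, value)

    def __str__(self):
        return f"{self.event} for user {self.user}: [{self.event_date}]"

    @classmethod
    def load_related_events(cls, ruleset, match):
        """Return every event in the module-level ``events`` store that shares
        the grouping instance (``event_instance_field``, i.e. ``user``) with
        ``match``.

        ``ruleset`` is part of the interface the mixin calls with but is not
        used here. The grouping attribute is looked up through
        ``event_instance_field`` so the filter cannot drift from the
        declaration above if that field is ever changed.
        """
        key_field = cls.event_instance_field
        key = getattr(match, key_field)
        return [event for event in events if getattr(event, key_field) == key]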
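def load_events_for_analysis():
    """Return the initial set of *events* to scan: the module-level ``events`` list.

    The list object itself is returned (not a copy), so the caller and the
    Event.load_related_events lookup see the same store.
    """
    return events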
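def load_related_events(ruleset, event):
    """Return every event in the module-level ``events`` store.

    Unlike ``Event.load_related_events``, this module-level variant does not
    narrow by user: both ``ruleset`` and ``event`` are ignored and the whole
    store is returned. Nothing in this script calls it; it is presumably an
    alternative hook for the mixin — confirm which one porlock actually uses
    before relying on the per-user filtering.
    """
    return events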
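# Fixture timeline. The clock is read once so every offset is relative to the
# same instant; reading datetime.now() per event lets the bases drift between
# calls and can flip a rule window at its boundary. Timestamps are naive
# local time, consistent with the rest of this script.
now = datetime.now()

# User 1: an OTP login followed 20 minutes later by a password change — the
# sequence the registered rule targets — then further password changes and
# other account events days later.
events.append(Event(event="otp login", event_date=now, user=1))
events.append(Event(event="password change", event_date=now + timedelta(minutes=20), user=1))
events.append(Event(event="password change", event_date=now + timedelta(days=5), user=1))
events.append(Event(event="password reset", event_date=now + timedelta(days=5), user=1))
events.append(Event(event="account locked", event_date=now + timedelta(days=5), user=1))
# User 2: "otp2 login" is not the "otp login" type the rule is registered on,
# so user 2's password change should not match — presumably a negative
# control rather than a typo; confirm.
events.append(Event(event="otp2 login", event_date=now + timedelta(days=5), user=2))
events.append(Event(event="password change", event_date=now + timedelta(days=13), user=1))
events.append(Event(event="password change", event_date=now + timedelta(days=5), user=2))
events.append(Event(event="password change", event_date=now + timedelta(days=20), user=1))

# Pass 1: one (rule, triggering event, related event) tuple per match.
print("=============================")
for rule, original_event, risk_event in Event.identify_risk(load_events_for_analysis()):
    print(rule)
    print("  ", original_event)
    print("  ", risk_event.event, risk_event.event_date)
    print("=============================")

# Pass 2: aggregate_events=True yields the related events as one collection
# per (rule, triggering event) instead of one tuple per related event.
print("=============================")
for rule, original_event, risk_event in Event.identify_risk(load_events_for_analysis(), aggregate_events=True):
    print(rule)
    print("  ", original_event)
    for event in risk_event:
        print("  ", event.event, event.event_date)
    print("=============================")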