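def rule(event):
    """Return True when a GitHub audit event records a watched team change.

    Team membership, team-to-repository grants and team hierarchy decide who
    can reach which repositories, so each of these actions is a change to
    access control worth surfacing.

    Args:
        event: Audit-log record exposing ``get(key)``; only ``action`` is read.

    Returns:
        bool: True for one of the watched ``team.*`` actions, False otherwise,
        including when ``action`` is missing or is not a string.
    """
    # NOTE(review): only these seven actions match; any other ``team.*``
    # action is ignored. Confirm that the list is meant to be exhaustive.
    watched_actions = {
        "team.add_member",
        "team.add_repository",
        "team.change_parent_team",
        "team.create",
        "team.destroy",
        "team.remove_member",
        "team.remove_repository",
    }
    action = event.get("action")
    # A record without a usable ``action`` must not raise: an exception here
    # would surface as a rule error instead of a clean "no match".
    return isinstance(action, str) and action in watched_actions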
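def title(event):
    """Build the alert title describing who changed which team, and how.

    Args:
        event: Audit-log record exposing ``get(key)``, ``udm(key)`` and
            ``in``; reads ``action``, ``user``, ``repo``, ``team`` and the
            ``actor_user`` UDM field.

    Returns:
        str: ``GitHub.Audit: User [<actor>] <what happened> [<team>]``.
    """
    # The user, repo and team values are copied verbatim from the log record.
    action_mappings = {
        "create": "created team",
        "destroy": "deleted team",
        "add_member": f"added member [{event.get('user')}] to team",
        "remove_member": f"removed member [{event.get('user')}] from team",
        "add_repository": f"added repository [{event.get('repo')}] to team",
        # Key must match the audit action "team.remove_repository"; the old
        # "removed_repository" spelling never matched, so those alerts fell
        # back to the raw action string and lost the repository name.
        "remove_repository": f"removed repository [{event.get('repo')}] from team",
        "change_parent_team": "changed parent team for team",
    }
    raw_action = event.get("action")
    # Tolerate a missing or dot-less action instead of raising while titling.
    parts = raw_action.split(".") if isinstance(raw_action, str) else []
    action_key = parts[1] if len(parts) > 1 else ""
    fallback = raw_action if raw_action is not None else "<MISSING_ACTION>"
    action = action_mappings.get(action_key, fallback)
    team_name = event.get("team") if "team" in event else "<MISSING_TEAM>"
    return f"GitHub.Audit: User [{event.udm('actor_user')}] {action} [{team_name}]"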