From 0ad792fa61de847e6f72be67c5b96b56ded42d19 Mon Sep 17 00:00:00 2001 From: Ben Airey Date: Mon, 21 Oct 2024 09:50:33 -0500 Subject: [PATCH] allow 'login' applicationName for `GSuite.ExternalMailForwarding` --- .../gsuite_external_forwarding.py | 2 +- .../gsuite_external_forwarding.yml | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py index c7f3b0c8c..3db4dc6c0 100644 --- a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py +++ b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.py @@ -2,7 +2,7 @@ def rule(event): - if event.deep_get("id", "applicationName") != "user_accounts": + if event.deep_get("id", "applicationName") not in ("user_accounts", "login"): return False if event.get("name") == "email_forwarding_out_of_domain": diff --git a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml index ffdef7f2e..ac59594a6 100644 --- a/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml +++ b/rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml @@ -21,7 +21,7 @@ Runbook: > SummaryAttributes: - p_any_emails Tests: - - Name: Forwarding to External Address + - Name: Forwarding to External Address - applicationName = user_accounts ExpectedResult: true Log: { @@ -33,6 +33,17 @@ Tests: { "email_forwarding_destination_address": "HSimpson@gmail.com" }, } + - Name: Forwarding to External Address - applicationName = login + ExpectedResult: true + Log: + { + "id": { "applicationName": "login", "customerId": "D12345" }, + "actor": { "email": "homer.simpson@springfield.io" }, + "type": "email_forwarding_change", + "name": "email_forwarding_out_of_domain", + "parameters": { "email_forwarding_destination_address": "HSimpsone@gmail.com" } + } + - Name: Forwarding to External Address - Allowed Domain ExpectedResult: false Log: