# Sagan airtables.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <bsmith@quadrantsec.com>
# 07/226/2023
# reference: https://airtable.com/developers/web/api/audit-log-event-types
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createBase event detected"; program:airtable_audit_log_data; json_content:".action","createBase"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013582; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteBase event detected"; program:airtable_audit_log_data; json_content:".action","deleteBase"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013583; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveBase event detected"; program:airtable_audit_log_data; json_content:".action","moveBase"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013584; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] duplicateBase event detected"; program:airtable_audit_log_data; json_content:".action","duplicateBase"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013585; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewBase event detected"; program:airtable_audit_log_data; json_content:".action","viewBase"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013586; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreBaseFromSnapshot event detected"; program:airtable_audit_log_data; json_content:".action","restoreBaseFromSnapshot"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013587; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreBaseFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreBaseFromTrash"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013588; rev:2;)
# Alerts on airtable_audit_log_data events whose .action is "downloadAttachment", except
# when the event's .type equals "application/pdf" (negated json_content). The alert's
# src_ip is mapped from .origin.ipAddress.
# NOTE(review): because of the negation, PDF attachment downloads never alert here.
# Confirm this exclusion is deliberate noise reduction, since PDFs can hold sensitive data.
# NOTE(review): the downloadCSV (sid 5013678) and createEdiscoveryExport (sid 5013641)
# rules are commented out in this file, so those export actions raise no alert.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] downloadAttachment event detected"; program:airtable_audit_log_data; json_content:".action","downloadAttachment"; json_content:!".type","application/pdf"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013589; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateBaseName event detected"; program:airtable_audit_log_data; json_content:".action","updateBaseName"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013590; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateBaseGuideText event detected"; program:airtable_audit_log_data; json_content:".action","updateBaseGuideText"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013591; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","addBaseInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013592; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","removeBaseInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013593; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","configureBaseInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013594; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteBaseCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013595; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addBaseCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013596; rev:2;)
# Permission changes on a base: one rule per .action value
# ("changeBaseCollaboratorPermission", "changeBaseInvitePermission"). Each maps src_ip
# from .origin.ipAddress.
# NOTE(review): the rules for inviteBaseCollaborator (sid 5013595), addBaseCollaborator
# (sid 5013596) and removeBaseCollaborator (sid 5013600) are commented out in this file,
# so only a change of permission alerts, not the initial grant of access to a base.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeBaseCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeBaseCollaboratorPermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013597; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeBaseInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeBaseInvitePermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013598; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteBaseCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013599; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeBaseCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013600; rev:2;)
# Alerts when .action is "createGroup"; src_ip is mapped from .origin.ipAddress.
# The deleteGroup (sid 5013602) and moveGroup (sid 5013603) rules are commented out in
# this file, so only group creation alerts.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createGroup event detected"; program:airtable_audit_log_data; json_content:".action","createGroup"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013601; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteGroup event detected"; program:airtable_audit_log_data; json_content:".action","deleteGroup"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013602; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveGroup event detected"; program:airtable_audit_log_data; json_content:".action","moveGroup"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013603; rev:2;)
# Group membership changes: alerts when .action is "addGroupMember" or
# "changeGroupMemberRole". Both map src_ip from .origin.ipAddress.
# The removeGroupMember rule (sid 5013606) is commented out in this file.
# NOTE(review): neither rule inspects which group or role is involved, so triage has to
# read the raw event to tell a routine addition from a privileged one.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addGroupMember event detected"; program:airtable_audit_log_data; json_content:".action","addGroupMember"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013604; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeGroupMemberRole event detected"; program:airtable_audit_log_data; json_content:".action","changeGroupMemberRole"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013605; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeGroupMember event detected"; program:airtable_audit_log_data; json_content:".action","removeGroupMember"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013606; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] enableShare event detected"; program:airtable_audit_log_data; json_content:".action","enableShare"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013607; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] disableShare event detected"; program:airtable_audit_log_data; json_content:".action","disableShare"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013608; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureShare event detected"; program:airtable_audit_log_data; json_content:".action","configureShare"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013609; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] regenerateShare event detected"; program:airtable_audit_log_data; json_content:".action","regenerateShare"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013610; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewShare event detected"; program:airtable_audit_log_data; json_content:".action","viewShare"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013611; rev:2;)
# User account lifecycle: one rule per .action value (loginUser, claimUser, unclaimUser,
# createUser, deleteUser, provisionUser). Each maps src_ip from .origin.ipAddress and
# uses classtype system-event.
# NOTE(review): the header restricts both sides to $HOME_NET while src_ip comes from
# .origin.ipAddress, which for a SaaS audit feed may be an external address. Confirm the
# engine's address check does not suppress these events.
# NOTE(review): the loginUser rule matches on the action alone, with no threshold or
# other condition in the rule, so it presumably fires on every login. Expect high volume.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] loginUser event detected"; program:airtable_audit_log_data; json_content:".action","loginUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013612; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] claimUser event detected"; program:airtable_audit_log_data; json_content:".action","claimUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013613; rev:3;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unclaimUser event detected"; program:airtable_audit_log_data; json_content:".action","unclaimUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013614; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createUser event detected"; program:airtable_audit_log_data; json_content:".action","createUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013615; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteUser event detected"; program:airtable_audit_log_data; json_content:".action","deleteUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013616; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] provisionUser event detected"; program:airtable_audit_log_data; json_content:".action","provisionUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013617; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deactivateUser event detected"; program:airtable_audit_log_data; json_content:".action","deactivateUser"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013618; rev:2;)
# Credential and identity changes: alerts when .action is "updateUserEmail",
# "changePassword", "createServiceAccount" or "deleteServiceAccount". Each maps src_ip
# from .origin.ipAddress.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateUserEmail event detected"; program:airtable_audit_log_data; json_content:".action","updateUserEmail"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013619; rev:2;)
# NOTE(review): the changePassword rule below carries json_map for "src_ip" twice (the
# first copy has a space after the comma). The second looks redundant; confirm how the
# parser treats the duplicate, then drop one copy and bump rev.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changePassword event detected"; program:airtable_audit_log_data; json_content:".action","changePassword"; json_map: "src_ip", ".origin.ipAddress"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013620; rev:2; metadata:updated_on 2024_04_19;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createServiceAccount event detected"; program:airtable_audit_log_data; json_content:".action","createServiceAccount"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013621; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteServiceAccount event detected"; program:airtable_audit_log_data; json_content:".action","deleteServiceAccount"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013622; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateUserProfilePicture event detected"; program:airtable_audit_log_data; json_content:".action","updateUserProfilePicture"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013623; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","addTwoFactorAuthenticationStrategy"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013624; rev:2;)
# Two-factor authentication changes: alerts when .action is
# "removeTwoFactorAuthenticationStrategy", "setDefaultTwoFactorAuthenticationStrategy",
# "regenerateTwoFactorAuthenticationBackupCodes" or "disableTwoFactorAuthentication".
# Each maps src_ip from .origin.ipAddress.
# NOTE(review): the addTwoFactorAuthenticationStrategy rule (sid 5013624) is commented
# out in this file, so enrolling a new second factor raises no alert of its own. Review
# whether that event should be enabled alongside these.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","removeTwoFactorAuthenticationStrategy"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013625; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] setDefaultTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","setDefaultTwoFactorAuthenticationStrategy"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013626; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] regenerateTwoFactorAuthenticationBackupCodes event detected"; program:airtable_audit_log_data; json_content:".action","regenerateTwoFactorAuthenticationBackupCodes"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013627; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] disableTwoFactorAuthentication event detected"; program:airtable_audit_log_data; json_content:".action","disableTwoFactorAuthentication"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013628; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createOauthAccessToken event detected"; program:airtable_audit_log_data; json_content:".action","createOauthAccessToken"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013629; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] refreshOauthAccessToken event detected"; program:airtable_audit_log_data; json_content:".action","refreshOauthAccessToken"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013630; rev:2;)
# Enterprise privilege grants: alerts when .action is "grantEnterpriseAdminAccess" or
# "grantEnterpriseUpgraderAccess". Both map src_ip from .origin.ipAddress.
# The matching revoke rules (sids 5013633 and 5013634) are commented out in this file.
# NOTE(review): these use the same classtype (system-event) as every other rule in this
# file, so an admin grant presumably gets the same priority as a login. Confirm against
# the classification config whether privilege grants should rank higher.
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] grantEnterpriseAdminAccess event detected"; program:airtable_audit_log_data; json_content:".action","grantEnterpriseAdminAccess"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013631; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] grantEnterpriseUpgraderAccess event detected"; program:airtable_audit_log_data; json_content:".action","grantEnterpriseUpgraderAccess"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013632; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] revokeEnterpriseAdminAccess event detected"; program:airtable_audit_log_data; json_content:".action","revokeEnterpriseAdminAccess"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013633; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] revokeEnterpriseUpgraderAccess event detected"; program:airtable_audit_log_data; json_content:".action","revokeEnterpriseUpgraderAccess"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013634; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseName event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseName"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013635; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteEnterpriseStripeCard event detected"; program:airtable_audit_log_data; json_content:".action","deleteEnterpriseStripeCard"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013636; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseStripeCard event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseStripeCard"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013637; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseInvoiceDetails event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseInvoiceDetails"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013638; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createOrgUnit event detected"; program:airtable_audit_log_data; json_content:".action","createOrgUnit"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013639; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteOrgUnit event detected"; program:airtable_audit_log_data; json_content:".action","deleteOrgUnit"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013640; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createEdiscoveryExport event detected"; program:airtable_audit_log_data; json_content:".action","createEdiscoveryExport"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013641; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseInviteRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseInviteRestrictions"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013642; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseGlobalShareRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseGlobalShareRestrictions"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013643; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseGroupCreateRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseGroupCreateRestrictions"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013644; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseExtensionConfigurationRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseExtensionConfigurationRestrictions"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013645; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updatePublishedDatasetVerificationStatus event detected"; program:airtable_audit_log_data; json_content:".action","updatePublishedDatasetVerificationStatus"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013646; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","createWorkspace"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013647; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","deleteWorkspace"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013648; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreWorkspaceFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreWorkspaceFromTrash"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013649; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateWorkspaceName event detected"; program:airtable_audit_log_data; json_content:".action","updateWorkspaceName"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013650; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","moveWorkspace"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013651; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceSharingRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceSharingRestrictions"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013652; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","addWorkspaceInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013653; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","configureWorkspaceInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013654; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","removeWorkspaceInviteLink"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013655; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteWorkspaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013656; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addWorkspaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013657; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceCollaboratorPermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013658; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceInvitePermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013659; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteWorkspaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013660; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeWorkspaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013661; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createInterface event detected"; program:airtable_audit_log_data; json_content:".action","createInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013662; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteInterface event detected"; program:airtable_audit_log_data; json_content:".action","deleteInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013663; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreInterfaceFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreInterfaceFromTrash"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013664; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] duplicateInterface event detected"; program:airtable_audit_log_data; json_content:".action","duplicateInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013665; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewInterface event detected"; program:airtable_audit_log_data; json_content:".action","viewInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013666; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateInterfaceName event detected"; program:airtable_audit_log_data; json_content:".action","updateInterfaceName"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013667; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] publishInterface event detected"; program:airtable_audit_log_data; json_content:".action","publishInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013668; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unpublishInterface event detected"; program:airtable_audit_log_data; json_content:".action","unpublishInterface"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013669; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] publishForm event detected"; program:airtable_audit_log_data; json_content:".action","publishForm"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013670; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unpublishForm event detected"; program:airtable_audit_log_data; json_content:".action","unpublishForm"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013671; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteInterfaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013672; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addInterfaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013673; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeInterfaceCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeInterfaceCollaboratorPermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013674; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeInterfaceInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeInterfaceInvitePermission"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013675; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteInterfaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013676; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeInterfaceCollaborator"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013677; rev:2;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] downloadCSV event detected"; program:airtable_audit_log_data; json_content:".action","downloadCSV"; json_map: "src_ip",".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013678; rev:2;)