-
Notifications
You must be signed in to change notification settings - Fork 27
/
airtables.rules
128 lines (126 loc) · 30 KB
/
airtables.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# Sagan airtables.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# rules by "Bryant Smith" <bsmith@quadrantsec.com>
# 07/226/2023
# reference: https://airtable.com/developers/web/api/audit-log-event-types
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createBase event detected"; program:airtable_audit_log_data; json_content:".action","createBase"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013582; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteBase event detected"; program:airtable_audit_log_data; json_content:".action","deleteBase"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013583; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveBase event detected"; program:airtable_audit_log_data; json_content:".action","moveBase"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013584; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] duplicateBase event detected"; program:airtable_audit_log_data; json_content:".action","duplicateBase"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013585; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewBase event detected"; program:airtable_audit_log_data; json_content:".action","viewBase"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013586; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreBaseFromSnapshot event detected"; program:airtable_audit_log_data; json_content:".action","restoreBaseFromSnapshot"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013587; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreBaseFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreBaseFromTrash"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013588; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] downloadAttachment event detected"; program:airtable_audit_log_data; json_content:".action","downloadAttachment"; json_content:!".type","application/pdf"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013589; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateBaseName event detected"; program:airtable_audit_log_data; json_content:".action","updateBaseName"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013590; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateBaseGuideText event detected"; program:airtable_audit_log_data; json_content:".action","updateBaseGuideText"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013591; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","addBaseInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013592; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","removeBaseInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013593; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureBaseInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","configureBaseInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013594; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteBaseCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013595; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addBaseCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013596; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeBaseCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeBaseCollaboratorPermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013597; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeBaseInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeBaseInvitePermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013598; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteBaseCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013599; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeBaseCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeBaseCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013600; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createGroup event detected"; program:airtable_audit_log_data; json_content:".action","createGroup"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013601; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteGroup event detected"; program:airtable_audit_log_data; json_content:".action","deleteGroup"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013602; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveGroup event detected"; program:airtable_audit_log_data; json_content:".action","moveGroup"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013603; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addGroupMember event detected"; program:airtable_audit_log_data; json_content:".action","addGroupMember"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013604; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeGroupMemberRole event detected"; program:airtable_audit_log_data; json_content:".action","changeGroupMemberRole"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013605; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeGroupMember event detected"; program:airtable_audit_log_data; json_content:".action","removeGroupMember"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013606; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] enableShare event detected"; program:airtable_audit_log_data; json_content:".action","enableShare"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013607; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] disableShare event detected"; program:airtable_audit_log_data; json_content:".action","disableShare"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013608; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureShare event detected"; program:airtable_audit_log_data; json_content:".action","configureShare"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013609; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] regenerateShare event detected"; program:airtable_audit_log_data; json_content:".action","regenerateShare"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013610; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewShare event detected"; program:airtable_audit_log_data; json_content:".action","viewShare"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013611; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] loginUser event detected"; program:airtable_audit_log_data; json_content:".action","loginUser"; parse_src_ip: 1; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013612; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] claimUser event detected"; program:airtable_audit_log_data; json_content:".action","claimUser"; parse_src_ip: 1; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013613; rev:2;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unclaimUser event detected"; program:airtable_audit_log_data; json_content:".action","unclaimUser"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013614; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createUser event detected"; program:airtable_audit_log_data; json_content:".action","createUser"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013615; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteUser event detected"; program:airtable_audit_log_data; json_content:".action","deleteUser"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013616; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] provisionUser event detected"; program:airtable_audit_log_data; json_content:".action","provisionUser"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013617; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deactivateUser event detected"; program:airtable_audit_log_data; json_content:".action","deactivateUser"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013618; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateUserEmail event detected"; program:airtable_audit_log_data; json_content:".action","updateUserEmail"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013619; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changePassword event detected"; program:airtable_audit_log_data; json_content:".action","changePassword"; json_map: "src_ip", ".origin.ipAddress"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013620; rev:1; metadata:updated_on 2024_04_19;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createServiceAccount event detected"; program:airtable_audit_log_data; json_content:".action","createServiceAccount"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013621; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteServiceAccount event detected"; program:airtable_audit_log_data; json_content:".action","deleteServiceAccount"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013622; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateUserProfilePicture event detected"; program:airtable_audit_log_data; json_content:".action","updateUserProfilePicture"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013623; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","addTwoFactorAuthenticationStrategy"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013624; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","removeTwoFactorAuthenticationStrategy"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013625; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] setDefaultTwoFactorAuthenticationStrategy event detected"; program:airtable_audit_log_data; json_content:".action","setDefaultTwoFactorAuthenticationStrategy"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013626; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] regenerateTwoFactorAuthenticationBackupCodes event detected"; program:airtable_audit_log_data; json_content:".action","regenerateTwoFactorAuthenticationBackupCodes"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013627; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] disableTwoFactorAuthentication event detected"; program:airtable_audit_log_data; json_content:".action","disableTwoFactorAuthentication"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013628; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createOauthAccessToken event detected"; program:airtable_audit_log_data; json_content:".action","createOauthAccessToken"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013629; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] refreshOauthAccessToken event detected"; program:airtable_audit_log_data; json_content:".action","refreshOauthAccessToken"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013630; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] grantEnterpriseAdminAccess event detected"; program:airtable_audit_log_data; json_content:".action","grantEnterpriseAdminAccess"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013631; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] grantEnterpriseUpgraderAccess event detected"; program:airtable_audit_log_data; json_content:".action","grantEnterpriseUpgraderAccess"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013632; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] revokeEnterpriseAdminAccess event detected"; program:airtable_audit_log_data; json_content:".action","revokeEnterpriseAdminAccess"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013633; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] revokeEnterpriseUpgraderAccess event detected"; program:airtable_audit_log_data; json_content:".action","revokeEnterpriseUpgraderAccess"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013634; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseName event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseName"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013635; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteEnterpriseStripeCard event detected"; program:airtable_audit_log_data; json_content:".action","deleteEnterpriseStripeCard"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013636; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseStripeCard event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseStripeCard"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013637; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateEnterpriseInvoiceDetails event detected"; program:airtable_audit_log_data; json_content:".action","updateEnterpriseInvoiceDetails"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013638; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createOrgUnit event detected"; program:airtable_audit_log_data; json_content:".action","createOrgUnit"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013639; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteOrgUnit event detected"; program:airtable_audit_log_data; json_content:".action","deleteOrgUnit"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013640; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createEdiscoveryExport event detected"; program:airtable_audit_log_data; json_content:".action","createEdiscoveryExport"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013641; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseInviteRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseInviteRestrictions"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013642; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseGlobalShareRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseGlobalShareRestrictions"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013643; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseGroupCreateRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseGroupCreateRestrictions"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013644; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeEnterpriseExtensionConfigurationRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeEnterpriseExtensionConfigurationRestrictions"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013645; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updatePublishedDatasetVerificationStatus event detected"; program:airtable_audit_log_data; json_content:".action","updatePublishedDatasetVerificationStatus"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013646; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","createWorkspace"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013647; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","deleteWorkspace"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013648; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreWorkspaceFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreWorkspaceFromTrash"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013649; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateWorkspaceName event detected"; program:airtable_audit_log_data; json_content:".action","updateWorkspaceName"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013650; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] moveWorkspace event detected"; program:airtable_audit_log_data; json_content:".action","moveWorkspace"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013651; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceSharingRestrictions event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceSharingRestrictions"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013652; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","addWorkspaceInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013653; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] configureWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","configureWorkspaceInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013654; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeWorkspaceInviteLink event detected"; program:airtable_audit_log_data; json_content:".action","removeWorkspaceInviteLink"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013655; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteWorkspaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013656; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addWorkspaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013657; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceCollaboratorPermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013658; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeWorkspaceInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeWorkspaceInvitePermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013659; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteWorkspaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013660; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeWorkspaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeWorkspaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013661; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] createInterface event detected"; program:airtable_audit_log_data; json_content:".action","createInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013662; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] deleteInterface event detected"; program:airtable_audit_log_data; json_content:".action","deleteInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013663; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] restoreInterfaceFromTrash event detected"; program:airtable_audit_log_data; json_content:".action","restoreInterfaceFromTrash"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013664; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] duplicateInterface event detected"; program:airtable_audit_log_data; json_content:".action","duplicateInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013665; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] viewInterface event detected"; program:airtable_audit_log_data; json_content:".action","viewInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013666; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] updateInterfaceName event detected"; program:airtable_audit_log_data; json_content:".action","updateInterfaceName"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013667; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] publishInterface event detected"; program:airtable_audit_log_data; json_content:".action","publishInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013668; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unpublishInterface event detected"; program:airtable_audit_log_data; json_content:".action","unpublishInterface"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013669; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] publishForm event detected"; program:airtable_audit_log_data; json_content:".action","publishForm"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013670; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] unpublishForm event detected"; program:airtable_audit_log_data; json_content:".action","unpublishForm"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013671; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] inviteInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","inviteInterfaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013672; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] addInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","addInterfaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013673; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeInterfaceCollaboratorPermission event detected"; program:airtable_audit_log_data; json_content:".action","changeInterfaceCollaboratorPermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013674; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] changeInterfaceInvitePermission event detected"; program:airtable_audit_log_data; json_content:".action","changeInterfaceInvitePermission"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013675; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] uninviteInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","uninviteInterfaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013676; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] removeInterfaceCollaborator event detected"; program:airtable_audit_log_data; json_content:".action","removeInterfaceCollaborator"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013677; rev:1;)
#alert any $HOME_NET any -> $HOME_NET any (msg:"[AIRTABLES] downloadCSV event detected"; program:airtable_audit_log_data; json_content:".action","downloadCSV"; classtype:system-event; reference:url,airtable.com/developers/web/api/audit-log-event-types; sid:5013678; rev:1;)