Add references to rules (netskope_rules) (#1021)

panther-labs · Dec 12, 2023 · 21ec5cc · 21ec5cc
1 parent 5c73412
commit 21ec5cc
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 0 deletions.
diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml
@@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: An admin was logged out because of successive login failures.  This could indicate brute force activity against this account.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
     - Name: True positive
       ExpectedResult: true

diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
@@ -27,6 +27,7 @@ Tags:
 Reports:
   MITRE ATT&CK: 
     - TA0004:T1098
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
 Severity: High
 DynamicSeverities:
   - ChangeTo: Critical

diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml
@@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time.
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: A user deleted a large number of objects in a short period of time.  Validate that this activity is expected and authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
     - Name: True positive
       ExpectedResult: true

diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml
@@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Action taken by Netskope Personnel.  Validate that this action was authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1
 Tests:
     - Name: True positive
       ExpectedResult: true

diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
@@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: An account is making many unauthorized API calls.  This could indicate brute force activity, or expired service account credentials.
+Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/
 Tests:
     - Name: True positive
       ExpectedResult: true