From 21ec5cc241114fa2b145e0a0b5563f44bfbe851d Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Tue, 12 Dec 2023 16:02:14 +0200
Subject: [PATCH] Add references to rules (netskope_rules) (#1021)

---
 rules/netskope_rules/netskope_admin_logged_out.yml | 1 +
 rules/netskope_rules/netskope_admin_user_change.yml | 1 +
 rules/netskope_rules/netskope_many_deletes.yml | 1 +
 rules/netskope_rules/netskope_personnel_action.yml | 1 +
 rules/netskope_rules/netskope_unauthorized_api_calls.yml | 1 +
 5 files changed, 5 insertions(+)

diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml
index 993033c96..b0e6cf9c2 100644
--- a/rules/netskope_rules/netskope_admin_logged_out.yml
+++ b/rules/netskope_rules/netskope_admin_logged_out.yml
@@ -21,6 +21,7 @@ Description: An admin was logged out because of successive login failures.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
index f98513b87..abc84d284 100644
--- a/rules/netskope_rules/netskope_admin_user_change.yml
+++ b/rules/netskope_rules/netskope_admin_user_change.yml
@@ -27,6 +27,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0004:T1098
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
 Severity: High
 DynamicSeverities:
   - ChangeTo: Critical
diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml
index 6663338eb..c89c54fe6 100644
--- a/rules/netskope_rules/netskope_many_deletes.yml
+++ b/rules/netskope_rules/netskope_many_deletes.yml
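Review bot: In netskope_admin_user_change.yml the new `Reference:` line is inserted between `Reports:` and `Severity:`, whereas the other four files in this commit place it directly after `Runbook:`; for consistency across the rule set, move `Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/` to follow the `Runbook:` key in this file too. The Runbook key itself is outside this hunk, so the exact insertion point is not visible here.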
@@ -22,6 +22,7 @@ Description: A user deleted a large number of objects in a short period of time.
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml
index 53fb387a0..cd3b2f389 100644
--- a/rules/netskope_rules/netskope_personnel_action.yml
+++ b/rules/netskope_rules/netskope_personnel_action.yml
@@ -21,6 +21,7 @@ Description: An action was performed by Netskope personnel.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Action taken by Netskope Personnel. Validate that this action was authorized.
+Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/audit-log/#filters-1
 Tests:
   - Name: True positive
     ExpectedResult: true
diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
index 6fe10496f..74758ed4f 100644
--- a/rules/netskope_rules/netskope_unauthorized_api_calls.yml
+++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
@@ -22,6 +22,7 @@ Description: Many unauthorized API calls were observed for a user in a short per
 DedupPeriodMinutes: 60
 Threshold: 10
 Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials.
+Reference: https://docs.netskope.com/en/netskope-help/data-security/netskope-private-access/private-access-rest-apis/
 Tests:
   - Name: True positive
     ExpectedResult: true
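Review bot: The `Reference:` added to netskope_unauthorized_api_calls.yml points at the Netskope Private Access REST API documentation, while the rule's Description and Runbook describe unauthorized API calls by any user account (brute force or expired service-account credentials) without narrowing to Private Access; the link may therefore not describe the event source the rule consumes. The other rules in this commit cite the admin-console audit-log page, so it is worth confirming whether that page, or the documentation for the API whose events this rule is actually written against, is the more accurate reference. In netskope_personnel_action.yml the `#filters-1` fragment is an auto-generated heading anchor that is likely to break when the vendor page is restructured; linking to the page without the fragment would be more durable, if the section-level pointer is not essential.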