THREAT-411 ZIA AdminAuditRules - Password, Log, Backup
akozlovets098 committed Nov 13, 2024
1 parent 2b3990c commit 2af4d15
Showing 2 changed files with 190 additions and 0 deletions.
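--- a/rules/zscaler_rules/zia/zia_log_streaming_disabled.py
+++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py
@@ -0,0 +1,31 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+from pygments.lexer import default
+
+
+def rule(event):
+if not zia_success(event):
+return False
+action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
+category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
+if action == "DELETE" and category == "NSS":
+return True
+return False
+
+
+def title(event):
+cloud_connection_url = event.deep_get(
+"event",
+"preaction",
+"cloudNssSiemConfiguration",
+"connectionURL",
+default="<CLOUD_CONNECTION_URL_NOT_FOUND>",
+)
+return (
+f"[Zscaler.ZIA]: Log streaming for location [{cloud_connection_url}] "
+f"was deleted by admin with id "
+f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
+)
+
+
+def alert_context(event):
+return zia_alert_context(event)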
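Review bot: `from pygments.lexer import default` on the second line of the file is used by none of rule(), title() or alert_context() and looks like an editor auto-import; it drags a third-party package into a detection that otherwise needs only panther_zscaler_helpers, and the rule will fail at import time wherever pygments is not installed, so delete that line. Separately, rule() fires only on `action == "DELETE"` with `category == "NSS"`, while the RuleID and Description speak of streaming being "disabled": an UPDATE that switches a feed off (the test logs carry a `feedStatus` field in preaction/postaction, so presumably a disabled state is representable) would not alert; either extend the condition to cover that case or narrow the Description to feed deletion. The title also calls the `connectionURL` a "location"; `f"[Zscaler.ZIA]: Log streaming to [{cloud_connection_url}] "` would describe the value accurately.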
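--- a/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml
+++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml
@@ -0,0 +1,159 @@
+AnalysisType: rule
+RuleID: ZIA.Log.Streaming.Disabled
+Description: This rule detects when ZIA log streaming was disabled.
+DisplayName: ZIA Log Streaming Disabled
+Runbook: Verify that this change was planned. If not, make sure to restore previous settings.
+Reference: https://help.zscaler.com/zia/about-nss-feeds
+Enabled: true
+Filename: zia_log_streaming_disabled.py
+Severity: Medium
+Reports:
+MITRE ATT&CK:
+- TA0005:T1562.008 # Disable or Modify Cloud Logs
+LogTypes:
+- Zscaler.ZIA.AdminAuditLog
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+- Name: Log streaming disabled (NSS deleted)
+ExpectedResult: true
+Log:
+{
+"event": {
+"action": "DELETE",
+"adminid": "[email protected]",
+"auditlogtype": "ZIA",
+"category": "NSS",
+"clientip": "1.2.3.4",
+"errorcode": "None",
+"interface": "UI",
+"postaction": { },
+"preaction": {
+"cloudNss": true,
+"cloudNssSiemConfiguration": {
+"connectionHeaders": [
+"123:123"
+],
+"connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20",
+"lastSuccessFullTest": 0,
+"maxBatchSize": 512,
+"nssType": "NSS_FOR_WEB",
+"oAuthAuthentication": false,
+"siemType": "OTHER",
+"testConnectivityCode": 0
+},
+"customEscapedCharacter": [
+"ASCII_44",
+"ASCII_92",
+"ASCII_34"
+],
+"duplicateLogs": 0,
+"epsRateLimit": 0,
+"feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+"feedStatus": "ENABLED",
+"id": 2898,
+"jsonArrayToggle": true,
+"name": "test-feed-2",
+"nssFeedType": "JSON",
+"nssFilter": {
+"securityFeedFilter": false
+},
+"nssLogType": "WEBLOG",
+"timeZone": "GMT",
+"userObfuscation": "DISABLED"
+},
+"recordid": "371",
+"resource": "test-feed-2",
+"result": "SUCCESS",
+"subcategory": "NSS_FEED",
+"time": "2024-11-04 16:34:34.000000000"
+},
+"sourcetype": "zscalernss-audit"
+}
+- Name: NSS created
+ExpectedResult: false
+Log:
+{
+"event": {
+"action": "CREATE",
+"adminid": "[email protected]",
+"auditlogtype": "ZIA",
+"category": "NSS",
+"clientip": "1.2.3.4",
+"errorcode": "None",
+"interface": "UI",
+"postaction": {
+"cloudNss": true,
+"cloudNssSiemConfiguration": {
+"clientSecret": "******",
+"connectionHeaders": [
+"123:123"
+],
+"connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20",
+"lastSuccessFullTest": 0,
+"maxBatchSize": 512,
+"nssType": "NSS_FOR_WEB",
+"oAuthAuthentication": false,
+"siemType": "OTHER",
+"testConnectivityCode": 0
+},
+"customEscapedCharacter": [
+"ASCII_44",
+"ASCII_92",
+"ASCII_34"
+],
+"duplicateLogs": 0,
+"epsRateLimit": 0,
+"feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+"feedStatus": "ENABLED",
+"id": 2898,
+"jsonArrayToggle": true,
+"name": "test-feed-2",
+"nssFeedType": "JSON",
+"nssFilter": {
+"securityFeedFilter": false
+},
+"nssLogType": "WEBLOG",
+"timeZone": "GMT",
+"userObfuscation": "DISABLED"
+},
+"preaction": {
+"cloudNss": true,
+"cloudNssSiemConfiguration": {
+"connectionHeaders": [
+"123:123"
+],
+"connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786621f20",
+"maxBatchSize": 524288,
+"nssType": "NSS_FOR_WEB",
+"oAuthAuthentication": false,
+"siemType": "OTHER"
+},
+"customEscapedCharacter": [
+"ASCII_44",
+"ASCII_92",
+"ASCII_34"
+],
+"duplicateLogs": 0,
+"epsRateLimit": 0,
+"feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n",
+"feedStatus": "ENABLED",
+"id": 0,
+"jsonArrayToggle": true,
+"name": "test-feed-2",
+"nssFeedType": "JSON",
+"nssFilter": {
+"securityFeedFilter": false
+},
+"nssLogType": "WEBLOG",
+"siemConfiguration": { },
+"timeZone": "GMT"
+},
+"recordid": "370",
+"resource": "test-feed-2",
+"result": "SUCCESS",
+"subcategory": "NSS_FEED",
+"time": "2024-11-04 16:33:48.000000000"
+},
+"sourcetype": "zscalernss-audit"
+}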
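Review bot: The Tests block never exercises the `zia_success` guard as a negative: both cases carry `"result": "SUCCESS"`, so a regression that dropped the guard from rule() would still pass green. Add a third case built from the first log with `"result"` set to a non-success value (the exact failure token is not shown on this page) and `ExpectedResult: false`, so that a failed or rejected DELETE is pinned as non-alerting. The mismatch between the Description's "disabled" wording and the DELETE-only logic is raised on the paired .py file.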
