From 6d95214059b2a92d8d382d472c32ecb24faa09ec Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Wed, 13 Dec 2023 00:11:21 +0200
Subject: [PATCH] Add references to rules (zendesk_rules) (#1034)
* Add references to rules (zendesk_rules)
* Add references to rules (zendesk_rules)
---------
Co-authored-by: Evan Gibler
---
 rules/zendesk_rules/zendesk_mobile_app_access.yml | 1 +
 rules/zendesk_rules/zendesk_new_api_token.yml | 1 +
 rules/zendesk_rules/zendesk_new_owner.yml | 1 +
 rules/zendesk_rules/zendesk_sensitive_data_redaction.yml | 1 +
 rules/zendesk_rules/zendesk_user_assumption.yml | 1 +
 rules/zendesk_rules/zendesk_user_role.yml | 1 +
 rules/zendesk_rules/zendesk_user_suspension.yml | 1 +
 7 files changed, 7 insertions(+)
diff --git a/rules/zendesk_rules/zendesk_mobile_app_access.yml b/rules/zendesk_rules/zendesk_mobile_app_access.yml
index 48c78101b..e14dbebca 100644
--- a/rules/zendesk_rules/zendesk_mobile_app_access.yml
+++ b/rules/zendesk_rules/zendesk_mobile_app_access.yml
@@ -14,6 +14,7 @@ Reports:
 - TA0003:T1078
 Severity: Medium
 Description: A user updated account setting that enabled or disabled mobile app access.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app#:~:text=More%20settings.-,Configuring%20the%20mobile%20app,-Activate%20the%20new
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_new_api_token.yml b/rules/zendesk_rules/zendesk_new_api_token.yml
index b384d5256..cafcb2bdd 100644
--- a/rules/zendesk_rules/zendesk_new_api_token.yml
+++ b/rules/zendesk_rules/zendesk_new_api_token.yml
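Review bot: The `Reference` added in zendesk_mobile_app_access.yml ends in a `#:~:text=` text-fragment directive, which only resolves while the article keeps that exact wording and is ignored by browsers without text-fragment support; the references added in zendesk_new_api_token.yml, zendesk_user_assumption.yml and zendesk_user_suspension.yml have the same form. When the vendor edits the page, an analyst following the link during triage lands at the top of the article with no sign that the intended section was lost. I would store the bare article URL, e.g. `Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app`, and in zendesk_new_api_token.yml keep only the named anchor `#topic_bsw_lfg_mmb`. Quoting the value would also protect the plain scalar if a later edit introduces ` #` or `: ` into it.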
@@ -15,6 +15,7 @@ Reports:
 - TA0006:T1528
 Description: A user created a new API token to be used with Zendesk.
 Runbook: Validate the api token was created for valid use case, otherwise delete the token immediately.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889192858-Managing-access-to-the-Zendesk-API#topic_bsw_lfg_mmb:~:text=enable%20token%20access.-,Generating%20API%20tokens,-To%20generate%20an
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_new_owner.yml b/rules/zendesk_rules/zendesk_new_owner.yml
index 9e5cb5657..cc4ddb6d4 100644
--- a/rules/zendesk_rules/zendesk_new_owner.yml
+++ b/rules/zendesk_rules/zendesk_new_owner.yml
@@ -14,6 +14,7 @@ Reports:
 MITRE ATT&CK:
 - TA0004:T1078
 Description: Only one admin user can be the account owner. Ensure the change in ownership is expected.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822084634-Changing-the-account-owner
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
index 0f050887a..36e31095c 100644
--- a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
+++ b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user updated account setting that disabled credit card redaction.
 Runbook: Re-enable credit card redaction.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822124314-Automatically-redacting-credit-card-numbers-from-tickets
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_assumption.yml b/rules/zendesk_rules/zendesk_user_assumption.yml
index fbc40da9e..12b3ef138 100644
--- a/rules/zendesk_rules/zendesk_user_assumption.yml
+++ b/rules/zendesk_rules/zendesk_user_assumption.yml
@@ -15,6 +15,7 @@ Severity: Medium
 Description: User enabled or disabled zendesk support user assumption.
 Runbook: >
 Investigate whether allowing zendesk support to assume users is necessary. If not, disable the feature.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_role.yml b/rules/zendesk_rules/zendesk_user_role.yml
index 70205aeac..731f41c53 100644
--- a/rules/zendesk_rules/zendesk_user_role.yml
+++ b/rules/zendesk_rules/zendesk_user_role.yml
@@ -8,6 +8,7 @@ LogTypes:
 - Zendesk.Audit
 Severity: Info
 Description: A user's Zendesk role was changed
+Reference: https://support.zendesk.com/hc/en-us/articles/4408824375450-Setting-roles-and-access-in-Zendesk-Admin-Center
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_suspension.yml b/rules/zendesk_rules/zendesk_user_suspension.yml
index 08f1a1410..b0c3f4a18 100644
--- a/rules/zendesk_rules/zendesk_user_suspension.yml
+++ b/rules/zendesk_rules/zendesk_user_suspension.yml
@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user's Zendesk suspension status was changed.
 Runbook: Ensure the user's suspension status is appropriate.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
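Review bot: The `Reference` added in zendesk_user_assumption.yml may point at the wrong feature. Judging by its slug, `Assuming-end-users` covers agents assuming an end user, whereas the Description and Runbook are about allowing Zendesk support staff to assume users in the account. A responder following the link could then review the wrong setting, so please confirm which feature the rule's audit event corresponds to. If it is the account-level one, replace the line with `Reference: <URL of the vendor article on the account assumption setting>`.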