diff --git a/global_helpers/panther_zscaler_helpers.py b/global_helpers/panther_zscaler_helpers.py new file mode 100644 index 000000000..a085e7459 --- /dev/null +++ b/global_helpers/panther_zscaler_helpers.py @@ -0,0 +1,19 @@ +def zia_success(event): + if ( + event.deep_get("event", "errorcode", default="") == "None" + and event.deep_get("event", "result", default="") == "SUCCESS" + ): + return True + return False + + +def zia_alert_context(event): + event_data = event.get("event", {}) + return { + "action": event_data.get("action", ""), + "admin_id": event_data.get("adminid", ""), + "category": event_data.get("category", ""), + "client_ip": event_data.get("clientip", ""), + "preaction": event_data.get("preaction", ""), + "postaction": event_data.get("postaction", ""), + } diff --git a/global_helpers/panther_zscaler_helpers.yml b/global_helpers/panther_zscaler_helpers.yml new file mode 100644 index 000000000..674367e94 --- /dev/null +++ b/global_helpers/panther_zscaler_helpers.yml @@ -0,0 +1,5 @@ +AnalysisType: global +Filename: panther_zscaler_helpers.py +GlobalID: "panther_zscaler_helpers" +Description: > + Used to define global helpers for Zscaler events diff --git a/rules/zscaler_rules/zia_account_access_removal.py b/rules/zscaler_rules/zia_account_access_removal.py new file mode 100644 index 000000000..6d437d232 --- /dev/null +++ b/rules/zscaler_rules/zia_account_access_removal.py 
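Review bot: `zia_alert_context` forwards the raw `preaction` and `postaction` objects into the alert context, and the fixtures added in this commit show those objects can carry a `password` field (masked as `*****` in the fixtures); a comment stating that the masking is applied by Zscaler before ingestion would record why copying them wholesale is acceptable, since the alert context is what reaches downstream destinations. `zia_success` returns a boolean through an `if …: return True / return False` ladder; `return event.deep_get("event", "errorcode", default="") == "None" and event.deep_get("event", "result", default="") == "SUCCESS"` says the same thing directly. Both helpers lack docstrings; `"""True when the ZIA audit event reports errorcode "None" and result SUCCESS."""` and `"""Flatten the common ZIA admin-audit fields into an alert-context dict."""` would do. Note that an event with no `errorcode` key defaults to `""` and is treated as a failure, which is fine if ZIA always emits the field but deserves a comment.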
@@ -0,0 +1,24 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + +SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"] + + +def rule(event): + if not zia_success(event): + return False + event_data = event.get("event", {}) + return ( + event_data.get("action", "ACTION_NOT_FOUND") == "DELETE" + and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES + ) + + +def title(event): + return ( + f"[Zscaler.ZIA]: Admin account was deleted by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia_account_access_removal.yml b/rules/zscaler_rules/zia_account_access_removal.yml new file mode 100644 index 000000000..49c4aff2d --- /dev/null +++ b/rules/zscaler_rules/zia_account_access_removal.yml 
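Review bot: `title` always reports `Admin account was deleted`, but `rule` also fires on `ROLE_MANAGEMENT` deletions (the "delete role" fixtures expect true), so alerts for deleted roles carry a misleading title; including the category and the `resource` field, e.g. `f"[Zscaler.ZIA]: {event.deep_get('event', 'category', default='')} entity [{event.deep_get('event', 'resource', default='')}] was deleted by admin with id [{event.deep_get('event', 'adminid', default='')}]"`, makes the alert self-describing. By default Panther dedupes on the title string when no `dedup` function is defined, so with the current title several deletions by the same admin inside the 60-minute window collapse into one alert; putting the resource in the title (or adding a `dedup` function) keeps each removal visible. The `"ACTION_NOT_FOUND"` / `"CATEGORY_NOT_FOUND"` defaults are never observable because the values are only compared for equality and membership, so `event_data.get("action") == "DELETE"` reads cleaner. `SENSITIVE_CATEGORIES` is a constant membership set and would be better as a tuple or set than a list.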
@@ -0,0 +1,324 @@ +AnalysisType: rule +RuleID: ZIA.Account.Access.Removed +Description: This rule detects when and admin user/role was deleted. +DisplayName: ZIA Account Access Removed +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management +Enabled: true +Filename: zia_account_access_removal.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0040:T1531 # Account Access removal +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, remove from Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminUser": false, + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "isNonEditable": false, + "miscflags": 0, + "name": "johndoe", + "systemDefinedGroups": [ ] + }, + "preaction": { + "adminUser": false, + "authType": "SAFECHANNEL_DIR", + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": false, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 268435456, + "name": "johndoe" + }, + "recordid": "324", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 22:01:28.000000000" + }, + "sourcetype": "zscalernss-audit" + } 
+ - Name: Administration Management > Administrators > Edit Administrator, delete administrator + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminScope": { + "scopeEntities": [ ], + "scopeGroupMemberEntities": [ ], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "327", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:09:01.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Edit Auditor, delete auditor + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "disabled": false, + "id": 19752860, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 30510, + "isNameL10nTag": false, + "name": "Auditor" + }, + "userName": "areiiiel" + }, + "recordid": "329", + "resource": "areiiiel", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_AUDITOR", + "time": "2024-10-22 22:11:56.000000000" + }, + "sourcetype": 
"zscalernss-audit" + } + - Name: Administration > Role Management > Edit Administrator Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 32780, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "VZEN_CONFIGURATION", + "LOCATIONS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "VPN_CREDENTIALS", + "AUTHENTICATION_SETTINGS", + "IDENTITY_PROXY_SETTINGS", + "USER_MANAGEMENT", + "APIKEY_MANAGEMENT", + "PARTNER_INTEGRATION", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "PROXY_GATEWAY", + "TENANT_PROFILE_MANAGEMENT", + "STATIC_IPS", + "REMOTE_ASSISTANCE_MANAGEMENT", + "GRE_TUNNELS", + "CLIENT_CONNECTOR_PORTAL", + "SUBCLOUDS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "recordid": "342", + "resource": "mega admin", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:31:35.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + 
"postaction": { }, + "preaction": { + "adminAcctAccess": "NONE", + "alertingAccess": "READ_ONLY", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32781, + "name": "wanny", + "permissions": [ + "STATIC_IPS", + "LOCATIONS", + "GRE_TUNNELS", + "VPN_CREDENTIALS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "SDWAN", + "usernameAccess": "NONE" + }, + "recordid": "345", + "resource": "wanny", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:34:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "NONE", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32782, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "LOCATIONS", + "VPN_CREDENTIALS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "STATIC_IPS", + "GRE_TUNNELS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "PUBLIC_API", + "usernameAccess": "NONE" + }, + "recordid": "346", + "resource": "bad API", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:35:06.000000000" + }, + "sourcetype": "zscalernss-audit" + } 
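Review bot: `Description` reads `This rule detects when and admin user/role was deleted.`; it should be `This rule detects when an admin user or role was deleted.`. None of the fixtures here (nor in zia_create_cloud_account.yml) exercise the `zia_success` gate — every log has `"result": "SUCCESS"` and `"errorcode": "None"` — so a fixture with a non-SUCCESS result and `ExpectedResult: false` would pin that path. The `Runbook` text `ensure this doesn't happen again` gives the responder nothing actionable; naming the steps (confirm against the change record, review the same admin's other audit entries in the window, restore the deleted admin or role) would help.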
diff --git a/rules/zscaler_rules/zia_create_cloud_account.py b/rules/zscaler_rules/zia_create_cloud_account.py new file mode 100644 index 000000000..56d8bfa6d --- /dev/null +++ b/rules/zscaler_rules/zia_create_cloud_account.py @@ -0,0 +1,29 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + role_name = event.deep_get( + "event", "postaction", "role", "name", default="" + ).lower() + if ( + action == "CREATE" + and category == "ADMINISTRATOR_MANAGEMENT" + and ("admin" in role_name or "audit" in role_name) + ): + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: New admin role was created by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia_create_cloud_account.yml b/rules/zscaler_rules/zia_create_cloud_account.yml new file mode 100644 index 000000000..81a82aa73 --- /dev/null +++ b/rules/zscaler_rules/zia_create_cloud_account.yml 
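Review bot: The `"admin" in role_name or "audit" in role_name` clause in `rule` ties the detection to a free-text role name, so an administrator created under a custom role whose name contains neither substring is missed (the other fixture file in this commit shows custom roles named `wanny` and `bad API` exist), even though `category == "ADMINISTRATOR_MANAGEMENT"` with `action == "CREATE"` already matches the admin and auditor creation fixtures here; whether that pair also covers non-account events is not established on the page, and if narrowing is wanted the fixtures' `subcategory` values `ADMINISTRATOR_ADMIN_USER` and `ADMINISTRATOR_AUDITOR` are the stable field to key on. Suggest `return action == "CREATE" and category == "ADMINISTRATOR_MANAGEMENT"`, which also collapses the `if …: return True / return False` ladder, plus a negative fixture for a custom role name. `title` says `New admin role was created`, but the event is an administrator account creation (the `RuleID` is `ZIA.Cloud.Account.Created`), so `New admin account [{resource}] was created` with the `resource` value would describe what fired.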
@@ -0,0 +1,202 @@ +AnalysisType: rule +RuleID: ZIA.Cloud.Account.Created +Description: This rule detects when new cloud account was created. +DisplayName: ZIA Cloud Account Created +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/choosing-provisioning-and-authentication-methods +Enabled: true +Filename: zia_create_cloud_account.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0003:T1136.003 # Persistence: Create Cloud Account +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "preaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "recordid": "321", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 21:57:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > 
Administrators > Add Administrator + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "ajohndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "preaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 0, + "isAuditor": false, + "isDefaultAdmin": false, + "isExecMobileAppEnabled": true, + "isPasswordExpired": false, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "newLocationCreateAllowed": false, + "password": "*****", + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 24354, + "isNameL10nTag": false, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "326", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:06:04.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Add Auditor + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": 
{ + "disabled": false, + "id": 19752860, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 30510, + "isNameL10nTag": false, + "name": "Auditor" + }, + "userName": "areiiiel" + }, + "preaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "id": 0, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "password": "*****", + "pwdLastModifiedTime": 0, + "userName": "areiiiel" + }, + "recordid": "328", + "resource": "areiiiel", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_AUDITOR", + "time": "2024-10-22 22:10:28.000000000" + }, + "sourcetype": "zscalernss-audit" + }
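Review bot: `Description` reads `detects when new cloud account was created`; `detects when a new cloud administrator account was created` is grammatical and says what the rule keys on (`ADMINISTRATOR_MANAGEMENT` with `CREATE`). Consider a `SummaryAttributes` list with `event.adminid` and `event.resource` so the acting admin and the created account are surfaced without opening the alert context.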