Merge branch 'THREAT-394/snowflake-anomaly-queries' of github.com:pan…

…ther-labs/panther-analysis into THREAT-394/snowflake-anomaly-queries
panther-labs · Nov 12, 2024 · 6ecab57 · 6ecab57
2 parents 2fc311a + 6d6a350
commit 6ecab57
Show file tree

Hide file tree

Showing 15 changed files with 1,482 additions and 291 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # Contributing to `panther-analysis`
 
-Thank you for your interest in contributing to Panther's open-source ruleset!  We appreciate all types of contributions, including new detection rules, feature requests, and bug reports.
+Thank you for your interest in contributing to Panther's open-source ruleset! We appreciate all types of contributions, including new detection rules, feature requests, and bug reports.
 
 ## What makes a good detection?
 
@@ -19,18 +19,18 @@ Before submitting your pull request, make sure to:
 - Write or update relevant unit tests
 - Redact any sensitive information or PII from example logs
 - Format, lint, and test your changes to ensure CI tests pass, using the following commands:
-    ```bash
-    make fmt
-    make lint
-    make test
-    ```
+  ```bash
+  make fmt
+  make lint
+  make test
+  ```
 
 ## Pull Request process
 
 1. Make desired detection changes. This may include creating new detections in existing log type directories, creating new log type directories, updating existing detections, etc
 2. Commit both the Python and Metadata files
 3. Write a clear commit message
-4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls).
+4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls) against the `develop` branch.
 5. Once your PR has been approved by code owners, if you have merge permissions, merge it. If you do not have merge permissions, leave a comment requesting a code owner merge it for you
 
 ## Code of Conduct
@@ -42,4 +42,5 @@ in all of your interactions with this project.
 
 If you need assistance at any point, feel free to open a support ticket, or reach out to us on [Panther Community Slack](https://pnthr.io/community).
 
-Thank you again for your contributions, and we look forward to working together!
+Thank you again for your contributions, and we look forward to working together!
+
diff --git a/global_helpers/panther_zscaler_helpers.py b/global_helpers/panther_zscaler_helpers.py
@@ -0,0 +1,19 @@
+def zia_success(event):
+    if (
+        event.deep_get("event", "errorcode", default="") == "None"
+        and event.deep_get("event", "result", default="") == "SUCCESS"
+    ):
+        return True
+    return False
+
+
+def zia_alert_context(event):
+    event_data = event.get("event", {})
+    return {
+        "action": event_data.get("action", ""),
+        "admin_id": event_data.get("adminid", ""),
+        "category": event_data.get("category", ""),
+        "client_ip": event_data.get("clientip", ""),
+        "preaction": event_data.get("preaction", ""),
+        "postaction": event_data.get("postaction", ""),
+    }
diff --git a/global_helpers/panther_zscaler_helpers.yml b/global_helpers/panther_zscaler_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_zscaler_helpers.py
+GlobalID: "panther_zscaler_helpers"
+Description: >
+  Used to define global helpers for Zscaler events
diff --git a/lookup_tables/traildiscover/traildiscover_data.jsonl b/lookup_tables/traildiscover/traildiscover_data.jsonl
diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml
@@ -0,0 +1,14 @@
+AnalysisType: pack
+PackID: PantherManaged.Zscaler.ZIA
+Description: Group of all Zscaler ZIA detections
+DisplayName: "Panther Zscaler ZIA Pack"
+PackDefinition:
+  IDs:
+    - ZIA.Account.Access.Removed
+    - ZIA.Additional.Cloud.Roles
+    - ZIA.Cloud.Account.Created
+    - ZIA.Password.Expiration
+    - ZIA.Trust.Modification
+    - panther_zscaler_helpers
+    - panther_base_helpers
+
diff --git a/rules/zscaler_rules/zia/zia_account_access_removal.py b/rules/zscaler_rules/zia/zia_account_access_removal.py
@@ -0,0 +1,24 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"]
+
+
+def rule(event):
+    if not zia_success(event):
+        return False
+    event_data = event.get("event", {})
+    return (
+        event_data.get("action", "ACTION_NOT_FOUND") == "DELETE"
+        and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES
+    )
+
+
+def title(event):
+    return (
+        f"[Zscaler.ZIA]: Admin account was deleted by admin with id "
+        f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
+    )
+
+
+def alert_context(event):
+    return zia_alert_context(event)