From b3ec513df06c5e56953b7ae00fed365defbb7c9c Mon Sep 17 00:00:00 2001 From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com> Date: Wed, 6 Nov 2024 22:52:39 +0200 Subject: [PATCH] THREAT-403 Create rules for User, Administrator, and Role Management based on test cases (#1415) Co-authored-by: ben-githubs <38414634+ben-githubs@users.noreply.github.com> --- global_helpers/panther_zscaler_helpers.py | 19 + global_helpers/panther_zscaler_helpers.yml | 5 + packs/zscaler_zia.yml | 14 + .../zia/zia_account_access_removal.py | 24 ++ .../zia/zia_account_access_removal.yml | 324 +++++++++++++++++ .../zia/zia_additional_cloud_roles.py | 22 ++ .../zia/zia_additional_cloud_roles.yml | 327 ++++++++++++++++++ .../zia/zia_create_cloud_account.py | 29 ++ .../zia/zia_create_cloud_account.yml | 202 +++++++++++ .../zia/zia_password_expiration.py | 34 ++ .../zia/zia_password_expiration.yml | 73 ++++ .../zia/zia_trust_modification.py | 32 ++ .../zia/zia_trust_modification.yml | 75 ++++ 13 files changed, 1180 insertions(+) create mode 100644 global_helpers/panther_zscaler_helpers.py create mode 100644 global_helpers/panther_zscaler_helpers.yml create mode 100644 packs/zscaler_zia.yml create mode 100644 rules/zscaler_rules/zia/zia_account_access_removal.py create mode 100644 rules/zscaler_rules/zia/zia_account_access_removal.yml create mode 100644 rules/zscaler_rules/zia/zia_additional_cloud_roles.py create mode 100644 rules/zscaler_rules/zia/zia_additional_cloud_roles.yml create mode 100644 rules/zscaler_rules/zia/zia_create_cloud_account.py create mode 100644 rules/zscaler_rules/zia/zia_create_cloud_account.yml create mode 100644 rules/zscaler_rules/zia/zia_password_expiration.py create mode 100644 rules/zscaler_rules/zia/zia_password_expiration.yml create mode 100644 rules/zscaler_rules/zia/zia_trust_modification.py create mode 100644 rules/zscaler_rules/zia/zia_trust_modification.yml 
diff --git a/global_helpers/panther_zscaler_helpers.py b/global_helpers/panther_zscaler_helpers.py
new file mode 100644
index 000000000..a085e7459
--- /dev/null
+++ b/global_helpers/panther_zscaler_helpers.py
@@ -0,0 +1,19 @@
+def zia_success(event):
+ if (
+ event.deep_get("event", "errorcode", default="") == "None"
+ and event.deep_get("event", "result", default="") == "SUCCESS"
+ ):
+ return True
+ return False
+
+
+def zia_alert_context(event):
+ event_data = event.get("event", {})
+ return {
+ "action": event_data.get("action", ""),
+ "admin_id": event_data.get("adminid", ""),
+ "category": event_data.get("category", ""),
+ "client_ip": event_data.get("clientip", ""),
+ "preaction": event_data.get("preaction", ""),
+ "postaction": event_data.get("postaction", ""),
+ }
diff --git a/global_helpers/panther_zscaler_helpers.yml b/global_helpers/panther_zscaler_helpers.yml
new file mode 100644
index 000000000..674367e94
--- /dev/null
+++ b/global_helpers/panther_zscaler_helpers.yml
@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_zscaler_helpers.py
+GlobalID: "panther_zscaler_helpers"
+Description: >
+ Used to define global helpers for Zscaler events
diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml
new file mode 100644
index 000000000..5cea13ed8
--- /dev/null
+++ b/packs/zscaler_zia.yml
@@ -0,0 +1,14 @@
+AnalysisType: pack
+PackID: PantherManaged.Zscaler.ZIA
+Description: Group of all Zscaler ZIA detections
+DisplayName: "Panther Zscaler ZIA Pack"
+PackDefinition:
+ IDs:
+ - ZIA.Account.Access.Removed
+ - ZIA.Additional.Cloud.Roles
+ - ZIA.Cloud.Account.Created
+ - ZIA.Password.Expiration
+ - ZIA.Trust.Modification
+ - panther_zscaler_helpers
+ - panther_base_helpers
+
diff --git a/rules/zscaler_rules/zia/zia_account_access_removal.py b/rules/zscaler_rules/zia/zia_account_access_removal.py
new file mode 100644
index 000000000..6d437d232
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_account_access_removal.py
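Review bot: `zia_alert_context` leaves out the fields an analyst needs first to see what was changed — `resource`, `subcategory`, `recordid` and `interface` are present in every sample log in this PR but never reach the alert. Adding `"resource": event_data.get("resource", ""),`, `"subcategory": event_data.get("subcategory", ""),` and `"record_id": event_data.get("recordid", ""),` to the returned dict lets the rule titles stay short while the affected admin or role name stays in the context. In `zia_success`, the comparison of `errorcode` against the string `"None"` matches the sample logs but reads like a typo; a one-line comment such as `# ZIA reports errorcode as the literal string "None" on success, not a JSON null` would save the next reader a trip to the logs. The `if (...): return True / return False` body can also collapse to a single `return (...)`.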
@@ -0,0 +1,24 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"]
+
+
+def rule(event):
+ if not zia_success(event):
+ return False
+ event_data = event.get("event", {})
+ return (
+ event_data.get("action", "ACTION_NOT_FOUND") == "DELETE"
+ and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES
+ )
+
+
+def title(event):
+ return (
+ f"[Zscaler.ZIA]: Admin account was deleted by admin with id "
+ f"[{event.deep_get('event', 'adminid', default='')}]"
+ )
+
+
+def alert_context(event):
+ return zia_alert_context(event)
diff --git a/rules/zscaler_rules/zia/zia_account_access_removal.yml b/rules/zscaler_rules/zia/zia_account_access_removal.yml
new file mode 100644
index 000000000..b5806a435
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_account_access_removal.yml
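Review bot: `title` always reports "Admin account was deleted", but `rule` also returns true for `category == "ROLE_MANAGEMENT"` (the role-deletion tests in the sibling .yml expect true), so a deleted role produces a misleading alert title. The title also omits what was deleted, which the log carries in `resource`; `f"[Zscaler.ZIA]: Admin account or role [{event.deep_get('event', 'resource', default='')}] was deleted by admin with id "` followed by the existing adminid fragment keeps both cases accurate and gives the analyst the target name without opening the context. Since no `dedup` function is defined, this presumably also changes grouping: today every deletion by the same admin within 60 minutes collapses into one alert, which hides a bulk removal of several admins.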
@@ -0,0 +1,324 @@ +AnalysisType: rule +RuleID: ZIA.Account.Access.Removed +Description: This rule detects when admin user/role was deleted. +DisplayName: ZIA Account Access Removed +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management +Enabled: true +Filename: zia_account_access_removal.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0040:T1531 # Account Access removal +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, remove from Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminUser": false, + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "isNonEditable": false, + "miscflags": 0, + "name": "johndoe", + "systemDefinedGroups": [ ] + }, + "preaction": { + "adminUser": false, + "authType": "SAFECHANNEL_DIR", + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": false, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 268435456, + "name": "johndoe" + }, + "recordid": "324", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 22:01:28.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - 
Name: Administration Management > Administrators > Edit Administrator, delete administrator + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminScope": { + "scopeEntities": [ ], + "scopeGroupMemberEntities": [ ], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "327", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:09:01.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Edit Auditor, delete auditor + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "disabled": false, + "id": 19752860, + "isAuditor": true, + "loginName": "arieeel@dev-company.com", + "newLocationCreateAllowed": false, + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 30510, + "isNameL10nTag": false, + "name": "Auditor" + }, + "userName": "areiiiel" + }, + "recordid": "329", + "resource": "areiiiel", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_AUDITOR", + "time": "2024-10-22 22:11:56.000000000" + }, + "sourcetype": 
"zscalernss-audit" + } + - Name: Administration > Role Management > Edit Administrator Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 32780, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "VZEN_CONFIGURATION", + "LOCATIONS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "VPN_CREDENTIALS", + "AUTHENTICATION_SETTINGS", + "IDENTITY_PROXY_SETTINGS", + "USER_MANAGEMENT", + "APIKEY_MANAGEMENT", + "PARTNER_INTEGRATION", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "PROXY_GATEWAY", + "TENANT_PROFILE_MANAGEMENT", + "STATIC_IPS", + "REMOTE_ASSISTANCE_MANAGEMENT", + "GRE_TUNNELS", + "CLIENT_CONNECTOR_PORTAL", + "SUBCLOUDS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "recordid": "342", + "resource": "mega admin", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:31:35.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + 
"postaction": { }, + "preaction": { + "adminAcctAccess": "NONE", + "alertingAccess": "READ_ONLY", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32781, + "name": "wanny", + "permissions": [ + "STATIC_IPS", + "LOCATIONS", + "GRE_TUNNELS", + "VPN_CREDENTIALS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "SDWAN", + "usernameAccess": "NONE" + }, + "recordid": "345", + "resource": "wanny", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:34:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Edit API Role, delete role + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "NONE", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32782, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "SECURE", + "COMPLY", + "SSL_POLICY", + "ADVANCED_SETTINGS", + "FIREWALL_DNS", + "LOCATIONS", + "VPN_CREDENTIALS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "STATIC_IPS", + "GRE_TUNNELS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "PUBLIC_API", + "usernameAccess": "NONE" + }, + "recordid": "346", + "resource": "bad API", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:35:06.000000000" + }, + "sourcetype": "zscalernss-audit" + } 
diff --git a/rules/zscaler_rules/zia/zia_additional_cloud_roles.py b/rules/zscaler_rules/zia/zia_additional_cloud_roles.py
new file mode 100644
index 000000000..c0867aa54
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_additional_cloud_roles.py
@@ -0,0 +1,22 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+
+def rule(event):
+ if not zia_success(event):
+ return False
+ event_data = event.get("event", {})
+ return (
+ event_data.get("action", "ACTION_NOT_FOUND") == "CREATE"
+ and event_data.get("category", "CATEGORY_NOT_FOUND") == "ROLE_MANAGEMENT"
+ )
+
+
+def title(event):
+ return (
+ f"[Zscaler.ZIA]: Additional cloud role was created by admin with id "
+ f"[{event.deep_get('event', 'adminid', default='')}]"
+ )
+
+
+def alert_context(event):
+ return zia_alert_context(event)
diff --git a/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml b/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml
new file mode 100644
index 000000000..538d97536
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_additional_cloud_roles.yml
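Review bot: `rule` alerts on every `CREATE` in `ROLE_MANAGEMENT` regardless of what the role can do, while `title` carries only the creating admin's id, so an analyst cannot tell a four-permission SD-WAN role from the all-permissions "mega admin" role in the tests without opening the context. The created role's name is in `resource` and its power in `postaction.adminAcctAccess` / `postaction.permissions` (both visible in the sibling .yml); putting `resource` in the title, e.g. `f"[Zscaler.ZIA]: Additional cloud role [{event.deep_get('event', 'resource', default='')}] was created by admin with id "` plus the existing adminid fragment, and optionally a `severity` function that returns a higher level when `adminAcctAccess == "READ_WRITE"`, makes triage cheaper. Including the role name in the title also stops several distinct role creations by one admin within the dedup window from collapsing into a single alert.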
@@ -0,0 +1,327 @@ +AnalysisType: rule +RuleID: ZIA.Additional.Cloud.Roles +Description: This rule detects when an additional cloud role was created. +DisplayName: ZIA Additional Cloud Roles +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/about-role-management +Enabled: true +Filename: zia_additional_cloud_roles.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0003:T1098.003 # Persistence: Additional Cloud Roles + - TA0004:T1098.003 # Priv Escalation: Additional Cloud Roles +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, assign to Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminUser": false, + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + }, + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "isNonEditable": false, + "miscflags": 0, + "name": "johndoe", + "systemDefinedGroups": [ ] + }, + "preaction": { + "adminUser": false, + "authType": "SAFECHANNEL_DIR", + "department": { + "id": 19752838, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": false, + "name": "test" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 19631231, + "isNonEditable": false, + "name": "test" + } + ], + "id": 19752821, + "miscflags": 268435456, + "name": "johndoe" + }, + "recordid": "325", + "resource": "johndoe", + "result": "SUCCESS", + 
"subcategory": "USER", + "time": "2024-10-22 22:02:29.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Add Administrator Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 32780, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "SECURE", + "SSL_POLICY", + "VZEN_CONFIGURATION", + "PARTNER_INTEGRATION", + "REMOTE_ASSISTANCE_MANAGEMENT", + "LOCATIONS", + "VPN_CREDENTIALS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "PROXY_GATEWAY", + "STATIC_IPS", + "GRE_TUNNELS", + "SUBCLOUDS", + "AUTHENTICATION_SETTINGS", + "USER_MANAGEMENT", + "IDENTITY_PROXY_SETTINGS", + "APIKEY_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CLIENT_CONNECTOR_PORTAL", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "TENANT_PROFILE_MANAGEMENT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "READ_WRITE", + "analysisAccess": "READ_ONLY", + "dashboardAccess": "READ_WRITE", + "deviceInfoAccess": "READ_ONLY", + "id": 0, + "isAuditor": false, + "isNonEditable": false, + "logsLimit": "Unrestricted", + "name": "mega admin", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "NSS_CONFIGURATION", + "SECURE", + "SSL_POLICY", + "VZEN_CONFIGURATION", + 
"PARTNER_INTEGRATION", + "REMOTE_ASSISTANCE_MANAGEMENT", + "LOCATIONS", + "VPN_CREDENTIALS", + "HOSTED_PAC_FILES", + "EZ_AGENT_CONFIGURATIONS", + "SECURE_AGENT_NOTIFICATIONS", + "PROXY_GATEWAY", + "STATIC_IPS", + "GRE_TUNNELS", + "SUBCLOUDS", + "AUTHENTICATION_SETTINGS", + "USER_MANAGEMENT", + "IDENTITY_PROXY_SETTINGS", + "APIKEY_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CLIENT_CONNECTOR_PORTAL", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT", + "TENANT_PROFILE_MANAGEMENT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "READ_WRITE", + "reportTimeDuration": -1, + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN", + "usernameAccess": "READ_ONLY" + }, + "recordid": "341", + "resource": "mega admin", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:19:57.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration > Role Management > Add SD-WAN Partner API Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "NONE", + "alertingAccess": "READ_ONLY", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32781, + "name": "wanny", + "permissions": [ + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "SDWAN", + "usernameAccess": "NONE" + }, + "preaction": { + "id": 0, + "name": "wanny", + "policyAccess": "READ_WRITE", + "rank": 7, + "reportTimeDuration": -1, + "roleType": "SDWAN" + }, + "recordid": "343", + "resource": "wanny", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:31:46.000000000" + }, + "sourcetype": "zscalernss-audit" + } + 
- Name: Administration > Role Management > Add API Role, all permissions + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ROLE_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminAcctAccess": "READ_WRITE", + "alertingAccess": "NONE", + "analysisAccess": "NONE", + "dashboardAccess": "NONE", + "deviceInfoAccess": "NONE", + "id": 32782, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "SECURE", + "SSL_POLICY", + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportAccess": "NONE", + "reportTimeDuration": -1, + "roleType": "PUBLIC_API", + "usernameAccess": "NONE" + }, + "preaction": { + "adminAcctAccess": "READ_WRITE", + "id": 0, + "isAuditor": false, + "isNonEditable": false, + "logsLimit": "Unrestricted", + "name": "bad API", + "permissions": [ + "ADVANCED_SETTINGS", + "COMPLY", + "FIREWALL_DNS", + "SECURE", + "SSL_POLICY", + "LOCATIONS", + "VPN_CREDENTIALS", + "STATIC_IPS", + "GRE_TUNNELS", + "USER_MANAGEMENT", + "POLICY_RESOURCE_MANAGEMENT", + "CUSTOM_URL_CAT", + "OVERRIDE_EXISTING_CAT" + ], + "policyAccess": "READ_WRITE", + "rank": 7, + "reportTimeDuration": -1, + "roleType": "PUBLIC_API" + }, + "recordid": "344", + "resource": "bad API", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ROLE", + "time": "2024-10-22 22:34:34.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_create_cloud_account.py b/rules/zscaler_rules/zia/zia_create_cloud_account.py new file mode 100644 index 000000000..56d8bfa6d --- /dev/null +++ b/rules/zscaler_rules/zia/zia_create_cloud_account.py 
@@ -0,0 +1,29 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+
+def rule(event):
+ if not zia_success(event):
+ return False
+ action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
+ category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
+ role_name = event.deep_get(
+ "event", "postaction", "role", "name", default=""
+ ).lower()
+ if (
+ action == "CREATE"
+ and category == "ADMINISTRATOR_MANAGEMENT"
+ and ("admin" in role_name or "audit" in role_name)
+ ):
+ return True
+ return False
+
+
+def title(event):
+ return (
+ f"[Zscaler.ZIA]: New admin role was created by admin with id "
+ f"[{event.deep_get('event', 'adminid', default='')}]"
+ )
+
+
+def alert_context(event):
+ return zia_alert_context(event)
diff --git a/rules/zscaler_rules/zia/zia_create_cloud_account.yml b/rules/zscaler_rules/zia/zia_create_cloud_account.yml
new file mode 100644
index 000000000..81a82aa73
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_create_cloud_account.yml
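Review bot: The `"admin" in role_name or "audit" in role_name` filter makes detection depend on how the tenant named its roles — an administrator created with a custom role such as "wanny" or "bad API" (the role names used in the sibling role-management tests) is an `ADMINISTRATOR_MANAGEMENT` `CREATE` too, yet returns false here. Every event in that category in the tests is an admin or auditor account (`subcategory` `ADMINISTRATOR_ADMIN_USER` / `ADMINISTRATOR_AUDITOR`), so the name match looks like a gap rather than a filter; `return action == "CREATE" and category == "ADMINISTRATOR_MANAGEMENT"` covers all of them and the role name remains in the context. The `.lower()` at the end of the `role_name` assignment will also raise if `postaction.role.name` is present but null and `deep_get` passes a null through instead of substituting the default — `str(...)` or `or ""` around it is cheap insurance. Finally, `title` says "New admin role was created" but the rule detects a new admin account; the new login is in `resource` and belongs in the title.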
@@ -0,0 +1,202 @@ +AnalysisType: rule +RuleID: ZIA.Cloud.Account.Created +Description: This rule detects when new cloud account was created. +DisplayName: ZIA Cloud Account Created +Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. +Reference: https://help.zscaler.com/zia/choosing-provisioning-and-authentication-methods +Enabled: true +Filename: zia_create_cloud_account.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0003:T1136.003 # Persistence: Create Cloud Account +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Administration > User Management > Add User, Service Admin group + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "USER_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "preaction": { + "department": { + "id": 16991313, + "isDeleted": false, + "isForUnauthenticatedUser": false, + "isNonEditable": true, + "name": "Service Admin" + }, + "email": "johndoe@dev-company.com", + "groups": [ + { + "id": 16991312, + "isNonEditable": true, + "name": "Service Admin" + } + ], + "id": 19752821, + "miscflags": 0, + "name": "johndoe", + "password": "*****", + "systemDefinedGroups": [] + }, + "recordid": "321", + "resource": "johndoe", + "result": "SUCCESS", + "subcategory": "USER", + "time": "2024-10-22 21:57:58.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > 
Administrators > Add Administrator + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "ajohndoe@company.com", + "id": 19752821, + "isExecMobileAppEnabled": true, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "pwdLastModifiedTime": 1729634767, + "role": { + "deleted": false, + "extensions": { + "adminRank": "0", + "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN" + }, + "id": 24354, + "isNameL10nTag": true, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "preaction": { + "adminScope": { + "scopeEntities": [], + "scopeGroupMemberEntities": [], + "type": "ORGANIZATION" + }, + "disabled": false, + "email": "johndoe@company.com", + "id": 0, + "isAuditor": false, + "isDefaultAdmin": false, + "isExecMobileAppEnabled": true, + "isPasswordExpired": false, + "isPasswordLoginAllowed": true, + "loginName": "johndoe@dev-company.com", + "newLocationCreateAllowed": false, + "password": "*****", + "pwdLastModifiedTime": 0, + "role": { + "deleted": false, + "id": 24354, + "isNameL10nTag": false, + "name": "Super Admin" + }, + "userName": "johndoe1123" + }, + "recordid": "326", + "resource": "johndoe1123", + "result": "SUCCESS", + "subcategory": "ADMINISTRATOR_ADMIN_USER", + "time": "2024-10-22 22:06:04.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Administration Management > Auditors > Add Auditor + ExpectedResult: true + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@16991311.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "ADMINISTRATOR_MANAGEMENT", + "clientip": "123.123.123.123", + "errorcode": "None", + "interface": "UI", + "postaction": 
{
+ "disabled": false,
+ "id": 19752860,
+ "isAuditor": true,
+ "loginName": "arieeel@dev-company.com",
+ "newLocationCreateAllowed": false,
+ "pwdLastModifiedTime": 0,
+ "role": {
+ "deleted": false,
+ "id": 30510,
+ "isNameL10nTag": false,
+ "name": "Auditor"
+ },
+ "userName": "areiiiel"
+ },
+ "preaction": {
+ "adminScope": {
+ "scopeEntities": [],
+ "scopeGroupMemberEntities": [],
+ "type": "ORGANIZATION"
+ },
+ "disabled": false,
+ "id": 0,
+ "isAuditor": true,
+ "loginName": "arieeel@dev-company.com",
+ "newLocationCreateAllowed": false,
+ "password": "*****",
+ "pwdLastModifiedTime": 0,
+ "userName": "areiiiel"
+ },
+ "recordid": "328",
+ "resource": "areiiiel",
+ "result": "SUCCESS",
+ "subcategory": "ADMINISTRATOR_AUDITOR",
+ "time": "2024-10-22 22:10:28.000000000"
+ },
+ "sourcetype": "zscalernss-audit"
+ }
diff --git a/rules/zscaler_rules/zia/zia_password_expiration.py b/rules/zscaler_rules/zia/zia_password_expiration.py
new file mode 100644
index 000000000..5f33d2de8
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_password_expiration.py
@@ -0,0 +1,34 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+
+def rule(event):
+ if not zia_success(event):
+ return False
+ action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
+ category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
+ password_exp_pre = event.deep_get(
+ "event",
+ "preaction",
+ "passwordExpirationEnabled",
+ default="",
+ )
+ password_exp_post = event.deep_get(
+ "event",
+ "postaction",
+ "passwordExpirationEnabled",
+ default="",
+ )
+ if action == "UPDATE" and category == "LOGIN" and password_exp_pre != password_exp_post:
+ return True
+ return False
+
+
+def title(event):
+ return (
+ f"[Zscaler.ZIA]: SAML configuration was changed by admin with id "
+ f"[{event.deep_get('event', 'adminid', default='')}]"
+ )
+
+
+def alert_context(event):
+ return zia_alert_context(event)
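Review bot: `title` in zia_password_expiration.py is copied from the SAML rule — it reports "SAML configuration was changed" for an event that `rule` only accepts when `category == "LOGIN"` and `passwordExpirationEnabled` flipped, so every alert from this rule is mislabelled; `f"[Zscaler.ZIA]: Password expiration setting was changed by admin with id "` is the fix. It would also help to state which way it flipped, since expiration being switched off is the case that deserves the faster look: `rule` already has the value in `password_exp_post`, but `title` re-reads the event, so either read `postaction.passwordExpirationEnabled` again in `title` or surface it through the context. The `""` defaults on both sides mean a `LOGIN` update that lacks the key in both halves stays silent, which is the right outcome and worth a short comment.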
diff --git a/rules/zscaler_rules/zia/zia_password_expiration.yml b/rules/zscaler_rules/zia/zia_password_expiration.yml
new file mode 100644
index 000000000..cc1556218
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_password_expiration.yml
@@ -0,0 +1,73 @@
+AnalysisType: rule
+RuleID: ZIA.Password.Expiration
+Description: This rule detects when password expiration eas set/removed.
+DisplayName: ZIA Password Expiration
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://help.zscaler.com/zia/configuring-password-expiration
+Enabled: true
+Filename: zia_password_expiration.py
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0007:T1201 # Password Policy Discovery
+LogTypes:
+ - Zscaler.ZIA.AdminAuditLog
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: Administration Management > Administrator Management > Set Password Expriration 180 days
+ ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "action": "UPDATE",
+ "adminid": "admin@16991311.zscalerbeta.net",
+ "auditlogtype": "ZIA",
+ "category": "LOGIN",
+ "clientip": "123.123.123.123",
+ "errorcode": "None",
+ "interface": "UI",
+ "postaction": {
+ "passwordExpirationEnabled": true,
+ "passwordExpiryDays": 180
+ },
+ "preaction": {
+ "passwordExpirationEnabled": false,
+ "passwordExpiryDays": 180
+ },
+ "recordid": "331",
+ "resource": "None",
+ "result": "SUCCESS",
+ "subcategory": "PASSWORD_EXPIRY",
+ "time": "2024-10-22 22:12:25.000000000"
+ },
+ "sourcetype": "zscalernss-audit"
+ }
+ - Name: Administration Management > Administrator Management > Remove Password Expriration
+ ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "action": "UPDATE",
+ "adminid": "admin@16991311.zscalerbeta.net",
+ "auditlogtype": "ZIA",
+ "category": "LOGIN",
+ "clientip": "123.123.123.123",
+ "errorcode": "None",
+ "interface": "UI",
+ "postaction": {
+ "passwordExpirationEnabled": false,
+ "passwordExpiryDays": 180
+ },
+ "preaction": {
+ "passwordExpirationEnabled": true,
+ "passwordExpiryDays": 180
+ },
+ "recordid": "331",
+ "resource": "None",
+ "result": "SUCCESS",
+ "subcategory": "PASSWORD_EXPIRY",
+ "time": "2024-10-22 22:12:25.000000000"
+ },
+ "sourcetype": "zscalernss-audit"
+ }
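Review bot: `Description` has a typo (`eas set/removed` → `was set/removed`), and both tests are the same record (`recordid` 331, identical timestamp) with the booleans swapped, so there is no negative case at all. A `LOGIN` update that changes only `passwordExpiryDays` (say 180 → 90, constructed) with `passwordExpirationEnabled` unchanged should expect false; it would document that the rule deliberately ignores duration changes, which is a choice worth making explicit since shortening or lengthening the window is also a policy change. The ATT&CK mapping `TA0007:T1201` is Password Policy Discovery, whereas this rule detects a policy modification; a mapping under T1556 (Modify Authentication Process) may fit better — confirm against the team's convention.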
diff --git a/rules/zscaler_rules/zia/zia_trust_modification.py b/rules/zscaler_rules/zia/zia_trust_modification.py
new file mode 100644
index 000000000..5a65491fd
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_trust_modification.py
@@ -0,0 +1,32 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+
+def rule(event):
+ if not zia_success(event):
+ return False
+ action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
+ category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
+ saml_enabled_pre = event.deep_get(
+ "event", "preaction", "samlEnabled", default=""
+ )
+ saml_enabled_post = event.deep_get(
+ "event", "postaction", "samlEnabled", default=""
+ )
+ if (
+ action == "UPDATE"
+ and category == "ADMINISTRATOR_MANAGEMENT"
+ and saml_enabled_pre != saml_enabled_post
+ ):
+ return True
+ return False
+
+
+def title(event):
+ return (
+ f"[Zscaler.ZIA]: SAML configuration was changed by admin with id "
+ f"[{event.deep_get('event', 'adminid', default='')}]"
+ )
+
+
+def alert_context(event):
+ return zia_alert_context(event)
diff --git a/rules/zscaler_rules/zia/zia_trust_modification.yml b/rules/zscaler_rules/zia/zia_trust_modification.yml
new file mode 100644
index 000000000..97a383264
--- /dev/null
+++ b/rules/zscaler_rules/zia/zia_trust_modification.yml
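Review bot: `rule` fires only when `samlEnabled` changes, so a replacement of the IdP signing certificate while SAML stays enabled — the `certFilename` field present in the sample `postaction` — goes unnoticed, even though swapping the trusted IdP is the trust change T1484.002 describes. Comparing it the same way, `cert_pre = event.deep_get("event", "preaction", "certFilename", default="")`, `cert_post = event.deep_get("event", "postaction", "certFilename", default="")` and `or cert_pre != cert_post` inside the existing condition, closes that gap; the `subcategory == "ADMINISTRATOR_SAML"` value in the tests would also be a tighter filter than `category` alone. The title could carry the new `samlEnabled` state so an enable and a later disable by the same admin within the dedup window are not merged into one alert.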
@@ -0,0 +1,75 @@
+AnalysisType: rule
+RuleID: ZIA.Trust.Modification
+Description: This rule detects when SAML authentication was enabled/disabled.
+DisplayName: ZIA Trust Modification
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://help.zscaler.com/zia/configuring-saml
+Enabled: true
+Filename: zia_trust_modification.py
+Severity: Medium
+Reports:
+ MITRE ATT&CK:
+ - TA0004:T1484.002 # Domain or Tenant Policy Modification: Trust Modification
+LogTypes:
+ - Zscaler.ZIA.AdminAuditLog
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+ - Name: Administration > Administration Management > Enable SAML Authentication
+ ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "action": "UPDATE",
+ "adminid": "admin@16991311.zscalerbeta.net",
+ "auditlogtype": "ZIA",
+ "category": "ADMINISTRATOR_MANAGEMENT",
+ "clientip": "123.123.123.123",
+ "errorcode": "None",
+ "interface": "UI",
+ "postaction": {
+ "certFilename": "abc.crt",
+ "productId": 0,
+ "samlEnabled": true
+ },
+ "preaction": {
+ "productId": 0,
+ "samlEnabled": false
+ },
+ "recordid": "332",
+ "resource": "None",
+ "result": "SUCCESS",
+ "subcategory": "ADMINISTRATOR_SAML",
+ "time": "2024-10-22 22:13:23.000000000"
+ },
+ "sourcetype": "zscalernss-audit"
+ }
+ - Name: Administration > Administration Management > Disable SAML Authentication
+ ExpectedResult: true
+ Log:
+ {
+ "event": {
+ "action": "UPDATE",
+ "adminid": "admin@16991311.zscalerbeta.net",
+ "auditlogtype": "ZIA",
+ "category": "ADMINISTRATOR_MANAGEMENT",
+ "clientip": "123.123.123.123",
+ "errorcode": "None",
+ "interface": "UI",
+ "postaction": {
+ "certFilename": "abc.crt",
+ "productId": 0,
+ "samlEnabled": false
+ },
+ "preaction": {
+ "productId": 0,
+ "samlEnabled": true
+ },
+ "recordid": "332",
+ "resource": "None",
+ "result": "SUCCESS",
+ "subcategory": "ADMINISTRATOR_SAML",
+ "time": "2024-10-22 22:13:23.000000000"
+ },
+ "sourcetype": "zscalernss-audit"
+ }
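Review bot: Both tests expect true and there is no case where `samlEnabled` is unchanged — no `ADMINISTRATOR_SAML` update that alters only `certFilename`, and no failed result — so a regression that drops the `saml_enabled_pre != saml_enabled_post` comparison in the rule would still pass this file. A copy of the first test with `preaction.samlEnabled` set to true and `ExpectedResult: false` pins the comparison; a second copy with a non-success `result` (constructed value) pins the `zia_success` gate. Both tests also share `recordid` 332 and the same timestamp, which reads as one event edited by hand rather than two captured events.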