From edda9e2ef3227ee6ec02e27fd2307dca65a669eb Mon Sep 17 00:00:00 2001 From: Ariel Ropek Date: Mon, 11 Dec 2023 12:37:25 -0700 Subject: [PATCH] Netskope detections and pack --- packs/netskope.yml | 11 +++ .../netskope_admin_logged_out.yml | 73 +++++++++++++++ .../netskope_admin_user_change.yml | 93 +++++++++++++++++++ .../netskope_rules/netskope_many_deletes.yml | 67 +++++++++++++ .../netskope_personnel_action.yml | 73 +++++++++++++++ .../netskope_unauthorized_api_calls.yml | 76 +++++++++++++++ 6 files changed, 393 insertions(+) create mode 100644 packs/netskope.yml create mode 100644 rules/netskope_rules/netskope_admin_logged_out.yml create mode 100644 rules/netskope_rules/netskope_admin_user_change.yml create mode 100644 rules/netskope_rules/netskope_many_deletes.yml create mode 100644 rules/netskope_rules/netskope_personnel_action.yml create mode 100644 rules/netskope_rules/netskope_unauthorized_api_calls.yml
diff --git a/packs/netskope.yml b/packs/netskope.yml
new file mode 100644
index 000000000..45758b437
--- /dev/null
+++ b/packs/netskope.yml
@@ -0,0 +1,11 @@
+AnalysisType: pack
+PackID: PantherManaged.Netskope
+Description: Group of all Netskope detections
+PackDefinition:
+ IDs:
+ - Netskope.AdminLoggedOutLoginFailures
+ - Netskope.AdminUserChange
+ - Netskope.ManyDeletes
+ - Netskope.NetskopePersonnelActivity
+ - Netskope.UnauthorizedAPICalls
+DisplayName: "Panther Netskope Pack"
diff --git a/rules/netskope_rules/netskope_admin_logged_out.yml b/rules/netskope_rules/netskope_admin_logged_out.yml
new file mode 100644
index 000000000..993033c96
--- /dev/null
+++ b/rules/netskope_rules/netskope_admin_logged_out.yml
@@ -0,0 +1,73 @@
+AnalysisType: rule
+RuleID: "Netskope.AdminLoggedOutLoginFailures"
+DisplayName: "Admin logged out because of successive login failures"
+AlertTitle: "Admin [{user}] was logged out because of successive login failures"
+Detection:
+ - All:
+ - KeyPath: audit_log_event
+ Condition: Equals
+ Value: "Admin logged out because of successive login failures"
+Enabled: true
+LogTypes:
+ - Netskope.Audit
+Tags:
+ - Netskope
+ - Brute Force
+Reports:
+ MITRE ATT&CK:
+ - TA0006:T1110
+Severity: Medium
+Description: An admin was logged out because of successive login failures.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account.
+Tests:
+ - Name: True positive
+ ExpectedResult: true
+ Log:
+ {
+ "_id": "e5ca619b059fccdd0cfd9398",
+ "_insertion_epoch_timestamp": 1702308331,
+ "audit_log_event": "Admin logged out because of successive login failures",
+ "count": 1,
+ "is_netskope_personnel": true,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "user",
+ "data_values": [
+ "11.22.33.44",
+ "adminsupport@netskope.com"
+ ]
+ },
+ "timestamp": "2023-12-11 15:25:31.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "adminsupport@netskope.com",
+ "user": "adminsupport@netskope.com"
+ }
+ - Name: True negative
+ ExpectedResult: false
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 200,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+
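Review bot: The Runbook ends at "could indicate brute force activity" and gives the analyst nothing to pivot on, even though the positive fixture shows a source address and the target account in `supporting_data.data_values` (`11.22.33.44`, `adminsupport@netskope.com`). I would extend it to `Runbook: An admin was logged out because of successive login failures. This could indicate brute force activity against this account. Check the source IP in supporting_data.data_values, and whether the account was subsequently unlocked or re-enabled (those events are raised by Netskope.AdminUserChange).` The position of the IP in data_values is inferred from the fixture only, so confirm the field order against the Netskope.Audit schema before the runbook relies on it. Note also that the true-positive fixture has `is_netskope_personnel: true`, so this same event will fire Netskope.NetskopePersonnelActivity as well; a sentence in the Description saying the two alerts are expected to coincide would save triage time.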
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
new file mode 100644
index 000000000..f98513b87
--- /dev/null
+++ b/rules/netskope_rules/netskope_admin_user_change.yml
@@ -0,0 +1,93 @@
+AnalysisType: rule
+RuleID: "Netskope.AdminUserChange"
+DisplayName: "An administrator account was created, deleted, or modified."
+AlertTitle: "User [{user}] performed [{audit_log_event}]"
+Detection:
+ - All:
+ - KeyPath: audit_log_event
+ Condition: IsIn
+ Values:
+ - Created new admin
+ - Added SSO Admin
+ - Edited SSO Admin Record
+ - Created new support admin
+ - Edit admin record
+ - Deleted admin
+ - Enabled admin
+ - Disabled admin
+ - Unlocked admin
+ - Updated admin settings
+ - Deleted Netskope SSO admin
+Enabled: true
+LogTypes:
+ - Netskope.Audit
+Tags:
+ - Netskope
+ - Account Manipulation
+Reports:
+ MITRE ATT&CK:
+ - TA0004:T1098
+Severity: High
+DynamicSeverities:
+ - ChangeTo: Critical
+ Conditions:
+ - KeyPath: audit_log_event
+ Condition: Contains
+ Values:
+ - Create
+ - Add
+ - Delete
+Description: An administrator account was created, deleted, or modified.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: An administrator account was created, deleted, or modified. Validate that this activity is expected and authorized.
+Tests:
+ - Name: True positive
+ ExpectedResult: true
+ Log:
+ {
+ "_id": "e5ca619b059fccdd0cfd9398",
+ "_insertion_epoch_timestamp": 1702308331,
+ "audit_log_event": "Created new admin",
+ "count": 1,
+ "is_netskope_personnel": true,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "user",
+ "data_values": [
+ "11.22.33.44",
+ "adminsupport@netskope.com"
+ ]
+ },
+ "timestamp": "2023-12-11 15:25:31.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "adminsupport@netskope.com",
+ "user": "adminsupport@netskope.com"
+ }
+ - Name: True negative
+ ExpectedResult: false
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 200,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+
diff --git a/rules/netskope_rules/netskope_many_deletes.yml b/rules/netskope_rules/netskope_many_deletes.yml
new file mode 100644
index 000000000..6663338eb
--- /dev/null
+++ b/rules/netskope_rules/netskope_many_deletes.yml
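Review bot: The DynamicSeverities condition pairs `Condition: Contains` with a list under `Values`, while netskope_many_deletes.yml in this same patch uses `Contains` with a scalar `Value`; if `Contains` only accepts a scalar, the Critical upgrade for create/add/delete events silently never fires, and the tests would not notice because they assert only `ExpectedResult`. Check the detection schema and, if a list is not supported, use one condition per keyword or `Condition: IsIn` against the exact event names (`Created new admin`, `Added SSO Admin`, `Deleted admin`, ...). Separately, `Unlocked admin` and `Enabled admin` are the events an attacker needs after the lockout scenario in Netskope.AdminLoggedOutLoginFailures, and they stay at High here; either add `Unlock` and `Enable` to the upgrade list or state in the Runbook which of the listed events warrant immediate escalation.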
@@ -0,0 +1,67 @@
+AnalysisType: rule
+RuleID: "Netskope.ManyDeletes"
+DisplayName: "Netskope Many Objects Deleted"
+AlertTitle: "[{user}] deleted many objects in a short time"
+Detection:
+ - All:
+ - KeyPath: audit_log_event
+ Condition: Contains
+ Value: Delete
+Enabled: true
+LogTypes:
+ - Netskope.Audit
+Tags:
+ - Netskope
+ - Configuration Required
+ - Data Destruction
+Reports:
+ MITRE ATT&CK:
+ - TA0040:T1485
+Severity: High
+Description: A user deleted a large number of objects in a short period of time.
+DedupPeriodMinutes: 60
+Threshold: 10
+Runbook: A user deleted a large number of objects in a short period of time. Validate that this activity is expected and authorized.
+Tests:
+ - Name: True positive
+ ExpectedResult: true
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Deleted rbi template",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+ - Name: True negative
+ ExpectedResult: false
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 200,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+
diff --git a/rules/netskope_rules/netskope_personnel_action.yml b/rules/netskope_rules/netskope_personnel_action.yml
new file mode 100644
index 000000000..53fb387a0
--- /dev/null
+++ b/rules/netskope_rules/netskope_personnel_action.yml
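Review bot: `Condition: Contains` with `Value: Delete` is a bare substring match on the event name, so it also counts the `Deleted admin` and `Deleted Netskope SSO admin` events already alerted by Netskope.AdminUserChange, and it will miss any event whose name spells the verb in lowercase if `Contains` is case-sensitive (the rule does not say either way). A comment above `Detection:` recording that intent would help whoever tunes this later, e.g. `# Substring match: any audit_log_event containing "Delete" (case-sensitive) counts toward Threshold; tune Threshold or exclude automation accounts per tenant.` The alert title keys only on `{user}`, which presumably makes the 10-event threshold per user rather than tenant-wide; if that is the intended grouping, say so in the Description rather than leaving it implied by the title template.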
@@ -0,0 +1,73 @@
+AnalysisType: rule
+RuleID: "Netskope.NetskopePersonnelActivity"
+DisplayName: "Action Performed by Netskope Personnel"
+AlertTitle: "Action [{audit_log_event}] performed by Netskope personnel [{user}]"
+Detection:
+ - All:
+ - KeyPath: is_netskope_personnel
+ Condition: Equals
+ Value: true
+Enabled: true
+LogTypes:
+ - Netskope.Audit
+Tags:
+ - Netskope
+ - Supply Chain Compromise
+Reports:
+ MITRE ATT&CK:
+ - TA0001:T1195
+Severity: Medium
+Description: An action was performed by Netskope personnel.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Action taken by Netskope Personnel. Validate that this action was authorized.
+Tests:
+ - Name: True positive
+ ExpectedResult: true
+ Log:
+ {
+ "_id": "e5ca619b059fccdd0cfd9398",
+ "_insertion_epoch_timestamp": 1702308331,
+ "audit_log_event": "Login Successful",
+ "count": 1,
+ "is_netskope_personnel": true,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "user",
+ "data_values": [
+ "11.22.33.44",
+ "adminsupport@netskope.com"
+ ]
+ },
+ "timestamp": "2023-12-11 15:25:31.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "adminsupport@netskope.com",
+ "user": "adminsupport@netskope.com"
+ }
+ - Name: True negative
+ ExpectedResult: false
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 200,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+
diff --git a/rules/netskope_rules/netskope_unauthorized_api_calls.yml b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
new file mode 100644
index 000000000..6fe10496f
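Review bot: With `Threshold: 1` and an AlertTitle that interpolates `{audit_log_event}`, every distinct action by a vendor account (the positive fixture is a plain `Login Successful`) becomes its own Medium alert, and the Runbook "Validate that this action was authorized" does not say what authorization looks like. I would have it name the control: `Runbook: Action taken by Netskope Personnel. Confirm an open Netskope support case authorizes this access, review every action by this user in the surrounding hour, and note that admin-account changes by vendor staff are also raised by Netskope.AdminUserChange.` Whether support access can be tied to a ticket is not visible in this patch, so confirm that wording with the vendor-management owner. A log with the field absent does not match `Equals true`, which is correct, but worth a comment above `Detection:` so nobody "fixes" it to `Exists`.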
--- /dev/null
+++ b/rules/netskope_rules/netskope_unauthorized_api_calls.yml
@@ -0,0 +1,76 @@
+AnalysisType: rule
+RuleID: "Netskope.UnauthorizedAPICalls"
+DisplayName: "Netskope Many Unauthorized API Calls"
+AlertTitle: "Many unauthorized API calls from user [{user}]"
+Detection:
+ - All:
+ - KeyPath: supporting_data.data_values[0]
+ Condition: Equals
+ Value: 403
+Enabled: true
+LogTypes:
+ - Netskope.Audit
+Tags:
+ - Netskope
+ - Configuration Required
+ - Brute Force
+Reports:
+ MITRE ATT&CK:
+ - TA0006:T1110
+Severity: High
+Description: Many unauthorized API calls were observed for a user in a short period of time.
+DedupPeriodMinutes: 60
+Threshold: 10
+Runbook: An account is making many unauthorized API calls. This could indicate brute force activity, or expired service account credentials.
+Tests:
+ - Name: True positive
+ ExpectedResult: true
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 403,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+ - Name: True negative
+ ExpectedResult: false
+ Log:
+ {
+ "_id": "1e589befa3da30132362f32a",
+ "_insertion_epoch_timestamp": 1702318213,
+ "audit_log_event": "Rest API V2 Call",
+ "count": 1,
+ "is_netskope_personnel": false,
+ "organization_unit": "",
+ "severity_level": 2,
+ "supporting_data": {
+ "data_type": "incidents",
+ "data_values": [
+ 200,
+ "POST",
+ "/api/v2/incidents/uba/getuci",
+ "trid=ccb898fgrhvdd0v0lebg"
+ ]
+ },
+ "timestamp": "2023-12-11 18:10:13.000000000",
+ "type": "admin_audit_logs",
+ "ur_normalized": "service-account",
+ "user": "service-account"
+ }
+
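Review bot: The only match condition is `supporting_data.data_values[0] Equals 403`, with nothing tying the event to an API call, so any audit event whose first supporting value happens to be 403 counts toward the threshold; the fixtures in this patch show `data_values[0]` holding an IP string for `data_type: user` and a status code for `data_type: incidents`, so the array layout clearly varies by event. Add a second condition under `All:` — `- KeyPath: audit_log_event` / `Condition: Equals` / `Value: Rest API V2 Call` — so the count is restricted to the event the Description and both fixtures describe. Separately, the Runbook attributes the alert to "expired service account credentials", which an API usually reports as 401 rather than 403; if that case is intended, use `Condition: IsIn` with `Values: [401, 403]`, though whether Netskope emits 401 here cannot be confirmed from this patch.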