Netskope detections and pack

packs/netskope.yml

@@ -0,0 +1,11 @@
+AnalysisType: pack
+PackID: PantherManaged.Netskope
+Description: Group of all Netskope detections
+PackDefinition:
+  IDs:
+    - Netskope.AdminLoggedOutLoginFailures
+    - Netskope.AdminUserChange
+    - Netskope.ManyDeletes
+    - Netskope.NetskopePersonnelActivity
+    - Netskope.UnauthorizedAPICalls
+DisplayName: "Panther Netskope Pack"

rules/netskope_rules/netskope_admin_logged_out.yml

@@ -0,0 +1,73 @@
+AnalysisType: rule
+RuleID: "Netskope.AdminLoggedOutLoginFailures"
+DisplayName: "Admin logged out because of successive login failures"
+AlertTitle: "Admin [{user}] was logged out because of successive login failures"
+Detection:
+  - All:
+    - KeyPath: audit_log_event
+      Condition: Equals
+      Value: "Admin logged out because of successive login failures"
+Enabled: true
+LogTypes:
+  - Netskope.Audit
+Tags:
+  - Netskope
+  - Brute Force
+Reports:
+  MITRE ATT&CK: 
+    - TA0006:T1110
+Severity: Medium
+Description: An admin was logged out because of successive login failures.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: An admin was logged out because of successive login failures.  This could indicate brute force activity against this account.
+Tests:
+    - Name: True positive
+      ExpectedResult: true
+      Log: 
+        {
+          "_id": "e5ca619b059fccdd0cfd9398",
+          "_insertion_epoch_timestamp": 1702308331,
+          "audit_log_event": "Admin logged out because of successive login failures",
+          "count": 1,
+          "is_netskope_personnel": true,
+          "organization_unit": "",
+          "severity_level": 2,
+          "supporting_data": {
+            "data_type": "user",
+            "data_values": [
+              "11.22.33.44",
+              "[email protected]"
+            ]
+          },
+          "timestamp": "2023-12-11 15:25:31.000000000",
+          "type": "admin_audit_logs",
+          "ur_normalized": "[email protected]",
+          "user": "[email protected]"
+        }
+    - Name: True negative
+      ExpectedResult: false
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            200,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+

rules/netskope_rules/netskope_admin_user_change.yml

@@ -0,0 +1,93 @@
+AnalysisType: rule
+RuleID: "Netskope.AdminUserChange"
+DisplayName: "An administrator account was created, deleted, or modified."
+AlertTitle: "User [{user}] performed [{audit_log_event}]"
+Detection:
+  - All:
+    - KeyPath: audit_log_event
+      Condition: IsIn
+      Values:
+        - Created new admin
+        - Added SSO Admin
+        - Edited SSO Admin Record
+        - Created new support admin
+        - Edit admin record
+        - Deleted admin
+        - Enabled admin
+        - Disabled admin
+        - Unlocked admin
+        - Updated admin settings
+        - Deleted Netskope SSO admin
+Enabled: true
+LogTypes:
+  - Netskope.Audit
+Tags:
+  - Netskope
+  - Account Manipulation
+Reports:
+  MITRE ATT&CK: 
+    - TA0004:T1098
+Severity: High
+DynamicSeverities:
+  - ChangeTo: Critical
+    Conditions:
+      - KeyPath: audit_log_event
+        Condition: Contains
+        Values:
+          - Create
+          - Add
+          - Delete
+Description: An administrator account was created, deleted, or modified.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: An administrator account was created, deleted, or modified.  Validate that this activity is expected and authorized.
+Tests:
+    - Name: True positive
+      ExpectedResult: true
+      Log: 
+        {
+          "_id": "e5ca619b059fccdd0cfd9398",
+          "_insertion_epoch_timestamp": 1702308331,
+          "audit_log_event": "Created new admin",
+          "count": 1,
+          "is_netskope_personnel": true,
+          "organization_unit": "",
+          "severity_level": 2,
+          "supporting_data": {
+            "data_type": "user",
+            "data_values": [
+              "11.22.33.44",
+              "[email protected]"
+            ]
+          },
+          "timestamp": "2023-12-11 15:25:31.000000000",
+          "type": "admin_audit_logs",
+          "ur_normalized": "[email protected]",
+          "user": "[email protected]"
+        }
+    - Name: True negative
+      ExpectedResult: false
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            200,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+

rules/netskope_rules/netskope_many_deletes.yml

@@ -0,0 +1,67 @@
+AnalysisType: rule
+RuleID: "Netskope.ManyDeletes"
+DisplayName: "Netskope Many Objects Deleted"
+AlertTitle: "[{user}] deleted many objects in a short time"
+Detection:
+  - All:
+    - KeyPath: audit_log_event
+      Condition: Contains
+      Value: Delete
+Enabled: true
+LogTypes:
+  - Netskope.Audit
+Tags:
+  - Netskope
+  - Configuration Required
+  - Data Destruction
+Reports:
+  MITRE ATT&CK: 
+    - TA0040:T1485
+Severity: High
+Description: A user deleted a large number of objects in a short period of time.
+DedupPeriodMinutes: 60
+Threshold: 10
+Runbook: A user deleted a large number of objects in a short period of time.  Validate that this activity is expected and authorized.
+Tests:
+    - Name: True positive
+      ExpectedResult: true
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Deleted rbi template",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+    - Name: True negative
+      ExpectedResult: false
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            200,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+

rules/netskope_rules/netskope_personnel_action.yml

@@ -0,0 +1,73 @@
+AnalysisType: rule
+RuleID: "Netskope.NetskopePersonnelActivity"
+DisplayName: "Action Performed by Netskope Personnel"
+AlertTitle: "Action [{audit_log_event}] performed by Netskope personnel [{user}]"
+Detection:
+  - All:
+    - KeyPath: is_netskope_personnel
+      Condition: Equals
+      Value: true
+Enabled: true
+LogTypes:
+  - Netskope.Audit
+Tags:
+  - Netskope
+  - Supply Chain Compromise
+Reports:
+  MITRE ATT&CK: 
+    - TA0001:T1195
+Severity: Medium
+Description: An action was performed by Netskope personnel.
+DedupPeriodMinutes: 60
+Threshold: 1
+Runbook: Action taken by Netskope Personnel.  Validate that this action was authorized.
+Tests:
+    - Name: True positive
+      ExpectedResult: true
+      Log: 
+        {
+          "_id": "e5ca619b059fccdd0cfd9398",
+          "_insertion_epoch_timestamp": 1702308331,
+          "audit_log_event": "Login Successful",
+          "count": 1,
+          "is_netskope_personnel": true,
+          "organization_unit": "",
+          "severity_level": 2,
+          "supporting_data": {
+            "data_type": "user",
+            "data_values": [
+              "11.22.33.44",
+              "[email protected]"
+            ]
+          },
+          "timestamp": "2023-12-11 15:25:31.000000000",
+          "type": "admin_audit_logs",
+          "ur_normalized": "[email protected]",
+          "user": "[email protected]"
+        }
+    - Name: True negative
+      ExpectedResult: false
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            200,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+

rules/netskope_rules/netskope_unauthorized_api_calls.yml

@@ -0,0 +1,76 @@
+AnalysisType: rule
+RuleID: "Netskope.UnauthorizedAPICalls"
+DisplayName: "Netskope Many Unauthorized API Calls"
+AlertTitle: "Many unauthorized API calls from user [{user}]"
+Detection:
+  - All:
+    - KeyPath: supporting_data.data_values[0]
+      Condition: Equals
+      Value: 403
+Enabled: true
+LogTypes:
+  - Netskope.Audit
+Tags:
+  - Netskope
+  - Configuration Required
+  - Brute Force
+Reports:
+  MITRE ATT&CK: 
+    - TA0006:T1110
+Severity: High
+Description: Many unauthorized API calls were observed for a user in a short period of time.
+DedupPeriodMinutes: 60
+Threshold: 10
+Runbook: An account is making many unauthorized API calls.  This could indicate brute force activity, or expired service account credentials.
+Tests:
+    - Name: True positive
+      ExpectedResult: true
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            403,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+    - Name: True negative
+      ExpectedResult: false
+      Log: 
+        {
+        "_id": "1e589befa3da30132362f32a",
+        "_insertion_epoch_timestamp": 1702318213,
+        "audit_log_event": "Rest API V2 Call",
+        "count": 1,
+        "is_netskope_personnel": false,
+        "organization_unit": "",
+        "severity_level": 2,
+        "supporting_data": {
+          "data_type": "incidents",
+          "data_values": [
+            200,
+            "POST",
+            "/api/v2/incidents/uba/getuci",
+            "trid=ccb898fgrhvdd0v0lebg"
+          ]
+        },
+        "timestamp": "2023-12-11 18:10:13.000000000",
+        "type": "admin_audit_logs",
+        "ur_normalized": "service-account",
+        "user": "service-account"
+      }
+