From 4221029f254cdce65041881f410f952475e9260e Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Tue, 12 Dec 2023 15:47:05 +0200
Subject: [PATCH 1/2] Add references to rules (zendesk_rules)
---
 rules/zendesk_rules/zendesk_mobile_app_access.yml | 1 +
 rules/zendesk_rules/zendesk_new_api_token.yml | 1 +
 rules/zendesk_rules/zendesk_new_owner.yml | 1 +
 rules/zendesk_rules/zendesk_sensitive_data_redaction.yml | 1 +
 rules/zendesk_rules/zendesk_user_assumption.yml | 1 +
 rules/zendesk_rules/zendesk_user_role.yml | 1 +
 rules/zendesk_rules/zendesk_user_suspension.yml | 1 +
 7 files changed, 7 insertions(+)
diff --git a/rules/zendesk_rules/zendesk_mobile_app_access.yml b/rules/zendesk_rules/zendesk_mobile_app_access.yml
index 48c78101b..e14dbebca 100644
--- a/rules/zendesk_rules/zendesk_mobile_app_access.yml
+++ b/rules/zendesk_rules/zendesk_mobile_app_access.yml
@@ -14,6 +14,7 @@ Reports:
 - TA0003:T1078
 Severity: Medium
 Description: A user updated account setting that enabled or disabled mobile app access.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app#:~:text=More%20settings.-,Configuring%20the%20mobile%20app,-Activate%20the%20new
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_new_api_token.yml b/rules/zendesk_rules/zendesk_new_api_token.yml
index b384d5256..cafcb2bdd 100644
--- a/rules/zendesk_rules/zendesk_new_api_token.yml
+++ b/rules/zendesk_rules/zendesk_new_api_token.yml
@@ -15,6 +15,7 @@ Reports:
 - TA0006:T1528
 Description: A user created a new API token to be used with Zendesk.
 Runbook: Validate the api token was created for valid use case, otherwise delete the token immediately.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889192858-Managing-access-to-the-Zendesk-API#topic_bsw_lfg_mmb:~:text=enable%20token%20access.-,Generating%20API%20tokens,-To%20generate%20an
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
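Review bot: The URL added as `Reference` in the zendesk_mobile_app_access hunk carries a `#:~:text=` text-fragment anchor, which pins the link to the exact current wording of the Zendesk article and is only honoured by browsers that implement text fragments; once the page text changes, the link silently degrades to the top of the article with a dangling fragment. The same applies to the new_api_token, user_assumption and user_suspension hunks, whereas the new_owner, sensitive_data_redaction and user_role hunks use the plain article URL. Suggest the bare article link here, `Reference: https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app`, and putting any "which section to read" hint into the Runbook text instead. The second patch in this series already strips the trailing period from two of these fragments, which looks like a link check had already tripped on them, though the commit message does not say so.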
diff --git a/rules/zendesk_rules/zendesk_new_owner.yml b/rules/zendesk_rules/zendesk_new_owner.yml
index 9e5cb5657..cc4ddb6d4 100644
--- a/rules/zendesk_rules/zendesk_new_owner.yml
+++ b/rules/zendesk_rules/zendesk_new_owner.yml
@@ -14,6 +14,7 @@ Reports:
 MITRE ATT&CK:
 - TA0004:T1078
 Description: Only one admin user can be the account owner. Ensure the change in ownership is expected.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822084634-Changing-the-account-owner
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
index 0f050887a..36e31095c 100644
--- a/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
+++ b/rules/zendesk_rules/zendesk_sensitive_data_redaction.yml
@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user updated account setting that disabled credit card redaction.
 Runbook: Re-enable credit card redaction.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408822124314-Automatically-redacting-credit-card-numbers-from-tickets
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_assumption.yml b/rules/zendesk_rules/zendesk_user_assumption.yml
index fbc40da9e..0ad09cb98 100644
--- a/rules/zendesk_rules/zendesk_user_assumption.yml
+++ b/rules/zendesk_rules/zendesk_user_assumption.yml
@@ -15,6 +15,7 @@ Severity: Medium
 Description: User enabled or disabled zendesk support user assumption.
 Runbook: >
 Investigate whether allowing zendesk support to assume users is necessary. If not, disable the feature.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog.
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_role.yml b/rules/zendesk_rules/zendesk_user_role.yml
index 70205aeac..731f41c53 100644
--- a/rules/zendesk_rules/zendesk_user_role.yml
+++ b/rules/zendesk_rules/zendesk_user_role.yml
@@ -8,6 +8,7 @@ LogTypes:
 - Zendesk.Audit
 Severity: Info
 Description: A user's Zendesk role was changed
+Reference: https://support.zendesk.com/hc/en-us/articles/4408824375450-Setting-roles-and-access-in-Zendesk-Admin-Center
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_suspension.yml b/rules/zendesk_rules/zendesk_user_suspension.yml
index 08f1a1410..48d70d49f 100644
--- a/rules/zendesk_rules/zendesk_user_suspension.yml
+++ b/rules/zendesk_rules/zendesk_user_suspension.yml
@@ -15,6 +15,7 @@ Reports:
 Severity: High
 Description: A user's Zendesk suspension status was changed.
 Runbook: Ensure the user's suspension status is appropriate.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page.
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
From 69960cbfca0d63620115184925581c883a5bf524 Mon Sep 17 00:00:00 2001
From: akozlovets098
Date: Tue, 12 Dec 2023 16:30:04 +0200
Subject: [PATCH 2/2] Add references to rules (zendesk_rules)
---
 rules/zendesk_rules/zendesk_user_assumption.yml | 2 +-
 rules/zendesk_rules/zendesk_user_suspension.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/zendesk_rules/zendesk_user_assumption.yml b/rules/zendesk_rules/zendesk_user_assumption.yml
index 0ad09cb98..12b3ef138 100644
--- a/rules/zendesk_rules/zendesk_user_assumption.yml
+++ b/rules/zendesk_rules/zendesk_user_assumption.yml
@@ -15,7 +15,7 @@ Severity: Medium
 Description: User enabled or disabled zendesk support user assumption.
 Runbook: >
 Investigate whether allowing zendesk support to assume users is necessary. If not, disable the feature.
-Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408894200474-Assuming-end-users#:~:text=In%20Support%2C%20click%20the%20Customers,user%20in%20the%20information%20dialog
 SummaryAttributes:
 - p_any_ip_addresses
 Tests:
diff --git a/rules/zendesk_rules/zendesk_user_suspension.yml b/rules/zendesk_rules/zendesk_user_suspension.yml
index 48d70d49f..b0c3f4a18 100644
--- a/rules/zendesk_rules/zendesk_user_suspension.yml
+++ b/rules/zendesk_rules/zendesk_user_suspension.yml
@@ -15,7 +15,7 @@ Reports:
 Severity: High
 Description: A user's Zendesk suspension status was changed.
 Runbook: Ensure the user's suspension status is appropriate.
-Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page.
+Reference: https://support.zendesk.com/hc/en-us/articles/4408889293978-Suspending-a-user#:~:text=select%20Unsuspend%20access.-,Identifying%20suspended%20users,name%20on%20the%20Customers%20page
 SummaryAttributes:
 - p_any_ip_addresses
 Tests: