diff --git a/lookup_tables/greynoise/advanced/noise_advanced.yml b/lookup_tables/greynoise/advanced/noise_advanced.yml
index a09f5d3c3..11b978f8d 100644
--- a/lookup_tables/greynoise/advanced/noise_advanced.yml
+++ b/lookup_tables/greynoise/advanced/noise_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/greynoise/advanced/riot_advanced.yml b/lookup_tables/greynoise/advanced/riot_advanced.yml
index ae82a0797..6348c01c1 100644
--- a/lookup_tables/greynoise/advanced/riot_advanced.yml
+++ b/lookup_tables/greynoise/advanced/riot_advanced.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/greynoise/basic/noise_basic.yml b/lookup_tables/greynoise/basic/noise_basic.yml
index dcb235596..9be4bd1c3 100644
--- a/lookup_tables/greynoise/basic/noise_basic.yml
+++ b/lookup_tables/greynoise/basic/noise_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/greynoise/basic/riot_basic.yml b/lookup_tables/greynoise/basic/riot_basic.yml
index 0705637d2..7dceb4667 100644
--- a/lookup_tables/greynoise/basic/riot_basic.yml
+++ b/lookup_tables/greynoise/basic/riot_basic.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_asn.yml b/lookup_tables/ipinfo/ipinfo_asn.yml
index a9f7602d7..5aee66a28 100644
--- a/lookup_tables/ipinfo/ipinfo_asn.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
index de1b02e2f..ee6b613af 100644
--- a/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_asn_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location.yml b/lookup_tables/ipinfo/ipinfo_location.yml
index 9aff65042..c49741798 100644
--- a/lookup_tables/ipinfo/ipinfo_location.yml
+++ b/lookup_tables/ipinfo/ipinfo_location.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_location_datalake.yml b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
index da657eeb9..9f22a415f 100644
--- a/lookup_tables/ipinfo/ipinfo_location_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_location_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy.yml b/lookup_tables/ipinfo/ipinfo_privacy.yml
index da7781172..375ebf5a3 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
index 5e4b45faa..2715aaa6c 100644
--- a/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
+++ b/lookup_tables/ipinfo/ipinfo_privacy_datalake.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/lookup_tables/tor/tor_exit_nodes.yml b/lookup_tables/tor/tor_exit_nodes.yml
index 9e1011174..103ff3392 100644
--- a/lookup_tables/tor/tor_exit_nodes.yml
+++ b/lookup_tables/tor/tor_exit_nodes.yml
@@ -422,16 +422,6 @@ LogTypeMap:
 - LogType: Sysdig.Audit
 Selectors:
 - "$.content.userOriginIP"
- - LogType: Tailscale.Network
- Selectors:
- - "$.event.virtualTraffic[].srcIp"
- - "$.event.virtualTraffic[].dstIp"
- - "$.event.subnetTraffic[].srcIp"
- - "$.event.subnetTraffic[].dstIp"
- - "$.event.exitTraffic[].srcIp"
- - "$.event.exitTraffic[].dstIp"
- - "$.event.physicalTraffic[].srcIp"
- - "$.event.physicalTraffic[].dstIp"
 - LogType: Tines.Audit
 Selectors:
 - "request_ip"
diff --git a/packs/netskope.yml b/packs/netskope.yml
index 45758b437..b15ed4273 100644
--- a/packs/netskope.yml
+++ b/packs/netskope.yml
@@ -4,7 +4,6 @@ Description: Group of all Netskope detections
 PackDefinition:
 IDs:
 - Netskope.AdminLoggedOutLoginFailures
- - Netskope.AdminUserChange
 - Netskope.ManyDeletes
 - Netskope.NetskopePersonnelActivity
 - Netskope.UnauthorizedAPICalls
diff --git a/rules/netskope_rules/netskope_admin_user_change.yml b/rules/netskope_rules/netskope_admin_user_change.yml
deleted file mode 100644
index abc84d284..000000000
--- a/rules/netskope_rules/netskope_admin_user_change.yml
+++ /dev/null
@@ -1,94 +0,0 @@
-AnalysisType: rule
-RuleID: "Netskope.AdminUserChange"
-DisplayName: "An administrator account was created, deleted, or modified."
-AlertTitle: "User [{user}] performed [{audit_log_event}]"
-Detection:
- - All:
- - KeyPath: audit_log_event
- Condition: IsIn
- Values:
- - Created new admin
- - Added SSO Admin
- - Edited SSO Admin Record
- - Created new support admin
- - Edit admin record
- - Deleted admin
- - Enabled admin
- - Disabled admin
- - Unlocked admin
- - Updated admin settings
- - Deleted Netskope SSO admin
-Enabled: true
-LogTypes:
- - Netskope.Audit
-Tags:
- - Netskope
- - Account Manipulation
-Reports:
- MITRE ATT&CK:
- - TA0004:T1098
-Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
-Severity: High
-DynamicSeverities:
- - ChangeTo: Critical
- Conditions:
- - KeyPath: audit_log_event
- Condition: Contains
- Values:
- - Create
- - Add
- - Delete
-Description: An administrator account was created, deleted, or modified.
-DedupPeriodMinutes: 60
-Threshold: 1
-Runbook: An administrator account was created, deleted, or modified. Validate that this activity is expected and authorized.
-Tests:
- - Name: True positive
- ExpectedResult: true
- Log:
- {
- "_id": "e5ca619b059fccdd0cfd9398",
- "_insertion_epoch_timestamp": 1702308331,
- "audit_log_event": "Created new admin",
- "count": 1,
- "is_netskope_personnel": true,
- "organization_unit": "",
- "severity_level": 2,
- "supporting_data": {
- "data_type": "user",
- "data_values": [
- "11.22.33.44",
- "adminsupport@netskope.com"
- ]
- },
- "timestamp": "2023-12-11 15:25:31.000000000",
- "type": "admin_audit_logs",
- "ur_normalized": "adminsupport@netskope.com",
- "user": "adminsupport@netskope.com"
- }
- - Name: True negative
- ExpectedResult: false
- Log:
- {
- "_id": "1e589befa3da30132362f32a",
- "_insertion_epoch_timestamp": 1702318213,
- "audit_log_event": "Rest API V2 Call",
- "count": 1,
- "is_netskope_personnel": false,
- "organization_unit": "",
- "severity_level": 2,
- "supporting_data": {
- "data_type": "incidents",
- "data_values": [
- 200,
- "POST",
- "/api/v2/incidents/uba/getuci",
- "trid=ccb898fgrhvdd0v0lebg"
- ]
- },
- "timestamp": "2023-12-11 18:10:13.000000000",
- "type": "admin_audit_logs",
- "ur_normalized": "service-account",
- "user": "service-account"
- }
-