From 0b985b967c5532f64074f1af7ebcd469449fe779 Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Tue, 12 Nov 2024 12:50:15 +0200 Subject: [PATCH 1/5] THREAT-411 ZIA AdminAuditRules - Password, Log, Backup --- rules/zscaler_rules/zia/zia_backup_deleted.py | 22 +++ .../zscaler_rules/zia/zia_backup_deleted.yml | 78 ++++++++ .../zia/zia_golden_restore_point_dropped.py | 39 ++++ .../zia/zia_golden_restore_point_dropped.yml | 85 +++++++++ .../zia/zia_insecure_password_settings.py | 47 +++++ .../zia/zia_insecure_password_settings.yml | 171 ++++++++++++++++++ .../zscaler_rules/zia/zia_logs_downloaded.py | 22 +++ .../zscaler_rules/zia/zia_logs_downloaded.yml | 61 +++++++ 8 files changed, 525 insertions(+) create mode 100644 rules/zscaler_rules/zia/zia_backup_deleted.py create mode 100644 rules/zscaler_rules/zia/zia_backup_deleted.yml create mode 100644 rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py create mode 100644 rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml create mode 100644 rules/zscaler_rules/zia/zia_insecure_password_settings.py create mode 100644 rules/zscaler_rules/zia/zia_insecure_password_settings.yml create mode 100644 rules/zscaler_rules/zia/zia_logs_downloaded.py create mode 100644 rules/zscaler_rules/zia/zia_logs_downloaded.yml diff --git a/rules/zscaler_rules/zia/zia_backup_deleted.py b/rules/zscaler_rules/zia/zia_backup_deleted.py new file mode 100644 index 000000000..d3f98cd9b --- /dev/null +++ b/rules/zscaler_rules/zia/zia_backup_deleted.py 
@@ -0,0 +1,22 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + if action == "DELETE" and category == "BACKUP_AND_RESTORE": + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: Backup was deleted by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_backup_deleted.yml b/rules/zscaler_rules/zia/zia_backup_deleted.yml new file mode 100644 index 000000000..4cb8a9944 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_backup_deleted.yml 
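Review bot: The string built in `title()` names only the admin, not which backup was deleted, although the fixture in zia_backup_deleted.yml carries the backup name in both `resource` and `preaction.name`; `f"[Zscaler.ZIA]: Backup [{event.deep_get('event', 'resource', default='')}] was deleted by admin with id "` would make the alert triageable without opening the context. The same omission is in `title()` of zia_golden_restore_point_dropped.py, whose fixture also has `resource` set. Separately, the `if action == "DELETE" and category == "BACKUP_AND_RESTORE": return True` / `return False` tail of `rule()` reduces to `return action == "DELETE" and category == "BACKUP_AND_RESTORE"`; zia_logs_downloaded.py and zia_log_streaming_disabled.py use the same shape. A one-line docstring on `rule()` such as `"""Fire on a successful DELETE in the BACKUP_AND_RESTORE category."""` would state the contract the tests are pinning.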
@@ -0,0 +1,78 @@ +AnalysisType: rule +RuleID: ZIA.Backup.Deleted +Description: This rule detects when ZIA backup data was deleted. +DisplayName: ZIA Backup Deleted +Runbook: Verify that this change was planned. If not, make sure to restore the backup. +Reference: https://help.zscaler.com/zia/about-backup-and-restore +Enabled: true +Filename: zia_backup_deleted.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Disable or Modify Cloud Logs +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Backup deleted + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "BACKUP_AND_RESTORE", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "adminLogin": "admin@test.zscalerbeta.net", + "goldenRestorePoint": false, + "id": 163372, + "name": "test-restore-2", + "time": 1730737925000 + }, + "recordid": "366", + "resource": "test-restore-2", + "result": "SUCCESS", + "subcategory": "BACKUP_AND_RESTORE", + "time": "2024-11-04 16:32:18.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Backup created + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "BACKUP_AND_RESTORE", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminLogin": "admin@test.zscalerbeta.net", + "goldenRestorePoint": false, + "id": 163372, + "name": "test-restore-2", + "time": 1730737925000 + }, + "preaction": { + "goldenRestorePoint": false, + "id": 0, + "name": "test-restore-2", + "time": 0 + }, + "recordid": "365", + "resource": "test-restore-2", + "result": "SUCCESS", + "subcategory": "BACKUP_AND_RESTORE", + "time": "2024-11-04 16:32:05.000000000" + }, + "sourcetype": "zscalernss-audit" + } 
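Review bot: Neither fixture exercises the `zia_success` guard (presumably keyed on `result`): both have `"result": "SUCCESS"`, so a DELETE on BACKUP_AND_RESTORE with a failed result — the case that must not alert — is untested, and the same gap exists in zia_golden_restore_point_dropped.yml, zia_insecure_password_settings.yml, zia_logs_downloaded.yml and zia_log_streaming_disabled.yml. A copy of the "Backup deleted" fixture with a non-SUCCESS `result` and `ExpectedResult: false` would cover it. The mapping `TA0005:T1562.008 # Disable or Modify Cloud Logs` describes log tampering, whereas deleting a configuration backup sits closer to Impact / T1490 Inhibit System Recovery; worth confirming the intended technique here and in zia_golden_restore_point_dropped.yml, which reuses it.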
diff --git a/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py new file mode 100644 index 000000000..b21f10af7 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py @@ -0,0 +1,39 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + golden_restore_point_pre = event.deep_get( + "event", + "preaction", + "goldenRestorePoint", + default="", + ) + golden_restore_point_post = event.deep_get( + "event", + "postaction", + "goldenRestorePoint", + default="", + ) + if ( + action == "UPDATE" + and category == "BACKUP_AND_RESTORE" + and golden_restore_point_pre == True + and golden_restore_point_post == False + ): + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: goldenRestorePoint was dropped by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml new file mode 100644 index 000000000..21d2dceb3 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml 
@@ -0,0 +1,85 @@ +AnalysisType: rule +RuleID: ZIA.Golden.Restore.Point.Dropped +Description: This rule detects when ZIA goldenRestorePoint was dropped. + It means that some piece of information that was impossible to delete before, now is deletable +DisplayName: ZIA Golden Restore Point Dropped +Runbook: Verify that this change was planned. If not, revert the change. +Reference: https://help.zscaler.com/zia/about-backup-and-restore +Enabled: true +Filename: zia_golden_restore_point_dropped.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Disable or Modify Cloud Logs +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: goldenRestorePoint dropped + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "BACKUP_AND_RESTORE", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminLogin": "admin@test.zscalerbeta.net", + "goldenRestorePoint": false, + "id": 163371, + "name": "test-restore", + "time": 1730737915000 + }, + "preaction": { + "adminLogin": "admin@test.zscalerbeta.net", + "goldenRestorePoint": true, + "id": 163371, + "name": "test-restore", + "time": 1730737915000 + }, + "recordid": "367", + "resource": "test-restore", + "result": "SUCCESS", + "subcategory": "BACKUP_AND_RESTORE", + "time": "2024-11-04 16:32:28.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Backup created + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "BACKUP_AND_RESTORE", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "adminLogin": "admin@test.zscalerbeta.net", + "goldenRestorePoint": false, + "id": 163372, + "name": "test-restore-2", + "time": 1730737925000 + }, + "preaction": { + "goldenRestorePoint": false, + "id": 0, + "name": 
"test-restore-2", + "time": 0 + }, + "recordid": "365", + "resource": "test-restore-2", + "result": "SUCCESS", + "subcategory": "BACKUP_AND_RESTORE", + "time": "2024-11-04 16:32:05.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_insecure_password_settings.py b/rules/zscaler_rules/zia/zia_insecure_password_settings.py new file mode 100644 index 000000000..ab0026532 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_insecure_password_settings.py @@ -0,0 +1,47 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success +from pygments.lexer import default + + +def rule(event): + if not zia_success(event): + return False + auth_frequency = event.deep_get( + "event", + "postaction", + "authFrequency", + default="", + ) + password_expiry = event.deep_get( + "event", + "postaction", + "passwordExpiry", + default="", + ) + password_strength = event.deep_get( + "event", + "postaction", + "passwordStrength", + default="", + ) + if ( + auth_frequency == "PERMANENT_COOKIE" + or password_expiry == "NEVER" + or password_strength == "NONE" + ): + return True + return False + + +def dedup(event): + return event.deep_get("event", "adminid", default="") + + +def title(event): + return ( + f"[Zscaler.ZIA]: Password settings are insecure for admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_insecure_password_settings.yml b/rules/zscaler_rules/zia/zia_insecure_password_settings.yml new file mode 100644 index 000000000..3d89c7344 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_insecure_password_settings.yml 
@@ -0,0 +1,171 @@ +AnalysisType: rule +RuleID: ZIA.Insecure.Password.Settings +Description: This rule detects when password settings are insecure. +DisplayName: ZIA Insecure Password Settings +Runbook: Set the secure password configurations. +Reference: https://help.zscaler.com/zia/customizing-your-admin-account-settings +Enabled: true +Filename: zia_insecure_password_settings.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1556.009 # Defense Evasion: Modify Authentication Process: Conditional Access Policies +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Permanent cookie + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "AUTHENTICATION_SETTINGS", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "authFrequency": "PERMANENT_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_DISABLED", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "NEVER", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "preaction": { + "authFrequency": "DAILY_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_DISABLED", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "NEVER", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "recordid": "356", + "resource": "None", + "result": "SUCCESS", + "subcategory": "AUTH_SETTINGS_PROFILE", + "time": "2024-11-04 16:29:24.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Password expiry - never + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "AUTHENTICATION_SETTINGS", + 
"clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "authFrequency": "DAILY_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_LINK", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "NEVER", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "preaction": { + "authFrequency": "DAILY_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_DISABLED", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "NEVER", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "recordid": "357", + "resource": "None", + "result": "SUCCESS", + "subcategory": "AUTH_SETTINGS_PROFILE", + "time": "2024-11-04 16:29:40.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Password strength - none + ExpectedResult: true + Log: + { + "event": { + "action": "UPDATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "AUTHENTICATION_SETTINGS", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "authFrequency": "DAILY_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_DISABLED", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "SIX_MONTHS", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "preaction": { + "authFrequency": "DAILY_COOKIE", + "autoProvision": false, + "directorySyncMigrateToScimEnabled": false, + "kerberosEnabled": false, + "mobileAdminSamlIdpEnabled": false, + "oneTimeAuth": "OTP_DISABLED", + "orgAuthType": "SAFECHANNEL_DIR", + "passwordExpiry": "NEVER", + "passwordStrength": "NONE", + "samlEnabled": false + }, + "recordid": "361", + "resource": "None", + "result": "SUCCESS", + 
"subcategory": "AUTH_SETTINGS_PROFILE", + "time": "2024-11-04 16:30:36.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Other event + ExpectedResult: false + Log: + { + "event": { + "action": "SIGN_IN", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "LOGIN", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { }, + "recordid": "354", + "resource": "None", + "result": "SUCCESS", + "subcategory": "LOGIN", + "time": "2024-11-04 16:27:37.000000000" + }, + "sourcetype": "zscalernss-audit" + } diff --git a/rules/zscaler_rules/zia/zia_logs_downloaded.py b/rules/zscaler_rules/zia/zia_logs_downloaded.py new file mode 100644 index 000000000..c0a3dff6a --- /dev/null +++ b/rules/zscaler_rules/zia/zia_logs_downloaded.py @@ -0,0 +1,22 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + if action == "DOWNLOAD" and category == "AUDIT_LOGS": + return True + return False + + +def title(event): + return ( + f"[Zscaler.ZIA]: Audit logs were downloaded by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) diff --git a/rules/zscaler_rules/zia/zia_logs_downloaded.yml b/rules/zscaler_rules/zia/zia_logs_downloaded.yml new file mode 100644 index 000000000..41ae30f2f --- /dev/null +++ b/rules/zscaler_rules/zia/zia_logs_downloaded.yml 
@@ -0,0 +1,61 @@ +AnalysisType: rule +RuleID: ZIA.Logs.Downloaded +Description: This rule detects when ZIA Audit Logs were downloaded. +DisplayName: ZIA Logs Downloaded +Runbook: Verify that this change was planned. If not, make sure no sensitive information was leaked. +Reference: https://help.zscaler.com/zia/about-audit-logs +Enabled: true +Filename: zia_logs_downloaded.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0007:T1654 # Log Enumeration +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Logs downloaded + ExpectedResult: true + Log: + { + "event": { + "action": "DOWNLOAD", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "AUDIT_LOGS", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { }, + "recordid": "363", + "resource": "None", + "result": "SUCCESS", + "subcategory": "AUDIT_LOGS", + "time": "2024-11-04 16:31:24.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: Other event + ExpectedResult: false + Log: + { + "event": { + "action": "SIGN_IN", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "LOGIN", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { }, + "recordid": "354", + "resource": "None", + "result": "SUCCESS", + "subcategory": "LOGIN", + "time": "2024-11-04 16:27:37.000000000" + }, + "sourcetype": "zscalernss-audit" + } From 752ad860c2243959930c73a3bb2a5e9be19be2ec Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Tue, 12 Nov 2024 12:56:25 +0200 Subject: [PATCH 2/5] THREAT-411 ZIA AdminAuditRules - Password, Log, Backup --- rules/zscaler_rules/zia/zia_insecure_password_settings.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/zscaler_rules/zia/zia_insecure_password_settings.py b/rules/zscaler_rules/zia/zia_insecure_password_settings.py index ab0026532..7f9a1c53c 100644 
--- a/rules/zscaler_rules/zia/zia_insecure_password_settings.py +++ b/rules/zscaler_rules/zia/zia_insecure_password_settings.py @@ -25,8 +25,8 @@ def rule(event): ) if ( auth_frequency == "PERMANENT_COOKIE" - or password_expiry == "NEVER" - or password_strength == "NONE" + or password_expiry == "NEVER" # nosec bandit B105 + or password_strength == "NONE" # nosec bandit B105 ): return True return False From 2b3990c49542396be558fe0730127ebd6bf82303 Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Tue, 12 Nov 2024 13:00:39 +0200 Subject: [PATCH 3/5] THREAT-411 ZIA AdminAuditRules - Password, Log, Backup --- packs/zscaler_zia.yml | 4 ++++ rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py | 4 ++-- rules/zscaler_rules/zia/zia_insecure_password_settings.py | 1 - 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml index 5cea13ed8..1d7dc0402 100644 --- a/packs/zscaler_zia.yml +++ b/packs/zscaler_zia.yml @@ -6,7 +6,11 @@ PackDefinition: IDs: - ZIA.Account.Access.Removed - ZIA.Additional.Cloud.Roles + - ZIA.Backup.Deleted - ZIA.Cloud.Account.Created + - ZIA.Golden.Restore.Point.Dropped + - ZIA.Insecure.Password.Settings + - ZIA.Logs.Downloaded - ZIA.Password.Expiration - ZIA.Trust.Modification - panther_zscaler_helpers diff --git a/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py index b21f10af7..2d8409460 100644 --- a/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py +++ b/rules/zscaler_rules/zia/zia_golden_restore_point_dropped.py @@ -21,8 +21,8 @@ def rule(event): if ( action == "UPDATE" and category == "BACKUP_AND_RESTORE" - and golden_restore_point_pre == True - and golden_restore_point_post == False + and golden_restore_point_pre is True + and golden_restore_point_post is False ): return True return False 
diff --git a/rules/zscaler_rules/zia/zia_insecure_password_settings.py b/rules/zscaler_rules/zia/zia_insecure_password_settings.py index 7f9a1c53c..d637cad25 100644 --- a/rules/zscaler_rules/zia/zia_insecure_password_settings.py +++ b/rules/zscaler_rules/zia/zia_insecure_password_settings.py @@ -1,5 +1,4 @@ from panther_zscaler_helpers import zia_alert_context, zia_success -from pygments.lexer import default def rule(event): From 2af4d1567e436e53e18ad8b19c1d106e5e097ddf Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Thu, 14 Nov 2024 00:05:39 +0200 Subject: [PATCH 4/5] THREAT-411 ZIA AdminAuditRules - Password, Log, Backup --- .../zia/zia_log_streaming_disabled.py | 31 ++++ .../zia/zia_log_streaming_disabled.yml | 159 ++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 rules/zscaler_rules/zia/zia_log_streaming_disabled.py create mode 100644 rules/zscaler_rules/zia/zia_log_streaming_disabled.yml diff --git a/rules/zscaler_rules/zia/zia_log_streaming_disabled.py b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py new file mode 100644 index 000000000..8208c2583 --- /dev/null +++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py @@ -0,0 +1,31 @@ +from panther_zscaler_helpers import zia_alert_context, zia_success +from pygments.lexer import default + + +def rule(event): + if not zia_success(event): + return False + action = event.deep_get("event", "action", default="ACTION_NOT_FOUND") + category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND") + if action == "DELETE" and category == "NSS": + return True + return False + + +def title(event): + cloud_connection_url = event.deep_get( + "event", + "preaction", + "cloudNssSiemConfiguration", + "connectionURL", + default="", + ) + return ( + f"[Zscaler.ZIA]: Log streaming for location [{cloud_connection_url}] " + f"was deleted by admin with id " + f"[{event.deep_get('event', 'adminid', default='')}]" + ) + + +def alert_context(event): + return zia_alert_context(event) 
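Review bot: `rule()` only matches `action == "DELETE"` in category NSS, so a feed switched off in place would not be caught, although the fixture in zia_log_streaming_disabled.yml shows a `feedStatus: "ENABLED"` attribute that an UPDATE could presumably flip; if ZIA allows that, the rule should also fire on a successful UPDATE that moves `feedStatus` away from ENABLED, as sketched below. The `title()` text calls the `connectionURL` a "location", but it is the SIEM destination; `f"[Zscaler.ZIA]: Log streaming feed to [{cloud_connection_url}] "` is more accurate. Since HTTP-collector URLs sometimes embed a per-tenant token in the path, it may also be preferable to keep the URL in `alert_context` and name the feed via `event.deep_get('event', 'resource', default='')` in the title instead.
```python
def rule(event):
    """Fire when a successful NSS change deletes a feed or takes it out of ENABLED."""
    if not zia_success(event):
        return False
    action = event.deep_get("event", "action", default="ACTION_NOT_FOUND")
    category = event.deep_get("event", "category", default="CATEGORY_NOT_FOUND")
    if category != "NSS":
        return False
    if action == "DELETE":
        return True
    # Assumes feedStatus can be changed via UPDATE — confirm against a real event.
    pre_status = event.deep_get("event", "preaction", "feedStatus", default="")
    post_status = event.deep_get("event", "postaction", "feedStatus", default="")
    return action == "UPDATE" and pre_status == "ENABLED" and post_status != "ENABLED"
# … unchanged: title, alert_context …
```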
diff --git a/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml b/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml new file mode 100644 index 000000000..0c481ed3e --- /dev/null +++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.yml 
@@ -0,0 +1,159 @@ +AnalysisType: rule +RuleID: ZIA.Log.Streaming.Disabled +Description: This rule detects when ZIA log streaming was disabled. +DisplayName: ZIA Log Streaming Disabled +Runbook: Verify that this change was planned. If not, make sure to restore previous settings. +Reference: https://help.zscaler.com/zia/about-nss-feeds +Enabled: true +Filename: zia_log_streaming_disabled.py +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Disable or Modify Cloud Logs +LogTypes: + - Zscaler.ZIA.AdminAuditLog +DedupPeriodMinutes: 60 +Threshold: 1 +Tests: + - Name: Log streaming disabled (NSS deleted) + ExpectedResult: true + Log: + { + "event": { + "action": "DELETE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": "NSS", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { }, + "preaction": { + "cloudNss": true, + "cloudNssSiemConfiguration": { + "connectionHeaders": [ + "123:123" + ], + "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20", + "lastSuccessFullTest": 0, + "maxBatchSize": 512, + "nssType": "NSS_FOR_WEB", + "oAuthAuthentication": false, + "siemType": "OTHER", + "testConnectivityCode": 0 + }, + "customEscapedCharacter": [ + "ASCII_44", + "ASCII_92", + "ASCII_34" + ], + "duplicateLogs": 0, + "epsRateLimit": 0, + "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} 
%02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n", + "feedStatus": "ENABLED", + "id": 2898, + "jsonArrayToggle": true, + "name": "test-feed-2", + "nssFeedType": "JSON", + "nssFilter": { + "securityFeedFilter": false + }, + "nssLogType": "WEBLOG", + "timeZone": "GMT", + "userObfuscation": "DISABLED" + }, + "recordid": "371", + "resource": "test-feed-2", + "result": "SUCCESS", + "subcategory": "NSS_FEED", + "time": "2024-11-04 16:34:34.000000000" + }, + "sourcetype": "zscalernss-audit" + } + - Name: NSS created + ExpectedResult: false + Log: + { + "event": { + "action": "CREATE", + "adminid": "admin@test.zscalerbeta.net", + "auditlogtype": "ZIA", + "category": 
"NSS", + "clientip": "1.2.3.4", + "errorcode": "None", + "interface": "UI", + "postaction": { + "cloudNss": true, + "cloudNssSiemConfiguration": { + "clientSecret": "******", + "connectionHeaders": [ + "123:123" + ], + "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786656f20", + "lastSuccessFullTest": 0, + "maxBatchSize": 512, + "nssType": "NSS_FOR_WEB", + "oAuthAuthentication": false, + "siemType": "OTHER", + "testConnectivityCode": 0 + }, + "customEscapedCharacter": [ + "ASCII_44", + "ASCII_92", + "ASCII_34" + ], + "duplicateLogs": 0, + "epsRateLimit": 0, + "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\",\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devi
cehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n", + "feedStatus": "ENABLED", + "id": 2898, + "jsonArrayToggle": true, + "name": "test-feed-2", + "nssFeedType": "JSON", + "nssFilter": { + "securityFeedFilter": false + }, + "nssLogType": "WEBLOG", + "timeZone": "GMT", + "userObfuscation": "DISABLED" + }, + "preaction": { + "cloudNss": true, + "cloudNssSiemConfiguration": { + "connectionHeaders": [ + "123:123" + ], + "connectionURL": "https://logs.company.net/http/a7adc684-f65c-42af-9519-0a0786621f20", + "maxBatchSize": 524288, + "nssType": "NSS_FOR_WEB", + "oAuthAuthentication": false, + "siemType": "OTHER" + }, + "customEscapedCharacter": [ + "ASCII_44", + "ASCII_92", + "ASCII_34" + ], + "duplicateLogs": 0, + "epsRateLimit": 0, + "feedOutputFormat": "\\{ \"sourcetype\" : \"zscalernss-web\", \"event\" : \\{\"datetime\":\"%d{yy}-%02d{mth}-%02d{dd} %02d{hh}:%02d{mm}:%02d{ss}\",\"reason\":\"%s{reason}\",\"event_id\":\"%d{recordid}\",\"protocol\":\"%s{proto}\",\"action\":\"%s{action}\",\"transactionsize\":\"%d{totalsize}\",\"responsesize\":\"%d{respsize}\",\"requestsize\":\"%d{reqsize}\",\"urlcategory\":\"%s{urlcat}\",\"serverip\":\"%s{sip}\",\"requestmethod\":\"%s{reqmethod}\",\"refererURL\":\"%s{ereferer}\",\"useragent\":\"%s{eua}\",\"product\":\"NSS\",\"location\":\"%s{elocation}\",\"ClientIP\":\"%s{cip}\",\"status\":\"%s{respcode}\",\"user\":\"%s{elogin}\",\"url\":\"%s{eurl}\",\"vendor\":\"Zscaler\",\"hostname\":\"%s{ehost}\",\"clientpublicIP\":\"%s{cintip}\",\"threatcategory\":\"%s{malwarecat}\",\"threatname\":\"%s{threatname}\",\"filetype\":\"%s{filetype}\",\"appname\":\"%s{appname}\",\"app_status\":\"%s{app_status}\",\"pagerisk\":\"%d{riskscore}\",\"threatseverity\":\"%s{threatseverity}\",\"department\":\"%s{edepartment}\",\"urlsupercategory\":\"%s{urlsupercat}\",\"appclass\":\"%s{appclass}\",\"dlpengine\":\"%s{dlpeng}\",\"urlclass\":\"%s{urlclass}\",\"threatclass\":\"%s{malwareclass}\",\"dlpdictionaries\":\"%s{dlpdict}\"
,\"fileclass\":\"%s{fileclass}\",\"bwthrottle\":\"%s{bwthrottle}\",\"contenttype\":\"%s{contenttype}\",\"unscannabletype\":\"%s{unscannabletype}\",\"deviceowner\":\"%s{deviceowner}\",\"devicehostname\":\"%s{devicehostname}\",\"keyprotectiontype\":\"%s{keyprotectiontype}\"\\}\\}\n", + "feedStatus": "ENABLED", + "id": 0, + "jsonArrayToggle": true, + "name": "test-feed-2", + "nssFeedType": "JSON", + "nssFilter": { + "securityFeedFilter": false + }, + "nssLogType": "WEBLOG", + "siemConfiguration": { }, + "timeZone": "GMT" + }, + "recordid": "370", + "resource": "test-feed-2", + "result": "SUCCESS", + "subcategory": "NSS_FEED", + "time": "2024-11-04 16:33:48.000000000" + }, + "sourcetype": "zscalernss-audit" + } From 80ed8ec5e6f6c13fb4cb1f41b697af9ed7473dc6 Mon Sep 17 00:00:00 2001 From: akozlovets098 Date: Thu, 14 Nov 2024 00:08:43 +0200 Subject: [PATCH 5/5] THREAT-411 ZIA AdminAuditRules - Password, Log, Backup --- packs/zscaler_zia.yml | 1 + rules/zscaler_rules/zia/zia_log_streaming_disabled.py | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/packs/zscaler_zia.yml b/packs/zscaler_zia.yml index 1d7dc0402..d77e39d7e 100644 --- a/packs/zscaler_zia.yml +++ b/packs/zscaler_zia.yml @@ -11,6 +11,7 @@ PackDefinition: - ZIA.Golden.Restore.Point.Dropped - ZIA.Insecure.Password.Settings - ZIA.Logs.Downloaded + - ZIA.Log.Streaming.Disabled - ZIA.Password.Expiration - ZIA.Trust.Modification - panther_zscaler_helpers diff --git a/rules/zscaler_rules/zia/zia_log_streaming_disabled.py b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py index 8208c2583..acde5c745 100644 --- a/rules/zscaler_rules/zia/zia_log_streaming_disabled.py +++ b/rules/zscaler_rules/zia/zia_log_streaming_disabled.py @@ -1,5 +1,4 @@ from panther_zscaler_helpers import zia_alert_context, zia_success -from pygments.lexer import default def rule(event):