Skip to content

Commit

Permalink
THREAT-403 Create rules for User, Administrator, and Role Management …
Browse files Browse the repository at this point in the history 
…based on test cases - part 1
  • Loading branch information
@akozlovets098
akozlovets098 committed Oct 30, 2024
1 parent eeaaaf0 commit 30d5619
Show file tree
Hide file tree
Showing 6 changed files with 603 additions and 0 deletions.
19 changes: 19 additions & 0 deletions global_helpers/panther_zscaler_helpers.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
def zia_success(event):
if (
event.deep_get("event", "errorcode", default="") == "None"
and event.deep_get("event", "result", default="") == "SUCCESS"
):
return True
return False


def zia_alert_context(event):
event_data = event.get("event", {})
return {
"action": event_data.get("action", ""),
"admin_id": event_data.get("adminid", ""),
"category": event_data.get("category", ""),
"client_ip": event_data.get("clientip", ""),
"preaction": event_data.get("preaction", ""),
"postaction": event_data.get("postaction", ""),
}
5 changes: 5 additions & 0 deletions global_helpers/panther_zscaler_helpers.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
AnalysisType: global
Filename: panther_zscaler_helpers.py
GlobalID: "panther_zscaler_helpers"
Description: >
Used to define global helpers for Zscaler events
24 changes: 24 additions & 0 deletions rules/zscaler_rules/zia_account_access_removal.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
from panther_zscaler_helpers import zia_alert_context, zia_success

SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"]


def rule(event):
if not zia_success(event):
return False
event_data = event.get("event", {})
return (
event_data.get("action", "ACTION_NOT_FOUND") == "DELETE"
and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES
)


def title(event):
return (
f"[Zscaler.ZIA]: Admin account was deleted by admin with id "
f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
)


def alert_context(event):
return zia_alert_context(event)
324 changes: 324 additions & 0 deletions rules/zscaler_rules/zia_account_access_removal.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,324 @@
AnalysisType: rule
RuleID: ZIA.Account.Access.Removed
Description: This rule detects when and admin user/role was deleted.
DisplayName: ZIA Account Access Removed
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management
Enabled: true
Filename: zia_account_access_removal.py
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0040:T1531 # Account Access removal
LogTypes:
- Zscaler.ZIA.AdminAuditLog
DedupPeriodMinutes: 60
Threshold: 1
Tests:
- Name: Administration > User Management > Add User, remove from Service Admin group
ExpectedResult: false
Log:
{
"event": {
"action": "UPDATE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "USER_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": {
"adminUser": false,
"department": {
"id": 19752838,
"isDeleted": false,
"isForUnauthenticatedUser": false,
"isNonEditable": false,
"name": "test"
},
"email": "johndoe@dev-company.com",
"groups": [
{
"id": 19631231,
"isNonEditable": false,
"name": "test"
}
],
"id": 19752821,
"isNonEditable": false,
"miscflags": 0,
"name": "johndoe",
"systemDefinedGroups": [ ]
},
"preaction": {
"adminUser": false,
"authType": "SAFECHANNEL_DIR",
"department": {
"id": 16991313,
"isDeleted": false,
"isForUnauthenticatedUser": false,
"isNonEditable": false,
"name": "Service Admin"
},
"email": "johndoe@dev-company.com",
"groups": [
{
"id": 16991312,
"isNonEditable": false,
"name": "Service Admin"
}
],
"id": 19752821,
"miscflags": 268435456,
"name": "johndoe"
},
"recordid": "324",
"resource": "johndoe",
"result": "SUCCESS",
"subcategory": "USER",
"time": "2024-10-22 22:01:28.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration Management > Administrators > Edit Administrator, delete administrator
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ADMINISTRATOR_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminScope": {
"scopeEntities": [ ],
"scopeGroupMemberEntities": [ ],
"type": "ORGANIZATION"
},
"disabled": false,
"email": "johndoe@company.com",
"id": 19752821,
"isExecMobileAppEnabled": true,
"isPasswordLoginAllowed": true,
"loginName": "johndoe@dev-company.com",
"pwdLastModifiedTime": 1729634767,
"role": {
"deleted": false,
"extensions": {
"adminRank": "0",
"roleType": "EXEC_INSIGHT_AND_ORG_ADMIN"
},
"id": 24354,
"isNameL10nTag": true,
"name": "Super Admin"
},
"userName": "johndoe1123"
},
"recordid": "327",
"resource": "johndoe1123",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ADMIN_USER",
"time": "2024-10-22 22:09:01.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration Management > Auditors > Edit Auditor, delete auditor
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ADMINISTRATOR_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"disabled": false,
"id": 19752860,
"isAuditor": true,
"loginName": "arieeel@dev-company.com",
"newLocationCreateAllowed": false,
"pwdLastModifiedTime": 0,
"role": {
"deleted": false,
"id": 30510,
"isNameL10nTag": false,
"name": "Auditor"
},
"userName": "areiiiel"
},
"recordid": "329",
"resource": "areiiiel",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_AUDITOR",
"time": "2024-10-22 22:11:56.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit Administrator Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "READ_WRITE",
"alertingAccess": "READ_WRITE",
"analysisAccess": "READ_ONLY",
"dashboardAccess": "READ_WRITE",
"deviceInfoAccess": "READ_ONLY",
"id": 32780,
"logsLimit": "Unrestricted",
"name": "mega admin",
"permissions": [
"SECURE",
"COMPLY",
"SSL_POLICY",
"ADVANCED_SETTINGS",
"FIREWALL_DNS",
"NSS_CONFIGURATION",
"VZEN_CONFIGURATION",
"LOCATIONS",
"HOSTED_PAC_FILES",
"EZ_AGENT_CONFIGURATIONS",
"SECURE_AGENT_NOTIFICATIONS",
"VPN_CREDENTIALS",
"AUTHENTICATION_SETTINGS",
"IDENTITY_PROXY_SETTINGS",
"USER_MANAGEMENT",
"APIKEY_MANAGEMENT",
"PARTNER_INTEGRATION",
"POLICY_RESOURCE_MANAGEMENT",
"CUSTOM_URL_CAT",
"OVERRIDE_EXISTING_CAT",
"PROXY_GATEWAY",
"TENANT_PROFILE_MANAGEMENT",
"STATIC_IPS",
"REMOTE_ASSISTANCE_MANAGEMENT",
"GRE_TUNNELS",
"CLIENT_CONNECTOR_PORTAL",
"SUBCLOUDS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "READ_WRITE",
"reportTimeDuration": -1,
"roleType": "EXEC_INSIGHT_AND_ORG_ADMIN",
"usernameAccess": "READ_ONLY"
},
"recordid": "342",
"resource": "mega admin",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:31:35.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "NONE",
"alertingAccess": "READ_ONLY",
"analysisAccess": "NONE",
"dashboardAccess": "NONE",
"deviceInfoAccess": "NONE",
"id": 32781,
"name": "wanny",
"permissions": [
"STATIC_IPS",
"LOCATIONS",
"GRE_TUNNELS",
"VPN_CREDENTIALS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "NONE",
"reportTimeDuration": -1,
"roleType": "SDWAN",
"usernameAccess": "NONE"
},
"recordid": "345",
"resource": "wanny",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:34:58.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit API Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "READ_WRITE",
"alertingAccess": "NONE",
"analysisAccess": "NONE",
"dashboardAccess": "NONE",
"deviceInfoAccess": "NONE",
"id": 32782,
"logsLimit": "Unrestricted",
"name": "bad API",
"permissions": [
"SECURE",
"COMPLY",
"SSL_POLICY",
"ADVANCED_SETTINGS",
"FIREWALL_DNS",
"LOCATIONS",
"VPN_CREDENTIALS",
"USER_MANAGEMENT",
"POLICY_RESOURCE_MANAGEMENT",
"CUSTOM_URL_CAT",
"OVERRIDE_EXISTING_CAT",
"STATIC_IPS",
"GRE_TUNNELS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "NONE",
"reportTimeDuration": -1,
"roleType": "PUBLIC_API",
"usernameAccess": "NONE"
},
"recordid": "346",
"resource": "bad API",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:35:06.000000000"
},
"sourcetype": "zscalernss-audit"
}
Loading

0 comments on commit 30d5619

Please sign in to comment.