THREAT-403 Create rules for User, Administrator, and Role Management based on test cases

global_helpers/panther_zscaler_helpers.py

@@ -0,0 +1,19 @@
+def zia_success(event):
+    if (
+        event.deep_get("event", "errorcode", default="") == "None"
+        and event.deep_get("event", "result", default="") == "SUCCESS"
+    ):
+        return True
+    return False
+
+
+def zia_alert_context(event):
+    event_data = event.get("event", {})
+    return {
+        "action": event_data.get("action", ""),
+        "admin_id": event_data.get("adminid", ""),
+        "category": event_data.get("category", ""),
+        "client_ip": event_data.get("clientip", ""),
+        "preaction": event_data.get("preaction", ""),
+        "postaction": event_data.get("postaction", ""),
+    }

global_helpers/panther_zscaler_helpers.yml

@@ -0,0 +1,5 @@
+AnalysisType: global
+Filename: panther_zscaler_helpers.py
+GlobalID: "panther_zscaler_helpers"
+Description: >
+  Used to define global helpers for Zscaler events

packs/zscaler_zia.yml

@@ -0,0 +1,14 @@
+AnalysisType: pack
+PackID: PantherManaged.Zscaler.ZIA
+Description: Group of all Zscaler ZIA detections
+DisplayName: "Panther Zscaler ZIA Pack"
+PackDefinition:
+  IDs:
+    - ZIA.Account.Access.Removed
+    - ZIA.Additional.Cloud.Roles
+    - ZIA.Cloud.Account.Created
+    - ZIA.Password.Expiration
+    - ZIA.Trust.Modification
+    - panther_zscaler_helpers
+    - panther_base_helpers
+

rules/zscaler_rules/zia/zia_account_access_removal.py

@@ -0,0 +1,24 @@
+from panther_zscaler_helpers import zia_alert_context, zia_success
+
+SENSITIVE_CATEGORIES = ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"]
+
+
+def rule(event):
+    if not zia_success(event):
+        return False
+    event_data = event.get("event", {})
+    return (
+        event_data.get("action", "ACTION_NOT_FOUND") == "DELETE"
+        and event_data.get("category", "CATEGORY_NOT_FOUND") in SENSITIVE_CATEGORIES
+    )
+
+
+def title(event):
+    return (
+        f"[Zscaler.ZIA]: Admin account was deleted by admin with id "
+        f"[{event.deep_get('event', 'adminid', default='<ADMIN_ID_NOT_FOUND>')}]"
+    )
+
+
+def alert_context(event):
+    return zia_alert_context(event)

rules/zscaler_rules/zia/zia_account_access_removal.yml

@@ -0,0 +1,324 @@
+AnalysisType: rule
+RuleID: ZIA.Account.Access.Removed
+Description: This rule detects when admin user/role was deleted.
+DisplayName: ZIA Account Access Removed
+Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
+Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management
+Enabled: true
+Filename: zia_account_access_removal.py
+Severity: Medium
+Reports:
+  MITRE ATT&CK:
+    - TA0040:T1531 # Account Access removal
+LogTypes:
+  - Zscaler.ZIA.AdminAuditLog
+DedupPeriodMinutes: 60
+Threshold: 1
+Tests:
+  - Name: Administration > User Management > Add User, remove from Service Admin group
+    ExpectedResult: false
+    Log:
+      {
+        "event": {
+          "action": "UPDATE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "USER_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": {
+            "adminUser": false,
+            "department": {
+              "id": 19752838,
+              "isDeleted": false,
+              "isForUnauthenticatedUser": false,
+              "isNonEditable": false,
+              "name": "test"
+            },
+            "email": "johndoe@dev-company.com",
+            "groups": [
+              {
+                "id": 19631231,
+                "isNonEditable": false,
+                "name": "test"
+              }
+            ],
+            "id": 19752821,
+            "isNonEditable": false,
+            "miscflags": 0,
+            "name": "johndoe",
+            "systemDefinedGroups": [ ]
+          },
+          "preaction": {
+            "adminUser": false,
+            "authType": "SAFECHANNEL_DIR",
+            "department": {
+              "id": 16991313,
+              "isDeleted": false,
+              "isForUnauthenticatedUser": false,
+              "isNonEditable": false,
+              "name": "Service Admin"
+            },
+            "email": "johndoe@dev-company.com",
+            "groups": [
+              {
+                "id": 16991312,
+                "isNonEditable": false,
+                "name": "Service Admin"
+              }
+            ],
+            "id": 19752821,
+            "miscflags": 268435456,
+            "name": "johndoe"
+          },
+          "recordid": "324",
+          "resource": "johndoe",
+          "result": "SUCCESS",
+          "subcategory": "USER",
+          "time": "2024-10-22 22:01:28.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: Administration Management > Administrators > Edit Administrator, delete administrator
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "ADMINISTRATOR_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "adminScope": {
+              "scopeEntities": [ ],
+              "scopeGroupMemberEntities": [ ],
+              "type": "ORGANIZATION"
+            },
+            "disabled": false,
+            "email": "johndoe@company.com",
+            "id": 19752821,
+            "isExecMobileAppEnabled": true,
+            "isPasswordLoginAllowed": true,
+            "loginName": "johndoe@dev-company.com",
+            "pwdLastModifiedTime": 1729634767,
+            "role": {
+              "deleted": false,
+              "extensions": {
+                "adminRank": "0",
+                "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN"
+              },
+              "id": 24354,
+              "isNameL10nTag": true,
+              "name": "Super Admin"
+            },
+            "userName": "johndoe1123"
+          },
+          "recordid": "327",
+          "resource": "johndoe1123",
+          "result": "SUCCESS",
+          "subcategory": "ADMINISTRATOR_ADMIN_USER",
+          "time": "2024-10-22 22:09:01.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: Administration Management > Auditors > Edit Auditor, delete auditor
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "ADMINISTRATOR_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "disabled": false,
+            "id": 19752860,
+            "isAuditor": true,
+            "loginName": "arieeel@dev-company.com",
+            "newLocationCreateAllowed": false,
+            "pwdLastModifiedTime": 0,
+            "role": {
+              "deleted": false,
+              "id": 30510,
+              "isNameL10nTag": false,
+              "name": "Auditor"
+            },
+            "userName": "areiiiel"
+          },
+          "recordid": "329",
+          "resource": "areiiiel",
+          "result": "SUCCESS",
+          "subcategory": "ADMINISTRATOR_AUDITOR",
+          "time": "2024-10-22 22:11:56.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: Administration > Role Management > Edit Administrator Role, delete role
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "ROLE_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "adminAcctAccess": "READ_WRITE",
+            "alertingAccess": "READ_WRITE",
+            "analysisAccess": "READ_ONLY",
+            "dashboardAccess": "READ_WRITE",
+            "deviceInfoAccess": "READ_ONLY",
+            "id": 32780,
+            "logsLimit": "Unrestricted",
+            "name": "mega admin",
+            "permissions": [
+              "SECURE",
+              "COMPLY",
+              "SSL_POLICY",
+              "ADVANCED_SETTINGS",
+              "FIREWALL_DNS",
+              "NSS_CONFIGURATION",
+              "VZEN_CONFIGURATION",
+              "LOCATIONS",
+              "HOSTED_PAC_FILES",
+              "EZ_AGENT_CONFIGURATIONS",
+              "SECURE_AGENT_NOTIFICATIONS",
+              "VPN_CREDENTIALS",
+              "AUTHENTICATION_SETTINGS",
+              "IDENTITY_PROXY_SETTINGS",
+              "USER_MANAGEMENT",
+              "APIKEY_MANAGEMENT",
+              "PARTNER_INTEGRATION",
+              "POLICY_RESOURCE_MANAGEMENT",
+              "CUSTOM_URL_CAT",
+              "OVERRIDE_EXISTING_CAT",
+              "PROXY_GATEWAY",
+              "TENANT_PROFILE_MANAGEMENT",
+              "STATIC_IPS",
+              "REMOTE_ASSISTANCE_MANAGEMENT",
+              "GRE_TUNNELS",
+              "CLIENT_CONNECTOR_PORTAL",
+              "SUBCLOUDS"
+            ],
+            "policyAccess": "READ_WRITE",
+            "rank": 7,
+            "reportAccess": "READ_WRITE",
+            "reportTimeDuration": -1,
+            "roleType": "EXEC_INSIGHT_AND_ORG_ADMIN",
+            "usernameAccess": "READ_ONLY"
+          },
+          "recordid": "342",
+          "resource": "mega admin",
+          "result": "SUCCESS",
+          "subcategory": "ADMINISTRATOR_ROLE",
+          "time": "2024-10-22 22:31:35.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "ROLE_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "adminAcctAccess": "NONE",
+            "alertingAccess": "READ_ONLY",
+            "analysisAccess": "NONE",
+            "dashboardAccess": "NONE",
+            "deviceInfoAccess": "NONE",
+            "id": 32781,
+            "name": "wanny",
+            "permissions": [
+              "STATIC_IPS",
+              "LOCATIONS",
+              "GRE_TUNNELS",
+              "VPN_CREDENTIALS"
+            ],
+            "policyAccess": "READ_WRITE",
+            "rank": 7,
+            "reportAccess": "NONE",
+            "reportTimeDuration": -1,
+            "roleType": "SDWAN",
+            "usernameAccess": "NONE"
+          },
+          "recordid": "345",
+          "resource": "wanny",
+          "result": "SUCCESS",
+          "subcategory": "ADMINISTRATOR_ROLE",
+          "time": "2024-10-22 22:34:58.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }
+  - Name: Administration > Role Management > Edit API Role, delete role
+    ExpectedResult: true
+    Log:
+      {
+        "event": {
+          "action": "DELETE",
+          "adminid": "admin@16991311.zscalerbeta.net",
+          "auditlogtype": "ZIA",
+          "category": "ROLE_MANAGEMENT",
+          "clientip": "123.123.123.123",
+          "errorcode": "None",
+          "interface": "UI",
+          "postaction": { },
+          "preaction": {
+            "adminAcctAccess": "READ_WRITE",
+            "alertingAccess": "NONE",
+            "analysisAccess": "NONE",
+            "dashboardAccess": "NONE",
+            "deviceInfoAccess": "NONE",
+            "id": 32782,
+            "logsLimit": "Unrestricted",
+            "name": "bad API",
+            "permissions": [
+              "SECURE",
+              "COMPLY",
+              "SSL_POLICY",
+              "ADVANCED_SETTINGS",
+              "FIREWALL_DNS",
+              "LOCATIONS",
+              "VPN_CREDENTIALS",
+              "USER_MANAGEMENT",
+              "POLICY_RESOURCE_MANAGEMENT",
+              "CUSTOM_URL_CAT",
+              "OVERRIDE_EXISTING_CAT",
+              "STATIC_IPS",
+              "GRE_TUNNELS"
+            ],
+            "policyAccess": "READ_WRITE",
+            "rank": 7,
+            "reportAccess": "NONE",
+            "reportTimeDuration": -1,
+            "roleType": "PUBLIC_API",
+            "usernameAccess": "NONE"
+          },
+          "recordid": "346",
+          "resource": "bad API",
+          "result": "SUCCESS",
+          "subcategory": "ADMINISTRATOR_ROLE",
+          "time": "2024-10-22 22:35:06.000000000"
+        },
+        "sourcetype": "zscalernss-audit"
+      }