detection.wiki

Detection rules › Panther

An administrator account was created, deleted, or modified.

Severity
high
Log types
Netskope.Audit
Tags
Netskope, Account Manipulation
Reference
https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
Source
github.com/panther-labs/panther-analysis

An administrator account was created, deleted, or modified.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1098 Account Manipulation

Rule body yaml

AnalysisType: rule
RuleID: "Netskope.AdminUserChange"
DisplayName: "An administrator account was created, deleted, or modified."
Enabled: true
Filename: netskope_admin_user_change.py
LogTypes:
  - Netskope.Audit
Tags:
  - Netskope
  - Account Manipulation
Reports:
  MITRE ATT&CK:
    - TA0004:T1098
Severity: High
Reference: https://docs.netskope.com/en/netskope-help/admin-console/administration/managing-administrators/
Description: An administrator account was created, deleted, or modified.
DedupPeriodMinutes: 60
Threshold: 1
Runbook: An administrator account was created, deleted, or modified.  Validate that this activity is expected and authorized.
Tests:
  - Name: True positive
    ExpectedResult: true
    Log:
      {
        "_id": "e5ca619b059fccdd0cfd9398",
        "_insertion_epoch_timestamp": 1702308331,
        "audit_log_event": "Created new admin",
        "count": 1,
        "is_netskope_personnel": true,
        "organization_unit": "",
        "severity_level": 2,
        "supporting_data":
          {
            "data_type": "user",
            "data_values": ["11.22.33.44", "adminsupport@netskope.com"],
          },
        "timestamp": "2023-12-11 15:25:31.000000000",
        "type": "admin_audit_logs",
        "ur_normalized": "adminsupport@netskope.com",
        "user": "adminsupport@netskope.com",
      }
  - Name: True negative
    ExpectedResult: false
    Log:
      {
        "_id": "1e589befa3da30132362f32a",
        "_insertion_epoch_timestamp": 1702318213,
        "audit_log_event": "Rest API V2 Call",
        "count": 1,
        "is_netskope_personnel": false,
        "organization_unit": "",
        "severity_level": 2,
        "supporting_data":
          {
            "data_type": "incidents",
            "data_values":
              [
                200,
                "POST",
                "/api/v2/incidents/uba/getuci",
                "trid=ccb898fgrhvdd0v0lebg",
              ],
          },
        "timestamp": "2023-12-11 18:10:13.000000000",
        "type": "admin_audit_logs",
        "ur_normalized": "service-account",
        "user": "service-account",
      }

Detection logic

Condition

audit_log_event in ["Created new admin", "Added SSO Admin", "Edited SSO Admin Record", "Created new support admin", "Edit admin record", "Deleted admin", "Enabled admin", "Disabled admin", "Unlocked admin", "Updated admin settings", "Deleted Netskope SSO admin"]

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
audit_log_eventin
  • Added SSO Admin
  • Created new admin
  • Created new support admin
  • Deleted Netskope SSO admin
  • Deleted admin
  • Disabled admin
  • Edit admin record
  • Edited SSO Admin Record
  • Enabled admin
  • Unlocked admin
  • Updated admin settings

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field
user
audit_log_event