Detection rules › Panther
A User Role with Sensitive Permissions has been Created
A Panther user role has been created that contains admin level permissions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
Rule body yaml
AnalysisType: rule
Filename: panther_sensitive_role_created.py
RuleID: "Panther.Sensitive.Role"
DisplayName: "A User Role with Sensitive Permissions has been Created"
Enabled: true
LogTypes:
- Panther.Audit
Severity: High
Tags:
- DataModel
- Persistence:Account Manipulation
Reports:
MITRE ATT&CK:
- TA0003:T1098
Description: A Panther user role has been created that contains admin level permissions.
Runbook: Contact the creator of this role to ensure its creation was appropriate.
Reference: https://docs.panther.com/system-configuration/rbac
SummaryAttributes:
- p_any_ip_addresses
Tests:
- Name: Admin Role Created
ExpectedResult: true
Log:
{
"actionName": "CREATE_USER_ROLE",
"actionParams":
{
"dynamic":
{
"input":
{
"logTypeAccessKind": "DENY_ALL",
"name": "New Admins",
"permissions":
[
"GeneralSettingsModify",
"GeneralSettingsRead",
"SummaryRead",
],
},
},
},
"actionResult": "SUCCEEDED",
"actor":
{
"attributes":
{
"email": "homer@springfield.gov",
"emailVerified": true,
"roleId": "1111111",
},
"id": "11111111",
"name": "Homer Simpson",
"type": "USER",
},
"errors": null,
"p_log_type": "Panther.Audit",
"pantherVersion": "1.2.3",
"sourceIP": "1.2.3.4",
"timestamp": "2022-04-27 20:47:09.425",
}
- Name: Non-Admin Role Created
ExpectedResult: false
Log:
{
"actionName": "CREATE_USER_ROLE",
"actionParams":
{
"dynamic":
{
"input":
{
"logTypeAccessKind": "DENY_ALL",
"name": "New Admins",
"permissions": ["SummaryRead"],
},
},
},
"actionResult": "SUCCEEDED",
"actor":
{
"attributes":
{
"email": "homer@springfield.gov",
"emailVerified": true,
"roleId": "1111111",
},
"id": "11111111",
"name": "Homer Simpson",
"type": "USER",
},
"errors": null,
"p_log_type": "Panther.Audit",
"pantherVersion": "1.2.3",
"sourceIP": "1.2.3.4",
"timestamp": "2022-04-27 20:47:09.425",
}
- Name: nonetype error
ExpectedResult: false
Log:
{
"XForwardedFor": ["1.2.3.4", "5.6.7.8"],
"actionDescription": "Adds a new User role to Panther",
"actionName": "CREATE_USER_ROLE",
"actionParams":
{
"dynamic":
{
"input":
{
"logTypeAccess": ["Okta.SystemLog"],
"logTypeAccessKind": "ALLOW",
"name": "ITE Role",
"permissions": ["AlertRead", "DataAnalyticsRead"],
},
},
"static": {},
},
"actionResult": "FAILED",
"actor":
{
"attributes":
{
"email": "random@noreply.com",
"emailVerified": false,
"roleId": "2a7bfe22-666d-4f71-99d2-c16b8666eca1",
"roleName": "Admin",
},
"id": "PantherSSO_random@noreply.com",
"name": "random@noreply.com",
"type": "USER",
},
"errors":
[
{
"message": "You cannot save a role that has both log type restrictions and alerts/detections permissions at this time.",
},
],
"p_alert_creation_time": "2023-02-09 21:47:09.745566000",
"p_alert_id": "7eb5ca596b2153f95885cb2440e12345",
"p_alert_severity": "HIGH",
"p_alert_update_time": "2023-02-09 21:47:09.745566000",
"p_any_ip_addresses": ["1.2.3.4", "5.6.7.8"],
"p_any_trace_ids": ["PantherSSO_random@noreply.com"],
"p_any_usernames": ["random@noreply.com"],
"p_enrichment":
{
"ipinfo_asn":
{
"sourceIP":
{
"asn": "AS396982",
"domain": "google.com",
"name": "Google LLC",
"route": "208.127.224.0/21",
"type": "hosting",
},
},
"ipinfo_location":
{
"sourceIP":
{
"city": "Ashburn",
"country": "US",
"lat": "39.04372",
"lng": "-77.48749",
"postal_code": "20147",
"region": "Virginia",
"region_code": "VA",
"timezone": "America/New_York",
},
},
},
"p_event_time": "2023-02-09 21:45:59.352910070",
"p_log_type": "Panther.Audit",
"p_parse_time": "2023-02-09 21:46:53.858602089",
"p_row_id": "b29dff36ad73cb77a5d7a3a816c39c2a",
"p_rule_error": '''NoneType'' object is not iterable: Panther.Sensitive.Role.py, line 20, in rule role_permissions = set(event.deep_get("actionParams", "input", "permissions"))',
"p_rule_id": "Panther.Sensitive.Role",
"p_rule_reports": { "MITRE ATT&CK": ["TA0003:T1098"] },
"p_rule_severity": "HIGH",
"p_rule_tags": ["DataModel", "Persistence:Account Manipulation"],
"p_schema_version": 0,
"p_source_id": "9a116557-0a1c-4a21-8565-1135dfe5e82b",
"p_source_label": "panther-audit-logs-us-east-1",
"pantherVersion": "1.53.7",
"sourceIP": "1.2.3.4",
"timestamp": "2023-02-09 21:45:59.352910070",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
}
Detection logic
Condition
actionResult eq "SUCCEEDED"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
actionResult | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
user | actor_user |
role_name | actionParams.name |
ip | source_ip |
name | actionParams.input.name |