Detection rules › Panther
Wiz Rule Change
This rule detects creations, updates and deletions of Wiz rules.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.001 Impair Defenses: Disable or Modify Tools |
Rule body yaml
AnalysisType: rule
RuleID: Wiz.Rule.Change
Description: This rule detects creations, updates and deletions of Wiz rules.
DisplayName: Wiz Rule Change
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again. If needed, review the privileges of existing accounts.
Reference: https://www.wiz.io/blog/custom-runtime-rules-and-response-policies
Enabled: true
Filename: wiz_rule_change.py
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0005:T1562.001 # Impair Defenses: Disable or Modify Tools
LogTypes:
- Wiz.Audit
DedupPeriodMinutes: 60
Threshold: 1
Tests:
- Name: DeleteCloudConfigurationRule
ExpectedResult: true
Log:
{
"action": "DeleteCloudConfigurationRule",
"actionparameters": {
"input": {
"id": "12345-3fd7-4063-8e06-12345"
},
"selection": [
"__typename",
"_stub"
]
},
"id": "12345-0301-491d-9fe6-12345",
"log_type": "auditLogEntries",
"requestid": "12345-c18f-4ce0-9288-12345",
"serviceaccount": null,
"sourceip": "8.8.8.8",
"status": "SUCCESS",
"timestamp": "2024-03-24 10:58:31.347",
"user": {
"id": "testy@company.com",
"name": "testy@company.com"
},
"useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
}
- Name: CreateUser
ExpectedResult: false
Log:
{
"id": "220d23be-f07c-4d97-b4a6-87ad04eddb14",
"action": "CreateUser",
"requestId": "0d9521b2-c3f8-4a73-bf7c-20257788752e",
"status": "SUCCESS",
"timestamp": "2024-07-29T09:40:15.66643Z",
"actionParameters": {
"input": {
"assignedProjectIds": null,
"email": "testy@company.com",
"expiresAt": null,
"name": "Test User",
"role": "GLOBAL_ADMIN"
},
"selection": [
"__typename",
{
"user": [
"__typename",
"id"
]
}
]
},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
"sourceIP": "8.8.8.8",
"serviceAccount": null,
"user": {
"id": "someuser@company.com",
"name": "someuser@company.com"
}
}
- Name: DeleteCloudConfigurationRule - Fail
ExpectedResult: false
Log:
{
"action": "DeleteCloudConfigurationRule",
"id": "12345-0301-491d-9fe6-12345",
"log_type": "auditLogEntries",
"requestid": "12345-c18f-4ce0-9288-12345",
"serviceaccount": null,
"sourceip": "8.8.8.8",
"status": "FAILED",
"timestamp": "2024-03-24 10:58:31.347",
"user": {
"id": "testy@company.com",
"name": "testy@company.com"
},
"useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
}
Detection logic
Condition
status eq "SUCCESS"
action in ["DeleteAutomationRule", "UpdateAutomationRule", "DeleteCloudEventRule", "UpdateCloudEventRule", "DeleteCloudConfigurationRule", "UpdateCloudConfigurationRule", "DeleteHostConfigurationRule", "UpdateHostConfigurationRule", "CreateIgnoreRule", "DeleteIgnoreRule", "UpdateIgnoreRule", "CreateMalwareExclusion", "UpdateMalwareExclusion"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
action | in |
|
status | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
action | |
source_ip | sourceip |
event_id | id |
action_parameters | actionparameters |