Detection rules › Panther
ZIA Account Access Removed
This rule detects when admin user/role was deleted.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1531 Account Access Removal |
Rule body yaml
AnalysisType: rule
RuleID: ZIA.Account.Access.Removed
Description: This rule detects when admin user/role was deleted.
DisplayName: ZIA Account Access Removed
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
Reference: https://help.zscaler.com/zia/authentication-administration/administrator-role-management
Enabled: true
Filename: zia_account_access_removal.py
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0040:T1531 # Account Access removal
LogTypes:
- Zscaler.ZIA.AdminAuditLog
DedupPeriodMinutes: 60
Threshold: 1
Tests:
- Name: Administration > User Management > Add User, remove from Service Admin group
ExpectedResult: false
Log:
{
"event": {
"action": "UPDATE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "USER_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": {
"adminUser": false,
"department": {
"id": 19752838,
"isDeleted": false,
"isForUnauthenticatedUser": false,
"isNonEditable": false,
"name": "test"
},
"email": "johndoe@dev-company.com",
"groups": [
{
"id": 19631231,
"isNonEditable": false,
"name": "test"
}
],
"id": 19752821,
"isNonEditable": false,
"miscflags": 0,
"name": "johndoe",
"systemDefinedGroups": [ ]
},
"preaction": {
"adminUser": false,
"authType": "SAFECHANNEL_DIR",
"department": {
"id": 16991313,
"isDeleted": false,
"isForUnauthenticatedUser": false,
"isNonEditable": false,
"name": "Service Admin"
},
"email": "johndoe@dev-company.com",
"groups": [
{
"id": 16991312,
"isNonEditable": false,
"name": "Service Admin"
}
],
"id": 19752821,
"miscflags": 268435456,
"name": "johndoe"
},
"recordid": "324",
"resource": "johndoe",
"result": "SUCCESS",
"subcategory": "USER",
"time": "2024-10-22 22:01:28.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration Management > Administrators > Edit Administrator, delete administrator
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ADMINISTRATOR_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminScope": {
"scopeEntities": [ ],
"scopeGroupMemberEntities": [ ],
"type": "ORGANIZATION"
},
"disabled": false,
"email": "johndoe@company.com",
"id": 19752821,
"isExecMobileAppEnabled": true,
"isPasswordLoginAllowed": true,
"loginName": "johndoe@dev-company.com",
"pwdLastModifiedTime": 1729634767,
"role": {
"deleted": false,
"extensions": {
"adminRank": "0",
"roleType": "EXEC_INSIGHT_AND_ORG_ADMIN"
},
"id": 24354,
"isNameL10nTag": true,
"name": "Super Admin"
},
"userName": "johndoe1123"
},
"recordid": "327",
"resource": "johndoe1123",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ADMIN_USER",
"time": "2024-10-22 22:09:01.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration Management > Auditors > Edit Auditor, delete auditor
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ADMINISTRATOR_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"disabled": false,
"id": 19752860,
"isAuditor": true,
"loginName": "arieeel@dev-company.com",
"newLocationCreateAllowed": false,
"pwdLastModifiedTime": 0,
"role": {
"deleted": false,
"id": 30510,
"isNameL10nTag": false,
"name": "Auditor"
},
"userName": "areiiiel"
},
"recordid": "329",
"resource": "areiiiel",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_AUDITOR",
"time": "2024-10-22 22:11:56.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit Administrator Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "READ_WRITE",
"alertingAccess": "READ_WRITE",
"analysisAccess": "READ_ONLY",
"dashboardAccess": "READ_WRITE",
"deviceInfoAccess": "READ_ONLY",
"id": 32780,
"logsLimit": "Unrestricted",
"name": "mega admin",
"permissions": [
"SECURE",
"COMPLY",
"SSL_POLICY",
"ADVANCED_SETTINGS",
"FIREWALL_DNS",
"NSS_CONFIGURATION",
"VZEN_CONFIGURATION",
"LOCATIONS",
"HOSTED_PAC_FILES",
"EZ_AGENT_CONFIGURATIONS",
"SECURE_AGENT_NOTIFICATIONS",
"VPN_CREDENTIALS",
"AUTHENTICATION_SETTINGS",
"IDENTITY_PROXY_SETTINGS",
"USER_MANAGEMENT",
"APIKEY_MANAGEMENT",
"PARTNER_INTEGRATION",
"POLICY_RESOURCE_MANAGEMENT",
"CUSTOM_URL_CAT",
"OVERRIDE_EXISTING_CAT",
"PROXY_GATEWAY",
"TENANT_PROFILE_MANAGEMENT",
"STATIC_IPS",
"REMOTE_ASSISTANCE_MANAGEMENT",
"GRE_TUNNELS",
"CLIENT_CONNECTOR_PORTAL",
"SUBCLOUDS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "READ_WRITE",
"reportTimeDuration": -1,
"roleType": "EXEC_INSIGHT_AND_ORG_ADMIN",
"usernameAccess": "READ_ONLY"
},
"recordid": "342",
"resource": "mega admin",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:31:35.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit SD-WAN Partner API Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "NONE",
"alertingAccess": "READ_ONLY",
"analysisAccess": "NONE",
"dashboardAccess": "NONE",
"deviceInfoAccess": "NONE",
"id": 32781,
"name": "wanny",
"permissions": [
"STATIC_IPS",
"LOCATIONS",
"GRE_TUNNELS",
"VPN_CREDENTIALS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "NONE",
"reportTimeDuration": -1,
"roleType": "SDWAN",
"usernameAccess": "NONE"
},
"recordid": "345",
"resource": "wanny",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:34:58.000000000"
},
"sourcetype": "zscalernss-audit"
}
- Name: Administration > Role Management > Edit API Role, delete role
ExpectedResult: true
Log:
{
"event": {
"action": "DELETE",
"adminid": "admin@16991311.zscalerbeta.net",
"auditlogtype": "ZIA",
"category": "ROLE_MANAGEMENT",
"clientip": "123.123.123.123",
"errorcode": "None",
"interface": "UI",
"postaction": { },
"preaction": {
"adminAcctAccess": "READ_WRITE",
"alertingAccess": "NONE",
"analysisAccess": "NONE",
"dashboardAccess": "NONE",
"deviceInfoAccess": "NONE",
"id": 32782,
"logsLimit": "Unrestricted",
"name": "bad API",
"permissions": [
"SECURE",
"COMPLY",
"SSL_POLICY",
"ADVANCED_SETTINGS",
"FIREWALL_DNS",
"LOCATIONS",
"VPN_CREDENTIALS",
"USER_MANAGEMENT",
"POLICY_RESOURCE_MANAGEMENT",
"CUSTOM_URL_CAT",
"OVERRIDE_EXISTING_CAT",
"STATIC_IPS",
"GRE_TUNNELS"
],
"policyAccess": "READ_WRITE",
"rank": 7,
"reportAccess": "NONE",
"reportTimeDuration": -1,
"roleType": "PUBLIC_API",
"usernameAccess": "NONE"
},
"recordid": "346",
"resource": "bad API",
"result": "SUCCESS",
"subcategory": "ADMINISTRATOR_ROLE",
"time": "2024-10-22 22:35:06.000000000"
},
"sourcetype": "zscalernss-audit"
}
Detection logic
Condition
event.errorcode eq "None"
event.result eq "SUCCESS"
event.action eq "DELETE"
event.category in ["ADMINISTRATOR_MANAGEMENT", "ROLE_MANAGEMENT"]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.action | eq |
|
event.category | in |
|
event.errorcode | eq |
|
event.result | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
action | event.action |
admin_id | event.adminid |
category | event.category |
client_ip | event.clientip |
preaction | event.preaction |
postaction | event.postaction |