Detection rules › Panther
ZIA Insecure Password Settings
This rule detects when password settings are insecure.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1556.009 Modify Authentication Process: Conditional Access Policies |
| Defense Evasion | T1556.009 Modify Authentication Process: Conditional Access Policies |
| Credential Access | T1556.009 Modify Authentication Process: Conditional Access Policies |
Rule body

```yaml
AnalysisType: rule
RuleID: ZIA.Insecure.Password.Settings
Description: This rule detects when password settings are insecure.
DisplayName: ZIA Insecure Password Settings
Runbook: Set the secure password configurations.
Reference: https://help.zscaler.com/zia/customizing-your-admin-account-settings
Enabled: true
Filename: zia_insecure_password_settings.py
Severity: Medium
Reports:
  MITRE ATT&CK:
    - TA0005:T1556.009 # Defense Evasion: Modify Authentication Process: Conditional Access Policies
LogTypes:
  - Zscaler.ZIA.AdminAuditLog
DedupPeriodMinutes: 60
Threshold: 1
Tests:
  - Name: Permanent cookie
    ExpectedResult: true
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@test.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "AUTHENTICATION_SETTINGS",
          "clientip": "1.2.3.4",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "authFrequency": "PERMANENT_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_DISABLED",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "NEVER",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "preaction": {
            "authFrequency": "DAILY_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_DISABLED",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "NEVER",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "recordid": "356",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "AUTH_SETTINGS_PROFILE",
          "time": "2024-11-04 16:29:24.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
  - Name: Password expiry - never
    ExpectedResult: true
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@test.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "AUTHENTICATION_SETTINGS",
          "clientip": "1.2.3.4",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "authFrequency": "DAILY_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_LINK",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "NEVER",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "preaction": {
            "authFrequency": "DAILY_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_DISABLED",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "NEVER",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "recordid": "357",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "AUTH_SETTINGS_PROFILE",
          "time": "2024-11-04 16:29:40.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
  - Name: Password strength - none
    ExpectedResult: true
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@test.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "AUTHENTICATION_SETTINGS",
          "clientip": "1.2.3.4",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "authFrequency": "DAILY_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_DISABLED",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "SIX_MONTHS",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "preaction": {
            "authFrequency": "DAILY_COOKIE",
            "autoProvision": false,
            "directorySyncMigrateToScimEnabled": false,
            "kerberosEnabled": false,
            "mobileAdminSamlIdpEnabled": false,
            "oneTimeAuth": "OTP_DISABLED",
            "orgAuthType": "SAFECHANNEL_DIR",
            "passwordExpiry": "NEVER",
            "passwordStrength": "NONE",
            "samlEnabled": false
          },
          "recordid": "361",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "AUTH_SETTINGS_PROFILE",
          "time": "2024-11-04 16:30:36.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
  - Name: Other event
    ExpectedResult: false
    Log:
      {
        "event": {
          "action": "SIGN_IN",
          "adminid": "admin@test.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "LOGIN",
          "clientip": "1.2.3.4",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {},
          "preaction": {},
          "recordid": "354",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "LOGIN",
          "time": "2024-11-04 16:27:37.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
```
Detection logic
Condition (all of the following must hold):
- event.errorcode eq "None"
- event.result eq "SUCCESS"
- event.postaction.authFrequency eq "PERMANENT_COOKIE" or event.postaction.passwordExpiry eq "NEVER" or event.postaction.passwordStrength eq "NONE"

The third condition inspects only the post-change values, so any successful authentication-settings update that leaves one of these values insecure fires the rule, even when the insecure value was already set before the change; the "Password expiry - never" test above, where only oneTimeAuth changed, shows this.
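The condition above, as an added Panther-style Python rule body; this is example code, not the rule's own zia_insecure_password_settings.py. `deep_get` is a local stand-in for Panther's helper, and the `newly_insecure` field in the alert context is an assumption that goes beyond the page, separating settings that became insecure in this change from ones that were already insecure.

```python
# Added example: Panther-style rule body for the condition on this page.
# Not the rule's own file; deep_get is a local stand-in for Panther's helper.
from typing import Any

# Setting -> values the page's condition treats as insecure
INSECURE_VALUES = {
    "authFrequency": {"PERMANENT_COOKIE"},
    "passwordExpiry": {"NEVER"},
    "passwordStrength": {"NONE"},
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def insecure_settings(section: dict) -> list[str]:
    """Names of settings in a pre/postaction block holding an insecure value."""
    return [k for k, bad in INSECURE_VALUES.items() if section.get(k) in bad]


def rule(event: dict) -> bool:
    # Mirrors the page's condition: an error-free, successful update whose
    # resulting (postaction) settings contain at least one insecure value.
    if deep_get(event, "event", "errorcode") != "None":
        return False
    if deep_get(event, "event", "result") != "SUCCESS":
        return False
    post = deep_get(event, "event", "postaction", default={}) or {}
    return bool(insecure_settings(post))


def newly_insecure(event: dict) -> list[str]:
    """Assumed extra: settings that are insecure after the change but were not before."""
    pre = deep_get(event, "event", "preaction", default={}) or {}
    post = deep_get(event, "event", "postaction", default={}) or {}
    return sorted(set(insecure_settings(post)) - set(insecure_settings(pre)))


def alert_context(event: dict) -> dict:
    # The output fields the page lists, plus which settings are new this change
    fields = {"action": "action", "admin_id": "adminid", "category": "category",
              "client_ip": "clientip", "preaction": "preaction", "postaction": "postaction"}
    ctx = {out: deep_get(event, "event", src) for out, src in fields.items()}
    ctx["newly_insecure"] = newly_insecure(event)
    return ctx
```

An empty `newly_insecure` list on a firing alert means the update kept an already-insecure value rather than introducing one, which is useful when triaging repeated alerts from the same tenant.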
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators; a blank or 1 means the indicator is specific to this rule. Values are taken from the condition above.
| Field | Kind | Values |
|---|---|---|
| event.errorcode | eq | None |
| event.postaction.authFrequency | eq | PERMANENT_COOKIE |
| event.postaction.passwordExpiry | eq | NEVER |
| event.postaction.passwordStrength | eq | NONE |
| event.result | eq | SUCCESS |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection, and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| action | event.action |
| admin_id | event.adminid |
| category | event.category |
| client_ip | event.clientip |
| preaction | event.preaction |
| postaction | event.postaction |