ZIA Trust Modification (Panther detection rule)
This rule detects when SAML authentication is enabled or disabled in a Zscaler Internet Access (ZIA) tenant, based on the ZIA admin audit log.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1484.002 Domain or Tenant Policy Modification: Trust Modification |
Rule body
```yaml
AnalysisType: rule
RuleID: ZIA.Trust.Modification
Description: This rule detects when SAML authentication was enabled/disabled.
DisplayName: ZIA Trust Modification
Runbook: Verify that this change was planned. If not, revert the change and ensure this doesn't happen again.
Reference: https://help.zscaler.com/zia/configuring-saml
Enabled: true
Filename: zia_trust_modification.py
Severity: Medium
Reports:
  MITRE ATT&CK:
    - TA0004:T1484.002 # Domain or Tenant Policy Modification: Trust Modification
LogTypes:
  - Zscaler.ZIA.AdminAuditLog
DedupPeriodMinutes: 60
Threshold: 1
Tests:
  - Name: Administration > Administration Management > Enable SAML Authentication
    ExpectedResult: true
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@16991311.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "ADMINISTRATOR_MANAGEMENT",
          "clientip": "123.123.123.123",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "certFilename": "abc.crt",
            "productId": 0,
            "samlEnabled": true
          },
          "preaction": {
            "productId": 0,
            "samlEnabled": false
          },
          "recordid": "332",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "ADMINISTRATOR_SAML",
          "time": "2024-10-22 22:13:23.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
  - Name: Administration > Administration Management > Disable SAML Authentication
    ExpectedResult: true
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@16991311.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "ADMINISTRATOR_MANAGEMENT",
          "clientip": "123.123.123.123",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "certFilename": "abc.crt",
            "productId": 0,
            "samlEnabled": false
          },
          "preaction": {
            "productId": 0,
            "samlEnabled": true
          },
          "recordid": "332",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "ADMINISTRATOR_SAML",
          "time": "2024-10-22 22:13:23.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
  - Name: Administration > Administration Management > UPDATE without SAML fields
    ExpectedResult: false
    Log:
      {
        "event": {
          "action": "UPDATE",
          "adminid": "admin@16991311.zscalerbeta.net",
          "auditlogtype": "ZIA",
          "category": "ADMINISTRATOR_MANAGEMENT",
          "clientip": "123.123.123.123",
          "errorcode": "None",
          "interface": "UI",
          "postaction": {
            "certFilename": "abc.crt",
            "productId": 0
          },
          "preaction": {
            "productId": 0
          },
          "recordid": "332",
          "resource": "None",
          "result": "SUCCESS",
          "subcategory": "ADMINISTRATOR_SAML",
          "time": "2024-10-22 22:13:23.000000000"
        },
        "sourcetype": "zscalernss-audit"
      }
```
Detection logic
Condition
All of the following must hold for an event to match; the last line is a cross-field comparison, so only an update that actually changes the samlEnabled value (and carries it in both preaction and postaction) fires:
```text
event.errorcode eq "None"
event.result eq "SUCCESS"
event.action eq "UPDATE"
event.category eq "ADMINISTRATOR_MANAGEMENT"
event.preaction.samlEnabled ne ""
event.postaction.samlEnabled ne ""
event.preaction.samlEnabled cross_field_compare "event.postaction.samlEnabled"
```
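The condition above written out as a Panther-style `rule()` and `title()`, as an added example rather than the rule's own `zia_trust_modification.py` (which this page does not reproduce). It assumes the cross-field compare means "preaction and postaction values differ", uses a local `deep_get` helper instead of Panther's, and builds constructed events shaped like the test logs above.

```python
from typing import Any

# Panther-style rule() / title() for the condition above. Local helper and
# constructed sample events; not the catalog's zia_trust_modification.py.

def deep_get(obj: Any, *keys: str, default: Any = "") -> Any:
    """Walk nested dicts; a missing key yields default ("" mirrors the ne "" checks)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def rule(event: dict) -> bool:
    """Match a successful admin-management UPDATE whose samlEnabled value changed."""
    ev = event.get("event", {})
    if deep_get(ev, "errorcode") != "None" or deep_get(ev, "result") != "SUCCESS":
        return False
    if deep_get(ev, "action") != "UPDATE" or deep_get(ev, "category") != "ADMINISTRATOR_MANAGEMENT":
        return False
    before = deep_get(ev, "preaction", "samlEnabled")
    after = deep_get(ev, "postaction", "samlEnabled")
    if before == "" or after == "":
        return False  # UPDATE that did not carry the SAML flag on both sides
    return before != after  # the cross-field compare: only a real flip alerts

def title(event: dict) -> str:
    """Alert title naming the new SAML state and the acting admin."""
    ev = event.get("event", {})
    state = "enabled" if deep_get(ev, "postaction", "samlEnabled") else "disabled"
    return f"ZIA: SAML authentication {state} by {deep_get(ev, 'adminid', default='unknown')}"

def zia_audit_event(pre: dict, post: dict, **overrides: Any) -> dict:
    """Constructed event shaped like the page's test logs (sample values, not captures)."""
    ev = {
        "action": "UPDATE", "adminid": "admin@16991311.zscalerbeta.net",
        "category": "ADMINISTRATOR_MANAGEMENT", "errorcode": "None",
        "result": "SUCCESS", "subcategory": "ADMINISTRATOR_SAML",
        "preaction": pre, "postaction": post,
    }
    ev.update(overrides)
    return {"event": ev, "sourcetype": "zscalernss-audit"}

ENABLE = zia_audit_event({"samlEnabled": False}, {"samlEnabled": True, "certFilename": "abc.crt"})
DISABLE = zia_audit_event({"samlEnabled": True}, {"samlEnabled": False})
NO_SAML_FIELDS = zia_audit_event({"productId": 0}, {"productId": 0})  # the page's false test
FAILED_ATTEMPT = zia_audit_event({"samlEnabled": False}, {"samlEnabled": True}, result="FAILURE")
```

`FAILED_ATTEMPT` shows the gap a defender should keep in mind: a rejected change never reaches this rule, so failed attempts to flip SAML need their own detection.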
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| event.action | eq | "UPDATE" |
| event.category | eq | "ADMINISTRATOR_MANAGEMENT" |
| event.errorcode | eq | "None" |
| event.preaction.samlEnabled | cross_field_compare | event.postaction.samlEnabled |
| event.result | eq | "SUCCESS" |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| action | event.action |
| admin_id | event.adminid |
| category | event.category |
| client_ip | event.clientip |
| preaction | event.preaction |
| postaction | event.postaction |