/
zscaler_scam_destinations_threat_blocked.yml
61 lines (61 loc) · 2.52 KB
/
zscaler_scam_destinations_threat_blocked.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
name: Zscaler Scam Destinations Threat Blocked
id: a0c21379-f4ba-4bac-a958-897e260f964a
version: 1
date: '2023-10-30'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
data_source: []
description: The analytic is engineered to detect potential scam activities within a network by Zscaler. Utilizing Splunk search functionality, it examines web proxy logs for blocked actions related to scam threats. Essential data points like the device owner, user, URL category, destination URL and IP, and action taken are analyzed to highlight possible scam endeavors. This detection, marked as an anomaly, aids in early identification and mitigation of scam activities, ensuring a safer network environment.
search: '`zscaler_proxy` action=blocked threatname=*scam*
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `zscaler_scam_destinations_threat_blocked_filter`'
how_to_implement: You must install the latest version of Zscaler Add-on from Splunkbase. You must be ingesting Zscaler events into your Splunk environment through an ingester. This analytic was written to be used with the "zscalernss-web" sourcetype leveraging the Zscaler proxy data. This enables the integration with Splunk Enterprise Security. Security teams are encouraged to adjust the detection parameters, ensuring the detection is tailored to their specific environment.
known_false_positives: False positives are limited to Zscaler configuration.
references:
- https://help.zscaler.com/zia/nss-feed-output-format-web-logs
tags:
analytic_story:
- Zscaler Browser Proxy Threats
asset_type: Web Server
confidence: 80
impact: 10
message: Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].
mitre_attack_id:
- T1566
observable:
- name: src
type: IP Address
role:
- Victim
- name: user
type: User
role:
- Victim
- name: url
type: URL String
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 8
required_fields:
- action
- threatname
- deviceowner
- user
- urlcategory
- url
- dest
- dest_ip
- action
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/zscalar_web_proxy/zscalar_web_proxy.json
source: zscaler
sourcetype: zscalernss-web