ZIA Trust Modification

Panther Rules

Summary
The ZIA Trust Modification rule monitors changes to the SAML (Security Assertion Markup Language) authentication configuration of the Zscaler Internet Access (ZIA) platform. It evaluates entries in the ZIA admin audit log and fires when SAML authentication is switched on or off through the administration console. The rule ships with one test for each direction (SAML authentication enabled, SAML authentication disabled); each test checks for an 'UPDATE' action in the log entry and then verifies the resulting state of the SAML authentication switch. Changes to this setting are sensitive: SAML is the trust relationship between ZIA and the organization's identity provider, so disabling it or altering it can let administrators authenticate outside the identity provider's controls, which is why the rule is mapped to ATT&CK T1484.002 (Trust Modification). Matching events are deduplicated within a 60-minute window and raised at medium severity so that administrators can confirm whether the change was authorized. As a follow-up, unauthorized changes should be reverted and the configuration protected against further modification.
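The following is an added example of the detection logic the summary describes, run over constructed sample audit events; it is not Panther's own rule code, and the rule module from the panther-analysis repository is the source of truth. The field names (event.action, event.result, event.preaction, event.postaction, event.adminid, event.time) and the toggle name authSAMLEnabled follow the general shape of ZIA admin audit records but are assumptions here; check them against events actually ingested into your Panther instance. It goes slightly beyond the summary by only alerting when the switch actually changed state, and by reproducing the 60-minute deduplication keyed on the alert title.

```python
"""Added example (not Panther's rule): SAML-toggle detection over constructed
ZIA admin audit events, with a 60-minute dedup window keyed on the alert title.
Field names and the authSAMLEnabled toggle are assumed, not taken from the page."""
from datetime import datetime, timedelta

SAML_FLAG = "authSAMLEnabled"  # assumed name of the SAML switch in pre/postaction


def _get(event, *path, default=None):
    """Safe nested lookup, similar in spirit to Panther's event.deep_get()."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def saml_switch_change(event):
    """Return (before, after) for the SAML switch if this event is a successful
    UPDATE that changed it, otherwise None."""
    if _get(event, "event", "action") != "UPDATE":
        return None
    if _get(event, "event", "result") != "SUCCESS":
        return None  # a failed update did not change the configuration
    before = _get(event, "event", "preaction", SAML_FLAG)
    after = _get(event, "event", "postaction", SAML_FLAG)
    if after is None or before == after:
        return None  # not a SAML toggle, or the switch kept its state
    return before, after


def rule(event):
    return saml_switch_change(event) is not None


def title(event):
    _, after = saml_switch_change(event)
    state = "enabled" if after else "disabled"
    admin = _get(event, "event", "adminid", default="<unknown admin>")
    return f"ZIA SAML authentication {state} by {admin}"


def run(events, window=timedelta(minutes=60)):
    """Apply rule() to each event and dedup on the title within `window`.
    Returns the list of alert titles that would actually be raised."""
    alerts, window_start = [], {}
    for ev in events:
        if not rule(ev):
            continue
        ts = datetime.strptime(_get(ev, "event", "time"), "%Y-%m-%dT%H:%M:%SZ")
        key = title(ev)
        start = window_start.get(key)
        if start is not None and ts - start < window:
            continue  # same alert inside the dedup window: suppressed
        window_start[key] = ts
        alerts.append(key)
    return alerts


def _ev(time, admin, action, result, before, after):
    """Build one constructed audit event (sample data, not a real log)."""
    return {"event": {"time": time, "adminid": admin, "action": action,
                      "result": result,
                      "preaction": {SAML_FLAG: before},
                      "postaction": {SAML_FLAG: after}}}


# Constructed sample events, in time order.
SAMPLE_EVENTS = [
    _ev("2024-11-06T10:00:00Z", "alice@example.com", "UPDATE", "SUCCESS", False, True),   # alert
    _ev("2024-11-06T10:20:00Z", "alice@example.com", "UPDATE", "SUCCESS", True, False),   # alert
    _ev("2024-11-06T10:30:00Z", "alice@example.com", "UPDATE", "SUCCESS", False, False),  # no change
    _ev("2024-11-06T10:45:00Z", "bob@example.com", "UPDATE", "FAILURE", True, False),     # failed
    _ev("2024-11-06T10:50:00Z", "alice@example.com", "UPDATE", "SUCCESS", False, True),   # deduped
    _ev("2024-11-06T11:30:00Z", "bob@example.com", "UPDATE", "SUCCESS", True, False),     # alert
    _ev("2024-11-06T11:50:00Z", "bob@example.com", "CREATE", "SUCCESS", None, True),      # not UPDATE
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Note the trade-off in the dedup key: because the title carries the direction of the change, an enable followed by a disable produces two alerts, while the same admin flipping the switch the same way twice within an hour produces one. Keying on the admin alone would collapse an enable/disable pair into a single alert, so whichever key you choose, keep both the previous and the resulting state in the alert context.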
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Logon Session
  • Application Log
  • User Account
ATT&CK Techniques
  • T1484.002
Created: 2024-11-06