Jumpcloud password manager local export

This rule is part of a beta feature. To learn more, contact Support.

Set up the jumpcloud integration.

Goal

Detect when a Jumpcloud password manager export is initiated for download.

Strategy

This rule monitors Jumpcloud events for a password manager export being downloaded. A single export can contain a large volume of credential data, so an export that nobody expected could indicate a data breach, an insider threat, or misuse of administrative privileges. Legitimate exports do happen (migrations, backups), which is why the triage steps below start by confirming intent with the initiating user.

Potential risks associated with these export actions include:

  • Unauthorized access to and exfiltration of sensitive company data and secrets.
  • Insider threats downloading and sharing confidential data.

Triage and response

  1. Determine if the export download is expected by:

    • Contacting the user or admin {{@usr.email}} who initiated the export to verify the legitimacy of the request.
    • Reviewing the context and scope of the export, including:
      • The type of data exported.
      • The time and date of the export and the business justification for the action.
    • Checking Jumpcloud logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.
  2. If the export is unauthorized or unexpected:

    • Begin your organization’s incident response process and investigate further.
    • Determine which vaults, folders, or items were included in the export, treat every credential in that set as exposed, and rotate them in order of sensitivity.
    • Monitor for any further attempts to export data or download sensitive information across the workspace.
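The detection and triage logic described above, written out as an added example. This is not Datadog's rule or JumpCloud's real event schema: the field names (`service`, `event_type`, `initiated_by.email`, `timestamp`), the event-type values, and the sample events are all constructed assumptions. It finds export events, then collects what else the same actor did in a surrounding window so the analyst sees mass downloads, sharing, or privilege changes alongside the export, and it lets you mark actors whose exports are expected so those are reported at informational severity.

```python
"""Added example: toy detector for Jumpcloud password manager export events.

Illustrative only. Field names and event-type values below are assumptions,
not JumpCloud's schema and not Datadog's rule query; map them to the fields
present in your ingested events.
"""
from datetime import datetime, timedelta

# Assumed event name for a password manager export being downloaded.
EXPORT_EVENT = "password_manager_export"
# Assumed event names that make an export more suspicious when they occur
# near it (the "other unusual activity" the triage steps call out).
ESCALATION_EVENTS = {"privilege_change", "bulk_download", "share_created"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; tolerates a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actor_of(event):
    """Email of the user who initiated the event (assumed field layout)."""
    return event.get("initiated_by", {}).get("email")


def find_exports(events):
    """Return every event that represents a password manager export."""
    return [e for e in events
            if e.get("service") == "password_manager"
            and e.get("event_type") == EXPORT_EVENT]


def triage_context(events, export, expected_actors=frozenset(),
                   window=timedelta(hours=24)):
    """Summarise one export plus the same actor's nearby activity."""
    actor = actor_of(export)
    when = parse_ts(export["timestamp"])
    related = [e for e in events
               if e is not export
               and actor_of(e) == actor
               and abs(parse_ts(e["timestamp"]) - when) <= window]
    related_types = sorted({e["event_type"] for e in related})
    signals = sorted(set(related_types) & ESCALATION_EVENTS)
    expected = actor in expected_actors
    if expected:
        severity = "info"      # known exporter: still record it, low priority
    elif signals:
        severity = "high"      # unexpected export plus escalation signals
    else:
        severity = "medium"    # unexpected export, nothing else yet
    return {
        "actor": actor,
        "timestamp": export["timestamp"],
        "expected": expected,
        "related_event_types": related_types,
        "escalation_signals": signals,
        "severity": severity,
    }


def run(events, expected_actors=frozenset()):
    """One triage record per export event found in `events`."""
    return [triage_context(events, e, expected_actors)
            for e in find_exports(events)]


# Constructed sample events (not real Jumpcloud data). Alice gains a
# privilege, exports the password manager 30 minutes later; Bob's bulk
# download and Alice's share five days later should not be correlated.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:00Z", "service": "directory",
     "event_type": "login_success",
     "initiated_by": {"email": "alice@example.com"}},
    {"timestamp": "2024-05-01T09:30:00Z", "service": "directory",
     "event_type": "privilege_change",
     "initiated_by": {"email": "alice@example.com"}},
    {"timestamp": "2024-05-01T10:00:00Z", "service": "password_manager",
     "event_type": "password_manager_export",
     "initiated_by": {"email": "alice@example.com"}},
    {"timestamp": "2024-05-01T10:05:00Z", "service": "password_manager",
     "event_type": "bulk_download",
     "initiated_by": {"email": "bob@example.com"}},
    {"timestamp": "2024-05-06T10:00:00Z", "service": "password_manager",
     "event_type": "share_created",
     "initiated_by": {"email": "alice@example.com"}},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The 24-hour window and the escalation list are tuning knobs; the point of the correlation is that the export alone is ambiguous, while an export preceded by a fresh privilege grant by the same account is the pattern the triage steps tell you to look for. Feed `expected_actors` from your change records so routine exports are not paged as incidents.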