Zendesk account assumption is enabled

zendesk

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the zendesk integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when the Zendesk account assumption setting is enabled.

Strategy

Monitor Zendesk audit logs to look for events with an @source_label value of "Security: Enable Account assumption". Account assumption grants Zendesk the ability to access your account to troubleshoot an issue. It allows Zendesk to assume the role of an agent for a specified amount of time.

Triage and response

  1. Determine if the user {{@usr.name}} intended to enable the account assumption setting.
  2. If Zendesk support should not have the ability to assume the role of an agent, disable the setting.