Zendesk IP restriction settings is disabled

zendesk

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Set up the zendesk integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when IP restriction is disabled.

Strategy

Monitor Zendesk audit logs to look for events with an @source_label value of "Security: Enable IP restrictions" and message:"Turned off". IP restriction allows administrators to limit access to Zendesk to users within a certain range of IP addresses only.

Triage and response

  1. Determine if the user {{@usr.name}} intended to disable IP restriction.
  2. If there is not a legitimate business use case, reset the IP restrictions to the original configuration.