Atlassian user added to administrative group

This rule is part of a beta feature. To learn more, contact Support.
atlassian-event-logs

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an Atlassian user is added to an administrative group.

Strategy

This rule monitors Atlassian organization audit logs for when a user is added to a default administrative group. An attacker may try to assign a compromised identity to an administrative group in order to elevate their privileges.

Triage and response

  1. Determine if the user {{@usr.email}} intended to assign the target user to the administrative group:
    • Is there a related ticket tracking this change?
    • Is {{@usr.email}} aware of this activity?
    • Is the network metadata associated with the activity unusual for this user?
  2. If the results of the triage indicate that {{@usr.email}} was not aware of this activity or it did not originate from a known network, begin your company’s incident response process, and start an investigation.