Atlassian user invited to organization as an organization administrator

This rule is part of a beta feature. To learn more, contact Support.
atlassian-event-logs

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an Atlassian user is invited to the organization with the organizational administrator role.

Strategy

This rule monitors Atlassian organization audit logs for when a user is invited to the organization with the organizational administrator role. An attacker may try to invite an additional identity to the organization with high-level privileges.

Triage and response

  1. Determine if the user {{@usr.email}} intended to invite the target user as an organizational administrator:
    • Is there a related ticket tracking this change?
    • Is {{@usr.email}} aware of this activity?
    • Is the network metadata associated with the activity unusual for this user?
  2. If the results of the triage indicate that {{@usr.email}} was not aware of this activity or it did not originate from a known network, begin your company’s incident response process, and start an investigation.