
Jumpcloud admin granted system privileges

jumpcloud

Classification: attack

Tactic:

Technique:

Set up the JumpCloud integration.


Goal

Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.

Strategy

This rule monitors JumpCloud audit logs and triggers on events whose @evt.name is system_admin_grant.

Triage and response

  1. Reach out to the admin who made the change ({{@usr.email}}) to confirm that the user ({{@usr.name}}) should have administrative privileges on the specified resource ({{@resource.name}}).
  2. If the change was not authorized, verify that there are no other signals involving the JumpCloud admin ({{@usr.email}}) or the system ({{@resource.name}}).
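As an added example (not part of this rule page or Datadog's own code), the detection logic described above run over a few constructed JumpCloud events in the normalized attribute shape the rule queries; the attribute mapping follows the triage text (usr.email is the acting admin, usr.name the user granted), and the grouping helper supports triage step 2 by showing every grant performed by the same admin.

```python
import json
from collections import defaultdict

# Constructed sample events in the normalized shape this rule queries
# (evt.name, usr.email, usr.name, resource.name). Made up for illustration;
# they are not real JumpCloud audit output.
SAMPLE_EVENTS = [
    '{"evt": {"name": "system_admin_grant"}, "usr": {"email": "admin@example.com", "name": "jdoe"}, "resource": {"name": "laptop-42"}}',
    '{"evt": {"name": "user_login_success"}, "usr": {"email": "admin@example.com", "name": "admin"}, "resource": {"name": "console"}}',
    '{"evt": {"name": "system_admin_grant"}, "usr": {"email": "admin@example.com", "name": "asmith"}, "resource": {"name": "server-7"}}',
    '{"evt": {"name": "system_admin_revoke"}, "usr": {"email": "ops@example.com", "name": "jdoe"}, "resource": {"name": "laptop-42"}}',
]

TRIGGER_EVENT = "system_admin_grant"


def get_path(event, dotted):
    """Return a nested attribute by dotted path (e.g. 'usr.email'), or None."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def detect_admin_grants(lines):
    """Return one signal per event whose evt.name is system_admin_grant."""
    signals = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of halting the pipeline
        if get_path(event, "evt.name") != TRIGGER_EVENT:
            continue
        signals.append({
            "admin_email": get_path(event, "usr.email"),   # admin making the change
            "granted_user": get_path(event, "usr.name"),   # user receiving admin rights
            "resource": get_path(event, "resource.name"),  # endpoint affected
        })
    return signals


def grants_by_admin(signals):
    """Group grants by acting admin so all of one admin's changes are reviewed together."""
    grouped = defaultdict(list)
    for s in signals:
        grouped[s["admin_email"]].append((s["granted_user"], s["resource"]))
    return dict(grouped)


if __name__ == "__main__":
    found = detect_admin_grants(SAMPLE_EVENTS)
    for s in found:
        print(f"Confirm with {s['admin_email']} that {s['granted_user']} "
              f"should be admin on {s['resource']}")
    print(grants_by_admin(found))
```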