<  Back to rules search

OneLogin user viewed secure note

onelogin
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a OneLogin user views a secure note.

Strategy

This rule lets you monitor the following OneLogin events to detect when a user views a secure note:

  • @evt.name:PRIVILEGE_GRANTED_TO_USER

This rule is useful when correlating its findings with other anomalous events from the same OneLogin user ({{@actor_user_name}}).

Triage and response

  1. Determine whether the OneLogin user ({{@actor_user_name}}) should be legitimately accessing secure notes.
  2. If the activity was not legitimate, review all activity from {{@actor_user_name}} and the IP ({{@network.client.ip}}) associated with this signal.