Atlassian user added to administrative group
Goal
Detect when an Atlassian user is added to an administrative group.
Strategy
This rule monitors Atlassian organization audit logs for when a user is added to a default administrative group. An attacker may try to assign a compromised identity to an administrative group in order to elevate their privileges.
Triage and response
- Determine if the user {{@usr.email}} intended to assign the target user to the administrative group:
  - Is there a related ticket tracking this change?
  - Is {{@usr.email}} aware of this activity?
  - Is the network metadata associated with the activity unusual for this user?
- If the results of the triage indicate that {{@usr.email}} was not aware of this activity or it did not originate from a known network, begin your company’s incident response process, and start an investigation.
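
The check described under Strategy, combined with the known-network question from triage, can be sketched offline as follows. This is an added example, not the rule's own query: the action string, flattened field names, admin group names, and network range are assumptions, and the events are constructed.

```python
import ipaddress

# Assumed values: replace with your org's admin groups and egress ranges.
ADMIN_GROUPS = {"org-admins", "site-admins", "jira-administrators"}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events (flattened; the field names are assumptions).
SAMPLE_EVENTS = [
    {"action": "user_added_to_group", "actor_email": "alice@example.com",
     "target_email": "bob@example.com", "group": "site-admins", "ip": "203.0.113.10"},
    {"action": "user_added_to_group", "actor_email": "carol@example.com",
     "target_email": "dave@example.com", "group": "site-admins", "ip": "198.51.100.7"},
    {"action": "user_added_to_group", "actor_email": "alice@example.com",
     "target_email": "erin@example.com", "group": "marketing", "ip": "203.0.113.10"},
    {"action": "user_login", "actor_email": "dave@example.com", "ip": "198.51.100.7"},
    {"action": "user_added_to_group", "actor_email": "carol@example.com",
     "target_email": "frank@example.com", "group": "Org-Admins", "ip": "not-an-ip"},
]

def from_known_network(ip):
    """True only if ip parses and falls inside a known range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed source IP counts as unknown
    return any(addr in net for net in KNOWN_NETWORKS)

def find_admin_group_additions(events):
    """Return one finding per addition to an administrative group."""
    findings = []
    for ev in events:
        if ev.get("action") != "user_added_to_group":
            continue
        # Normalize case and whitespace so "Org-Admins" still matches.
        group = str(ev.get("group", "")).strip().lower()
        if group not in ADMIN_GROUPS:
            continue
        findings.append({
            "actor": ev.get("actor_email"),
            "target": ev.get("target_email"),
            "group": group,
            "known_network": from_known_network(ev.get("ip", "")),
        })
    return findings

if __name__ == "__main__":
    for finding in find_admin_group_additions(SAMPLE_EVENTS):
        print(finding)
```

Findings with `known_network` set to false are the ones the last triage step escalates; the ticket and user-awareness questions still need a human answer.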