OneLogin user granted administrative privileges

Classification:

attack

Tactic:

Technique:

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a OneLogin administrator grants additional privileges to another OneLogin user.

This rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:

Determine whether the user ({{@actor_user_name}}) should be legitimately adding additional roles to @usr.name. Note: The role granted to the user is not available in OneLogin logs.
If the activity was not legitimate, review all activity from {{@actor_user_name}} and the IP ({{@network.client.ip}}) associated with this signal.