OneLogin user granted administrative privileges

onelogin

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the onelogin integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a OneLogin administrator grants additional privileges to another OneLogin user.

Strategy

This rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:

  • @evt.name:PRIVILEGE_GRANTED_TO_USER

Triage and response

  1. Determine whether the user ({{@actor_user_name}}) should be legitimately adding additional roles to @usr.name. Note: The role granted to the user is not available in OneLogin logs.
  2. If the activity was not legitimate, review all activity from {{@actor_user_name}} and the IP ({{@network.client.ip}}) associated with this signal.