Datadog admin role assigned to user
Goal
Detects when users are assigned the Datadog Admin Role. Admin role grants full platform access including security configuration changes.
Strategy
This rule monitors Datadog Access Management events where @asset.type is user and @action is created or modified with @asset.name matching Datadog Admin Role. The Datadog Admin Role is the default built-in administrative role that provides unrestricted access to all platform features including security monitoring configuration, user management, API key creation, and audit settings. Granting admin privileges expands the attack surface and provides capabilities for privilege abuse, so assignments should be carefully controlled and monitored. This rule only monitors the default admin role to avoid noise from organization-specific custom roles.
Triage and response
- Verify if {{@usr.email}} has authorization to grant admin privileges by checking with security or platform administration teams.
- Identify the user account that received admin permissions by examining @asset.id and determine if this user requires admin access for their job function.
- Review the timing and context of the role assignment to determine if it aligns with legitimate onboarding, role changes, or incident response activities.
- Check for other privilege escalation activity by examining if multiple users received elevated permissions in a short timeframe.
- Investigate recent actions performed by {{@usr.email}} to identify if the account shows other signs of compromise such as unusual login locations or suspicious configuration changes.
- Monitor the newly granted admin account for suspicious activity including creation of additional admin accounts, modification of security controls, or unusual data access patterns.
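The following is an added example, not Datadog's own rule implementation, showing the matching logic from the Strategy section (asset type user, action created or modified, asset name "Datadog Admin Role") applied to constructed Access Management events, plus the "multiple users elevated in a short timeframe" check from the triage steps. The event shape, the e-mail addresses, the asset ids and the 15-minute / 3-grant threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values the rule keys on (from the Strategy section).
ADMIN_ROLE_NAME = "Datadog Admin Role"
GRANT_ACTIONS = {"created", "modified"}
ASSET_TYPE_USER = "user"

# Constructed sample events approximating Datadog Access Management audit
# records; field names mirror @usr.email, @action, @asset.type/id/name.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z", "usr": {"email": "alice@example.com"},
     "action": "modified", "asset": {"type": "user", "id": "u-1001", "name": "Datadog Admin Role"}},
    # Custom role, not the built-in admin role: must NOT match (avoids custom-role noise).
    {"timestamp": "2024-05-01T10:01:00Z", "usr": {"email": "alice@example.com"},
     "action": "modified", "asset": {"type": "user", "id": "u-1002", "name": "Security Analyst Role"}},
    # Different asset type: must NOT match.
    {"timestamp": "2024-05-01T10:02:00Z", "usr": {"email": "bob@example.com"},
     "action": "created", "asset": {"type": "api_key", "id": "k-77", "name": "Datadog Admin Role"}},
    # Three admin grants by one actor within seven minutes: a burst worth triage.
    {"timestamp": "2024-05-01T11:00:00Z", "usr": {"email": "mallory@example.com"},
     "action": "modified", "asset": {"type": "user", "id": "u-2001", "name": "Datadog Admin Role"}},
    {"timestamp": "2024-05-01T11:03:00Z", "usr": {"email": "mallory@example.com"},
     "action": "created", "asset": {"type": "user", "id": "u-2002", "name": "Datadog Admin Role"}},
    {"timestamp": "2024-05-01T11:07:00Z", "usr": {"email": "mallory@example.com"},
     "action": "modified", "asset": {"type": "user", "id": "u-2003", "name": "Datadog Admin Role"}},
    # Removal of the role is not a grant: must NOT match.
    {"timestamp": "2024-05-01T11:08:00Z", "usr": {"email": "carol@example.com"},
     "action": "deleted", "asset": {"type": "user", "id": "u-3001", "name": "Datadog Admin Role"}},
]


def parse_ts(ts: str) -> datetime:
    # "Z" suffix is not accepted by fromisoformat on older Pythons; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def matches_admin_grant(event: dict) -> bool:
    """Equivalent of the rule query:
    @asset.type:user AND @action:(created OR modified) AND @asset.name:"Datadog Admin Role"
    """
    asset = event.get("asset", {})
    return (
        asset.get("type") == ASSET_TYPE_USER
        and event.get("action") in GRANT_ACTIONS
        and asset.get("name") == ADMIN_ROLE_NAME
    )


def find_admin_grants(events: list) -> list:
    """Return the events that would fire this rule."""
    return [e for e in events if matches_admin_grant(e)]


def triage_fields(event: dict) -> dict:
    """Pull out the fields the triage steps ask for: who granted, who received, when."""
    return {
        "actor": event["usr"]["email"],        # {{@usr.email}}
        "target_user": event["asset"]["id"],   # @asset.id
        "action": event["action"],
        "timestamp": event["timestamp"],
    }


def burst_grants(grants: list, window: timedelta = timedelta(minutes=15), threshold: int = 3) -> dict:
    """Flag actors who granted admin to >= threshold distinct users inside any
    sliding window. Returns {actor_email: [target user ids]}; empty if none.
    Window and threshold are assumed values, tune them to the organisation."""
    by_actor = defaultdict(list)
    for e in grants:
        by_actor[e["usr"]["email"]].append((parse_ts(e["timestamp"]), e["asset"]["id"]))

    flagged = {}
    for actor, items in by_actor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {aid for ts, aid in items[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[actor] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    hits = find_admin_grants(SAMPLE_EVENTS)
    for h in hits:
        print("admin grant:", triage_fields(h))
    print("burst actors:", burst_grants(hits))
```

Running the block prints four admin-grant hits (one by alice, three by mallory) and flags mallory as the only actor exceeding the burst threshold; the custom-role, API-key and deletion events are ignored, matching the rule's intent to stay quiet on organisation-specific roles.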