Jumpcloud password manager local export

This rule is part of a beta feature. To learn more, contact Support.

Set up the Jumpcloud integration.


Goal

Detect when a Jumpcloud password manager export is initiated for download.

Strategy

This rule monitors Jumpcloud events for a password manager export being downloaded. A single export can contain a significant amount of password data, so an unauthorized export could indicate a data breach, an insider threat, or misuse of administrative privileges.

Potential risks associated with these export actions include:

  • Unauthorized access to and exfiltration of sensitive company data and secrets.
  • Insider threats downloading and sharing confidential data.

Triage and response

  1. Determine if the export download is expected by:

    • Contacting the user or admin {{@usr.email}} who initiated the export to verify the legitimacy of the request.
    • Reviewing the context and scope of the export, including:
      • The type of data exported.
      • The time and date of the export and the business justification for the action.
    • Checking Jumpcloud logs for other unusual or suspicious activity by the user, such as mass downloads, file sharing, or privilege escalation.
  2. If the export is unauthorized or unexpected:

    • Begin your organization’s incident response process and investigate further.
    • Analyze the exported data for sensitive information, and determine the scope of exposure.
    • Monitor for any further attempts to export data or download sensitive information across the workspace.
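The detection described under Strategy and the triage step of checking the actor's other activity, as an added example that is not part of the original rule or Datadog's or JumpCloud's code. It assumes Directory Insights-style event fields (`service`, `event_type`, `initiated_by.email`, `timestamp`, `client_ip`); the `password_manager_export` event type value and the sample events are assumptions.

```python
# Added example (not Datadog's or JumpCloud's code): flag password manager export
# events in a batch of JumpCloud Directory Insights-style events and attach the
# actor's other recent activity to each alert for triage. The event_type value
# for an export is an assumption; the sample events are constructed.
import json
from datetime import datetime, timedelta

EXPORT_SERVICE = "password_manager"
EXPORT_EVENT_TYPE = "password_manager_export"  # assumed value, adjust to your tenant
LOOKBACK = timedelta(hours=24)                 # window for related actor activity

# Constructed sample events (NDJSON), not real telemetry.
SAMPLE_LOG = """\
{"service": "directory", "event_type": "admin_login", "initiated_by": {"email": "admin@example.com"}, "timestamp": "2024-05-01T08:00:00Z", "client_ip": "198.51.100.7"}
{"service": "directory", "event_type": "user_update", "initiated_by": {"email": "admin@example.com"}, "timestamp": "2024-05-01T08:30:00Z", "client_ip": "198.51.100.7"}
{"service": "password_manager", "event_type": "password_manager_login", "initiated_by": {"email": "alice@example.com"}, "timestamp": "2024-05-01T09:00:00Z", "client_ip": "203.0.113.4"}
{"service": "password_manager", "event_type": "password_manager_export", "initiated_by": {"email": "admin@example.com"}, "timestamp": "2024-05-01T09:15:00Z", "client_ip": "198.51.100.7"}
{"service": "directory", "event_type": "admin_login", "initiated_by": {"email": "admin@example.com"}, "timestamp": "2024-04-27T10:00:00Z", "client_ip": "198.51.100.7"}
"""

def load_events(ndjson):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def parse_ts(s):
    """JumpCloud timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_export(ev):
    return ev.get("service") == EXPORT_SERVICE and ev.get("event_type") == EXPORT_EVENT_TYPE

def detect_exports(events):
    """One alert per export event, with the actor's other event types in the lookback window."""
    alerts = []
    for ev in events:
        if not is_export(ev):
            continue
        actor = ev["initiated_by"]["email"]
        t = parse_ts(ev["timestamp"])
        related = sorted({
            o["event_type"] for o in events
            if o is not ev and o["initiated_by"]["email"] == actor
            and t - LOOKBACK <= parse_ts(o["timestamp"]) <= t
        })
        alerts.append({"usr.email": actor, "timestamp": ev["timestamp"],
                       "client_ip": ev.get("client_ip"), "related_event_types": related})
    return alerts

if __name__ == "__main__":
    for alert in detect_exports(load_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The `usr.email` field in each alert is the value the triage steps refer to as `{{@usr.email}}`; `related_event_types` gives a first look at what else that actor did before the export.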