Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the jumpcloud integration.

Goal

Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.

Strategy

This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name of system_admin_grant.

Triage and response

1. Reach out to the admin making the change ({{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name).
2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (@resource.name).