OneLogin administrator assumed a user

onelogin

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

Set up the onelogin integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a OneLogin user with appropriate privileges assumes another OneLogin user’s identity. Logging in as another user allows the user to view another OneLogin user’s account and perform actions on their behalf.

Strategy

This rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user’s identity:

  • @evt.name:USER_ASSUMED_USER

Triage and response

  1. Determine whether the user ({{@usr.name}}) should be legitimately assuming another user’s identity.
  2. If the activity was not legitimate, review all activity from {{@usr.name}} and the IP ({{@network.client.ip}}) associated with this signal.