Atlassian user added to administrative group

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when an Atlassian user is added to an administrative group.

Strategy

This rule monitors Atlassian organization audit logs for events in which a user is added to a default administrative group. An attacker may try to assign a compromised identity to an administrative group in order to elevate their privileges.

Triage and response

  1. Determine if the user {{@usr.email}} intended to assign the target user to the administrative group:
    • Is there a related ticket tracking this change?
    • Is {{@usr.email}} aware of this activity?
    • Is the network metadata associated with the activity unusual for this user?
  2. If the results of the triage indicate that {{@usr.email}} was not aware of this activity or it did not originate from a known network, begin your company’s incident response process, and start an investigation.
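
The following is an added example, not the rule's own query or code from the vendor. It shows the detection described under Strategy together with the network check from triage step 1, run over constructed audit events. The flattened event schema, the `user_added_to_group` action name, the group names in `ADMIN_GROUPS`, and the ranges in `KNOWN_NETWORKS` are assumptions to adapt to your environment.

```python
import ipaddress

# Assumption: names of default administrative groups in your organization.
ADMIN_GROUPS = {"site-admins", "org-admins", "jira-administrators"}
# Assumption: corporate egress ranges (documentation-reserved addresses).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events in a simplified, assumed schema.
SAMPLE_EVENTS = [
    {"action": "user_added_to_group", "actor": "alice@example.com",
     "target": "bob@example.com", "group": "site-admins", "ip": "203.0.113.10"},
    {"action": "user_added_to_group", "actor": "carol@example.com",
     "target": "dave@example.com", "group": "Org-Admins", "ip": "198.51.100.7"},
    {"action": "user_added_to_group", "actor": "alice@example.com",
     "target": "erin@example.com", "group": "marketing", "ip": "203.0.113.10"},
    {"action": "user_removed_from_group", "actor": "alice@example.com",
     "target": "bob@example.com", "group": "site-admins", "ip": "203.0.113.10"},
]


def from_known_network(ip):
    """Return True only if ip parses and falls inside a known range."""
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return False  # missing or malformed address counts as unknown
    return any(addr in net for net in KNOWN_NETWORKS)


def detect_admin_group_additions(events):
    """Return one finding per event that adds a user to an admin group."""
    findings = []
    for ev in events:
        if ev.get("action") != "user_added_to_group":
            continue
        group = (ev.get("group") or "").strip().lower()
        if group not in ADMIN_GROUPS:
            continue
        known = from_known_network(ev.get("ip"))
        findings.append({
            "actor": ev.get("actor"),
            "target": ev.get("target"),
            "group": group,
            "known_network": known,
            # An unknown network is one of the escalation conditions in step 2.
            "escalate": not known,
        })
    return findings
```

A finding with `escalate` set to false still requires the ticket and awareness checks from step 1, since a known network alone does not confirm intent.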