Atlassian Tor client activity detected

This rule is part of a beta feature. To learn more, contact Support.
jira-audit-records

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Goal

Detect when Tor client activity is seen in Atlassian audit logs.

Strategy

This rule monitors Atlassian audit logs to determine when an activity had originated from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

  1. Determine if the actions taken by the identity {{@usr.email}} are legitimate by looking at past activity and the type of logs occurring.
  2. If the results of the triage indicate that {{@usr.email}} was not aware of this activity, begin your company’s incident response process, and start an investigation.