---
title: Atlassian administrator impersonated user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Atlassian administrator impersonated
  user
---

# Atlassian administrator impersonated user
Classification:attackTactic:[TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when an Atlassian administrator logs in as another user.

## Strategy{% #strategy %}

This rule monitors Atlassian organization audit logs for when an administrator logs in as another user. This [feature](https://support.atlassian.com/user-management/docs/log-in-as-another-user/) allows administrators to impersonate other users. Due to the privileged nature of this, it is important to monitor and verify any impersonation.

## Triage and response{% #triage-and-response %}

1. Determine if `{{@usr.email}}` was authorized to impersonate the target user:
   - Is there a related ticket tracking this work?
   - Has it been approved by the target user?
   - Is `{{@usr.email}}` aware of this activity?
1. If the results of the triage indicate that `{{@usr.email}}` was not aware of this activity or it has not been approved, begin your company's incident response process, and start an investigation.