
Zendesk IP restriction settings is disabled

Goal

Detect when IP restriction is disabled.

Strategy

Monitor Zendesk audit logs for events with an @source_label value of "Security: Enable IP restrictions" and message:"Turned off". IP restriction allows administrators to limit access to Zendesk to users within a certain range of IP addresses only.

Triage and response

  1. Determine if the user {{@usr.name}} intended to disable IP restriction.
  2. If there is not a legitimate business use case, reset the IP restrictions to the original configuration.
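
The following Python is an added example, not part of the Datadog rule or the original page. It applies the Strategy match to constructed audit events and tracks whether a later event restored the setting, which is what triage step 2 asks for. The flat JSON field names, the "Turned on" re-enable wording and the sample events are assumptions.

```python
import json

RULE_SOURCE_LABEL = "Security: Enable IP restrictions"  # from the rule
RULE_MESSAGE = "Turned off"                             # from the rule
REENABLE_MESSAGE = "Turned on"  # assumption: wording of the re-enable event

# Constructed sample events in time order, not real Zendesk or Datadog output.
SAMPLE_LOGS = """\
{"timestamp": "2024-05-01T09:00:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned off", "usr": {"name": "alice"}}
{"timestamp": "2024-05-01T09:10:00Z", "source_label": "Other setting (constructed)", "message": "Turned off", "usr": {"name": "bob"}}
{"timestamp": "2024-05-01T09:30:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned on", "usr": {"name": "alice"}}
not-json line that the parser must skip
{"timestamp": "2024-05-01T14:00:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned off"}
"""


def find_disable_events(lines):
    """Return one finding per disable event; restored_at stays None while open."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(event, dict) or event.get("source_label") != RULE_SOURCE_LABEL:
            continue
        message = str(event.get("message", ""))
        if RULE_MESSAGE in message:
            findings.append({
                "user": (event.get("usr") or {}).get("name", "unknown"),
                "disabled_at": event.get("timestamp"),
                "restored_at": None,
            })
        elif REENABLE_MESSAGE in message:
            # A later re-enable closes every finding that is still open.
            for finding in findings:
                if finding["restored_at"] is None:
                    finding["restored_at"] = event.get("timestamp")
    return findings


if __name__ == "__main__":
    for f in find_disable_events(SAMPLE_LOGS.splitlines()):
        status = "restored " + f["restored_at"] if f["restored_at"] else "STILL DISABLED"
        print(f["disabled_at"], f["user"], status)
```

A finding whose restored_at is still None is the case triage step 2 addresses: the restriction was turned off and no later event turned it back on.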