For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/dil-xy4-9ag.md. A documentation index is available at /llms.txt.

JumpCloud policy modified

jumpcloud

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1484-domain-or-tenant-policy-modification

Goal

Detect when a JumpCloud policy is modified.

Strategy

This rule lets you monitor the following JumpCloud event to detect when a policy is modified:

  • @evt.name:policy_update

Triage and response

  1. Contact the JumpCloud administrator {{@usr.email}} to confirm if the policy modification(s) was intended.
  2. If the change was not authorized, verify there are no other signals from the administrator:{{@usr.email}}.