Jumpcloud policy created

jumpcloud

Classification:

attack

Tactic:

TA0003-persistence

Set up the jumpcloud integration.

Goal

Detect when a JumpCloud policy is created.

Strategy

This rule lets you monitor the following JumpCloud event to detect when a policy is created:

  • @evt.name:policy_create

Triage and response

  1. Contact the JumpCloud administrator {{@usr.email}} to confirm if the policy creation was intended.
  2. If the change was not authorized, verify there are no other signals from the administrator:{{@usr.email}}.