Zendesk account assumption is enabled

zendesk

Classification: attack

Set up the Zendesk integration.

Goal

Detect when the Zendesk account assumption setting is enabled.

Strategy

Monitor Zendesk audit logs for events with an @source_label value of "Security: Enable Account assumption". Account assumption grants Zendesk the ability to access your account to troubleshoot an issue. It allows Zendesk to assume the role of an agent for a specified amount of time.

Triage and response

  1. Determine if the user {{@usr.name}} intended to enable the account assumption setting.
  2. If Zendesk support should not have the ability to assume the role of an agent, disable the setting.
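
The same check run offline over exported audit log lines, as an added example that is not part of the original rule. The JSON field names (source_label, actor_name, ip_address, created_at) and the sample lines are assumptions constructed for illustration; the per-actor summary supports triage step 1.

```python
import json
from datetime import datetime

ENABLE_LABEL = "Security: Enable Account assumption"  # value from the Strategy section

# Constructed sample lines; the field names are an assumption, not from the page.
SAMPLE_LINES = [
    '{"created_at": "2024-05-01T09:12:44Z", "actor_name": "Alice Admin", '
    '"ip_address": "198.51.100.7", "source_label": "Security: Enable Account assumption"}',
    '{"created_at": "2024-05-01T09:15:02Z", "actor_name": "Bob Agent", '
    '"ip_address": "198.51.100.9", "source_label": "Ticket form: Default"}',
    '{"created_at": "2024-05-03T17:40:10Z", "actor_name": "Alice Admin", '
    '"ip_address": "203.0.113.25", "source_label": "security:  enable account assumption "}',
    "truncated-line-not-json",
    '{"created_at": "2024-05-04T08:00:00Z", "actor_name": "Carol Owner"}',
]

def _norm(label):
    """Collapse whitespace and case (a defensive choice; the rule matches the exact label)."""
    return " ".join(str(label).split()).casefold()

def find_enable_events(lines):
    """Return (hits, skipped): events carrying the enable label, and unparseable line count."""
    hits, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # keep count so gaps in the export are visible
            continue
        if isinstance(event, dict) and _norm(event.get("source_label", "")) == _norm(ENABLE_LABEL):
            hits.append(event)
    return hits, skipped

def triage_summary(hits):
    """Per actor: event count, source IPs, first and last time the setting was enabled."""
    out = {}
    for e in hits:
        ts = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
        s = out.setdefault(e.get("actor_name", "<unknown>"),
                           {"count": 0, "ips": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["ips"].add(e.get("ip_address", "<unknown>"))
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return out

if __name__ == "__main__":
    hits, skipped = find_enable_events(SAMPLE_LINES)
    print(triage_summary(hits), "unparseable lines:", skipped)
```

An actor who enabled the setting more than once, or from more than one source IP, is a natural first question when confirming intent with that user.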