Zendesk IP restriction settings is disabled

zendesk

Classification: attack

Set up the Zendesk integration.

Goal

Detect when IP restriction is disabled.

Strategy

Monitor Zendesk audit logs for events with an @source_label value of "Security: Enable IP restrictions" and message:"Turned off". IP restriction allows administrators to limit access to Zendesk to users within a certain range of IP addresses only.
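
The matching logic described above, as an added example that is not part of the rule itself or of any vendor code. The JSON layout of the events, the timestamp field, the user names and the case-insensitive comparison are assumptions made for illustration; only the two matched values come from the rule text.

```python
import json

# Values taken from the rule's strategy text.
SOURCE_LABEL = "Security: Enable IP restrictions"
MESSAGE_MARKER = "turned off"  # compared case-insensitively (a choice made here)

# Constructed sample events, not real logs. The JSON layout is an assumption
# modelled on the attribute names the rule references.
SAMPLE_LOGS = """\
{"timestamp": "2024-01-10T09:15:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned off", "usr": {"name": "alice.admin"}}
{"timestamp": "2024-01-10T09:20:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned on", "usr": {"name": "bob.admin"}}
{"timestamp": "2024-01-10T09:25:00Z", "source_label": "Constructed: some other setting", "message": "Turned off", "usr": {"name": "carol.admin"}}
not-json line from a broken forwarder
{"timestamp": "2024-01-10T09:30:00Z", "source_label": "Security: Enable IP restrictions", "message": "Turned off"}
"""


def is_ip_restriction_disabled(event):
    """True only when the event satisfies both conditions of the rule."""
    label = event.get("source_label")
    message = event.get("message")
    if not isinstance(label, str) or not isinstance(message, str):
        return False
    return label == SOURCE_LABEL and MESSAGE_MARKER in message.lower()


def detect(lines):
    """Return one finding per matching event, skipping unparsable lines."""
    findings = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed input must not stop the scan
        if not isinstance(event, dict) or not is_ip_restriction_disabled(event):
            continue
        usr = event.get("usr")
        user = usr.get("name", "<unknown>") if isinstance(usr, dict) else "<unknown>"
        findings.append({"user": user, "timestamp": event.get("timestamp")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(f"IP restriction disabled by {finding['user']} at {finding['timestamp']}")
```

An event with no user attribute is still reported, with the user shown as `<unknown>`, so that the change itself is not missed during triage.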

Triage and response

  1. Determine if the user {{@usr.name}} intended to disable IP restriction.
  2. If there is no legitimate business use case, reset the IP restrictions to the original configuration.