Jumpcloud admin granted system privileges
Set up the jumpcloud integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.
Strategy
This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name of system_admin_grant.
Triage and response
- Reach out to the admin making the change (
{{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name). - If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (
@resource.name).
