Jumpcloud admin granted system privileges

jumpcloud

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the jumpcloud integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.

Strategy

This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name of system_admin_grant.

Triage and response

  1. Reach out to the admin making the change ({{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name).
  2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (@resource.name).
PREVIEWING: aliciascott/DOCS-9725-Cloudcraft