Delinea Privilege Manager unusual spike in password disclosure events by a requesting user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects an unusual spike in password disclosure events by a requesting user.

Strategy

This rule monitors Delinea Privilege Manager logs to detect an unusual spike in password disclosure events by a requesting user.
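The following Python example is added here to illustrate per-user spike detection; it is not the rule's own query or the vendor's detection logic. Only `RequestingUser` comes from this page: the JSON log layout, the `timestamp` and `event` fields, the `PasswordDisclosure` value, the daily bucketing, and the median/MAD threshold are all assumptions, and the sample log lines are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

def _sample_logs():
    # Constructed data: 7 quiet days, then bob requests 12 disclosures on day 8.
    rows = []
    for day in range(1, 8):
        rows += [("alice", day, 9), ("alice", day, 14), ("bob", day, 10)]
    rows += [("alice", 8, 9)] + [("bob", 8, 11)] * 12
    return [json.dumps({"timestamp": f"2024-05-{d:02d}T{h:02d}:00:00",
                        "event": "PasswordDisclosure",  # assumed event name
                        "RequestingUser": u}) for u, d, h in rows]

SAMPLE_LOGS = _sample_logs()

def daily_counts(lines, event="PasswordDisclosure"):
    """Return ({user: Counter{date: n}}, sorted list of all dates seen)."""
    counts, days = defaultdict(Counter), set()
    for line in lines:
        try:
            rec = json.loads(line)
            day = datetime.fromisoformat(rec["timestamp"]).date()
            user = rec["RequestingUser"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        days.add(day)
        if rec.get("event") == event:
            counts[user][day] += 1
    return counts, sorted(days)

def find_spikes(lines, k=5.0, min_events=5):
    """Flag users whose latest-day count exceeds median + k * MAD of prior days."""
    counts, days = daily_counts(lines)
    if len(days) < 2:
        return {}  # no baseline to compare against
    *history, current = days
    spikes = {}
    for user, per_day in counts.items():
        base = [per_day.get(d, 0) for d in history]  # zero-fill quiet days
        med = median(base)
        mad = median(abs(c - med) for c in base)
        threshold = med + k * max(mad, 1.0)  # floor MAD so flat baselines work
        n = per_day.get(current, 0)
        if n >= min_events and n > threshold:
            spikes[user] = {"count": n, "baseline_median": med, "threshold": threshold}
    return spikes

if __name__ == "__main__":
    print(find_spikes(SAMPLE_LOGS))
```

Comparing each user against their own history, rather than a global count, keeps accounts that routinely disclose many passwords from drowning out a low-volume user whose activity suddenly jumps.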

Triage and Response

  1. Reach out to the requesting user, {{@RequestingUser}}, to clarify whether the password disclosure activity was intentional or possibly unauthorized.
  2. Investigate affected accounts to determine if they belong to critical systems, privileged users, or sensitive roles.
  3. Analyze patterns in disclosure requests, such as unusual IP addresses or locations.
  4. Temporarily restrict or disable access to impacted accounts if the activity appears unauthorized.
  5. Reset passwords for affected accounts to prevent potential misuse.
  6. Update access roles and refine disclosure policies to prevent future incidents.