Delinea Privilege Manager unusual spike in application justification events

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects an unusual spike in application justification events.

Strategy

This rule monitors the Delinea Privilege Manager logs to detect an unusual spike in application justification events.

Triage and Response

  1. Analyze the application justification events to identify the users, applications, and computers that are contributing significantly to the spike.
  2. Identify whether the spike involves applications flagged as suspicious or bad.
  3. Determine if these justifications (user reasons) were for legitimate business needs or potential misuse.
  4. If suspicious or unauthorized justifications are identified, revoke or restrict the privileges granted to the affected applications.
  5. Review change history logs to identify any recent modifications to policies or permissions that caused the spike; if a misconfiguration is found, revert to a more secure policy.
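The spike detection in the Strategy section and triage step 1 above, as an added example that is not part of the original rule documentation: hourly counts of justification events are compared against the median of the other hours, and a flagged hour is broken down by user, application and computer. The event tuple layout, the sample events and the thresholds are assumptions made for this illustration, not the Delinea Privilege Manager log schema or the rule's actual logic.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample events (not real Delinea Privilege Manager log data). The
# layout (timestamp, user, application, computer, justification) is assumed.
EVENTS = [
    ("2024-05-01T09:05:00", "alice", "cmd.exe", "WS-01", "install build tools"),
    ("2024-05-01T10:12:00", "bob", "powershell.exe", "WS-02", "run deploy script"),
    ("2024-05-01T11:40:00", "carol", "regedit.exe", "WS-03", "fix printer driver"),
    ("2024-05-01T12:01:00", "alice", "cmd.exe", "WS-01", "compile project"),
    ("2024-05-01T13:30:00", "bob", "powershell.exe", "WS-02", "log rotation"),
] + [
    # Ten justifications in one hour from a single user, application and host
    (f"2024-05-01T14:{m:02d}:00", "dave", "unknown-tool.exe", "WS-09", "need it")
    for m in range(0, 30, 3)
]


def hourly_counts(events):
    """Count justification events per hour bucket, keyed like '2024-05-01T14'."""
    counts = defaultdict(int)
    for ts, *_ in events:
        counts[ts[:13]] += 1
    return dict(counts)


def find_spikes(events, ratio=3.0, min_events=5):
    """Return hour buckets whose count is at least `ratio` times the median of
    the other buckets and at least `min_events`; the floor stops a quiet day's
    jump from 1 to 3 events from alerting. Both thresholds are illustrative."""
    counts = hourly_counts(events)
    spikes = []
    for hour, count in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if count >= min_events and count >= ratio * max(baseline, 1):
            spikes.append(hour)
    return spikes


def top_contributors(events, hour, n=3):
    """Triage step 1: users, applications and computers driving a flagged hour."""
    users, apps, hosts = Counter(), Counter(), Counter()
    for ts, user, app, host, _reason in events:
        if ts[:13] == hour:
            users[user] += 1
            apps[app] += 1
            hosts[host] += 1
    return {"users": users.most_common(n), "applications": apps.most_common(n),
            "computers": hosts.most_common(n)}
```

The contributor breakdown is what feeds steps 2 and 3: an unfamiliar binary or a single host dominating the hour is the first thing to check against the application's reputation and the stated reasons.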