Delinea Privilege Manager unusual spike in application justification events
Set up the delinea-privilege-manager integration.
Goal
Detects an unusual spike in application justification events.
Strategy
This rule monitors the Delinea Privilege Manager logs to detect an unusual spike in application justification events.
Triage and Response
- Analyze the application justification events to identify the users, applications, and computers that are contributing significantly to the spike.
- Identify whether the spike involves applications flagged as suspicious or bad.
- Determine if these justifications (user reasons) were for legitimate business needs or potential misuse.
- If suspicious or unauthorized justifications are identified, revoke or restrict the privileges granted to the affected applications.
- Review change history logs to identify any recent modifications to policies or permissions that are causing the spike. If a misconfiguration is found, revert to a more secure policy.
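
The first two triage steps can be scripted against exported events. The following is an added example, not part of the rule or the integration: the event field names (hour, user, application, computer, reputation) and the sample data are constructed assumptions, and the median/MAD threshold is a simple stand-in for whatever anomaly logic the rule itself uses.

```python
from collections import Counter
from statistics import median

# Constructed sample events. Field names are assumptions for illustration,
# not the Delinea Privilege Manager log schema.
def make_event(hour, user, application, computer, reputation="good"):
    return {"hour": hour, "user": user, "application": application,
            "computer": computer, "reputation": reputation}

EVENTS = []
for h in range(6):  # quiet baseline: two justifications per hour
    EVENTS.append(make_event(h, "alice", "putty.exe", "WS-01"))
    EVENTS.append(make_event(h, "bob", "7zip.exe", "WS-02"))
EVENTS.append(make_event(6, "alice", "putty.exe", "WS-01"))
EVENTS += [make_event(6, "carol", "tool.exe", "WS-07", "suspicious")
           for _ in range(9)]

def spike_hours(events, k=3):
    """Hours whose event count exceeds median + k * MAD (MAD floored at 1)."""
    counts = Counter(e["hour"] for e in events)
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * max(mad, 1)
    return sorted(h for h, c in counts.items() if c > threshold)

def top_contributors(events, hours, field, n=3):
    """Rank values of `field` (user, application, computer) inside the spike."""
    in_spike = (e[field] for e in events if e["hour"] in hours)
    return Counter(in_spike).most_common(n)

def flagged_applications(events, hours, bad=("suspicious", "bad")):
    """Applications in the spike window with a suspicious or bad reputation."""
    return {e["application"] for e in events
            if e["hour"] in hours and e["reputation"] in bad}

if __name__ == "__main__":
    hours = spike_hours(EVENTS)
    print("spike hours:", hours)
    for field in ("user", "application", "computer"):
        print(field, top_contributors(EVENTS, hours, field))
    print("flagged applications:", flagged_applications(EVENTS, hours))
```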