Classification:

attack

Tactic:

TA0004-privilege-escalation

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the jumpcloud integration.

Goal

Detect when administrative privileges are provisioned to a JumpCloud user.

Strategy

This rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:

• user_admin_granted

Triage and response

1. Contact the JumpCloud administrator: {{@usr.email}} to confirm that the users or devices should have administrative privileges.
2. If the change was not authorized, verify there are no other signals from the JumpCloud administrator: {{@usr.email}}.