Jumpcloud admin granted system privileges
Set up the jumpcloud integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.
Strategy
This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name of system_admin_grant.
Triage and response
- Reach out to the admin making the change (
{{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name). - If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (
@resource.name).
