Jumpcloud admin granted system privileges

jumpcloud

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the jumpcloud integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.

Strategy

This rule monitors JumpCloud audit logs to detect when a user triggers the @evt.name of system_admin_grant.

Triage and response

  1. Reach out to the admin making the change ({{@usr.email}}) to confirm that the user (@usr.name) should have administrative privileges on the specified resource (@resource.name).
  2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (@resource.name).
PREVIEWING: rtrieu/product-analytics-ui-changes