Delinea Privilege Manager unusual spike in application justification events

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects an unusual spike in application justification events.

Strategy

This rule monitors the Delinea Privilege Manager logs to detect an unusual spike in application justification events.

Triage and Response

  1. Analyze the application justification events to identify the users, applications, and computers that are contributing significantly to the spike.
  2. Identify whether the spike involves applications flagged as suspicious or bad.
  3. Determine if these justifications (user reasons) were for legitimate business needs or potential misuse.
  4. If suspicious or unauthorized justifications are identified, revoke or restrict the privileges granted to the affected applications.
  5. Review the change history logs for recent modifications to policies or permissions that could be causing the spike; if a misconfiguration is found, revert to a more secure policy.
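As an added illustration of both the strategy above and the first steps of the triage, the script below counts justification events per hour, flags an hour whose count exceeds a threshold derived from the preceding hours, and then breaks the spike hour down by user, application and computer, marking applications that appear on an assumed deny list. This is example code, not Delinea's or Datadog's rule logic; the event field names (`timestamp`, `user`, `application`, `computer`, `reason`), the tuning constants and the sample data are all assumptions constructed for the example.

```python
"""Toy spike detector over Delinea Privilege Manager application justification
events. Added example; the field names and thresholds below are assumptions,
not the product's actual log schema or the rule's real tuning."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(hours=1)
MIN_EVENTS = 5     # never alert on fewer events than this (assumed tuning value)
SIGMA_K = 3.0      # alert above trailing mean + SIGMA_K standard deviations
RATIO = 3.0        # ...and only if the count is also this multiple of the mean
MIN_HISTORY = 3    # windows of history required before the baseline is trusted


def make_sample_events():
    """Constructed sample data (not real Delinea logs): six quiet hours with
    two justifications each, then one hour in which a single user justifies
    a remote-execution tool ten times on top of the usual two events."""
    base = datetime(2024, 5, 6, 8, 0, 0)
    events = []
    for hour in range(7):
        for i in range(2):  # the normal background activity, every hour
            events.append({
                "timestamp": (base + timedelta(hours=hour, minutes=10 * i)).isoformat(),
                "user": f"user{i}", "application": "notepad.exe",
                "computer": f"ws{i:02d}", "reason": "editing config",
            })
    spike = base + timedelta(hours=6)
    for i in range(10):  # the burst that should trip the detector
        events.append({
            "timestamp": (spike + timedelta(minutes=i)).isoformat(),
            "user": "contractor7", "application": "psexec.exe",
            "computer": "ws42", "reason": "testing",
        })
    return events


def window_start(ts: datetime) -> datetime:
    """Truncate a timestamp to the start of its one-hour window."""
    return ts.replace(minute=0, second=0, microsecond=0)


def detect_spikes(events):
    """Return the windows whose count exceeds a threshold built from the
    windows before them. Empty hours count as zero so gaps lower the
    baseline; a flagged window is excluded from later baselines so one
    burst does not mask the next."""
    counts = Counter(window_start(datetime.fromisoformat(e["timestamp"])) for e in events)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    spikes, history, t = [], [], first
    while t <= last:
        n = counts.get(t, 0)
        if len(history) >= MIN_HISTORY:
            mu = mean(history)
            threshold = max(MIN_EVENTS, mu + SIGMA_K * pstdev(history), RATIO * mu)
            if n > threshold:
                spikes.append({"window_start": t, "count": n, "threshold": threshold})
                t += WINDOW
                continue
        history.append(n)
        t += WINDOW
    return spikes


def summarize_window(events, start, suspicious_apps=frozenset()):
    """Triage step 1-3 support: who, what and where drove the spike, which
    applications are on the (assumed) suspicious list, and what reasons
    the users typed."""
    in_window = [e for e in events
                 if start <= datetime.fromisoformat(e["timestamp"]) < start + WINDOW]

    def top(key):
        return Counter(e[key] for e in in_window).most_common(3)

    return {
        "count": len(in_window),
        "top_users": top("user"),
        "top_applications": top("application"),
        "top_computers": top("computer"),
        "flagged_applications": sorted({e["application"] for e in in_window} & set(suspicious_apps)),
        "reasons": Counter(e["reason"] for e in in_window).most_common(),
    }


if __name__ == "__main__":
    evs = make_sample_events()
    for s in detect_spikes(evs):
        print(f"spike at {s['window_start']}: {s['count']} events (threshold {s['threshold']:.1f})")
        print(summarize_window(evs, s["window_start"], {"psexec.exe"}))
```

The threshold combines three guards on purpose: an absolute floor so that a handful of events in a normally silent tenant does not page anyone, a standard-deviation term for noisy baselines, and a ratio term for baselines so stable that the standard deviation is near zero (the sample data hits exactly that case). The summary is what you would pivot on next: a single user, a single computer and an application on the suspicious list is a very different picture from a spike spread evenly across a department after a policy change.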