# Panther rule metadata. The detection logic lives in the Python file named by
# Filename (not shown here); this file only declares how the rule is
# registered, rated and documented.
AnalysisType: rule
RuleID: 'Atlassian.User.LoggedInAsUser'
DisplayName: 'Atlassian admin impersonated another user'
Filename: user_logged_in_as_user.py
Enabled: true
# High: the event means one account took on another user's identity
# (see Reference for the Atlassian feature this corresponds to).
Severity: High
DedupPeriodMinutes: 60  # 1 hour
LogTypes:
- Atlassian.Audit
Tags:
- Atlassian
- User impersonation
Description: >
  Reports when an Atlassian user logs in (impersonates) another user.
# NOTE(review): the runbook only asks the responder to confirm the event
# happened. Responders will usually also want the reason for the session and
# the audit events recorded for the impersonated account around the same time.
Runbook: >
  Validate that the Atlassian admin did log in (impersonate) as another user.
Reference: 'https://support.atlassian.com/user-management/docs/log-in-as-another-user/'
# Sample Atlassian.Audit events paired with the match outcome the rule is
# expected to produce (ExpectedResult) for each of them.
Tests:
# Positive case: attributes.action is "user_logged_in_as_user". In this sample
# the actor is the admin account and context carries the account that was
# logged in as, which is also named in message.content.
- Name: Admin impersonated user successfully
  ExpectedResult: true
  Log:
    attributes:
      action: 'user_logged_in_as_user'
      actor:
        email: 'example.admin@example.com'
        id: '1234567890abcdefghijklmn'
        name: 'Example Admin'
      container:
      - attributes:
          siteHostName: 'https://example.atlassian.net'
          siteName: 'example'
        id: '12345678-abcd-9012-efgh-1234567890abcd'
        links:
          alt: 'https://example.atlassian.net'
        type: 'sites'
      context:
      - attributes:
          accountType: 'atlassian'
          email: 'example.user@example.io'
          name: 'example.user@example.io'
        type: 'users'
      time: '2022-12-15T00:35:15.890Z'
    id: '2508d209-3336-4763-89a0-aceaf1322fcf'  # event ID
    message:
      content: 'Logged in as example.user@example.io'
      format: 'simple'
# Negative case: identical to the positive sample except attributes.action is
# "user_login". message.content still reads "Logged in as ...", so this case
# pins that the message text alone must not produce a match.
- Name: user_logged_in_as_user not in log
  ExpectedResult: false
  Log:
    attributes:
      action: 'user_login'
      actor:
        email: 'example.admin@example.com'
        id: '1234567890abcdefghijklmn'
        name: 'Example Admin'
      container:
      - attributes:
          siteHostName: 'https://example.atlassian.net'
          siteName: 'example'
        id: '12345678-abcd-9012-efgh-1234567890abcd'
        links:
          alt: 'https://example.atlassian.net'
        type: 'sites'
      context:
      - attributes:
          accountType: 'atlassian'
          email: 'example.user@example.io'
          name: 'example.user@example.io'
        type: 'users'
      time: '2022-12-15T00:35:15.890Z'
    id: '2508d209-3336-4763-89a0-aceaf1322fcf'  # event ID
    message:
      content: 'Logged in as example.user@example.io'
      format: 'simple'