
Quick Start Security for Zendesk


Coralogix Extension For Zendesk Includes:

Alerts - 9

Stay on top of Zendesk key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A secondary identity was created

This alert detects when a secondary email address is added to an existing team member.
Impact: A threat actor may create a new identity or role for an existing team member to maintain persistence in the environment.
Mitigation: Verify that this action is legitimate and that the member is aware of it. If not, revert the action and investigate further.
MITRE Tactic: TA0003
MITRE Technique: T1136

User Role Changed To Admin

This alert detects when a user's role is changed. After logging in, a user can access the different Zendesk products (Support, Guide, Explore, Talk and Chat). In each product the user can hold a role such as admin, agent, contributor, editor or viewer, and each role carries a different level of privilege.
Impact: Admin privileges allow a threat actor to access and manipulate data and other users on the platform.
Mitigation: Verify whether this action was legitimate. If not, revert the action and investigate further.
MITRE Tactic: TA0004
MITRE Technique: T1078
MITRE Sub-Technique: T1078.004

A member was added to a group

This alert detects when a team member is added to a group in Zendesk.
Impact: A threat actor may add a team member to a more privileged group to escalate privileges and perform malicious operations.
Mitigation: Verify that this action was legitimate and that the user is aware of it. If not, investigate further and revert the action.
MITRE Tactic: TA0003
MITRE Technique: T1078

A member was removed from a group

This alert detects when a team member is removed from a group in Zendesk.
Impact: A threat actor may remove a team member from a group to revoke that user's access and disrupt normal business operations.
Mitigation: Verify that the removal and the user who performed it were legitimate.
MITRE Tactic: TA0040
MITRE Technique: T1531

Suspension Disabled For a User

This rule detects when a user's suspension is disabled in Zendesk.
Impact: Threat actors may lift a user's suspension and then use that account's privileges to perform malicious operations.
Mitigation: Check whether this action was legitimate. If not, revert the action and investigate further.
MITRE Tactic: TA0040
MITRE Technique: T1531

Suspension Enabled For a User

This rule detects when a user is suspended in Zendesk.
Impact: Threat actors may suspend legitimate users to prevent them from accessing the services, which can disrupt normal business operations.
Mitigation: Check whether this action was legitimate and does not interrupt work on the platform. If not, revert the action and investigate further.
MITRE Tactic: TA0040
MITRE Technique: T1531

A User Was Deleted

This rule detects when a user is deleted from Zendesk.
Impact: An adversary may delete a user account it previously created for malicious activity in order to remove traces of that activity from the environment.
Mitigation: Check that the affected user is aware of this action and validate that the actor was authorized to perform the deletion. If not, investigate further.
MITRE Tactic: TA0005
MITRE Technique: T1562

New User Created

This alert detects when a new user is created.
Impact: An adversary may create a user to maintain persistence in the environment, then add that user to a privileged group to escalate privileges.
Mitigation: Check that the affected user is aware of this action and validate that the actor was authorized to create the account. If not, investigate further.
MITRE Tactic: TA0003
MITRE Technique: T1136

No logs from Zendesk

This rule detects when no Zendesk logs have arrived in the customer account in the last 24 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries employ across several MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005
MITRE Technique: T1562
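To show how the nine alerts above map onto raw audit events, here is an added example (not Coralogix's or Zendesk's code) that classifies constructed Zendesk-style audit-log entries into these alert names and implements the 24-hour "no logs" check. The field names (action, source_type, source_label, actor_name, change_description, created_at) and the wording of change_description are assumptions modelled on Zendesk audit-log exports, so verify them against your own logs before relying on the phrases.

```python
from datetime import datetime, timedelta

# (source_type, action, phrase required in change_description) -> alert name from the page.
# Order matters: "unsuspended" must be tested before "suspended", which it contains.
RULES = [
    ("user", "create", "", "New User Created"),
    ("user", "destroy", "", "A User Was Deleted"),
    ("user", "update", "secondary email", "A secondary identity was created"),
    ("user", "update", "role changed to admin", "User Role Changed To Admin"),
    ("user", "update", "added to group", "A member was added to a group"),
    ("user", "update", "removed from group", "A member was removed from a group"),
    ("user", "update", "unsuspended", "Suspension Disabled For a User"),
    ("user", "update", "suspended", "Suspension Enabled For a User"),
]

def classify(entry):
    """Return the alert name one audit entry triggers, or None if it is benign."""
    desc = entry.get("change_description", "").lower()
    for source_type, action, phrase, alert in RULES:
        if entry.get("source_type") == source_type and entry.get("action") == action and phrase in desc:
            return alert
    return None

def triage(entries):
    """Return (alert, actor, target) for every entry that fires a rule."""
    hits = []
    for e in entries:
        alert = classify(e)
        if alert:
            hits.append((alert, e["actor_name"], e["source_label"]))
    return hits

def no_logs(entries, now_iso, window_hours=24):
    """'No logs from Zendesk': True when no entry arrived within the window ending at now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=window_hours)
    return not any(datetime.fromisoformat(e["created_at"]) >= cutoff for e in entries)

# Constructed sample entries (assumed field layout, not real Zendesk output).
SAMPLE = [
    {"created_at": "2024-05-01T09:00:00+00:00", "action": "create", "source_type": "user",
     "source_label": "contractor@example.com", "actor_name": "Admin Ana", "change_description": ""},
    {"created_at": "2024-05-01T09:05:00+00:00", "action": "update", "source_type": "user",
     "source_label": "contractor@example.com", "actor_name": "Admin Ana",
     "change_description": "Role changed to Admin"},
    {"created_at": "2024-05-01T09:06:00+00:00", "action": "update", "source_type": "user",
     "source_label": "jane@example.com", "actor_name": "Admin Ana", "change_description": "User unsuspended"},
    {"created_at": "2024-05-01T09:07:00+00:00", "action": "update", "source_type": "ticket",
     "source_label": "#4521", "actor_name": "Agent Bob", "change_description": "Priority changed"},
]
```

Running triage(SAMPLE) surfaces the account creation followed minutes later by an admin role change by the same actor, the sequence the "New User Created" and "User Role Changed To Admin" alerts are meant to catch together.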

Integration

Learn more about Coralogix's out-of-the-box integration with Zendesk in our documentation.
