SQL Injection Vulnerability and Logical Access Flaw Found in Zendesk Explore

The Zendesk team did an exceptional job of patching this vulnerability in a timely manner. Had threat actors discovered it before the Varonis team, or had it been left unpatched, the flaw would have been considered a critical vulnerability in the Zendesk application: attackers would have had the capability to steal any information they wanted from the database. Because many organizations have external user registration enabled by default and any user could invoke this API, the exploit would have been difficult to monitor for with detection rules. The activity itself would likely not have logged anything that a reliable detection could be built around. For these specific vulnerabilities, the best course for detection would be to create rules around data exfiltration. The scenario highlights the need for a defense-in-depth strategy that covers all stages of the cyber kill chain.

https://www.varonis.com/blog/zendesk-sql-injection-and-access-flaws