Privileged User Monitoring

Attackers increasingly use stolen or misused privileged credentials to reach corporate resources and sensitive information and to exfiltrate data. Privileged user accounts are accounts with elevated rights, such as members of Domain Admins or accounts with root privileges. Effective privileged user monitoring (PUM) helps organizations protect critical assets, meet compliance requirements and mitigate both external threats and insider threats.

Workflow

Overview

The Identity Center dashboard in ES provides a snapshot of users and serves as a good starting point to monitor privileged users.

This dashboard has panels built on identity data, including a list of account names, account categories, departments and other associated information. ES uses this identity data to correlate user information with indexed events, so each event carries detailed context about the user behind it.

Privileged User Monitoring Dashboard

Splunk Enterprise Security (ES) includes two reports that summarize privileged user activity. These reports show the current state of privileged account usage in your environment, and you can build a dashboard that presents both reports so these users are easy to monitor.

1. Privileged account usage over time shows the total count of events over time that involved a privileged user account. This report establishes the pattern of normal privileged account usage, so unusual or unexpected activity stands out against it.

2. Privileged accounts in use shows the privileged accounts seen during the selected time frame and how many times each was used to log in. This report helps spot rarely used accounts that suddenly show bursts of activity.

Placing both reports on a Privileged User Monitoring dashboard puts privileged account activity in one place where it can be reviewed at a glance.

Insight into Privileged User Activities

To gain further insight into the activities of privileged users in your environment, an analyst can create correlation searches that produce notable events. For example, you can create a correlation search that identifies a privileged user authenticating to an application at the same time from different hosts, or one that fires when a privileged user uploads a large file to a domain ending in ".ru" (a weak indicator on its own, so combine it with upload size or other context rather than alerting on the TLD alone). With Splunk ES, correlation searches are easy to create in guided mode, using the Access and Identities data models to supply the detailed context.
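The following is an added worked example, not code from Splunk or from ES, that makes the logic of the two reports above (usage over time, accounts in use with a check for rarely used accounts that suddenly burst) and of the "same time, different hosts" correlation search concrete. It runs over a handful of constructed authentication events; the field names (_time, user, src, action) follow the CIM Authentication data model, while the PRIVILEGED set, the host names and the burst thresholds are assumptions standing in for what the ES identity lookup and a tuned correlation search would supply.

```python
"""Privileged user monitoring logic over constructed sample data.
Added worked example; not Splunk's or ES's own code. PRIVILEGED stands in
for the privileged flag an ES identity lookup supplies (assumption)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed identity data: accounts with elevated rights (DA / root / service).
PRIVILEGED = {"da-jsmith", "root", "svc-backup"}

# Constructed authentication events: (time, user, source host, action).
# svc-backup is normally quiet, then fans out to several hosts within minutes.
EVENTS = [
    ("2024-03-01 08:00:00", "da-jsmith",  "wks-101",  "success"),
    ("2024-03-01 08:05:00", "jdoe",       "wks-102",  "success"),
    ("2024-03-01 09:00:00", "da-jsmith",  "wks-101",  "success"),
    ("2024-03-02 08:00:00", "da-jsmith",  "wks-101",  "success"),
    ("2024-03-02 22:10:00", "svc-backup", "srv-bak1", "success"),
    ("2024-03-03 03:00:00", "svc-backup", "srv-bak1", "success"),
    ("2024-03-03 03:00:30", "svc-backup", "wks-777",  "success"),
    ("2024-03-03 03:01:00", "svc-backup", "wks-778",  "success"),
    ("2024-03-03 03:02:00", "svc-backup", "wks-779",  "success"),
    ("2024-03-03 03:03:00", "svc-backup", "wks-780",  "success"),
    ("2024-03-03 03:04:00", "root",       "srv-db1",  "failure"),
]

EPOCH = datetime(1970, 1, 1)


def bucket(t, span):
    """Floor a timestamp to the start of its span-sized bucket (like SPL's bin)."""
    return EPOCH + ((t - EPOCH) // span) * span


def parse(raw):
    """Turn the raw tuples into time-sorted event dicts."""
    evs = [{"_time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": u, "src": s, "action": a} for ts, u, s, a in raw]
    return sorted(evs, key=lambda e: e["_time"])


def privileged_events(events):
    """The identity-lookup join: keep only events whose user is privileged."""
    return [e for e in events if e["user"] in PRIVILEGED]


def usage_over_time(events, span=timedelta(days=1)):
    """Report 1: privileged-account events per bucket (a timechart count)."""
    counts = Counter(bucket(e["_time"], span) for e in privileged_events(events))
    return dict(sorted(counts.items()))


def accounts_in_use(events):
    """Report 2: privileged accounts seen and how many auth events each produced."""
    return Counter(e["user"] for e in privileged_events(events))


def bursts(events, span=timedelta(days=1), factor=3.0, min_count=4):
    """Flag a privileged account whose activity in one bucket is at least
    factor times its average over all earlier buckets and at least min_count
    events: a rarely used account that suddenly shows a burst."""
    priv = privileged_events(events)
    if not priv:
        return []
    start, end = bucket(priv[0]["_time"], span), bucket(priv[-1]["_time"], span)
    buckets = [start + i * span for i in range((end - start) // span + 1)]
    per_user = defaultdict(Counter)
    for e in priv:
        per_user[e["user"]][bucket(e["_time"], span)] += 1
    flagged = []
    for user, counts in per_user.items():
        for i in range(1, len(buckets)):          # need at least one earlier bucket
            prior = [counts[b] for b in buckets[:i]]
            baseline = sum(prior) / len(prior)
            now = counts[buckets[i]]
            if now >= min_count and now >= factor * baseline:
                flagged.append((user, buckets[i], now, baseline))
    return flagged


def concurrent_from_different_hosts(events, window=timedelta(minutes=5)):
    """Correlation search: one privileged user authenticating from more than
    one source host inside the window. Each window is reported once."""
    by_user = defaultdict(list)
    for e in privileged_events(events):
        by_user[e["user"]].append(e)
    notables = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            start = evs[i]["_time"]
            group = [x for x in evs[i:] if x["_time"] - start <= window]
            srcs = sorted({x["src"] for x in group})
            if len(srcs) > 1:
                notables.append({"user": user, "_time": start, "srcs": srcs})
                i += len(group)                   # skip events already reported
            else:
                i += 1
    return notables


if __name__ == "__main__":
    ev = parse(EVENTS)
    print("usage over time:", {k.date().isoformat(): v for k, v in usage_over_time(ev).items()})
    print("accounts in use:", dict(accounts_in_use(ev)))
    print("bursts:", bursts(ev))
    print("concurrent from different hosts:", concurrent_from_different_hosts(ev))
```

On the sample data the quiet svc-backup account is the only one flagged: it produces five events on the third day against a baseline of half an event per day, and those events come from five different hosts inside one five-minute window, which is exactly the pattern the second report and the correlation search are meant to surface. Two design points carry over to the real ES searches: the baseline is computed only from earlier buckets so a burst cannot inflate its own reference, and the concurrent-host check reports each window once rather than once per event, which keeps notable-event volume proportional to incidents rather than to log lines.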