Administrative privileges assigned to a user, group or role

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when administrative privileges are assigned to user accounts, groups, or roles.

Strategy

This rule monitors OCSF-transformed logs where @ocsf.class_uid is 3005 (User Access Management) or 3006 (Group Management) for administrative privilege assignment activities. It triggers when events include @ocsf.activity_name set to Assign Privileges and @ocsf.privileges containing ADMIN_PRIVILEGES_ASSIGNED. Administrative privilege assignments are significant security events that could indicate legitimate administrative actions or potential privilege escalation attacks. Monitoring these activities across all connected systems is critical for maintaining proper access controls.
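As an added illustration (not Datadog's rule engine or any code from this page), the following Python applies the three conditions above to a constructed sample of OCSF events; the @ocsf.* attributes are modelled as a nested "ocsf" object, and all user names and events are made up for the example.

```python
import json

# Rule conditions as described on this page (constant names are mine, not Datadog's).
IN_SCOPE_CLASS_UIDS = {3005, 3006}   # User Access Management, Group Management
ASSIGN_ACTIVITY = "Assign Privileges"
ADMIN_MARKER = "ADMIN_PRIVILEGES_ASSIGNED"

def matches_rule(event):
    """True when an OCSF event satisfies all three conditions of the rule."""
    ocsf = event.get("ocsf") if isinstance(event, dict) else None
    if not isinstance(ocsf, dict):
        return False
    privileges = ocsf.get("privileges") or []
    if isinstance(privileges, str):      # tolerate a single string instead of a list
        privileges = [privileges]
    return (ocsf.get("class_uid") in IN_SCOPE_CLASS_UIDS
            and ocsf.get("activity_name") == ASSIGN_ACTIVITY
            and ADMIN_MARKER in privileges)

def find_admin_assignments(log_lines):
    """Parse JSON log lines, skip malformed ones, return (user, class_uid) per match."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                     # malformed line: skip rather than crash the detector
        if matches_rule(event):
            hits.append((event["ocsf"].get("user", {}).get("name"), event["ocsf"]["class_uid"]))
    return hits

def ev(class_uid, activity, privileges, user):
    """Build one constructed JSON log line; @ocsf.* is modelled as a nested 'ocsf' object."""
    return json.dumps({"ocsf": {"class_uid": class_uid, "activity_name": activity,
                                "privileges": privileges, "user": {"name": user}}})

# Constructed sample log (not real data) covering matches and each way an event can miss.
SAMPLE_LOG = [
    ev(3005, "Assign Privileges", ["ADMIN_PRIVILEGES_ASSIGNED"], "alice"),                    # match
    ev(3006, "Assign Privileges", ["GROUP_MEMBER_ADDED", "ADMIN_PRIVILEGES_ASSIGNED"], "bob"),  # match
    ev(3005, "Assign Privileges", ["READ_ONLY"], "carol"),                                     # no admin marker
    ev(3005, "Remove Privileges", ["ADMIN_PRIVILEGES_ASSIGNED"], "dave"),                     # wrong activity
    ev(3002, "Assign Privileges", ["ADMIN_PRIVILEGES_ASSIGNED"], "erin"),                     # class out of scope
    "this line is not JSON",                                                                   # malformed, skipped
]

if __name__ == "__main__":
    for user, class_uid in find_admin_assignments(SAMPLE_LOG):
        print(f"ALERT: administrative privileges assigned to {user} (class_uid {class_uid})")
```

Running it reports only alice and bob; the other lines show why the activity name and class scope matter as much as the privilege marker itself.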

Triage and response

  • Verify if the privilege assignment to {{@ocsf.user.name}} was authorized through your organization’s access management process.
  • Review the specific privileges granted and determine if they align with the user’s legitimate business role and responsibilities.
  • Examine the timing and context of the privilege assignment to identify if it occurred during normal business hours or as part of scheduled administrative activities.
  • Check for any concurrent suspicious activities from the same user account across connected systems and platforms.
  • Validate that the privilege assignment was performed by an authorized administrator with proper approval documentation.
  • Determine if the newly assigned privileges have been used since the assignment and review any actions taken with the elevated permissions.