Administrative privileges assigned to a user, group or role
Goal
Detects when administrative privileges are assigned to user accounts, groups, or roles.
Strategy
This rule monitors OCSF-transformed logs where `@ocsf.class_uid` is `3005` (User Access Management) or `3006` (Group Management) for administrative privilege assignment activities. It triggers when events include `@ocsf.activity_name` set to `Assign Privileges` and `@ocsf.privileges` containing `ADMIN_PRIVILEGES_ASSIGNED`. Administrative privilege assignments are significant security events: they may be legitimate administrative actions or a sign of privilege escalation. Monitoring these activities across all connected systems is critical for maintaining proper access controls.
Triage and response
- Verify if the privilege assignment to `{{@ocsf.user.name}}` was authorized through your organization’s access management process.
- Review the specific privileges granted and determine if they align with the user’s legitimate business role and responsibilities.
- Examine the timing and context of the privilege assignment to identify if it occurred during normal business hours or as part of scheduled administrative activities.
- Check for any concurrent suspicious activities from the same user account across connected systems and platforms.
- Validate that the privilege assignment was performed by an authorized administrator with proper approval documentation.
- Determine if the newly assigned privileges have been used since the assignment and review any actions taken with the elevated permissions.