Monitor privileged accounts for suspicious activity
Use Splunk Enterprise Security to identify, search, and report on the activities of users with privileged accounts and help protect your environment from malicious attackers. Privileged accounts are user or system accounts with elevated privileges, such as users with Domain Administrator rights or root privileges. An attacker that gains access to privileged user credentials can take control of an organization's infrastructure to modify security settings, exfiltrate data, create user accounts, and more. If an attacker gains privileged account access credentials, their activities appear more legitimate and become harder to detect. Attackers attempt to gain access to privileged accounts by using social engineering techniques, sending spear-phishing messages, using malware, or "passing the hash" attacks.
- A Splunk platform instance with Splunk Enterprise Security installed and configured.
- An identity lookup that contains user accounts with a category field of category=privileged. Use this search to view the user accounts:
| datamodel "Identity_Management" High_Critical_Identities search |stats count by All_Identities.identity
Identify privileged user accounts
In order to monitor privileged account activity and identify suspicious actions that could indicate an adversary moving around in the network, define privileged accounts in your identity lookup using the Category field. You can use a search with the ldapsearch command to populate the identity.csv with privileged users.
- Create an identity lookup that includes users who have Domain Admin privileges or who are in the VIP group.
- Modify the example search below for your specific environment, or create your own.
This example search takes users with a group membership of Domain Admins or VIPs and adds them to the privileged category. Depending on your environment, you can modify the search to focus on specific organizational units (OUs) rather than group membership.
| ldapsearch domain=Acme search="(&(objectclass=user)(!(objectClass=computer)))"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval category=case(match(memberOf, "(?i)^.*?Domain\sAdmins?.+"), "privileged", match(memberOf, "(?i)^.*?VIP?.+"), "privileged", true(), "normal")
| table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, givenName as first, sn as last, mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy, department as bunit, whenCreated as
Note that case() returns null when no condition matches, which would remove the category field set earlier; the final true(), "normal" branch keeps non-privileged users categorized as normal.
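The same group-to-category logic as an added example in Python (not Splunk's code and not part of this page), run over constructed LDAP records and producing rows in the identity lookup layout. The startDate field (from whenCreated) is an assumed mapping because the page's search is cut off, and the VIP test is tightened to a whole word because the page's VIP? pattern makes the P optional.

```python
import csv
import io
import re

# Constructed LDAP records standing in for ldapsearch output (not real data).
LDAP_USERS = [
    {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Ops", "mail": "bob@acme.example",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=acme,DC=local"]},
    {"sAMAccountName": "carol", "givenName": "Carol", "sn": "Exec", "mail": "carol@acme.example",
     "memberOf": ["CN=VIPs,OU=Groups,DC=acme,DC=local", "CN=Staff,OU=Groups,DC=acme,DC=local"]},
    {"sAMAccountName": "dave", "givenName": "Dave", "sn": "User", "mail": "dave@acme.example",
     "memberOf": ["CN=Staff,OU=Groups,DC=acme,DC=local"]},
]

# Group tests behind the page's case() expression. The VIP pattern is tightened to a
# whole word: the page's "VIP?" makes the P optional and matches any DN containing "vi".
PRIVILEGED_GROUP_PATTERNS = [
    re.compile(r"^.*?Domain\sAdmins?.+", re.IGNORECASE),
    re.compile(r"\bVIPs?\b", re.IGNORECASE),
]

def categorize(member_of):
    """'privileged' if any group DN matches, else the 'normal' default."""
    if any(p.search(dn) for dn in member_of for p in PRIVILEGED_GROUP_PATTERNS):
        return "privileged"
    return "normal"

def build_identity_rows(users):
    """Map LDAP attributes onto the identity lookup fields the page renames to (startDate is assumed)."""
    rows = []
    for u in users:
        rows.append({
            "identity": u["sAMAccountName"], "prefix": u.get("personalTitle", ""),
            "nick": u.get("displayName", ""), "first": u.get("givenName", ""),
            "last": u.get("sn", ""), "suffix": "", "email": u.get("mail", ""),
            "phone": u.get("telephoneNumber", ""), "phone2": u.get("mobile", ""),
            "managedBy": u.get("manager", ""), "priority": "medium",
            "bunit": u.get("department", ""), "category": categorize(u.get("memberOf", [])),
            "watchlist": "false", "startDate": u.get("whenCreated", ""), "endDate": "",
        })
    return rows

def identity_csv(users):
    """Render the rows as identity.csv text ready for the lookup."""
    rows = build_identity_rows(users)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```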
See more about the Category lookup field in Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. To add a new identity lookup, see Configure the new asset or identity list in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Review current privileged account activity
Splunk Enterprise Security includes two reports that depict privileged user activity. Review them to determine the current state of privileged account usage in your environment.
- On the Splunk Enterprise Security menu bar, select Search > Reports.
- In the filter, type the word privileged to locate the privileged user reports.
- Click the Access - Privileged Account Usage Over Time report to open it and review the total count of events over time that included a privileged user account to see the pattern of normal privileged account usage and identify unusual or unexpected activity.
- Click the Access - Privileged Accounts In Use report to open it and review privileged accounts in use during the selected time frame, as well as how many times the accounts have been used to log in to identify rarely used accounts that suddenly show bursts of activity.
You notice that the domain admin account bob has logged in 100,000 times in the last 24 hours.
- Select Configure > Incident Management > New Notable Event to create a notable event for a tier one analyst to investigate.
- In the new notable event, type a title of Privileged user bob has logged in 100,000 times in 24 hrs.
- Set the Urgency to Critical.
- Assign the notable event to a tier one analyst.
- The tier one analyst investigates bob and determines that it is an administrative account used to run scripts, so the authentications are legitimate.
Set up a dashboard to monitor privileged accounts
To allow the security analysts to more easily review and monitor privileged user accounts, create a privileged account dashboard from the two reports.
- Select Search > Reports and filter on privileged to see the privileged account reports.
- Click the title to view the Access - Privileged Accounts In Use report.
- Click Add to Dashboard and select a New dashboard.
- Type a Dashboard Title of Privileged Accounts. The Dashboard ID is set automatically.
- For Dashboard Permissions select Shared in App.
- Type a Panel Title of Privileged Accounts in Use.
- For Panel Powered By select Report.
- For Panel Content select Statistics to view the raw data rather than a graph.
- Click Save and View Dashboard to view your creation.
- Add the Access - Privileged Account Usage Over Time report to the new dashboard using the same steps, but select an Existing dashboard of Privileged Accounts instead of creating a new dashboard.
After you create the dashboard, make it easy to find by adding it to the Splunk Enterprise Security menu bar.
- Select Configure > General > Navigation to view the navigation editor.
- Locate the Identity security domain navigation collection.
- Click the Add View icon and select the Privileged Accounts dashboard.
- Click Save to save the dashboard navigation location.
- Click Save to update the menu bar.
Monitor privileged accounts with notable events
In the case of bob, you manually created a notable event in order for a tier one analyst to investigate the account activity. By using a correlation search, you can automate privileged account activity monitoring and generate alerts as notable events. See Create correlation searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
You want to alert tier one analysts when a privileged user account makes concurrent access attempts to the same application from different hosts. This search creates notable events to identify potentially shared privileged credentials. This example uses a modified version of the existing correlation search, Concurrent Login Attempts Detected, to do this.
- Select Configure > Content > Content Management.
- Select Create New Content > Correlation Search.
- Type a Search Name of Shared Privileged Account Credentials.
- Use the following search as your Search:
| datamodel "Identity_Management" High_Critical_Identities search
| rename All_Identities.identity as "user"
| fields user
| eval cs_key='user'
| join type=inner cs_key
    [| tstats `summariesonly` count from datamodel=Authentication by _time,Authentication.app,Authentication.src,Authentication.user span=1s
    | `drop_dm_object_name("Authentication")`
    | eventstats dc(src) as src_count by app,user
    | search src_count>1
    | sort 0 + _time
    | streamstats current=t window=2 earliest(_time) as previous_time,earliest(src) as previous_src by app,user
    | where (src!=previous_src)
    | eval time_diff=abs(_time-previous_time)
    | where time_diff<300
    | eval cs_key='user']
- Type a Cron Schedule for how often you want the search to run.
- Select Add New Response Action and select a Notable.
- Type a Title, a Description, and other important fields for the notable event.
- Click Save.
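To show what the correlation search above actually flags, here is the same logic as an added Python example (not Splunk's code and not part of this page), run over constructed Authentication rows: the inner join on privileged identities, the dc(src)>1 filter, and the streamstats comparison of each login with the previous one for the same app and user inside the 300-second window.

```python
from collections import defaultdict

# Constructed Authentication rows standing in for the tstats output
# (epoch seconds, one row per app/src/user per second); not real data.
AUTH_EVENTS = [
    {"_time": 1000, "app": "vpn", "src": "10.0.0.5", "user": "bob"},
    {"_time": 1120, "app": "vpn", "src": "10.0.9.9", "user": "bob"},    # other host, 120 s later
    {"_time": 1130, "app": "vpn", "src": "10.0.0.7", "user": "dave"},
    {"_time": 1140, "app": "vpn", "src": "10.0.0.8", "user": "dave"},   # dave is not privileged
    {"_time": 5000, "app": "ssh", "src": "10.0.0.5", "user": "bob"},
    {"_time": 5900, "app": "ssh", "src": "10.0.9.9", "user": "bob"},    # 900 s apart: outside window
    {"_time": 7000, "app": "ssh", "src": "10.0.0.5", "user": "carol"},
    {"_time": 7010, "app": "ssh", "src": "10.0.0.5", "user": "carol"},  # same host: not concurrent
]
PRIVILEGED_USERS = {"bob", "carol"}  # identities with category=privileged
WINDOW_SECONDS = 300                 # the search's time_diff<300

def shared_credential_hits(events, privileged, window=WINDOW_SECONDS):
    """Mirror the correlation search: inner-join on privileged users, keep
    (app, user) pairs seen from more than one src (eventstats dc(src)>1),
    then compare each event with the previous one for that pair
    (streamstats window=2) and flag a different src within `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        if e["user"] in privileged:
            by_key[(e["app"], e["user"])].append(e)
    hits = []
    for (app, user), rows in by_key.items():
        if len({r["src"] for r in rows}) < 2:
            continue
        rows.sort(key=lambda r: r["_time"])
        for prev, cur in zip(rows, rows[1:]):  # the first row has no previous: never flagged
            time_diff = abs(cur["_time"] - prev["_time"])
            if cur["src"] != prev["src"] and time_diff < window:
                hits.append({"app": app, "user": user, "src": cur["src"],
                             "previous_src": prev["src"], "time_diff": time_diff})
    return hits

if __name__ == "__main__":
    for h in shared_credential_hits(AUTH_EVENTS, PRIVILEGED_USERS):
        print(f"Shared Privileged Account Credentials: {h}")
```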
You needed to monitor privileged account activity to identify suspicious activity indicating data exfiltration, lateral movement by an attacker, shared privileged credentials, and more. After configuring the identity data stored in Splunk Enterprise Security to categorize privileged users, you reviewed the two privileged account reports to identify any current users acting suspiciously. Then you created a dashboard to more easily review those reports in the future and keep a close eye on user accounts like bob. Finally, you set up a correlation search so that the tier one analysts would be notified of definitive suspicious activity such as concurrent login attempts from a privileged account.
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2