Splunk Lantern

Detecting non-privileged user accounts conducting privileged actions


The Payment Card Industry Data Security Standard (PCI DSS) was created to secure credit cardholder data from theft and misuse. It defines 12 security areas in which companies should enhance protection for this type of data. The requirements apply to anyone involved in credit card processing, including merchants, processors, and third-party service providers that store, process, or transmit cardholder data. It was developed to encourage and improve cardholder data security and to facilitate the global adoption of consistent data security measures.

Accounts with elevated privileges, such as the “administrator” or “root” account, can greatly affect the security or operational functionality of systems and networks. Without an audit trail of the activities conducted, organizations cannot trace an issue caused by an administrative mistake or misuse of privilege back to the specific action and individual.

Attackers commonly target privileged user credentials to gain access to an organization's high-value resources and sensitive information. Privileged user accounts are accounts of users with managerial rights or root privileges, and accounts with elevated permissions to perform high-level system activities. Effective privileged user monitoring plays a critical role in protecting an organization's critical assets. It also helps meet compliance requirements and reduces the number of both insider and external threats.

How to use Splunk Enterprise Security for this use case

You can use Splunk Enterprise Security use cases to monitor privileged account activity and help ensure PCI DSS compliance. Use Splunk Enterprise Security correlation searches to detect all actions taken by any individual with root or administrative privileges, or any attempt by a non-privileged user account to perform escalated actions.

  1. Configure user account events from authentication servers, such as Microsoft Active Directory (AD) or LDAP servers, as a primary source of user activity.
    • Ensure you are monitoring events such as the upgrade of user credentials and user permissions or creation of new users.
    • Ensure that account names, account categories, departments of relevant users and other relevant information are listed along with credential data.
  2. Generate a list of privileged events. Many Splunk technology add-ons define privileged actions by default.
  3. Generate a list of privileged and non-privileged users. You can see a detailed example of this in Splunk Security Essentials.
  4. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    index=* source="*WinEventLog:Security" tag=privileged 
    | lookup PrivilegedRiskScores user OUTPUT isAdminAccount 
    | search isAdminAccount=0
  5. For any results, investigate why an account is performing these actions by following up with the user or with managerial staff.
  6. If necessary, disable account activity until a complete investigation can be performed and user events can be validated.
  7. Perform corrective actions such as user guidance or change management processes if these actions were authorized.
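The following Python is an added, offline illustration and is not code from the original article or from Splunk. It models the step 4 search over constructed Windows Security events and a constructed stand-in for the PrivilegedRiskScores lookup, and also shows a gap the SPL hides: an event whose user is absent from the lookup never receives an isAdminAccount field, so `search isAdminAccount=0` silently drops it. The helper can optionally surface such events so lookup gaps are visible.

```python
"""Offline model of: index=* source="*WinEventLog:Security" tag=privileged
| lookup PrivilegedRiskScores user OUTPUT isAdminAccount | search isAdminAccount=0
All data below is constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the PrivilegedRiskScores lookup: user -> isAdminAccount.
PRIVILEGED_RISK_SCORES = {
    "svc_backup": 1,
    "jdoe_admin": 1,
    "mwilson": 0,
    "tsmith": 0,
}

# Constructed events, already normalised the way a technology add-on would
# (user, EventCode, signature, tag). Event codes are standard Windows Security IDs.
SAMPLE_EVENTS = [
    {"user": "jdoe_admin", "EventCode": 4720, "signature": "A user account was created", "tag": ["privileged"]},
    {"user": "mwilson", "EventCode": 4728, "signature": "A member was added to a security-enabled global group", "tag": ["privileged"]},
    {"user": "tsmith", "EventCode": 4624, "signature": "An account was successfully logged on", "tag": ["authentication"]},
    {"user": "contractor7", "EventCode": 4732, "signature": "A member was added to a security-enabled local group", "tag": ["privileged"]},
]

@dataclass
class Finding:
    user: str
    event_code: int
    signature: str
    is_admin: Optional[int]  # None when the user is absent from the lookup

def privileged_by_non_admin(events, lookup=PRIVILEGED_RISK_SCORES, include_unknown=True):
    """Return privileged-tagged events from accounts not marked as admin.

    With include_unknown=False this matches the SPL exactly: users missing
    from the lookup get no isAdminAccount field and are dropped. With
    include_unknown=True those events are returned with is_admin=None so a
    stale or incomplete lookup shows up as a finding rather than as silence.
    """
    findings = []
    for ev in events:
        if "privileged" not in ev.get("tag", []):
            continue  # same filter as tag=privileged
        is_admin = lookup.get(ev["user"])  # same as the lookup OUTPUT field
        if is_admin == 0 or (is_admin is None and include_unknown):
            findings.append(Finding(ev["user"], ev["EventCode"], ev["signature"], is_admin))
    return findings

if __name__ == "__main__":
    for f in privileged_by_non_admin(SAMPLE_EVENTS):
        print(f"{f.user:12} {f.event_code} {f.signature} (isAdminAccount={f.is_admin})")
```

Running the strict mode reproduces what the search returns today; the default mode additionally lists accounts that the lookup does not know about, which is the usual reason a real escalation goes unreported.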

Privileged access rights should be reviewed at appropriate intervals (at least once a month). All privileged user access to files and databases, including local system access, should be monitored. Alerts for critical privileged user changes should be shared with SOC operations.

Next steps