Monitor Privileged Users

Overview

Monitoring privileged user activity helps SecOps teams detect unauthorized or suspicious behavior involving accounts with administrative rights, including privilege escalation, malicious insider actions, and misuse of system-level permissions on Windows endpoints. Tracking these events gives analysts visibility into when, on which host, and to which accounts special privileges are assigned, supporting faster investigations and proactive security controls.


Data Source

Privileged activity data is collected from the Windows Security log via the ThreatDefence Endpoint Agent:

  • EventCode 4672 – Special privileges assigned to new logon

Event 4672 is written once per new logon session that holds any of the privileges below. It records the privileges held at logon time, not their use, and it is generated for SYSTEM and service logons as well as for interactive administrator logons, so expect high volume and filter by account when hunting.

Privileges tracked include:

  • SeAssignPrimaryTokenPrivilege

  • SeTcbPrivilege

  • SeSecurityPrivilege

  • SeTakeOwnershipPrivilege

  • SeLoadDriverPrivilege

  • SeBackupPrivilege

  • SeRestorePrivilege

  • SeDebugPrivilege

  • SeAuditPrivilege

  • SeSystemEnvironmentPrivilege

  • SeImpersonatePrivilege

  • SeDelegateSessionUserImpersonatePrivilege


Events Captured

The Users With Admin Rights dashboard highlights the following information:

  • Users With Admin Rights – Count of accounts assigned special privileges.

  • User Breakdown – Distribution of SYSTEM, Administrator, and service accounts.

  • Event Feed – Real-time activity log with timestamps, IP addresses, and privilege assignments.


Key Fields

When investigating privileged activity, the following fields provide context:

  • agent.name – Endpoint hostname with TD agent installed. Example: agent.name: "TD-CCC-SENSOR-01"

  • data.win.eventdata.privilegeList – List of privileges assigned during logon. A single event usually carries several privileges, so search this field for the privilege of interest rather than an exact value. Example (search expression matching either privilege): data.win.eventdata.privilegeList: (SeBackupPrivilege OR SeRestorePrivilege)

  • source.ip – IP address of the system initiating the logon. Example: source.ip: 143.110.182.33

  • event.action – Action description from the Windows Event Log. Example: event.action: "Special privileges assigned to new logon"

  • destination.ip – Destination IP accessed during the privileged session. Example: destination.ip: 192.168.210.40

  • source.geo.organization – ISP or organization linked to the source IP. Example: source.geo.organization: "Digital Ocean"

  • tenant – Organization or tenant identifier. Example: tenant: acme

  • msp – MSP name or ID (if managed under an MSP). Example: msp: acme
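The following is an added example, not ThreatDefence code, showing how the Data Source, Events Captured and Key Fields above combine into a triage script: it parses the 4672 privilege list, reproduces the dashboard's account count and breakdown, and flags non-built-in accounts that receive SYSTEM-equivalent privileges, distinguishing internal from globally routable source.ip values. The sample events are constructed in the field layout documented on this page; the data.win.eventdata.subjectUserName field, the HIGH_RISK privilege subset and the svc_/$ service-account heuristic are this example's assumptions.

```python
"""Triage of Windows Event 4672 records in the ThreatDefence field layout.

Added example, not ThreatDefence's own code. Field names follow the Key Fields
section of the page; subjectUserName, the HIGH_RISK set and the service-account
naming heuristic are assumptions, and the sample events are constructed.
"""
from collections import Counter
from ipaddress import ip_address

# Subset of the tracked privileges that give full control of the host
# (token creation, debugging/injection into any process, kernel driver load).
# Which privileges count as "high risk" is this example's choice, not the page's.
HIGH_RISK = {
    "SeTcbPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Built-in principals that log 4672 on every service start; counted in the
# breakdown but never raised as a finding.
BUILTIN = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def parse_privileges(privilege_list):
    """4672 stores PrivilegeList as one string of whitespace/newline separated
    privilege names; normalise it to a set so membership tests are exact."""
    return set(privilege_list.split())


def classify_account(name):
    """Bucket an account the way the dashboard's User Breakdown does.
    The svc_ prefix and trailing $ (machine account) rules are assumptions."""
    upper = name.upper()
    if upper in BUILTIN:
        return "SYSTEM"
    if upper == "ADMINISTRATOR":
        return "Administrator"
    if upper.startswith("SVC_") or upper.endswith("$"):
        return "service"
    return "user"


def is_external(ip):
    """True only for a parseable, globally routable address. Local and service
    logons often carry '-' or no source.ip at all; treat those as internal."""
    try:
        return ip_address(ip).is_global
    except ValueError:
        return False


def triage(events):
    """Return one finding per non-built-in logon that holds a HIGH_RISK privilege."""
    findings = []
    for ev in events:
        eventdata = ev["data"]["win"]["eventdata"]
        account = eventdata["subjectUserName"]
        risky = parse_privileges(eventdata["privilegeList"]) & HIGH_RISK
        if not risky or account.upper() in BUILTIN:
            continue
        src = ev.get("source", {}).get("ip", "-")
        findings.append({
            "host": ev["agent"]["name"],
            "account": account,
            "source_ip": src,
            "external": is_external(src),
            "privileges": sorted(risky),
        })
    return findings


def summarize(events):
    """Headline numbers from the Users With Admin Rights dashboard: distinct
    accounts that received special privileges and their breakdown by type."""
    accounts = {ev["data"]["win"]["eventdata"]["subjectUserName"] for ev in events}
    return len(accounts), Counter(classify_account(a) for a in accounts)


def make_event(host, account, privileges, source_ip=None):
    """Constructed sample 4672 event in the page's field layout (not real telemetry)."""
    ev = {
        "agent": {"name": host},
        "event": {"action": "Special privileges assigned to new logon"},
        # Windows renders PrivilegeList as tab-indented lines; keep that shape.
        "data": {"win": {"eventdata": {"subjectUserName": account,
                                       "privilegeList": "\n\t\t\t".join(privileges)}}},
        "tenant": "acme",
    }
    if source_ip is not None:
        ev["source"] = {"ip": source_ip}
    return ev


SAMPLE_EVENTS = [  # constructed; two SYSTEM logons show that counts are per account
    make_event("TD-CCC-SENSOR-01", "SYSTEM", ["SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"]),
    make_event("TD-CCC-SENSOR-01", "SYSTEM", ["SeTcbPrivilege", "SeDebugPrivilege"], "-"),
    make_event("TD-CCC-SENSOR-01", "Administrator", ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"], "192.168.210.15"),
    make_event("TD-CCC-SENSOR-01", "jdoe", ["SeDebugPrivilege", "SeImpersonatePrivilege"], "143.110.182.33"),
    make_event("TD-CCC-SENSOR-01", "svc_backup", ["SeBackupPrivilege", "SeRestorePrivilege"], "192.168.210.40"),
]

if __name__ == "__main__":
    total, breakdown = summarize(SAMPLE_EVENTS)
    print(f"Users With Admin Rights: {total} {dict(breakdown)}")
    for f in triage(SAMPLE_EVENTS):
        print(("EXTERNAL " if f["external"] else "internal ") + str(f))
```

On the constructed input, the SYSTEM logons are counted but not flagged, svc_backup holds only backup/restore rights and is not flagged, and the two findings are Administrator (internal source) and jdoe, whose SeDebugPrivilege logon from the Digital Ocean address used in the Key Fields examples is marked external and would be the first event to pivot on in the dashboard's Event Feed.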


Dashboard Access

Privileged activity is monitored in the Users With Admin Rights dashboard within the ThreatDefence Analyst Console.

  • From the Menu:

    1. Open the Dashboards section in the left-hand navigation panel.

    2. Expand the ENDPOINT menu.

    3. Under Windows, select Users With Admin Rights.

This dashboard provides a comprehensive view of privileged accounts, their assigned rights, and related activity logs.
