Privileged user monitoring requirements
This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations.
The privileged user monitoring feature requires:
- The appropriate subscription
- The appropriate feature tier
To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` advanced setting.
To use this feature, you need:
- A role with the appropriate privileges
- Either the appropriate predefined Security user role or a custom role with the privileges listed below
| Action | Index Privileges | Kibana Privileges |
|---|---|---|
| Enable the privileged user monitoring feature | N/A | All for the Security feature |
| View the Privileged user monitoring dashboard | Read for the following indices: `.entity_analytics.monitoring.users-<space-id>`, `risk-score.risk-score-*`, `.alerts-security.alerts-<space-id>`, `.ml-anomalies-shared`, and the Security data view indices | Read for the Security feature |
| Action | Predefined role |
|---|---|
| Enable privileged user monitoring | Platform engineer, Admin |
| View the Privileged user monitoring dashboard | Tier 1 analyst, Tier 2 analyst, Tier 3 analyst, Rule author, SOC manager, Platform engineer, Detections admin, Admin |
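When building a custom role for the dashboard, the quickest way to confirm it actually grants read on every index in the table above is the Elasticsearch has-privileges API. The script below is an added example and not part of this page or Elastic's own tooling; it builds the request body for `POST /_security/user/_has_privileges` from the index list in the table, substitutes the space id into the `<space-id>` placeholders, and reports which indices came back without `read`. The Security data view patterns vary per deployment, so they are passed in by the caller (`logs-*` is a constructed sample), and the response used for the demonstration is constructed by hand rather than captured from a cluster.

```python
"""Check a user's read access to the indices the Privileged user monitoring
dashboard queries, via POST /_security/user/_has_privileges.

Added example, not Elastic's code. Assumptions:
- <space-id> in the index names is replaced by the Kibana space id;
- the Security data view's index patterns are supplied by the caller
  ("logs-*" below is a constructed sample, not a documented default);
- the request/response shapes of the has-privileges API (index results
  are keyed by the requested index name, mapping privilege -> bool).
"""
import json
from typing import Dict, List

# Index names from the requirements table; {space} stands in for <space-id>.
REQUIRED_INDEX_TEMPLATES = [
    ".entity_analytics.monitoring.users-{space}",
    "risk-score.risk-score-*",
    ".alerts-security.alerts-{space}",
    ".ml-anomalies-shared",
]


def required_indices(space_id: str, data_view_patterns: List[str]) -> List[str]:
    """Resolve the space placeholders and append the Security data view patterns."""
    resolved = [t.format(space=space_id) for t in REQUIRED_INDEX_TEMPLATES]
    return resolved + list(data_view_patterns)


def has_privileges_request(space_id: str, data_view_patterns: List[str]) -> dict:
    """Request body asking whether the calling user has 'read' on each index."""
    return {
        "index": [
            {
                "names": required_indices(space_id, data_view_patterns),
                "privileges": ["read"],
            }
        ]
    }


def missing_read_privileges(response: dict) -> List[str]:
    """Indices for which the API reported read=false, sorted for stable output."""
    index_results: Dict[str, Dict[str, bool]] = response.get("index", {})
    return sorted(
        name for name, privs in index_results.items() if not privs.get("read", False)
    )


def check_dashboard_access(response: dict) -> bool:
    """True only when every requested index came back with read=true."""
    return not missing_read_privileges(response)


# Constructed sample response for a user that lacks read on the ML anomalies
# index; a real response also carries the requesting username.
SAMPLE_RESPONSE = {
    "username": "tier1_analyst",
    "has_all_requested": False,
    "cluster": {},
    "index": {
        ".entity_analytics.monitoring.users-default": {"read": True},
        "risk-score.risk-score-*": {"read": True},
        ".alerts-security.alerts-default": {"read": True},
        ".ml-anomalies-shared": {"read": False},
        "logs-*": {"read": True},
    },
    "application": {},
}

if __name__ == "__main__":
    # Body to send as the user under test (Basic auth or API key as appropriate).
    print(json.dumps(has_privileges_request("default", ["logs-*"]), indent=2))
    print("missing read on:", missing_read_privileges(SAMPLE_RESPONSE))
    print("dashboard access:", check_dashboard_access(SAMPLE_RESPONSE))
```

Run the request as the user whose role you are validating (the API always evaluates the calling user), and re-run it once per space, since the `.entity_analytics.monitoring.users-<space-id>` and `.alerts-security.alerts-<space-id>` names differ between spaces. Only the index privileges are checked here; the Read privilege for the Security feature in Kibana is a separate role setting that this API does not report on.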
Currently, none of the privileged user monitoring visualizations support cross-cluster search in the data they query.
You can define up to 10,000 privileged users per data source.