
Set up and manage privileged user monitoring

Requirements

To use privileged user monitoring, you must:

  • Have the appropriate user role or privileges
  • Turn on the required advanced setting

For more information, refer to Privileged user monitoring requirements.

Before you can start monitoring privileged users, you need to define which users in your environment are considered privileged.

Privileged users typically include accounts with elevated access rights that allow them to configure security settings, manage user permissions, or access sensitive data.

You can define privileged users in the following ways: by selecting an integration, by selecting indices, or by importing a file. Each method is described below.

To get started, find the Privileged user monitoring page in the navigation menu or use the global search field.

Integration

  1. Select an integration

    On the Privileged user monitoring page, select an integration. The supported integrations are:

    • Active Directory Entity Analytics.

      Privileged users are identified by one of the following matching methods:

      SID-based group matching. Privileged users are identified by matching the entityanalytics_ad.user.privileged.group_member field against privileged Active Directory groups based on their security identifier (SID) group codes (the well-known relative identifiers that form the last component of each group's SID). Users in the following Active Directory groups are automatically assigned as privileged:

      • 512: Domain Admins
      • 516: Domain Controllers
      • 518: Schema Admins
      • 519: Enterprise Admins
      • 520: Group Policy Creator Owners
      • 525: Protected Users
      • 526: Key Admins
      • 527: Enterprise Key Admins
      • 544: Administrators
      • 548: Account Operators
      • 549: Server Operators
      • 551: Backup Operators

      Note

      If you already have privileged user monitoring configured, you must delete and re-add your integration data source to use SID-based group matching.

      Group-name matching. Users in the following Active Directory groups are automatically assigned as privileged:

      • Domain Admins
      • Enterprise Admins

      Important

      Privileged users are identified by matching the user.group.name field against the literal strings Domain Admins and Enterprise Admins. If your Active Directory uses localized group names (for example, Domänen-Admins instead of Domain Admins), these users won't be assigned as privileged.

    • Okta Entity Analytics. Refer to Standard administrator roles and permissions for a list of Okta roles that will be automatically assigned as privileged users.

  2. Install the integration

    Follow the steps to install the integration.

Index

  1. On the Privileged user monitoring page, click Index.
  2. From the Select index popup, create new indices or choose existing ones as your data source.
  3. Select Add privileged users.

All user names found in the user.name field of the selected indices are defined as privileged users.

File

  1. On the Privileged user monitoring page, click File.
  2. Select or drag and drop the file you want to import. The maximum file size is 1 MB.
  3. Select Add privileged user.

The file must contain at least one column, with each user record listed on a separate row:

  1. The first column specifies the privileged user's user name.
  2. An optional second column may specify a label, representing the user’s role, group, team, or similar.

File structure example:

superadmin
admin01,Domain Admin
sec_ops
jdoe,IT Support
Note

Any lines that don’t follow the required file structure will be highlighted, and those users won't be added. We recommend that you fix any invalid lines and re-upload the file.
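As an added example (not part of the original documentation), the following Python script applies the file rules above to a constructed sample file and reports which rows would be rejected; its handling of blank lines and duplicate user names is an assumption, since the page does not say how the product treats them.

```python
import csv
import io

MAX_FILE_BYTES = 1 * 1024 * 1024  # the 1 MB upload limit stated on the page

# Constructed sample input (not from the page): two valid rows, a row with
# no user name, a row with three columns, a valid row, and a blank line.
SAMPLE_FILE = (
    "superadmin\n"
    "admin01,Domain Admin\n"
    ",orphan label\n"
    "jdoe,IT Support,extra\n"
    "sec_ops\n"
    "\n"
)


def parse_privileged_users(text):
    """Parse a privileged-user import file.

    Returns (users, invalid): users maps user name -> label (None when the
    optional second column is absent); invalid lists (line number, raw line,
    reason) for every row that breaks the required structure, so the caller
    can highlight them. Blank lines are skipped and duplicate names are
    rejected by assumption; the page does not specify either behaviour.
    """
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        raise ValueError("file exceeds the 1 MB limit")
    users, invalid = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line: nothing to add, nothing to flag (assumption)
        raw = ",".join(row)
        if len(row) > 2:
            invalid.append((lineno, raw, "more than two columns"))
            continue
        name = row[0].strip()
        if not name:
            invalid.append((lineno, raw, "missing user name"))
            continue
        if name in users:
            invalid.append((lineno, raw, "duplicate user name"))  # assumption
            continue
        label = row[1].strip() if len(row) == 2 and row[1].strip() else None
        users[name] = label
    return users, invalid


if __name__ == "__main__":
    valid, bad = parse_privileged_users(SAMPLE_FILE)
    for name, label in valid.items():
        print(f"add {name!r} label={label!r}")
    for lineno, raw, reason in bad:
        print(f"line {lineno} rejected ({reason}): {raw!r}")
```

Running it on the sample file accepts superadmin, admin01 and sec_ops and reports lines 3 and 4 as the rows that would be highlighted and skipped.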

After setting up your privileged users, you can start monitoring their activity and related insights on the Privileged user monitoring dashboard.

You can update the selected data sources at any time by selecting Manage data sources.

Manage data sources

Use the Manage data sources page to update your selected data sources.

You can use multiple data source types, such as an index and a CSV file, at the same time to define privileged users. Users defined through different data source types are monitored together.

On this page, you can:

  • Change which integrations you're using as data sources.

  • View, remove, and change indices after initially defining them.

  • Import a new supported file with a list of privileged users.

    Note

    Importing a new file will overwrite any users added from a previous file. This doesn't affect users defined through other data source types.