Privileged user monitoring requirements
Note
Privileged user monitoring has been removed. Use Watchlists instead.
This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations.
The privileged user monitoring feature requires:
- The appropriate subscription
- The appropriate feature tier
- The `securitySolution:enablePrivilegedUserMonitoring` advanced setting, turned on in the space where you use the feature
To use this feature, you need:
- A role with the appropriate privileges: either the appropriate predefined Security user role or a custom role with the right privileges
| Action | Index privileges | Kibana privileges |
|---|---|---|
| Enable privileged user monitoring | N/A | All for the Security feature |
| View the Privileged user monitoring dashboard | Read for the following indices: `.entity_analytics.monitoring.users-<space-id>`, `risk-score.risk-score-*`, `.alerts-security.alerts-<space-id>`, `.ml-anomalies-shared`, and the Security data view indices | |
| Action | Predefined roles |
|---|---|
| Enable privileged user monitoring | Platform engineer, Admin |
| View the Privileged user monitoring dashboard | Tier 1 analyst, Tier 2 analyst, Tier 3 analyst, Rule author, SOC manager, Platform engineer, Detections admin, Admin |
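The two requirements above (the advanced setting, and a custom role with read access to the listed indices) can be applied without clicking through Kibana. The script below is an added example, not Elastic's own code or tooling: it builds the request bodies for Kibana's role API (`PUT /api/security/role/<name>`) and advanced-settings API (`POST /s/<space-id>/api/kibana/settings`), substituting the space ID into the `<space-id>` index patterns from the table. Everything not in the table is an assumption to verify against your deployment: the Kibana feature ID for Security (it has changed across versions; list yours with `GET /api/features`), the `read` privilege level on that feature (the table above leaves the Kibana privilege for the viewing action unstated), the `logs-*` placeholder for your Security data view indices, the role name, and the environment variables used for the host and credentials.

```python
"""Build and optionally apply the role and advanced-setting changes for
privileged user monitoring. Added example; not from the Elastic docs."""
import json
import os
import urllib.request
from base64 import b64encode

# Advanced setting named in the requirements list.
SETTING = "securitySolution:enablePrivilegedUserMonitoring"

# Index patterns from the privileges table; <space-id> is filled in per space.
READ_INDEX_PATTERNS = (
    ".entity_analytics.monitoring.users-<space-id>",
    "risk-score.risk-score-*",
    ".alerts-security.alerts-<space-id>",
    ".ml-anomalies-shared",
)


def dashboard_read_indices(space_id, data_view_indices=("logs-*",)):
    """Expand the table's index list for one Kibana space.
    `logs-*` standing in for the Security data view indices is an assumption;
    pass the patterns your Security data view actually uses."""
    names = [p.replace("<space-id>", space_id) for p in READ_INDEX_PATTERNS]
    names.extend(data_view_indices)
    return names


def viewer_role_body(space_id, security_feature_id, feature_privileges=("read",),
                     data_view_indices=("logs-*",)):
    """Body for PUT /api/security/role/<name>: read on the listed indices plus
    the given privilege level on the Security Kibana feature in one space.
    `security_feature_id` and `feature_privileges` are assumptions: check
    GET /api/features on your Kibana before applying."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{
                "names": dashboard_read_indices(space_id, data_view_indices),
                "privileges": ["read"],
            }],
        },
        "kibana": [{
            "base": [],
            "feature": {security_feature_id: list(feature_privileges)},
            "spaces": [space_id],
        }],
    }


def enable_setting_body(enabled=True):
    """Body for POST /s/<space-id>/api/kibana/settings."""
    return {"changes": {SETTING: enabled}}


def kibana_request(method, url, body, user, password):
    """Send one JSON request to Kibana. Non-GET calls need the kbn-xsrf header."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("kbn-xsrf", "true")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment variables; nothing is sent unless KIBANA_URL is set.
    kibana = os.environ.get("KIBANA_URL")            # e.g. https://kibana.example:5601
    user = os.environ.get("KIBANA_USER", "elastic")
    password = os.environ.get("KIBANA_PASSWORD", "")
    space = os.environ.get("KIBANA_SPACE", "default")
    feature_id = os.environ.get("SECURITY_FEATURE_ID", "siem")  # assumption; verify
    role = viewer_role_body(space, feature_id)
    setting = enable_setting_body()
    if kibana:
        # Enabling the setting requires a user with All on the Security feature.
        print(kibana_request("POST", f"{kibana}/s/{space}/api/kibana/settings",
                             setting, user, password))
        print(kibana_request("PUT", f"{kibana}/api/security/role/pum_dashboard_viewer",
                             role, user, password))
    else:
        print(json.dumps({"setting": setting, "role": role}, indent=2))
```

Run it without `KIBANA_URL` to print the bodies for review; with `KIBANA_URL`, `KIBANA_USER` and `KIBANA_PASSWORD` set, it applies them. The role body grants only `read` on the exact index names the table lists rather than a broader wildcard, which keeps the dashboard-viewer role at least privilege.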
None of the privileged user monitoring visualizations currently support cross-cluster search for the data they query.
You can define up to 10,000 privileged users per data source.