SIEM Use Cases

Monitoring and Managing the Highly Privileged User Account

In order to access organizational resources and sensitive information, the attackers’ primary target is to obtain privileged user credentials. Privileged user accounts are the accounts of users with managerial rights or root privileges and the accounts with upgraded privileges. Efficient privileged user monitoring plays an important role for organizations in protecting their critical assets. In addition, it assists in meeting compliance requirements and decreasing the number of both insider and external threats.

How to monitor and manage the privileged user accounts

Configuring the data coming from credential servers or from index servers such as Active Directory (AD) or LDAP should be set as the primary target. Incidents such as the daily upgrade of user credentials and user rights or the creation of new users should be monitored. Account names, account categories, departments of relevant users, and other relevant information should be listed along with credential data. Privileged access rights should be reviewed within appropriate time periods (at least once a month) and the privileged license allocation should be reviewed regularly. All privileged user accesses to the files and databases (including the local system access) should be monitored. The alert mechanisms of critical privileged user changes should be momentarily shared with relevant IT managers via email and SMS.

By means of correlation processes and Behavior Analysis, the user can be tagged as Attacker, Victim, and Suspicious.


On the attacker side, after the initial activity initiated by the user, behavior analysis is performed by correlating the logs from various sources and enriching the logs. Activities conducted by the attacker, both from inside to outside and from outside to inside, are subjected to log activity correlation, ensuring their display on relevant dashboard panels.


On the dashboard, you can see how many times privileged accounts were used to log in during a specific time frame.


The dashboard provides a real-time snapshot of users. Identity data panels, containing account names, account categories, departments, and other relevant information, are included in this indicator table.


To gain more insight into the activities of privileged users, you can create correlation definitions to detect critical actions. For example, if a user attempts authentication to an application from multiple computers simultaneously, you can create a correlation to report access.


You can track a privileged user uploading a large file to a field with "". Correlation searches can be conducted using access and identity information, and incident management and response processes can be initiated.


By centralizing and correlating security event data, it streamlines efficient incident response workflows. It integrates with ticketing systems and other incident response tools, enabling security teams to automate their incident response processes. Logsign can trigger automatic actions such as quarantining a compromised host or blocking malicious IP addresses, usernames, URLs, domains, or hashes to shorten response times and minimize the impact of security incidents.

Other SIEM Use Cases