Privileged user monitoring requirements
Applies to: Elastic Stack, Serverless Security
This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations.
The privileged user monitoring feature requires:
- Stack: the appropriate subscription
- Serverless: the appropriate feature tier
To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` advanced setting.
To use this feature, you need:
- Stack: a role with the appropriate privileges
- Serverless: either the appropriate predefined Security user role or a custom role with the right privileges
Stack
Action | Index privileges | Kibana privileges |
---|---|---|
Enable the privileged user monitoring feature | N/A | All for the Security feature |
View the Privileged user monitoring dashboard | Read for the following indices: `.entity_analytics.monitoring.users-<space-id>`, `risk-score.risk-score-*`, `.alerts-security.alerts-<space-id>`, `.ml-anomalies-shared`, and the Security data view indices | Read for the Security feature |
Serverless
Action | Predefined role |
---|---|
Enable privileged user monitoring | Platform engineer, Admin |
View the Privileged user monitoring dashboard | Tier 1 analyst, Tier 2 analyst, Tier 3 analyst, Rule author, SOC manager, Platform engineer, Detections admin, Admin |
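The privilege table above translates directly into a role body for the Kibana role API (`PUT /api/security/role/<name>`), and into a body for the advanced settings API (`POST /api/kibana/settings`) that turns on the feature. The following is an added example, not code from the Elastic documentation or the Kibana project: it builds a dashboard-viewer role for a given space and checks an existing role definition for the read privileges the table requires. The role name, the space id and the `logs-*` pattern standing in for "Security data view indices" are constructed placeholders, and the Kibana feature id `siem` for the Security feature is an assumption that depends on your Kibana version.

```python
"""Build and check Kibana role bodies for the privileged user monitoring dashboard.

Added example. Space id, role name and the data view pattern are constructed
placeholders; the Kibana feature id "siem" for Security is an assumption.
"""
from fnmatch import fnmatch

# Advanced setting named on the page, in the body shape POST /api/kibana/settings expects.
PRIVILEGED_USER_MONITORING_SETTING = "securitySolution:enablePrivilegedUserMonitoring"


def enable_setting_body() -> dict:
    """Request body that turns the advanced setting on."""
    return {"changes": {PRIVILEGED_USER_MONITORING_SETTING: True}}


def required_indices(space_id: str, data_view_indices=("logs-*",)) -> list:
    """Index patterns the dashboard needs read access to, per the privilege
    table, with <space-id> substituted. data_view_indices is a constructed
    stand-in for the Security data view indices of your deployment."""
    return [
        f".entity_analytics.monitoring.users-{space_id}",
        "risk-score.risk-score-*",
        f".alerts-security.alerts-{space_id}",
        ".ml-anomalies-shared",
        *data_view_indices,
    ]


def build_viewer_role(space_id: str, data_view_indices=("logs-*",)) -> dict:
    """Body for PUT /api/security/role/<name>: read on the required indices
    and Read on the Security feature in the given space."""
    return {
        "elasticsearch": {
            "indices": [
                {
                    "names": required_indices(space_id, data_view_indices),
                    "privileges": ["read"],
                }
            ]
        },
        "kibana": [
            {
                # Assumption: "siem" is the Kibana feature id for Security.
                "feature": {"siem": ["read"]},
                "spaces": [space_id],
            }
        ],
    }


# Index privileges that include read access.
READ_GRANTING = {"read", "all"}


def missing_read(role: dict, space_id: str, data_view_indices=("logs-*",)) -> list:
    """Return the required index patterns that the role does not grant read on.

    A granted name covers a required one when it is identical or when the
    granted name is a wildcard pattern that matches the required name
    (so a role granting read on "*" covers everything)."""
    granted = []
    for entry in role.get("elasticsearch", {}).get("indices", []):
        if READ_GRANTING & set(entry.get("privileges", [])):
            granted.extend(entry.get("names", []))
    missing = []
    for needed in required_indices(space_id, data_view_indices):
        if not any(g == needed or fnmatch(needed, g) for g in granted):
            missing.append(needed)
    return missing


if __name__ == "__main__":
    import json

    role = build_viewer_role("default")
    print(json.dumps(role, indent=2))
    # The role built for "default" lacks the space-scoped indices of another space.
    print("missing for space 'other':", missing_read(role, "other"))
```

`missing_read` is the check worth running against roles you already have: because the `.entity_analytics.monitoring.users-<space-id>` and `.alerts-security.alerts-<space-id>` indices are space-scoped, a role that works in one space silently fails the dashboard in another unless its index grants use wildcards or list each space.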
Currently, none of the privileged user monitoring visualizations support cross-cluster search in the data they query.
You can define up to 10,000 privileged users per data source.