Task Outline: Investigation of User Creation and Privilege Escalation
Objective
To discover threats related to user creation and privilege assignment on Linux or Windows servers, and to report on or alert on them as appropriate.
Preparation of Solution:
- Analyze the events and distinguish between the following cases:
| Event type | Alert or Visualization | Justification / Explanation |
|---|---|---|
| Standard user creation | Visualization / report | Frequent; used for trend analysis and general oversight |
| Privilege escalation (admin rights assigned) | Alert (high severity) | Critical; may require an immediate response (unauthorized privilege escalation risk) |
| Standard user creation at unusual time (e.g., overnight) | Alert (medium severity) | Suspicious; could indicate an insider threat or compromise, though sometimes legitimate |
Implementation in SIEM:
- Check if logs exist for the events under investigation; if not, configure log collection
- Create visualizations for reports
- Where reports are not sufficient, generate alerts
- Compile everything into a dashboard
- Configure notification/media types for forwarding alerts classified as high severity
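A minimal classifier implementing the three-way distinction from the table above, added here as an example (not part of the original outline). It parses constructed Linux useradd/usermod lines and simplified Windows Security events (IDs 4720, 4728, 4732) and assigns the report/alert decision and severity the table prescribes; the night-time window, the admin group list and the flattened Windows field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from any real system). Windows events are
# flattened to a simplified key=value form, not the raw Security log schema.
SAMPLE_LOGS = [
    "2024-03-04T10:12:01 srv1 useradd[2210]: new user: name=alice, UID=1001, GID=1001, home=/home/alice, shell=/bin/bash",
    "2024-03-04T10:15:44 srv1 usermod[2231]: add 'alice' to group 'sudo'",
    "2024-03-05T02:47:09 srv2 useradd[910]: new user: name=svc_tmp, UID=1002, GID=1002, home=/home/svc_tmp, shell=/bin/sh",
    "2024-03-05T09:03:12 win1 EventID=4720 Target=bob Subject=admin",
    "2024-03-05T09:04:30 win1 EventID=4732 Member=bob Group=Administrators Subject=admin",
]

# Assumed "unusual time" window: 22:00 to 06:00 local time.
NIGHT_START, NIGHT_END = 22, 6
# Assumed set of groups whose membership confers admin rights.
ADMIN_GROUPS = {"sudo", "wheel", "Administrators", "Domain Admins"}

USER_CREATED = re.compile(r"useradd\[\d+\]: new user: name=([^,]+),|EventID=4720 Target=(\S+)")
GROUP_ADDED = re.compile(r"add '([^']+)' to group '([^']+)'|EventID=(?:4728|4732) Member=(\S+) Group=(\S+)")

def is_unusual_hour(ts):
    """True when the event falls in the assumed overnight window."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END

def classify(line):
    """Map one log line to (event_type, action, severity, user), or None if unrelated."""
    ts = datetime.fromisoformat(line.split(" ", 1)[0])
    m = GROUP_ADDED.search(line)
    if m:
        user = m.group(1) or m.group(3)
        group = m.group(2) or m.group(4)
        if group in ADMIN_GROUPS:
            return ("privilege_escalation", "alert", "high", user)   # table row 2
        return ("group_change", "report", "info", user)             # non-admin group: report only
    m = USER_CREATED.search(line)
    if m:
        user = m.group(1) or m.group(2)
        if is_unusual_hour(ts):
            return ("user_creation_offhours", "alert", "medium", user)  # table row 3
        return ("user_creation", "report", "info", user)                # table row 1
    return None

def triage(lines):
    """Classify every line, dropping those unrelated to user or group management."""
    return [r for r in (classify(l) for l in lines) if r]
```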