Unusual Privilege Type assigned to a User

Last updated 2 months ago on 2025-07-02
Created 6 months ago on 2025-02-18

About

A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity. In other words, the user is performing operations that require elevated privileges, but with a privilege type that does not normally appear in that user's baseline of logged activity.
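As an added illustration, not the Elastic ML job itself (whose model is not shown on this page), the following Python approximates the rule's idea with a simple per-user rarity baseline: learn which privilege types each user normally exercises, then flag a later event whose privilege type is rare for that user. The user names, privilege names and the comma-separated record shape are constructed assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the rule page): one privileged-operation
# record per line as "user,privilege_type". Privilege names are placeholders.
BASELINE_EVENTS = """\
alice,SeBackupPrivilege
alice,SeBackupPrivilege
alice,SeBackupPrivilege
alice,SeRestorePrivilege
bob,SeDebugPrivilege
bob,SeDebugPrivilege
bob,SeDebugPrivilege
bob,SeDebugPrivilege
"""

NEW_EVENTS = """\
alice,SeBackupPrivilege
alice,SeDebugPrivilege
bob,SeDebugPrivilege
carol,SeTcbPrivilege
"""


def parse_events(text):
    """Parse 'user,privilege' lines into (user, privilege) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            user, priv = line.split(",", 1)
            events.append((user, priv))
    return events


def build_baseline(events):
    """Per-user count of each privilege type seen during the learning window."""
    baseline = defaultdict(Counter)
    for user, priv in events:
        baseline[user][priv] += 1
    return baseline


def score_event(baseline, user, priv, min_history=3):
    """Rarity in [0, 1]: 1.0 means never seen for this user.

    Returns None when the user has fewer than min_history baseline events,
    since an 'unusual' call needs a baseline to compare against."""
    history = baseline.get(user)
    if history is None or sum(history.values()) < min_history:
        return None
    return 1.0 - history[priv] / sum(history.values())


def find_unusual(baseline, events, threshold=0.9):
    """Return (user, privilege, score) for events rare relative to that user's baseline."""
    hits = []
    for user, priv in events:
        score = score_event(baseline, user, priv)
        if score is not None and score >= threshold:
            hits.append((user, priv, round(score, 2)))
    return hits
```

Running `find_unusual(build_baseline(parse_events(BASELINE_EVENTS)), parse_events(NEW_EVENTS))` flags only alice's SeDebugPrivilege use; carol is not scored because she has no baseline yet, which is the same reason the real rule needs a learning period before its alerts are meaningful.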
Tags
Use Case: Privileged Access Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Privilege Escalation
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

pad

endpoint

windows

Query

Install detection rules in Elastic Security

Detect Unusual Privilege Type assigned to a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.