Privilege Fields
Overview
The privilege fields describe operating system- or platform-level privilege constructs that govern what actions an account is authorized to perform. Privileges may represent roles, rights, or attributes depending on the underlying system. These fields support normalized interpretation across privilege models such as attribute-based systems found in Windows or role-based models used in cloud identity platforms.
Design and Usage
The privilege entity provides a vendor-neutral representation of identifiers, names, and contextual metadata associated with privilege assignments or removals. It abstracts the conceptual properties of privileges regardless of whether they originate from security tokens, directory roles, application-defined permissions, or local operating system configuration. Category-style subfields allow enrichment to flag elevated or sensitive privileges based on organizational or compliance requirements.
Common Use Cases
- Identifying which privileges were assigned or removed from an account during authentication, authorization, or configuration changes.
- Normalizing privilege identifiers across heterogeneous systems for audit, compliance, and access governance.
- Highlighting privileged operations or elevated attributes that may indicate risk or require additional review.
- Supporting correlation between account activity and the privileges that governed that activity.
Implementation Notes
As a top-level entity, privilege represents the privilege object itself rather than the event in which it was used or evaluated. Privilege identifiers may originate from security tokens, identity services, or operating system structures; therefore, normalization should focus on stable identifiers and descriptive names when available. Category subfields may be applied to clarify privilege characteristics or to indicate classifications such as elevated or built-in privilege types. If multiple privilege naming conventions are present, both identifier and descriptive fields should be included to maintain relational integrity and consistent interpretation across sources.
| field | field_type | description | example_values |
|---|---|---|---|
| privilege_assigned_category | keyword | Classification applied to the privilege at assignment time to provide contextual metadata about its characteristics. | elevated_privilege |
| privilege_assigned_id | keyword | Identifier of the privilege that was assigned to the account or group. | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
| privilege_assigned_name | keyword | Descriptive name of the privilege assigned to the account or group. | SeDebugPrivilege |
| privilege_category | keyword | Classification applied to the privilege to supply contextual metadata about its origin or characteristics. | built_in |
| privilege_id | keyword | Identifier of the privilege referenced by the event. | c430b396-e693-46cc-96f3-db01bf8bb62a |
| privilege_name | keyword | Human-readable name associated with the privilege. | Attack Simulation Administrator |
| privilege_removed_category | keyword | Classification applied to the privilege at the time it was removed to provide contextual metadata about its characteristics. | built_in |
| privilege_removed_id | keyword | Identifier of the privilege that was removed from the account or group. | c430b396-e693-46cc-96f3-db01bf8bb62a |
| privilege_removed_name | keyword | Descriptive name of the privilege that was removed from the account or group. | SeLoadDriverPrivilege |
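The following is an added normalization example, not part of this field reference or any vendor's implementation. It maps two constructed raw records (a Windows-style token privilege list, which carries names but no identifiers, and a cloud directory role change, which carries a role GUID plus a display name) onto the assigned/removed subfields above; the `ELEVATED_PRIVILEGES` set and the `custom` category value are an illustrative organizational policy, not values defined by the schema.

```python
from typing import Iterable

# Constructed organizational policy: privilege names this example flags as elevated.
# The schema only reserves the category subfield; which names qualify is a local decision.
ELEVATED_PRIVILEGES = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"}

# Assignment and removal use distinct subfield prefixes in the schema.
PREFIX = {"assigned": "privilege_assigned", "removed": "privilege_removed"}


def categorize(name: str, built_in: bool) -> str:
    """Return the *_category value: policy-flagged names win over origin."""
    if name in ELEVATED_PRIVILEGES:
        return "elevated_privilege"
    return "built_in" if built_in else "custom"  # "custom" is an assumed local value


def normalize(source: str, action: str, record: dict) -> dict:
    """Map one raw privilege record to the privilege_<action>_* fields.

    source: "windows" (token privilege name only, no stable identifier) or
            "cloud_directory" (role GUID plus display name). The identifier
            field is emitted only when the source actually provides one.
    """
    prefix = PREFIX[action]
    if source == "windows":
        name, ident, built_in = record["privilege"], None, True
    elif source == "cloud_directory":
        name, ident, built_in = record["display_name"], record["role_id"], record["is_built_in"]
    else:
        raise ValueError(f"unknown source {source!r}")
    out = {f"{prefix}_name": name, f"{prefix}_category": categorize(name, built_in)}
    if ident is not None:
        out[f"{prefix}_id"] = ident
    return out


def normalize_windows_logon(privileges: Iterable[str]) -> list[dict]:
    """A Windows logon can grant several privileges at once; emit one object
    per privilege so each can carry its own category."""
    return [normalize("windows", "assigned", {"privilege": p}) for p in privileges]


def elevated_only(records: list[dict]) -> list[dict]:
    """Review filter: keep records whose category subfield (either prefix) is elevated."""
    return [r for r in records
            if any(k.endswith("_category") and v == "elevated_privilege" for k, v in r.items())]


# Constructed sample inputs (not captured from a real system).
WINDOWS_SPECIAL_LOGON = ["SeSecurityPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"]
CLOUD_ROLE_REMOVAL = {"role_id": "c430b396-e693-46cc-96f3-db01bf8bb62a",
                      "display_name": "Attack Simulation Administrator", "is_built_in": True}
```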
