Privilege fields are fields related to operating system privilege assignments. These are typically considered either roles or attributes that can be assigned to account groups or individual accounts.

Microsoft Windows is an example of an attribute-based privilege solution. While Windows privileges are often managed through group membership, security tokens are key to determining what actions an account is authorized to perform. These tokens are generated during the authentication process and include information about the account's privileges, such as `SeDebugPrivilege`, which allows an account to debug and interact with sensitive system processes. Each privilege in the token corresponds to specific rights that are granted to the account, enabling or restricting particular actions.

Microsoft Entra ID is an example of a role-based privilege solution. Entra ID provides a number of built-in roles and allows users to define custom roles, which are used to determine which actions Entra ID users can take.
The `..._category` sub-fields are a common enrichment, applied on a per-source-type basis, that add context to vendor-provided or custom privileges. The tag value `elevated_privilege` is the value to assign to the category field when the value in `privilege_name`, `privilege_assigned_name`, or `privilege_removed_name` is one that gives an account the ability to perform sensitive activities.
| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| privilege_assigned_category | elevated_privilege | keyword | Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_assigned_id field indicates the privilege provides access to perform sensitive tasks on a system. |
| privilege_assigned_id | ffd52fa5-98dc-465c-991d-fc073eb59f8f | keyword | Identification of the privilege attribute or role. This is the field used by compliance content. |
| privilege_assigned_name | SeDebugPrivilege | keyword | A short descriptive name of the privilege; not all systems will generate this. |
| privilege_category | built_in | keyword | Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_id field indicates the privilege provides access to perform sensitive tasks on a system. |
| privilege_id | c430b396-e693-46cc-96f3-db01bf8bb62a | keyword | Identification of the privilege attribute or role. This is the field used by compliance content. |
| privilege_name | Attack Simulation Administrator | keyword | A short descriptive name of the privilege; not all systems will generate this. |
| privilege_removed_category | built_in | keyword | Tag-type values which can be used to add supplemental metadata about the privilege in question. The value 'elevated_privilege' is assigned here to identify when an attribute or role listed in the privilege_removed_id field indicates the privilege provides access to perform sensitive tasks on a system. |
| privilege_removed_id | c430b396-e693-46cc-96f3-db01bf8bb62a | keyword | Identification of the privilege attribute or role. This is the field used by compliance content. |
| privilege_removed_name | SeLoadDriverPrivilege | keyword | A short descriptive name of the privilege; not all systems will generate this. |
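The following is an added example of the `..._category` enrichment described above; it is not code from the original page or from any particular data-model project. It takes an already-normalized event (a dict using the field names in the table), and for each `privilege_name`, `privilege_assigned_name` or `privilege_removed_name` value that appears in a deployment-specific list of sensitive privileges, appends the `elevated_privilege` tag to the matching `..._category` field while preserving tags the source already set (such as `built_in`). The `SENSITIVE_PRIVILEGES` set, the sample events and the helper names are assumptions made for the example; which privileges count as elevated is a per-deployment decision.

```python
"""Enrich privilege events with the elevated_privilege category tag.

Added example for the privilege field model; the sensitive-privilege list
and the sample events below are constructed assumptions, not page content.
"""

# Assumed per-deployment list of privilege names treated as granting the
# ability to perform sensitive activities (SeDebugPrivilege is the one the
# page itself describes; the rest are this example's own choice).
SENSITIVE_PRIVILEGES = frozenset({
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
    "SeTcbPrivilege",
    "SeImpersonatePrivilege",
})

# Each *_name field enriches the corresponding *_category field.
NAME_TO_CATEGORY = {
    "privilege_name": "privilege_category",
    "privilege_assigned_name": "privilege_assigned_category",
    "privilege_removed_name": "privilege_removed_category",
}

ELEVATED_TAG = "elevated_privilege"


def _as_list(value):
    """Normalize a category field (absent, scalar, or list) to a new list."""
    if value is None:
        return []
    if isinstance(value, list):
        return list(value)
    return [value]


def enrich_privilege_categories(event, sensitive=SENSITIVE_PRIVILEGES):
    """Return a copy of `event` with ELEVATED_TAG added to every *_category
    field whose *_name value is in `sensitive`.

    Existing tags (e.g. "built_in") are kept, the tag is never duplicated,
    and fields that need no change are left exactly as the source set them.
    """
    out = dict(event)
    for name_field, cat_field in NAME_TO_CATEGORY.items():
        name = out.get(name_field)
        if name is None or name not in sensitive:
            continue
        tags = _as_list(out.get(cat_field))
        if ELEVATED_TAG not in tags:
            tags.append(ELEVATED_TAG)
            out[cat_field] = tags
    return out


def is_elevated(event):
    """True if any *_category field on the event carries ELEVATED_TAG."""
    return any(
        ELEVATED_TAG in _as_list(event.get(cat_field))
        for cat_field in NAME_TO_CATEGORY.values()
    )


if __name__ == "__main__":
    # Constructed sample events, one per privilege field family.
    samples = [
        {"privilege_assigned_name": "SeDebugPrivilege"},
        {"privilege_name": "Attack Simulation Administrator",
         "privilege_category": "built_in"},
        {"privilege_removed_name": "SeLoadDriverPrivilege",
         "privilege_removed_category": ["built_in"]},
    ]
    for sample in samples:
        enriched = enrich_privilege_categories(sample)
        print(is_elevated(enriched), enriched)
```

Running the enrichment a second time over an already-tagged event makes no further change, so it is safe to apply at more than one stage of a pipeline; the input dict is never mutated, and a category value that was a plain string stays a string unless a tag actually has to be added.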