Admin Users

ℹ️ Understanding Admin Groups, Admin Accounts, and Admin Activity

SIEM (InsightIDR) distinguishes between administrative group membership and observed administrative behavior:

  • Admin Groups: Shows users that belong to admin groups. A user is considered an admin in SIEM (InsightIDR) if they have an account that belongs to an admin group associated with an identity provider, like LDAP, Entra ID, or Okta.
  • Admin Accounts: Shows users identified as administrators in SIEM based on both group membership and observed administrative behavior.
  • Admin Activity: Shows the administrative actions performed by those users, based on collected log data.

Together, these provide a complete picture of administrative access: who belongs to an admin group, who is acting as an admin, and what actions they are taking.

When you connect Active Directory to SIEM (InsightIDR), SIEM can identify and appropriately tag any administrator users. Groups are sourced from your identity provider and indicate that the user is a member of an admin group.

Admin groups from LDAP

Any users that are members of these LDAP groups are considered to be admin users:

  • domain admins
  • enterprise admins
  • schema admins
  • administrators
  • backup operators

Admin Groups from Cloud Identity Providers

A cloud user is considered an administrator if they have an account that belongs to an admin group associated with a cloud service, such as Okta or Entra ID. SIEM (InsightIDR) identifies admin groups by substring matching on terms like ‘admin’, ‘privileged’, ‘root’, ‘super’, or ‘elevated’ in the group’s name.
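To make the two membership rules above concrete, the following is an added example (not InsightIDR code) that classifies constructed membership records the same way: exact membership in the listed LDAP groups, and substring matching on the cloud terms. The `Membership` record, the `admin_users` helper and the sample data are assumptions made for this example; the output also shows why the resulting list is worth reviewing, since a cloud group name that merely contains one of the terms qualifies as well.

```python
"""Classify admin users from identity-provider group membership using the
rules this page describes. Added example, not InsightIDR code; the input
records are constructed and the helper names are assumptions."""
from typing import Iterable, NamedTuple

# LDAP groups the page lists as admin groups (compared case-insensitively;
# matching on the exact group name is this example's assumption).
LDAP_ADMIN_GROUPS = frozenset({
    "domain admins", "enterprise admins", "schema admins",
    "administrators", "backup operators",
})
# Substrings the page says are matched in cloud (Okta, Entra ID) group names.
CLOUD_ADMIN_TERMS = ("admin", "privileged", "root", "super", "elevated")


class Membership(NamedTuple):
    user: str
    provider: str   # "ldap" or a cloud provider such as "okta" / "entra"
    group: str


def is_admin_group(provider: str, group: str) -> bool:
    """True if this group makes its members admins under the page's rules."""
    name = group.strip().lower()
    if provider.lower() == "ldap":
        return name in LDAP_ADMIN_GROUPS
    return any(term in name for term in CLOUD_ADMIN_TERMS)


def admin_users(memberships: Iterable[Membership]) -> dict[str, set[str]]:
    """Map each admin user to the groups that qualified them. Reviewing this
    mapping is how you spot groups that match only by substring."""
    admins: dict[str, set[str]] = {}
    for m in memberships:
        if is_admin_group(m.provider, m.group):
            admins.setdefault(m.user, set()).add(f"{m.provider}:{m.group}")
    return admins

# Constructed sample membership records.
SAMPLE = [
    Membership("alice", "ldap", "Domain Admins"),
    Membership("bob", "ldap", "Helpdesk"),
    Membership("carol", "okta", "Okta Super Admins"),
    Membership("dave", "entra", "Administrative Assistants"),  # substring hit
    Membership("erin", "entra", "Finance Users"),
]

if __name__ == "__main__":
    for user, groups in sorted(admin_users(SAMPLE).items()):
        print(f"{user}: {', '.join(sorted(groups))}")
```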

When you click the Admin Accounts number on the Users & Accounts page, you will see a table of admin information, such as Admin Accounts and Admin Activity.

ℹ️ Rapid7 recommends reviewing the list of administrators to ensure proper administrative access to the right users.

Admin Accounts

The Admin Accounts tab reflects users who are acting as administrators in your environment. This includes:

  • Users who belong to admin groups in identity providers
  • Users who perform administrative actions observed in SIEM

The Admin Accounts tab displays a list of the following:

  • Groups that the account belongs to
  • Department
  • Title
  • Date of the latest asset logon with one of the AD accounts that belong to the user

This data is collected from the LDAP event source, which pulls the information directly from your domain controller. SIEM (InsightIDR) also applies admin group tags based on the observed admin activities users perform.

Admin activity group tag    Description
AWS Admins                  This group contains all accounts that perform IAM activities in AWS.
Box Admins                  This group contains all accounts that perform Box.com admin activity.
Google Admins               This group contains all accounts that perform admin activities in Google Apps.
Okta Admins                 This group contains all accounts that perform admin activities in Okta.
O365 Admins                 This group contains all accounts that perform admin activities in Microsoft Office 365.
Azure AD Admins             This group contains all accounts that perform admin activities in Azure Active Directory.
LDAP Admins                 This group contains all accounts that perform LDAP admin activity.
Zscaler Admins              This group contains all accounts that perform admin activity in Zscaler.
SentinelOne Admins          This group contains all accounts that perform admin activity in SentinelOne.

For users who belong to multiple admin groups, hovering over the admin group tag displays the groups that user is a member of. Note that the standalone Administrators tag indicates a Local Administrator.

SIEM (InsightIDR) applies admin group tags to categorize users based on the systems where they perform administrative actions (for example, AWS, Okta, or LDAP). While some tags align with identity provider roles, others are derived from observed administrative activity, allowing SIEM to identify users who are functioning as administrators even if they are not explicitly assigned to a known admin group.

To see definitions of the other account tags that SIEM (InsightIDR) can apply to admin users, view the Account Tags page.

Admin Activity

The Admin Activity view provides a historical record of administrative behavior, showing the actions performed by users identified as administrators in SIEM (InsightIDR).

You can also select the Admin Activity view at the top of the user list to see historical administrative activity, including:

  • Source user
  • Target user
  • Action
  • Timestamp

This data mirrors the log data included in the Active Directory Administrative Activity log set(s). You can also select the Activity dropdown on the left to switch to different data sources, such as LDAP, Okta, and others.

You can also search for a particular admin to see only their activity.