
How to monitor administrative privileges use

Monitoring administrative privilege use takes three steps: making sure the audit data that records privileged actions is collected, defining which of those actions are high-risk and building dashboard views for them, and scheduling reports so the activity is reviewed regularly.

1. Ensure audit data is collected

Collect operating system and application logs that record privileged actions:

  • Windows: the Security, System, and Active Directory audit logs; the relevant audit policy subcategories are account management, logon/logoff, and policy change, and they must be enabled on the domain controllers and member servers or the events are never written
  • Linux: the authentication log (/var/log/auth.log or /var/log/secure, depending on the distribution) for user/group creation and deletion, su and sudo activity, and the auditd log where it is configured; the shadow-utils tools (useradd, groupadd, userdel, groupdel) and sudo write their records through syslog

Relevant collection guides include:

2. Define which privileged actions are relevant

Focus on high-risk actions:

  • Windows: user creation (event ID 4720), event log cleared (1102), password resets (4724), and user account management in general (4738 account changed, 4726 account deleted, 4728/4732 member added to a global or local security group)
  • Linux: group creation (groupadd), user creation (useradd), and user/group deletion (userdel, groupdel); these are normally run through sudo, so the matching sudo line is what records which administrator performed the change

Example audit dashboards

Additional guidance on self-auditing the activity of CYBERQUEST users themselves is available in: How to monitor CYBERQUEST user activities.

3. Use reports to review activity

Run reports interactively during investigations, or schedule them for regular delivery (for example, a daily or weekly summary of administrative changes broken down by action and by administrator). Scheduled summaries are suited to routine changes such as account creation and group membership; a cleared Security log (event ID 1102) should be treated as an alert and reviewed individually rather than waiting for the next summary.

Privilege use reports

For details on creating and running reports, see: How to create a new report and run it.
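As an added worked example (not code from the original page or from CYBERQUEST), the Python script below carries steps 1 to 3 through on constructed sample data. Windows Security events are represented as dicts whose keys follow the Security event XML field names (EventID, TimeCreated, Computer, SubjectUserName, TargetUserName); Linux auth log lines follow the syslog format written by the shadow-utils tools and sudo. The script keeps only the high-risk actions from step 2, normalizes both sources into one record shape, and rolls them up into a daily summary of the kind a scheduled report would deliver, listing a cleared audit log individually. The host names, user names and the exact dict field names are assumptions for illustration; the Windows event IDs and the Linux message formats are the real ones.

```python
"""Roll Windows Security events and Linux auth log lines up into a daily summary
of high-risk administrative actions. Sample data is constructed, not captured."""
import re
from collections import Counter
from datetime import datetime

# Windows Security event IDs for the high-risk actions. 4720/4724/4726/4738 need
# "Audit User Account Management"; 4728/4732 need "Audit Security Group
# Management"; 1102 (log cleared) is written regardless of audit policy.
WINDOWS_PRIVILEGED = {
    4720: "user account created",
    4726: "user account deleted",
    4724: "password reset attempted",
    4738: "user account changed",
    4728: "member added to global security group",
    4732: "member added to local security group",
    1102: "audit log cleared",
}
CRITICAL = {1102}  # reviewed one by one, never just counted

# Syslog line: "<Mon DD HH:MM:SS> <host> <prog>[pid]: <msg>" (pid optional, as with sudo)
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# (program tag, message pattern, normalized action). shadow-utils do not log who
# ran them, so the actor is only available from the matching sudo line.
LINUX_PATTERNS = [
    ("useradd",  re.compile(r"new user: name=(?P<target>[^,]+)"),  "user account created"),
    ("userdel",  re.compile(r"delete user '(?P<target>[^']+)'"),   "user account deleted"),
    ("groupadd", re.compile(r"new group: name=(?P<target>[^,]+)"), "group created"),
    ("groupdel", re.compile(r"group '(?P<target>[^']+)' removed"), "group deleted"),
    ("sudo", re.compile(r"^\s*(?P<actor>\S+) : .*USER=(?P<runas>\S+) ; COMMAND=(?P<target>.*)$"),
     "sudo command"),
]


def normalize_windows(event):
    """Return a normalized record for a Windows event of interest, else None."""
    eid = int(event["EventID"])
    action = WINDOWS_PRIVILEGED.get(eid)
    if action is None:
        return None
    return {"time": datetime.fromisoformat(event["TimeCreated"]), "source": "windows",
            "host": event.get("Computer", "?"), "actor": event.get("SubjectUserName", "?"),
            "target": event.get("TargetUserName", ""), "action": action,
            "critical": eid in CRITICAL}


def normalize_linux(line, year):
    """Return a normalized record for an auth log line of interest, else None.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for prog, pattern, action in LINUX_PATTERNS:
        if m["prog"] != prog:
            continue
        pm = pattern.search(m["msg"])
        if not pm:
            return None
        fields = pm.groupdict()
        return {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "source": "linux", "host": m["host"],
                "actor": fields.get("actor") or "(not recorded)",
                "target": fields.get("target", "").strip(), "action": action,
                "critical": False}
    return None


def build_report(records, since):
    """Summarize records at or after `since`: totals per action and per actor,
    plus every critical record listed individually."""
    recent = [r for r in records if r["time"] >= since]
    return {"window_start": since.isoformat(), "total": len(recent),
            "by_action": dict(Counter(r["action"] for r in recent)),
            "by_actor": dict(Counter(f"{r['actor']}@{r['host']}" for r in recent)),
            "critical": [r for r in recent if r["critical"]]}


SAMPLE_WINDOWS = [  # constructed; field names assumed from the Security event XML
    {"EventID": 4720, "TimeCreated": "2024-01-12T09:02:11", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup2"},
    {"EventID": 4724, "TimeCreated": "2024-01-12T09:03:40", "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "TimeCreated": "2024-01-12T09:04:02", "Computer": "FS01",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrators"},
    {"EventID": 4624, "TimeCreated": "2024-01-12T09:10:00", "Computer": "FS01",
     "SubjectUserName": "-", "TargetUserName": "asmith"},  # ordinary logon, ignored
    {"EventID": 1102, "TimeCreated": "2024-01-12T23:58:30", "Computer": "FS01",
     "SubjectUserName": "jdoe", "TargetUserName": ""},
    {"EventID": 4720, "TimeCreated": "2024-01-05T08:00:00", "Computer": "DC01",
     "SubjectUserName": "asmith", "TargetUserName": "contractor7"},  # outside window
]
SAMPLE_LINUX = [  # constructed lines in real shadow-utils / sudo syslog format
    "Jan 12 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/groupadd ops",
    "Jan 12 10:15:01 web01 groupadd[3110]: new group: name=ops, GID=1002",
    "Jan 12 10:15:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m -g ops deploy",
    "Jan 12 10:15:09 web01 useradd[3115]: new user: name=deploy, UID=1003, GID=1002, home=/home/deploy, shell=/bin/bash",
    "Jan 12 10:20:44 web01 sshd[3200]: Accepted publickey for alice from 10.0.0.5 port 50022 ssh2",  # ignored
    "Jan 12 17:41:12 web01 userdel[4012]: delete user 'tempuser'",
]


def run(since=datetime(2024, 1, 12), year=2024):
    """Daily summary over the sample data for the day starting at `since`."""
    records = [r for r in map(normalize_windows, SAMPLE_WINDOWS) if r]
    records += [r for r in (normalize_linux(line, year) for line in SAMPLE_LINUX) if r]
    return build_report(records, since)


if __name__ == "__main__":
    report = run()
    for action, n in sorted(report["by_action"].items()):
        print(f"{n:3d}  {action}")
    for rec in report["critical"]:
        print(f"CRITICAL {rec['time']} {rec['actor']}@{rec['host']}: {rec['action']}")
```

To use this against real data, feed `normalize_windows` the parsed Security events your collector exports and `normalize_linux` the lines of the auth log, then run `build_report` once per reporting window; the `critical` list is what should go to an alert channel rather than the scheduled summary. Note that without the audit policy subcategories from step 1 enabled, the Windows account-management events simply never appear, so an empty report is not evidence that nothing happened.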