Admin user report #insightidr

I was looking for an accurate report of users with privileged access (company admins).
I found Admin Accounts under the Users and Accounts dashboard.
I was hoping the count would be accurate, but it does appear to be lower than when I look from another system and pull from AD directly.
What populates the Admin Accounts count on the Users and Accounts dashboard? I am trying to understand why it is not accurate. Also, when you drill down on that, the list comes up, but there doesn't seem to be a way to export it. Is there?
Thanks for any help.

Hi @tracey_jackson ,

There is no export option on the Users & Accounts page today, unfortunately; the next best thing we have is the Data Export page under Settings.

As for the question on how this is populated: we gather Admin Account information primarily via the LDAP event source. Secondarily, we also mark accounts as O365 admins or Azure admins by parsing certain admin actions from the Cloud Services logs (as well as other event sources); you should see this under Cloud Service Admin Activity if this is the case with your account.

We also add Admin flags to accounts when we observe certain event codes via the AD event source, such as a user being added to the Domain Admin group; these will be shown in the AD Admin Activity logset in Log Search.

This should complement the information we pull via LDAP, which is considered the primary source.


It’s also worth mentioning that IDR has a list of ‘default’ privileged groups that it queries from LDAP. However, industrious users can add additional groups to be treated as ‘admin’ groups under Settings > Admin Groups Settings.
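To make the two replies concrete, here is an added example (not InsightIDR's own code) that models the admin count the way the replies describe it: LDAP membership of a default privileged-group list as the primary source, plus accounts flagged from AD group-addition events as the secondary source, and then shows why a direct AD pull that also counts a custom group comes out higher. The group names, member names, log lines and the default group list are constructed for the example; Windows event 4728 (member added to a security-enabled global group) is assumed as the kind of event code the reply refers to.

```python
import re

# Constructed LDAP snapshot: group -> members. SQL-Prod-Admins is a custom
# group the organisation treats as privileged but IDR does not by default.
LDAP_GROUPS = {
    "Domain Admins": {"alice", "bob"},
    "Enterprise Admins": {"alice"},
    "Schema Admins": set(),
    "SQL-Prod-Admins": {"carol", "dave"},
}

# Assumed stand-in for IDR's default privileged-group list (the real list is
# not given on the page).
DEFAULT_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed AD security-log lines in a flattened key=value form.
AD_EVENTS = [
    "EventID=4728 SubjectUser=admin-ops Member=erin Group=Domain Admins",
    "EventID=4728 SubjectUser=admin-ops Member=frank Group=SQL-Prod-Admins",
    "EventID=4624 SubjectUser=alice LogonType=10",
]

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+).*?Member=(?P<member>\S+).*?Group=(?P<group>.+)$"
)

def admins_from_ldap(groups, admin_groups):
    """Primary source: every member of a group on the privileged list."""
    return {m for g, members in groups.items() if g in admin_groups for m in members}

def admins_from_events(lines, admin_groups, group_add_ids=("4728",)):
    """Secondary source: accounts added to a privileged group per the AD log."""
    flagged = set()
    for line in lines:
        m = EVENT_RE.search(line)
        if m and m.group("id") in group_add_ids and m.group("group") in admin_groups:
            flagged.add(m.group("member"))
    return flagged

def admin_view(groups, lines, admin_groups):
    """Dashboard-style count: LDAP membership complemented by event flags."""
    return admins_from_ldap(groups, admin_groups) | admins_from_events(lines, admin_groups)

def missing_admins(groups, lines, default_groups, org_groups):
    """Accounts a direct AD pull (org's full group list) counts but the default view misses."""
    return admin_view(groups, lines, org_groups) - admin_view(groups, lines, default_groups)
```

Running `missing_admins(LDAP_GROUPS, AD_EVENTS, DEFAULT_ADMIN_GROUPS, DEFAULT_ADMIN_GROUPS | {"SQL-Prod-Admins"})` returns the three accounts only the custom group covers; adding that group to the privileged list, as the second reply suggests, empties the gap.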