How to check if an application runs as administrator

Hello, I have a question.

Are there any rules to detect if any application runs as administrator, or if a user runs an application as admin, on a Windows machine?

Hi @target_test - In Elastic SIEM, there is a default rule when you import from Elastic for "Unusual Windows User Privilege Elevation Activity". This job detects user privilege escalations, which include "run as".

Check the prebuilt ML Jobs here - you will see the v3_windows_rare_user_runas_event at the bottom of the page.

and you can see the event JSON here


Thank you for the answer @eMitch. After I read the page that you included, I found out it needs ML to do the work (Elastic Platinum). Is there any other option other than upgrading to Elastic Platinum?

Hey @target_test - Not that I'm aware of. Elastic Machine Learning requires Platinum licensing.

You could just make a custom Elastic SIEM rule to monitor it without ML, see


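As an added example (not code from this thread, from Elastic, or from the prebuilt ML job), the logic such a custom, non-ML rule would encode is written out below in Python and run over constructed Winlogbeat-shaped events. Two Windows Security signals are used: event 4688 (process creation) with TokenElevationType %%1937, which is the full elevated token a process gets after "Run as administrator" or a UAC consent, and event 4648 (logon with explicit credentials), which is what the runas command produces. The field paths under winlog.event_data, the host and user names, and the sample events are assumptions made for the example; the equivalent KQL is given in a comment so it can be pasted into a custom rule with the same field layout.

```python
"""Detect 'run as administrator' (elevated token) and 'run as' (explicit
credentials) activity in Windows Security events without Elastic ML.

Hypothetical example: documents follow the winlog.* layout Winlogbeat
produces; all sample events below are constructed, not captured logs.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Security event 4688 carries TokenElevationType:
#   %%1936  TokenElevationTypeDefault  no UAC split token (SYSTEM, services,
#           built-in Administrator with UAC disabled)
#   %%1937  TokenElevationTypeFull     elevated: "Run as administrator",
#           a UAC consent, or a child of an already elevated shell
#   %%1938  TokenElevationTypeLimited  standard user / filtered admin token
ELEVATED_FULL_TOKEN = "%%1937"

# Equivalent KQL for two custom Elastic SIEM rules (same assumed field layout):
#   event.code:"4688" and winlog.event_data.TokenElevationType:"%%1937"
#   event.code:"4648" and not winlog.event_data.TargetUserName:*$


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def _field(doc: Dict[str, Any], path: str) -> Optional[str]:
    """Look up a dotted ECS path such as 'winlog.event_data.TokenElevationType'."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if isinstance(cur, str) else None


def detect_elevated_process(doc: Dict[str, Any]) -> Optional[Alert]:
    """4688 whose new process holds the full (elevated) admin token."""
    if _field(doc, "event.code") != "4688":
        return None
    if _field(doc, "winlog.event_data.TokenElevationType") != ELEVATED_FULL_TOKEN:
        return None
    return Alert(
        rule="elevated_process_start",
        host=_field(doc, "host.name") or "?",
        user=_field(doc, "winlog.event_data.SubjectUserName") or "?",
        detail=_field(doc, "winlog.event_data.NewProcessName") or "?",
    )


def detect_explicit_credential_logon(doc: Dict[str, Any]) -> Optional[Alert]:
    """4648: a logon with explicit credentials, e.g. runas /user:<other>."""
    if _field(doc, "event.code") != "4648":
        return None
    subject = _field(doc, "winlog.event_data.SubjectUserName") or ""
    target = _field(doc, "winlog.event_data.TargetUserName") or ""
    domain = _field(doc, "winlog.event_data.TargetDomainName") or ""
    # Suppress the obvious noise: machine accounts (trailing '$') and a user
    # re-authenticating as themselves. Scheduled tasks and network logons
    # also raise 4648, so expect further tuning in a real rule.
    if not target or target.endswith("$") or target.casefold() == subject.casefold():
        return None
    return Alert(
        rule="runas_explicit_credentials",
        host=_field(doc, "host.name") or "?",
        user=subject,
        detail=f"used credentials of {domain}\\{target}",
    )


def run_detections(docs: List[Dict[str, Any]]) -> List[Alert]:
    """Apply every detector to every document; returns alerts in input order."""
    alerts: List[Alert] = []
    for doc in docs:
        for detector in (detect_elevated_process, detect_explicit_credential_logon):
            alert = detector(doc)
            if alert is not None:
                alerts.append(alert)
    return alerts


def _ev(code: str, host: str, **data: str) -> Dict[str, Any]:
    """Build a constructed Winlogbeat-style document (assumed layout)."""
    return {"event": {"code": code}, "host": {"name": host}, "winlog": {"event_data": data}}


# Constructed sample events (assumed values, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _ev("4688", "WS01", SubjectUserName="alice", TokenElevationType="%%1937",
        NewProcessName="C:\\Windows\\System32\\cmd.exe"),          # alert
    _ev("4688", "WS01", SubjectUserName="alice", TokenElevationType="%%1938",
        NewProcessName="C:\\Windows\\System32\\notepad.exe"),      # limited token
    _ev("4688", "WS01", SubjectUserName="SYSTEM", TokenElevationType="%%1936",
        NewProcessName="C:\\Windows\\System32\\services.exe"),     # no UAC split
    _ev("4648", "WS01", SubjectUserName="alice", TargetUserName="admin-alice",
        TargetDomainName="CORP"),                                   # alert
    _ev("4648", "WS01", SubjectUserName="alice", TargetUserName="alice",
        TargetDomainName="CORP"),                                   # self, suppressed
    _ev("4648", "WS01", SubjectUserName="alice", TargetUserName="WS01$",
        TargetDomainName="CORP"),                                   # machine acct
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.user}@{a.host} {a.detail}")
```

Two prerequisites apply before either query returns anything: event 4688 is only logged when the "Audit Process Creation" subcategory is enabled (and TokenElevationType only distinguishes elevation when UAC is on), and 4648 is noisy enough on busy hosts that the rule should exclude known service and task accounts before it is promoted to an alert. If Sysmon is shipped instead of Security events, its process creation event carries an IntegrityLevel field, and "High" there answers the same question as %%1937 does in 4688.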
Thanks for the information
