Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alerts
    
The following rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these rules will trigger the Suspicious Activity Related to Security-Enabled Group alert. Details for each rule appear with its description in the table below.

| Title | Description | Query | Log Source | Rule Source | References | Severity |
|---|---|---|---|---|---|---|
| Security-Enabled Universal Group was Created | A Security-Enabled Universal Group has been created. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4754}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Security-Enabled Global Group was Created | A Security-Enabled Global Group has been created. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4727}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Member Added to Security-Enabled Universal Group | A member was added to a Security-Enabled Universal Group. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4756}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Security-Enabled Local Group was Created | A Security-Enabled Local Group has been created. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4731}, 'selection3': {'SourceUserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Security-Enabled Local Group was Deleted | A Security-Enabled Local Group has been deleted. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4734}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Security-Enabled Universal Group was Deleted | A Security-Enabled Universal Group has been deleted. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4758}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
| Security-Enabled Global Group was Deleted | A Security-Enabled Global Group has been deleted. This could be an indication of malicious activity. | `{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, 'selection2': {'EventID': 4730}, 'selection3': {'UserName': ''}, 'selection4': {'DomainName': ''}, 'condition': 'selection1 and selection2 and not selection3 and not selection4'}` | Stellar Cyber Windows Server Sensor configured. | Developed internally by Stellar Cyber | N/A | 50 |
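
Added example (not Stellar Cyber's code): a minimal Python evaluator for the query format shown in the table, run over constructed events to show what the two `not` selections filter out and how the creation rules (`SourceUserName`) differ from the deletion rules (`UserName`). It assumes exact-match selections, treats a missing field as empty, and handles only the `and`/`not` condition shape used on this page; `RULE_4754` and `RULE_4758` are copied from the table, all other names and event values are hypothetical.

```python
import ast

# Query text copied from the "Security-Enabled Universal Group was Created" row.
RULE_4754 = ("{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, "
             "'selection2': {'EventID': 4754}, 'selection3': {'SourceUserName': ''}, "
             "'selection4': {'DomainName': ''}, "
             "'condition': 'selection1 and selection2 and not selection3 and not selection4'}")
# Query text copied from the "Security-Enabled Universal Group was Deleted" row.
RULE_4758 = ("{'selection1': {'SubCategory': 'Microsoft-Windows-Security-Auditing'}, "
             "'selection2': {'EventID': 4758}, 'selection3': {'UserName': ''}, "
             "'selection4': {'DomainName': ''}, "
             "'condition': 'selection1 and selection2 and not selection3 and not selection4'}")

def selection_matches(selection, event):
    # Assumption: every field in a selection must equal the event value exactly,
    # and a field that is missing from the event counts as the empty string.
    return all(str(event.get(field, "")) == str(want)
               for field, want in selection.items())

def rule_fires(query_text, event):
    # The queries on the page are dict literals; literal_eval parses them safely.
    rule = ast.literal_eval(query_text)
    condition = rule.pop("condition")
    for term in condition.split(" and "):
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        if selection_matches(rule[name], event) == negated:
            return False  # a plain term failed, or a negated term matched
    return True

# Constructed sample events (normalised field names are assumptions).
AUDIT = "Microsoft-Windows-Security-Auditing"
EVENTS = [
    {"SubCategory": AUDIT, "EventID": 4754, "SourceUserName": "jdoe", "DomainName": "CORP"},
    {"SubCategory": AUDIT, "EventID": 4754, "SourceUserName": "", "DomainName": "CORP"},
    {"SubCategory": AUDIT, "EventID": "4754", "SourceUserName": "svc-hr"},  # no DomainName
    {"SubCategory": AUDIT, "EventID": 4758, "UserName": "jdoe", "DomainName": "CORP"},
    {"SubCategory": AUDIT, "EventID": 4758, "SourceUserName": "jdoe", "DomainName": "CORP"},
]

def matching_events(query_text, events):
    return [e for e in events if rule_fires(query_text, e)]

if __name__ == "__main__":
    print("4754 hits:", matching_events(RULE_4754, EVENTS))
    print("4758 hits:", matching_events(RULE_4758, EVENTS))
```

The last constructed event carries the actor in `SourceUserName` only, so the deletion rule, which checks `UserName`, does not fire on it; when validating a pipeline, confirm which field your normalisation populates for each event ID.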
