Audit Security Group Management

Some detection rules require monitoring security group management to detect unauthorized changes to user group memberships, which can affect access control and security policies. Enabling this setting ensures visibility into modifications of security groups, helping maintain security and compliance.

To enable Audit Security Group Management across a group of servers using Active Directory Group Policy, enable the Audit Security Group Management policy under Advanced Audit Policy Configuration. The policy is found at the following path in the Group Policy Management Editor:

Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Account Management >
Audit Security Group Management (Success, Failure)

To enable this policy on a local machine, run the following command in an elevated command prompt:

auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable

When this audit policy is enabled, the following event IDs may be generated:

  • 4727: A security-enabled global group was created.
  • 4728: A member was added to a security-enabled global group.
  • 4729: A member was removed from a security-enabled global group.
  • 4730: A security-enabled global group was deleted.
  • 4731: A security-enabled local group was created.
  • 4732: A member was added to a security-enabled local group.
  • 4733: A member was removed from a security-enabled local group.
  • 4734: A security-enabled local group was deleted.
  • 4735: A security-enabled local group was changed.
  • 4737: A security-enabled global group was changed.
  • 4754: A security-enabled universal group was created.
  • 4755: A security-enabled universal group was changed.
  • 4756: A member was added to a security-enabled universal group.
  • 4757: A member was removed from a security-enabled universal group.
  • 4758: A security-enabled universal group was deleted.
  • 4764: A group’s type was changed.
  • 4799: A security-enabled local group membership was enumerated.
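
As an added example that is not part of the original page, the following PowerShell script verifies that the subcategory is enabled on the local host (using the same auditpol.exe tool shown above) and then summarises the membership add/remove events (4728, 4729, 4732, 4733, 4756, 4757) from the last seven days. It assumes an elevated PowerShell session on a machine where the policy has already been enabled.

```powershell
# Added example (not from the original page). Assumes an elevated session.

# 1. Confirm the subcategory is enabled. "/r" makes auditpol emit CSV, which
#    ConvertFrom-Csv turns into an object with an 'Inclusion Setting' column
#    (expected value once enabled: "Success and Failure").
$setting = auditpol.exe /get /subcategory:"Security Group Management" /r |
    ConvertFrom-Csv
$setting | Select-Object Subcategory, 'Inclusion Setting'

# 2. Pull membership changes for global, local and universal groups.
$ids    = 4728, 4729, 4732, 4733, 4756, 4757
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read EventData fields by name from the event XML instead of relying on
    # positional Properties[] indexes, which are not identical across IDs.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Action  = if ($_.Id -in 4728, 4732, 4756) { 'MemberAdded' } else { 'MemberRemoved' }
        Member  = $data['MemberName']                                    # DN of the account
        Group   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If step 1 reports "No Auditing", the events in step 2 will not exist until the policy is enabled, so check the setting first when a detection rule appears to be silent.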

Use the following GitHub search to identify rules that use the events listed:

Elastic Detection Rules GitHub Repo Search