EVID 4728...4762 : Group Member Added/Removed (Security)

Audit Security Group Management

• 4731(S) : A security-enabled local group was created.

• 4732(S) : A member was added to a security-enabled local group.

• 4733(S) : A member was removed from a security-enabled local group.

• 4734(S) : A security-enabled local group was deleted.

• 4735(S) : A security-enabled local group was changed.

• 4764(S) : A group’s type was changed.

• 4799(S) : A security-enabled local group membership was enumerated.

4731, 4732, 4733, 4734, 4735, 4764, 4799

Provider

N/A

N/A

EventID

<vmid>

<vmid>

Version

N/A

N/A

Level

<severity>

<severity>

Task

N/A

<vendorinfo>

Opcode

N/A

N/A

Keywords

<tag1>

<result>

TimeCreated

N/A

N/A

EventRecordID

N/A

N/A

Correlation

N/A

N/A

Execution

<processid>

N/A

Channel

N/A

N/A

Computer

<dname>

<dname>

GroupTypeChange

N/A

<action>

MemberName

N/A

<account>

MemberSid

<account>

N/A

TargetUserName

<group>

<group>

TargetDomainName

<domain>

<domainimpacted>

TargetSid

N/A

N/A

SubjectUserSid

N/A

N/A

SubjectUserName

<login>, <tag2>

<login>

SubjectDomainName

N/A

<domainorigin>

SubjectLogonId

<session>

<session>

PrivilegeList

N/A

N/A

CallerProcessId

N/A

<processid>

CallerProcessName

N/A

<process>

EventData

<vendorinfo>

N/A

1000635

Group Member Added/Removed

Base Rule

Account Added To Group

Access Granted

EVID 4728 : User Added Glbl Security Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4729 : User Removed From Global Sec Grp

Sub Rule

Account Removed From Group

Access Revoked

EVID 4732 : User Added To Local Sec Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4733 : User Removed From Local Sec Grp

Sub Rule

Account Removed From Group

Access Revoked

EVID 4746 : User Added To Local Dstr Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4747 : User Removed From Local Dstr Grp

Sub Rule

Account Removed From Group

Access Revoked

EVID 4751 : User Added To Global Dstr Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4761 : User Added To Universal Dstr Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4752 : User Removed From Global Dstr Grp

Sub Rule

Account Removed From Group

Access Revoked

EVID 4756 : User Added To Univ Sec Grp

Sub Rule

Account Added To Group

Access Granted

EVID 4757 : User Removed From Univ Sec Grp

Sub Rule

Account Removed From Group

Access Revoked

EVID 4762 : User Removed From Univ Dstr Grp

Sub Rule

Account Removed From Group

Access Revoked

Regex ID

Rule Name

Rule Type

Common Event

Classification

1011139

V 2.0 : Group Management Events

Base Rule

Group Information

Information

V 2.0 : EVID 4727 : Sec-Enable Global Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4728 : Memb Add To Sec-Enable Global

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4729 : Memb Remove From Sec-Enabled

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4730 : Sec-Enable Global Group Delete

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4731 : Sec-Enabled Local Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4732 : Memb Add To Sec-Enable Local

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4733 : Memb Remove From Sec-Enabled

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4734 : Sec-Enable Local Group Delete

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4735 : Sec-Enable Local Group Modifi

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4737 : Sec-Enable Global Group Modifi

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4744 : Sec-Disable Local Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4745 : Sec-Disable Local Group Modifi

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4746 : Memb Add To Sec-Disable Local

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4747 : Memb Remove From Sec-Disable

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4748 : Sec-Disable Local Group Delete

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4749 : Sec-Disabl Global Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4750 : Sec-Disable Global Group Modif

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4751 : Memb Add To Sec-Disable Global

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4752 : Memb Remove From Sec-Disabled

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4753 : Sec-Disable Global Group Delet

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4754 : Sec-Enabled Univ Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4755 : Sec-Enable Univer Group Modifi

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4756 : Memb Add To Sec-Enable Univer

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4757 : Memb Remove From Sec-Enabled

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4758 : Sec-Enable Global Unive Delete

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4759 : Sec-Disable Unive Group Create

Sub Rule

Group Created

Account Created

V 2.0 : EVID 4760 : Sec-Disable Unive Group Modifi

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4761 : Memb Add To Sec-Disable Univer

Sub Rule

Account Added To Group

Access Granted

V 2.0 : EVID 4762 : Memb Remove From Sec-Disable

Sub Rule

Account Removed From Group

Access Revoked

V 2.0 : EVID 4763 : Sec-Disable Global Univ Delete

Sub Rule

Group Deleted

Account Deleted

V 2.0 : EVID 4764 : Group Type Changed

Sub Rule

Group Attribute Modified

Account Modified

V 2.0 : EVID 4799 : Sec-Enable Local Group Members

Sub Rule

Object Read

Access Success