A Member Was Removed From a Security-Enabled Global Group

Severity: low
Author: Alexandr Yampolskyi, SOC Prime
Source: upstream

Detects the removal of a member from a security-enabled global group.

MITRE ATT&CK coverage

Tactic | Techniques
Persistence | T1098 Account Manipulation
Privilege Escalation | T1098 Account Manipulation

Event coverage

Provider | Event ID | Title
Security-Auditing | 633 |
Security-Auditing | 4729 | A member was removed from a security-enabled global group.

Stages and Predicates

Stage 1: selection