A Security-Enabled Global Group Was Deleted

Severity: low
Author: Alexandr Yampolskyi, SOC Prime
Source: upstream

Detects activity when a security-enabled global group is deleted

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	634
Security-Auditing	4730	A security-enabled global group was deleted.

Stages and Predicates

Stage 1: `selection`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Windows ESX Admins Group Creation Security Event [splunk]
Windows Increase in Group or Object Modification Activity [splunk]
Windows Privileged Group Modification [splunk]