rules/compliance/group_modification_logging.yml

title: Group Modification Logging
id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
status: stable
description: 'Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
    \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
    . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
    \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.'
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4728
            - 4729
            - 4730
            - 633
            - 632
            - 634
    condition: selection
falsepositives:
    - Unknown
level: low
# tags:
    # - CSC4
    # - CSC4.8
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
Level to low 2019-08-05 19:48:21 +02:00			`title: Group Modification Logging`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`status: stable`
$frack113$ Change double quote to quote 2022-01-06 14:02:35 +01:00			`description: 'Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`\ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\`
			`. Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\`
$frack113$ Change double quote to quote 2022-01-06 14:02:35 +01:00			`\ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.'`
compliance rules by SOC prime 2019-08-05 19:42:19 +03:00			`author: Alexandr Yampolskyi, SOC Prime`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`date: 2019/03/26`
compliance rules by SOC prime 2019-08-05 19:42:19 +03:00			`references:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`- https://www.cisecurity.org/controls/cis-controls-list/`
			`- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf`
			`- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632`
			`- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634`
compliance rules by SOC prime 2019-08-05 19:42:19 +03:00			`logsource:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`product: windows`
			`service: security`
compliance rules by SOC prime 2019-08-05 19:42:19 +03:00			`detection:`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`selection:`
			`EventID:`
			`- 4728`
			`- 4729`
			`- 4730`
			`- 633`
			`- 632`
			`- 634`
			`condition: selection`
compliance rules by SOC prime 2019-08-05 19:42:19 +03:00			`falsepositives:`
fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00			`- Unknown`
Level to low 2019-08-05 19:48:21 +02:00			`level: low`
$frack113$ Fix invalid tags 2021-08-25 09:15:57 +02:00			`# tags:`
			`# - CSC4`
			`# - CSC4.8`
			`# - NIST CSF 1.1 PR.AC-4`
			`# - NIST CSF 1.1 PR.AT-2`
			`# - NIST CSF 1.1 PR.MA-2`
			`# - NIST CSF 1.1 PR.PT-3`
			`# - ISO 27002-2013 A.9.1.1`
			`# - ISO 27002-2013 A.9.2.2`
			`# - ISO 27002-2013 A.9.2.3`
			`# - ISO 27002-2013 A.9.2.4`
			`# - ISO 27002-2013 A.9.2.5`
			`# - ISO 27002-2013 A.9.2.6`
			`# - ISO 27002-2013 A.9.3.1`
			`# - ISO 27002-2013 A.9.4.1`
			`# - ISO 27002-2013 A.9.4.2`
			`# - ISO 27002-2013 A.9.4.3`
			`# - ISO 27002-2013 A.9.4.4`
			`# - PCI DSS 3.2 2.1`
			`# - PCI DSS 3.2 7.1`
			`# - PCI DSS 3.2 7.2`
			`# - PCI DSS 3.2 7.3`
			`# - PCI DSS 3.2 8.1`
			`# - PCI DSS 3.2 8.2`
			`# - PCI DSS 3.2 8.3`
			`# - PCI DSS 3.2 8.7`