diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
new file mode 100644
index 000000000..658919c94
--- /dev/null
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -0,0 +1,64 @@
+[metadata]
+creation_date = "2022/01/27"
+maturity = "production"
+updated_date = "2022/01/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The
+SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can
+abuse this right to compromise Active Directory accounts and elevate their privileges.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
+note = """## Config
+
+The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Audit Policy Configuration >
+Audit Policies >
+Policy Change >
+Audit Authorization Policy Change (Success,Failure)
+```
+"""
+references = [
+    "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of",
+    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml",
+    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md",
+]
+risk_score = 73
+rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0006"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+id = "TA0003"
+