Rule 1
Status	Active
Alert Message	Windows audit event

Contents 1 Description 1.1 What you should do 2 Troubleshooting 2.1 False Positives 2.2 Tuning Guidance 3 Additional Information 3.1 Support 3.2 Similar Rules 3.3 Knowledge Base Articles 3.4 Outside References 3.5 Notes

[edit] Description

A security enabled group has been created in Active Directory.

[edit] What you should do

This means a new group with Security rights has been created in Active Directory. Users in the Security group will have access to audit configuration, and data. Review if this was an authorized change.

For some regulatory frameworks, collecting this for auditing reporting may be required.

[edit] Troubleshooting

[edit] False Positives

There are no false positives with this rule.

[edit] Tuning Guidance

There is no guidance for tuning this rule, this is an auditing event and the rule should not be disabled.

[edit] Additional Information

[edit] Support

If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!

[edit] Similar Rules

None.

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes