HIDS 59247
From Atomicorp Wiki
Rule 1 | |
---|---|
Status | Active |
Alert Message | Windows audit event |
Description
A local security group has been changed on the Windows host. This could indicate that a malicious application or user has modified the host, or it could indicate that an administrative user has been added locally.
What you should do
Investigate this event to determine whether it was an authorized change.
Some regulatory frameworks may require this data to be collected.
Troubleshooting
False Positives
There are no false positives with this rule.
Tuning Guidance
There is no guidance for tuning this rule. This is a generic Windows event, and the rule should not be disabled.
Additional Information
Support
If you are unsure about how to respond to this alert, please contact Atomicorp support. We're here to help you!
Similar Rules
None.
Knowledge Base Articles
None.
Outside References
None.