title: Group Modification Logging
id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
status: stable
description: "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects\
    \ Event ID 4728 indicates a \u2018Member is added to a Security Group\u2019. Event ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019\
    . Event ID 4730 indicates a\u2018Security Group is deleted\u2019. The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2\
    \ and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP."
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/26
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4728
            - 4729
            - 4730
            - 633
            - 632
            - 634
    condition: selection
falsepositives:
    - unknown
level: low
tags:
    - CSC4
    - CSC4.8
    - NIST CSF 1.1 PR.AC-4
    - NIST CSF 1.1 PR.AT-2
    - NIST CSF 1.1 PR.MA-2
    - NIST CSF 1.1 PR.PT-3
    - ISO 27002-2013 A.9.1.1
    - ISO 27002-2013 A.9.2.2
    - ISO 27002-2013 A.9.2.3
    - ISO 27002-2013 A.9.2.4
    - ISO 27002-2013 A.9.2.5
    - ISO 27002-2013 A.9.2.6
    - ISO 27002-2013 A.9.3.1
    - ISO 27002-2013 A.9.4.1
    - ISO 27002-2013 A.9.4.2
    - ISO 27002-2013 A.9.4.3
    - ISO 27002-2013 A.9.4.4
    - PCI DSS 3.2 2.1
    - PCI DSS 3.2 7.1
    - PCI DSS 3.2 7.2
    - PCI DSS 3.2 7.3
    - PCI DSS 3.2 8.1
    - PCI DSS 3.2 8.2
    - PCI DSS 3.2 8.3
    - PCI DSS 3.2 8.7