Windows AD Domain Root ACL Deletion

Splunk Security Content

Summary
This detection rule identifies when an ACL (Access Control List) entry on the root object of a Windows Active Directory domain is deleted. Such an action is classified as a significant and potentially harmful change, impacting the security and integrity of the Active Directory environment. Following Microsoft's guidelines, any change made at this root level should prompt a review because of its potential severity. The rule leverages Windows Security event 5136, which captures modifications to directory objects, and uses field extractions and evaluations to isolate the deletion operation on ACL entries. Its primary use is monitoring for unauthorized or accidental changes that may lead to security breaches, such as privilege escalation or unauthorized access. Security analysts should pivot on the logon ID to the associated Event Code 4624 record to identify the device responsible for the change and investigate potential malicious activity. The rule requires proper configuration of Active Directory auditing and includes lookups for SID resolution to improve detection accuracy.
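The following is an added example of the detection logic described above, written in Python rather than the rule's own SPL; it is not code from Splunk Security Content. It assumes flattened key=value records with the standard field names of Windows Security events 5136 and 4624, that the domain root object carries ObjectClass domainDNS, that the ACL lives in the nTSecurityDescriptor attribute, and that OperationType %%14675 means "Value Deleted" and %%14674 "Value Added". The sample records are constructed. Beyond the plain match, it also subtracts the ACEs of the accompanying "Value Added" record so the analyst sees which ACE was actually removed, and pivots on the logon ID to the 4624 record to recover the source host.

```python
"""Added example (not the Splunk rule's own SPL): flag Event ID 5136 records that
delete part of the domain root's nTSecurityDescriptor, work out which ACEs were
removed, and pivot on SubjectLogonId to the 4624 logon for the source device."""
import re

KV_RE = re.compile(r"(\w+)=(\S+)")     # key=value tokens in a flattened record
ACE_RE = re.compile(r"\(([^)]*)\)")    # individual ACEs inside an SDDL string

VALUE_ADDED = "%%14674"    # 5136 OperationType: Value Added (assumed mapping)
VALUE_DELETED = "%%14675"  # 5136 OperationType: Value Deleted (assumed mapping)

# Constructed sample records (hypothetical hosts, users and addresses).
SAMPLE_EVENTS = [
    "EventCode=4624 TargetUserName=jdoe TargetDomainName=CORP TargetLogonId=0x5a3f21 "
    "LogonType=3 IpAddress=10.0.0.25 WorkstationName=WKS-17",
    # Old descriptor logged as deleted, new one logged as added: one modification.
    "EventCode=5136 SubjectUserName=jdoe SubjectDomainName=CORP SubjectLogonId=0x5a3f21 "
    "ObjectDN=DC=corp,DC=example,DC=com ObjectClass=domainDNS "
    "AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=%%14675 "
    "AttributeValue=O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RP;;;AU)",
    "EventCode=5136 SubjectUserName=jdoe SubjectDomainName=CORP SubjectLogonId=0x5a3f21 "
    "ObjectDN=DC=corp,DC=example,DC=com ObjectClass=domainDNS "
    "AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=%%14674 "
    "AttributeValue=O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    # ACL change on an OU, not the domain root: must not fire.
    "EventCode=5136 SubjectUserName=svc-ldap SubjectDomainName=CORP SubjectLogonId=0x7b11 "
    "ObjectDN=OU=Sales,DC=corp,DC=example,DC=com ObjectClass=organizationalUnit "
    "AttributeLDAPDisplayName=nTSecurityDescriptor OperationType=%%14675 "
    "AttributeValue=O:DAG:DAD:AI(A;;RP;;;AU)",
]


def parse_event(line):
    """Turn a flattened key=value record into a dict."""
    return dict(KV_RE.findall(line))


def sddl_aces(sddl):
    """Return the set of ACE bodies found in an SDDL security descriptor string."""
    return set(ACE_RE.findall(sddl))


def is_domain_root_acl_deletion(ev):
    """Core rule: a 'Value Deleted' on the security descriptor of the domain root."""
    return (ev.get("EventCode") == "5136"
            and ev.get("ObjectClass") == "domainDNS"
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and ev.get("OperationType") == VALUE_DELETED)


def find_logon(events, logon_id):
    """Pivot: the 4624 record whose TargetLogonId matches the 5136 SubjectLogonId."""
    for ev in events:
        if ev.get("EventCode") == "4624" and ev.get("TargetLogonId") == logon_id:
            return ev
    return None


def detect(lines):
    """Run the rule over raw records and return enriched findings."""
    events = [parse_event(line) for line in lines]
    findings = []
    for idx, ev in enumerate(events):
        if not is_domain_root_acl_deletion(ev):
            continue
        removed = sddl_aces(ev.get("AttributeValue", ""))
        # A modification appears as the old value deleted then the new value added;
        # subtracting the added ACEs leaves the ones that actually disappeared.
        for later in events[idx + 1:]:
            if (later.get("EventCode") == "5136"
                    and later.get("OperationType") == VALUE_ADDED
                    and later.get("ObjectDN") == ev.get("ObjectDN")
                    and later.get("SubjectLogonId") == ev.get("SubjectLogonId")
                    and later.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
                removed -= sddl_aces(later.get("AttributeValue", ""))
                break
        logon = find_logon(events, ev.get("SubjectLogonId")) or {}
        findings.append({
            "subject": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
            "object_dn": ev.get("ObjectDN"),
            "logon_id": ev.get("SubjectLogonId"),
            "source_ip": logon.get("IpAddress"),
            "workstation": logon.get("WorkstationName"),
            "removed_aces": sorted(removed),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the SubjectUserSid field would additionally be resolved through the SID lookup the rule ships with; the constructed records above already carry the resolved account name, so that step is omitted here.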
Categories
  • Identity Management
  • Windows
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1484
  • T1222
  • T1222.001
Created: 2025-01-21