
Summary
This rule identifies instances where a user is added to the admin group on a macOS system, which can be an indicator of privilege escalation. It leverages the Jamf Protect data source to analyze event logs: an alert fires on an event of type 'change' with the action 'od_group_add' whose target group is 'admin'. The rule carries a risk score of 21, i.e. low severity, because the event on its own is not conclusive; legitimate administrative workflows also add users to the admin group, so the alert is a starting point for triage rather than a confirmed compromise. Security teams should still investigate what happens after the addition, since elevation to admin has historically preceded unauthorized access or other harmful activity. The accompanying investigation guide recommends reviewing subsequent actions such as installation of new software, creation of additional user accounts, and the establishment of persistence mechanisms after the elevation, to confirm that the new administrator rights have not been misused.
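The following is an added illustration, not the rule's own query or any Elastic or Jamf Protect code. It applies the matching conditions described above (event type 'change', action 'od_group_add', group 'admin') to a handful of constructed events and then gathers the follow-up activity the investigation guide asks an analyst to check. The flattened ECS-style field names (`event.type`, `event.action`, `group.name`, `host.name`, `user.name`, `@timestamp`) and the follow-up action labels are assumptions for the example, not a verified Jamf Protect schema; it also handles `event.type` arriving as either a string or an array, which ECS permits.

```python
"""Added example: apply the admin-group-addition rule to constructed events
and collect the follow-up activity worth investigating.

Field names and the follow-up action labels are assumptions for this
illustration, not the real Jamf Protect / Elastic schema.
"""
from datetime import datetime, timedelta

RULE_RISK_SCORE = 21  # low severity, as stated for the rule

# Assumed action labels for the activity the investigation guide cares about:
# software installs, new local accounts, persistence.
FOLLOW_UP_ACTIONS = {"process_start", "od_user_add", "launch_agent_created"}


def _as_list(value):
    """ECS allows event.type to be a single string or an array of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_group_add(event: dict) -> bool:
    """True when the event matches the rule: a 'change' event whose action is
    'od_group_add' and whose target group is exactly 'admin'."""
    return (
        "change" in _as_list(event.get("event.type"))
        and event.get("event.action") == "od_group_add"
        and event.get("group.name") == "admin"
    )


def _ts(event: dict) -> datetime:
    """Parse an ISO-8601 '@timestamp' ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def follow_up_activity(events, alert, window=timedelta(hours=1)):
    """Events on the same host within `window` after the alert whose action is
    one the investigation guide flags (installs, new accounts, persistence)."""
    start = _ts(alert)
    end = start + window
    return [
        e for e in events
        if e is not alert
        and e.get("host.name") == alert.get("host.name")
        and start <= _ts(e) <= end
        and e.get("event.action") in FOLLOW_UP_ACTIONS
    ]


def run_rule(events):
    """Return (alert, follow-up events) pairs for every event that matches."""
    return [(e, follow_up_activity(events, e)) for e in events if is_admin_group_add(e)]


# Constructed sample events (not real telemetry). Only the second one matches
# the rule; the first targets a different group, the last removes rather than adds.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-09-12T10:00:00Z", "host.name": "mac-01", "user.name": "alice",
     "event.type": "change", "event.action": "od_group_add", "group.name": "staff"},
    {"@timestamp": "2024-09-12T10:05:00Z", "host.name": "mac-01", "user.name": "alice",
     "event.type": ["change"], "event.action": "od_group_add", "group.name": "admin"},
    {"@timestamp": "2024-09-12T10:07:00Z", "host.name": "mac-01", "user.name": "alice",
     "event.type": "start", "event.action": "process_start", "process.name": "installer"},
    {"@timestamp": "2024-09-12T10:20:00Z", "host.name": "mac-01", "user.name": "alice",
     "event.type": "creation", "event.action": "od_user_add", "user.target.name": "svc-backup"},
    {"@timestamp": "2024-09-12T10:30:00Z", "host.name": "mac-02", "user.name": "bob",
     "event.type": "start", "event.action": "process_start", "process.name": "installer"},
    {"@timestamp": "2024-09-12T12:00:00Z", "host.name": "mac-01", "user.name": "alice",
     "event.type": "change", "event.action": "od_group_remove", "group.name": "admin"},
]

if __name__ == "__main__":
    for alert, follow_ups in run_rule(SAMPLE_EVENTS):
        print(f"ALERT (risk {RULE_RISK_SCORE}): {alert['user.name']} added to admin "
              f"on {alert['host.name']} at {alert['@timestamp']}")
        for e in follow_ups:
            print("  follow-up:", e["@timestamp"], e["event.action"])
```

The exact-match on `group.name` matters: matching on a substring would also catch groups such as `_developer` or `_appstore` and inflate false positives. The one-hour follow-up window is arbitrary; in practice the window and the set of follow-up actions should be tuned to what the environment's telemetry actually emits.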
Categories
- macOS
- Endpoint
- Other
Data Sources
- User Account
- Logon Session
- Process
- Script
ATT&CK Techniques
- T1078 (Valid Accounts)
- T1078.003 (Valid Accounts: Local Accounts)
Created: 2024-09-12