
Windows AD Domain Root ACL Modification

Splunk Security Content

Summary
The rule detects modifications to the Access Control List (ACL) on the domain root object in Active Directory, recorded as Windows Security Event Code 5136. Microsoft guidance treats such changes as significant and high-impact, so they warrant careful review. The rule's search query extracts the relevant fields from the Windows Security log: the old and new values of the modified attribute, the operation type, and the user account that made the change. This helps identify unauthorized or suspicious modifications to a critical AD configuration and shows which users or accounts were granted, or had altered, permissions. Related searches let analysts drill down into a specific user's actions and the associated risk events to assess the potential threat. Implementation requires correct setup of audit logging and of the relevant macros in the logging infrastructure, so that the necessary data is captured and analyzed.
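As an added illustration of the detection logic the summary describes (this is example code, not the Splunk Security Content search itself), the block below runs over a few constructed Event 5136 records, keeps only those that change the security descriptor of the domain root object, pairs the deleted (old) and added (new) attribute values, and reports the account involved together with the ACEs that were added or removed. The field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OpCorrelationID), the attribute name nTSecurityDescriptor and the operation codes %%14674/%%14675 are assumptions drawn from the Windows 5136 event schema, not from the page.

```python
"""Added example, not Splunk's detection code: triage Windows Security
Event 5136 records for ACL changes on the Active Directory domain root."""
import re
from collections import defaultdict

# Assumption: OperationType codes as rendered in the 5136 event XML.
OPERATION_NAMES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}
# Assumption: the ACL is carried in the nTSecurityDescriptor attribute as SDDL.
ACL_ATTRIBUTE = "nTSecurityDescriptor"
# One ACE per parenthesised group in an SDDL string.
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample events (not real log data). Two records with the same
# OpCorrelationID describe one change: the deleted old value and the added new one.
OLD_SD = "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(A;;GA;;;DA)"
NEW_SD = "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(A;;GA;;;DA)(A;;GA;;;S-1-5-21-1-2-3-1105)"
SAMPLE_EVENTS = [
    {"EventCode": "5136", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectDN": "DC=corp,DC=example,DC=com", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": ACL_ATTRIBUTE, "AttributeValue": OLD_SD,
     "OperationType": "%%14675", "OpCorrelationID": "{op-1}"},
    {"EventCode": "5136", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectDN": "DC=corp,DC=example,DC=com", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": ACL_ATTRIBUTE, "AttributeValue": NEW_SD,
     "OperationType": "%%14674", "OpCorrelationID": "{op-1}"},
    # ACL change on a user object, not the domain root: ignored by this rule.
    {"EventCode": "5136", "SubjectDomainName": "CORP", "SubjectUserName": "svc-admin",
     "ObjectDN": "CN=Alice,OU=Users,DC=corp,DC=example,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": ACL_ATTRIBUTE, "AttributeValue": "O:DAG:DAD:(A;;GA;;;DA)",
     "OperationType": "%%14674", "OpCorrelationID": "{op-2}"},
    # Non-ACL attribute on the domain root: ignored.
    {"EventCode": "5136", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectDN": "DC=corp,DC=example,DC=com", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "prod forest",
     "OperationType": "%%14674", "OpCorrelationID": "{op-3}"},
    # Different event code entirely: ignored.
    {"EventCode": "4662", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
]


def is_domain_root(dn):
    """True when every RDN of the DN is a DC= component, e.g. DC=corp,DC=example,DC=com."""
    parts = [p.strip() for p in dn.split(",") if p.strip()]
    return bool(parts) and all(p.upper().startswith("DC=") for p in parts)


def parse_aces(sddl):
    """Return the ACE strings of an SDDL security descriptor (empty list if none)."""
    return ACE_RE.findall(sddl or "")


def domain_root_acl_changes(events):
    """Return one finding per domain-root ACL change: the acting account, the object,
    the old/new descriptor values and the ACEs added or removed between them."""
    grouped = defaultdict(dict)
    for ev in events:
        if ev.get("EventCode") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName") != ACL_ATTRIBUTE:
            continue
        if not is_domain_root(ev.get("ObjectDN", "")):
            continue
        rec = grouped[ev.get("OpCorrelationID", id(ev))]
        rec["user"] = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        rec["object_dn"] = ev["ObjectDN"]
        op = OPERATION_NAMES.get(ev.get("OperationType"), ev.get("OperationType"))
        if op == "Value Deleted":
            rec["old_value"] = ev.get("AttributeValue", "")
        elif op == "Value Added":
            rec["new_value"] = ev.get("AttributeValue", "")
    findings = []
    for rec in grouped.values():
        old = set(parse_aces(rec.get("old_value", "")))
        new = set(parse_aces(rec.get("new_value", "")))
        rec["added_aces"] = sorted(new - old)
        rec["removed_aces"] = sorted(old - new)
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in domain_root_acl_changes(SAMPLE_EVENTS):
        print(f"{f['user']} modified ACL of {f['object_dn']}")
        print("  added ACEs:  ", f["added_aces"])
        print("  removed ACEs:", f["removed_aces"])
```

Pairing the two 5136 records by OpCorrelationID is what makes the old and new values land in one finding; without it an analyst sees a deletion and an addition as separate events and has to diff the descriptors by hand.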
Categories
  • Identity Management
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1484
  • T1222
  • T1222.001
Created: 2025-01-21