Carbon Black Admin Role Granted

Panther Rules

Summary
The Carbon Black Admin Role Granted detection rule monitors for a user being granted elevated permissions, specifically the Admin or Super Admin role, within the Carbon Black environment. It tracks changes in access rights by analyzing the audit logs that the Carbon Black system generates. A grant of this kind, especially one made by an unauthorized individual or an unexpected account, may indicate privilege escalation or account manipulation, both of which are critical security concerns. The rule inspects log events that record role grants and classifies each one against the expected outcome; if the granted role is Admin or Super Admin, it triggers an alert. The threshold is set to a single occurrence of such a log entry, and the rule is enabled to provide real-time surveillance. This detection is mapped to the MITRE ATT&CK framework, notably T1098 (Account Manipulation), which covers account manipulation and escalation of privileges.
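As an added illustration (not Panther's or Carbon Black's own code), a Panther-style rule that applies the logic described above to constructed audit events. The event field names (`description`, `loginName`) and the phrasing of the grant text that the regex expects are assumptions; adjust them to the real log format.

```python
import re

# Role names whose grant should alert (taken from the rule summary above).
ALERT_ROLES = {"Admin", "Super Admin"}

# ASSUMPTION: how a grant is phrased in the audit log's free-text
# "description" field; adjust the pattern to the real log format.
GRANT_PATTERN = re.compile(
    r"grant(?:ed)?\s+(?:the\s+)?role\s+'(?P<role>[^']+)'\s+to\s+(?P<target>\S+)",
    re.IGNORECASE,
)

def extract_grant(event):
    """Return (role, target) when the event describes a role grant, else None."""
    match = GRANT_PATTERN.search(event.get("description") or "")
    return (match.group("role"), match.group("target")) if match else None

def rule(event):
    """Panther-style rule(): True for a single Admin or Super Admin grant."""
    grant = extract_grant(event)
    return grant is not None and grant[0] in ALERT_ROLES

def title(event):
    """Alert title naming the actor, the role and the receiving account."""
    role, target = extract_grant(event)
    actor = event.get("loginName", "<unknown actor>")
    return f"Carbon Black: {actor} granted role '{role}' to {target}"

def severity(event):
    """Super Admin grants are the most consequential; rate them highest."""
    role, _ = extract_grant(event)
    return "CRITICAL" if role == "Super Admin" else "HIGH"

def evaluate(events):
    """Run the rule over a batch; one matching event is enough to alert."""
    return [(severity(e), title(e)) for e in events if rule(e)]

# Constructed sample audit events (not real Carbon Black output).
SAMPLE_EVENTS = [
    {"loginName": "alice@example.com",
     "description": "Granted role 'Super Admin' to bob@example.com"},
    {"loginName": "alice@example.com",
     "description": "Granted role 'Read Only' to carol@example.com"},
    {"loginName": "svc-backup", "description": "Logged in from 203.0.113.7"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one CRITICAL alert for the Super Admin grant and nothing for the Read Only grant or the login event, which is the single-occurrence behaviour the summary describes.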
Categories
  • Endpoint
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2023-11-21