
Windows AD add Self to Group

Splunk Security Content

Summary
This analytic rule detects a user adding themselves to an Active Directory (AD) group. This behavior typically signals an attempt at privilege escalation: a user seeking unauthorized access to higher-level privileges or sensitive resources. The detection is based on Windows Security Event ID 4728, which is logged when a member is added to a group. Analyzing these events lets organizations surface suspicious activity that may be part of a broader attack aimed at compromising critical systems and sensitive data. The query uses Splunk's search language to extract, aggregate, and analyze the relevant user actions so that potentially malicious behavior can be identified. The rule also includes drilldown searches for the detailed detection results, risk events, and analytic stories associated with the activity, improving situational awareness during security assessments and incident response.
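As an added illustration (not the rule's own SPL or any Splunk Security Content code), the following Python reproduces the core comparison the rule relies on: the Subject of a 4728 event being the same principal as the Member added. The event records are constructed; the SID-first/name-fallback comparison and the per-user aggregation are assumptions about how such a rule is typically written.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the fields Windows Security Event ID
# 4728 (member added to a security-enabled global group) emits. Not real logs.
SAMPLE_EVENTS = [
    {"EventCode": 4728, "SubjectUserSid": "S-1-5-21-1-1-1-1105",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "MemberName": "CN=John Doe,OU=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "Domain Admins"},
    {"EventCode": 4728, "SubjectUserSid": "S-1-5-21-1-1-1-500",
     "SubjectUserName": "Administrator", "SubjectDomainName": "CORP",
     "MemberName": "CN=Jane Roe,OU=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-1-1-1-1106", "TargetUserName": "Helpdesk"},
    {"EventCode": 4728, "SubjectUserSid": "S-1-5-21-1-1-1-1105",
     "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "MemberName": "CN=John Doe,OU=Users,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "Backup Operators"},
    # 4732 is a local-group add; out of scope for this rule even though it is a self-add.
    {"EventCode": 4732, "SubjectUserSid": "S-1-5-21-1-1-1-1107",
     "SubjectUserName": "svc_build", "SubjectDomainName": "CORP",
     "MemberName": "CN=svc_build,OU=Svc,DC=corp,DC=local",
     "MemberSid": "S-1-5-21-1-1-1-1107", "TargetUserName": "Administrators"},
]

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)

def is_self_add(event):
    """True when the actor (Subject) and the member being added are the same
    principal. The SID comparison is authoritative; comparing the member CN
    with SubjectUserName is only a fallback when a SID is absent ('-')."""
    if event.get("EventCode") != 4728:
        return False
    subj_sid, member_sid = event.get("SubjectUserSid", "-"), event.get("MemberSid", "-")
    if subj_sid != "-" and member_sid != "-":
        return subj_sid == member_sid
    m = _CN_RE.match(event.get("MemberName", ""))
    return bool(m) and m.group(1).lower() == event.get("SubjectUserName", "").lower()

def detect_self_group_adds(events):
    """Roll up self-add events per actor (assumed aggregation: count + groups)."""
    by_user = defaultdict(lambda: {"count": 0, "groups": []})
    for ev in events:
        if is_self_add(ev):
            key = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
            by_user[key]["count"] += 1
            by_user[key]["groups"].append(ev["TargetUserName"])
    return [{"user": u, **v} for u, v in sorted(by_user.items())]

if __name__ == "__main__":
    for hit in detect_self_group_adds(SAMPLE_EVENTS):
        print(f"{hit['user']} added self to {hit['groups']} ({hit['count']}x)")
```

Note that a member CN such as "John Doe" rarely equals the sAMAccountName "jdoe", which is why the SID comparison is the one to trust when both SIDs are present.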
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Windows Registry
  • Active Directory
  • Logon Session
ATT&CK Techniques
  • T1098
Created: 2025-01-21