
Summary
This detection rule monitors Active Directory for changes to security-enabled global groups by tracking Windows Security event IDs 4728 and 632, both of which record a member being added to such a group. These events are relevant to account manipulation (ATT&CK T1098), a technique commonly used to establish persistence within a network environment. The rule uses Splunk to gather and analyze Windows event log data, specifically focusing on the addition of user accounts to security groups that can grant significant privileges within the domain. By capturing these events, the rule provides critical visibility into potential unauthorized access or insider threats. For each match it extracts essential context such as the time of the change, the host, the user responsible for the change, and other relevant identifiers, so that security teams can investigate suspicious activity in near real time and respond to potential security incidents.
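The following is an added example, not the rule's own Splunk search: it implements the same detection logic in Python, filtering on event IDs 4728 and 632 and extracting the investigation context. The events are constructed in Splunk's WinEventLog text layout, and the host, account and group names are made up.

```python
"""Detection logic for the rule above (ATT&CK T1098): flag Windows Security events
4728 / legacy 632 (member added to a security-enabled global group) and pull out the
investigation context. Sample events are constructed in Splunk's WinEventLog text layout."""

GROUP_ADD_EVENT_IDS = {"4728", "632"}   # event IDs the rule tracks

def parse_event(raw: str) -> dict:
    """Flatten a Splunk-style Windows event into a dict. Header 'Key=value' lines are
    kept as-is; indented 'Key: value' lines in the message body are prefixed with their
    section (Subject/Member/Group) so the repeated 'Account Name' fields do not collide."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    fields, section = {"_time": lines[0].strip()}, None    # first line is the timestamp
    for line in lines[1:]:
        indented = line[0] in " \t"
        if not indented and "=" in line:
            key, _, val = line.partition("=")
            fields[key.strip()] = val.strip()
        elif not indented and line.rstrip().endswith(":"):
            section = line.strip()[:-1]
        elif indented and ":" in line and section:
            key, _, val = line.partition(":")
            fields[f"{section}.{key.strip()}"] = val.strip()
    return fields

def detect_group_additions(raw_events) -> list:
    """Return one alert dict per event whose EventCode is 4728 or 632."""
    alerts = []
    for raw in raw_events:
        ev = parse_event(raw)
        if ev.get("EventCode") not in GROUP_ADD_EVENT_IDS:
            continue        # other Security events (logons, etc.) are ignored
        alerts.append({
            "time": ev["_time"], "host": ev.get("ComputerName", "?"),
            "subject_user": f'{ev.get("Subject.Account Domain", "?")}\\{ev.get("Subject.Account Name", "?")}',
            "member": ev.get("Member.Account Name", "?"),
            "group": ev.get("Group.Group Name", "?"), "event_id": ev["EventCode"]})
    return alerts

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    "08/02/2025 10:15:32 AM\nLogName=Security\nEventCode=4728\nComputerName=DC01.corp.example\n"
    "Message=A member was added to a security-enabled global group.\n"
    "Subject:\n\tAccount Name:\t\tjsmith\n\tAccount Domain:\t\tCORP\n"
    "Member:\n\tAccount Name:\t\tCN=Eve Adams,CN=Users,DC=corp,DC=example\n"
    "Group:\n\tGroup Name:\t\tDomain Admins\n\tGroup Domain:\t\tCORP",
    "08/02/2025 10:16:01 AM\nLogName=Security\nEventCode=4624\nComputerName=DC01.corp.example\n"
    "Message=An account was successfully logged on.",
]

if __name__ == "__main__":
    for alert in detect_group_additions(SAMPLE_EVENTS):
        print(alert)
```

Running it prints one alert for the 4728 event (the 4624 logon is filtered out), with the subject user, added member and group name ready for triage.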
Categories
- Windows
- Identity Management
- Infrastructure
Data Sources
- Windows Registry
- Active Directory
- Application Log
ATT&CK Techniques
- T1098
Created: 2025-08-02