
A Member Was Added to a Security-Enabled Global Group

Sigma Rules

Summary
This detection rule monitors for a member being added to a security-enabled global group in Windows environments. It uses the Windows Security event log, filtering for Event IDs 4728 and 632, which are recorded when a member is added to such a group. This activity reflects a change in group membership and therefore in effective permissions, and may indicate unauthorized access or a compromised account. The rule, authored by Alexandr Yampolskyi of SOC Prime, aims to improve visibility into group management activities, particularly those that could affect security posture and system integrity.
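The selection the summary describes, applied to exported Security events, as an added illustration (not the rule's own Sigma source or SOC Prime code): it keeps only Security-channel records with Event ID 4728 or 632 and pulls out the group, member and actor fields an analyst triages first. Field names (EventID, Channel, TargetUserName, MemberSid, SubjectUserName) are assumed to be those of the 4728 event as a log shipper would emit them; the legacy 632 record is assumed to have been normalized to the same names.

```python
"""Toy evaluator for the rule above: flag Windows Security events 4728 / 632."""
import json
from typing import Dict, Iterable, List

# Event IDs named on the page; 632 is the legacy (pre-Vista) equivalent of 4728.
MEMBER_ADDED_TO_GLOBAL_GROUP = {4728, 632}


def matches_rule(event: Dict) -> bool:
    """Rule selection: Security channel and EventID 4728 or 632."""
    return (event.get("Channel") == "Security"
            and event.get("EventID") in MEMBER_ADDED_TO_GLOBAL_GROUP)


def summarize(event: Dict) -> Dict:
    """Triage fields: TargetUserName is the group, MemberSid/MemberName the
    account added, SubjectUserName the account that made the change (assumed field names)."""
    return {
        "event_id": event["EventID"],
        "group": event.get("TargetUserName"),
        "member": event.get("MemberSid") or event.get("MemberName"),
        "actor": event.get("SubjectUserName"),
        "host": event.get("Computer"),
    }


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run the rule over JSON-lines records; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_rule(event):
            hits.append(summarize(event))
    return hits


# Constructed sample records: one 4728, one 4732 (local group, out of scope),
# one legacy 632, one 4728 from the wrong channel, and one malformed line.
SAMPLE_LOG = """
{"EventID": 4728, "Channel": "Security", "Computer": "DC01", "TargetUserName": "Domain Admins", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe"}
{"EventID": 4732, "Channel": "Security", "Computer": "DC01", "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105", "SubjectUserName": "jdoe"}
{"EventID": 632, "Channel": "Security", "Computer": "DC02", "TargetUserName": "Finance Users", "MemberName": "CORP\\\\asmith", "SubjectUserName": "admin1"}
{"EventID": 4728, "Channel": "Application", "Computer": "WS01", "TargetUserName": "Staff", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1200", "SubjectUserName": "svc"}
not a json record
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running the block prints the two matching records (the Domain Admins addition and the legacy 632 event); the local-group and Application-channel records are excluded.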
Categories
  • Identity Management
  • Windows
Data Sources
  • Windows Registry
  • Application Log
Created: 2023-04-26