
Summary
This detection rule identifies the creation of new local administrator accounts in a Windows environment by monitoring Security event logs. It keys on Event Code 4720, which records a user account creation, and Event Code 4732, which records a member being added to a security-enabled local group, here the Administrators group. Taken together, these events may indicate unauthorized privilege escalation, a tactic attackers commonly use to gain administrative access, with potential consequences including data breaches, system alterations and service disruptions. The rule runs a search over the `wineventlog_security` data source, filters for these two event codes and correlates them to give visibility into suspicious account elevation; any match warrants immediate investigation.
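The correlation the rule performs, written out as an added example in Python (not the rule's own search logic) over a few constructed events: a 4720 account creation followed within a window by a 4732 addition of the same account to Administrators on the same host is reported; a new account added to a different group, or an old account added to Administrators with no preceding 4720, is not. Field names (`TargetUserName`, `MemberName`, `SubjectUserName`) are simplified assumptions; real 4732 events may carry the member as a SID rather than a name.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape of simplified Security-log records.
# Assumption: 4720.TargetUserName is the created account; 4732.TargetUserName
# is the group and 4732.MemberName is "HOST\user" for a local account.
SAMPLE_EVENTS = [
    {"time": "2024-12-12T10:00:05", "EventCode": 4720, "host": "WS01",
     "TargetUserName": "svc_backup", "SubjectUserName": "jdoe"},
    {"time": "2024-12-12T10:00:40", "EventCode": 4732, "host": "WS01",
     "TargetUserName": "Administrators", "MemberName": "WS01\\svc_backup",
     "SubjectUserName": "jdoe"},
    {"time": "2024-12-12T11:15:00", "EventCode": 4720, "host": "WS02",
     "TargetUserName": "intern01", "SubjectUserName": "hr_admin"},
    {"time": "2024-12-12T11:16:00", "EventCode": 4732, "host": "WS02",
     "TargetUserName": "Remote Desktop Users", "MemberName": "WS02\\intern01",
     "SubjectUserName": "hr_admin"},
    {"time": "2024-12-12T12:00:00", "EventCode": 4732, "host": "WS03",
     "TargetUserName": "Administrators", "MemberName": "WS03\\olduser",
     "SubjectUserName": "itops"},
]

def find_new_local_admins(events, window=timedelta(hours=1)):
    """Correlate 4720 (account created) with a later 4732 (added to the
    Administrators group) on the same host within `window`. Returns alerts."""
    created = {}  # (host, user) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["EventCode"] == 4720:
            created[(ev["host"], ev["TargetUserName"].lower())] = ts
        elif ev["EventCode"] == 4732 and ev["TargetUserName"] == "Administrators":
            # Strip the "HOST\" prefix so the member matches the created name
            member = ev["MemberName"].split("\\")[-1].lower()
            t0 = created.get((ev["host"], member))
            if t0 is not None and ts - t0 <= window:
                alerts.append({"host": ev["host"], "user": member,
                               "created": t0.isoformat(),
                               "elevated": ts.isoformat(),
                               "by": ev["SubjectUserName"]})
    return alerts

if __name__ == "__main__":
    for a in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: new account {a['user']} added to "
              f"Administrators by {a['by']} ({a['created']} -> {a['elevated']})")
```

The window and the group name are the two knobs to tune: a short window catches the create-then-elevate pattern the rule describes, while a 4732 for a long-standing account is left to other rules.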
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1136.001
- T1136
Created: 2024-12-12