Description
Is your feature request related to a problem? Please describe.
Yes.
While using the windows_privileged_group_modification detection in production, we observed that additions to highly privileged Active Directory groups (notably Enterprise Admins) are logged using Event ID 4756 (A member was added to a security-enabled universal group).
The current detection only includes Event IDs 4727, 4731, 4744, 4749, 4754, 4759, 4783, 4790, which results in missed detections for real-world privilege escalation scenarios involving universal security groups such as Enterprise Admins.
Describe the solution you'd like
Add Event ID 4756 to the SPL used in the windows_privileged_group_modification detection.
Describe alternatives you've considered
As a workaround, we locally modified the detection to include Event ID 4756.
Additional context
Event ID 4756 is the standard Windows Security Event generated when a member is added to a security-enabled universal group and is logged on Domain Controllers. This behavior is consistently observed in production Active Directory environments. Missing this Event ID can allow high-impact privilege escalations (e.g. addition to Enterprise Admins) to go undetected.
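To make the coverage gap concrete, here is an added example (not the project's SPL and not part of the original issue) that models an event-ID allow-list detection in Python and runs it over a few constructed Windows Security events. The event codes are those named in the issue; the privileged group names, the hostnames and the sample events are assumptions invented for this illustration.

```python
"""Model of an event-ID allow-list detection run over constructed Windows
Security events. Added illustration; it does not reproduce the project's SPL."""

from dataclasses import dataclass

# Event IDs the issue says the detection currently matches.
CURRENT_EVENT_IDS = frozenset({4727, 4731, 4744, 4749, 4754, 4759, 4783, 4790})
# Proposed list: the same IDs plus 4756
# ("A member was added to a security-enabled universal group").
PROPOSED_EVENT_IDS = CURRENT_EVENT_IDS | {4756}

# Groups treated as privileged for this example (assumption, not the project's list).
PRIVILEGED_GROUPS = frozenset(
    {"Enterprise Admins", "Domain Admins", "Schema Admins", "Administrators"}
)


@dataclass(frozen=True)
class SecurityEvent:
    event_code: int
    computer: str   # Domain Controller that logged the event
    subject: str    # account that performed the change
    member: str     # account added; empty for events without a member field
    group: str      # target group; empty for events without a group field


# Constructed sample events; hostnames and accounts are invented.
SAMPLE_EVENTS = [
    SecurityEvent(4756, "DC01.corp.example", "CORP\\jdoe", "CORP\\svc-backup", "Enterprise Admins"),
    SecurityEvent(4754, "DC01.corp.example", "CORP\\jdoe", "", "Contractors-Universal"),
    SecurityEvent(4624, "DC01.corp.example", "CORP\\jdoe", "", ""),
    SecurityEvent(4756, "DC02.corp.example", "CORP\\helpdesk", "CORP\\intern", "Print-Users-Universal"),
]


def detect(events, event_ids):
    """Events whose code is in the allow-list (the detection's core filter)."""
    return [e for e in events if e.event_code in event_ids]


def privileged_member_additions(events):
    """4756 events whose target group is privileged: the escalations the issue describes."""
    return [e for e in events if e.event_code == 4756 and e.group in PRIVILEGED_GROUPS]


def coverage_gap(events, event_ids):
    """Privileged additions that the given allow-list would never surface."""
    detected = set(detect(events, event_ids))
    return [e for e in privileged_member_additions(events) if e not in detected]


if __name__ == "__main__":
    for label, ids in (("current", CURRENT_EVENT_IDS), ("proposed", PROPOSED_EVENT_IDS)):
        hits = detect(SAMPLE_EVENTS, ids)
        missed = coverage_gap(SAMPLE_EVENTS, ids)
        print(f"{label}: {len(hits)} hit(s), {len(missed)} missed privileged addition(s)")
        for e in missed:
            print(f"  missed: {e.subject} added {e.member} to '{e.group}' on {e.computer}")
```

With the current list the 4756 addition to Enterprise Admins is not matched at all, while the 4754 group-creation event is; adding 4756 surfaces the addition. Note that the proposed list also matches the second 4756 event for a non-privileged universal group, so a group-name filter or allow-list is the next tuning step in a real deployment.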