title: A member was added to a security-enabled universal group.
description: hogehoge
enabled: true
author: Yea
logsource: 
    product: windows
detection:
    selection:
        Channel: Security
        EventID: 4756
        TargetUserName: Administrators
    # condition: selection
falsepositives:
    - unknown
level: low
output: 'user added to universal Administrators UserName: %MemberName% SID: %MemberSid%'
creation_date: 2020/11/8
updated_date: 2020/11/8