Windows Event ID 4732 - Member Added to Security Group

Records when a member is added to a security-enabled local or domain group. Critical for detecting privilege escalation and unauthorized group modifications, and for tracking administrative changes.
Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)
Log Example

Default format: Windows Event Log Format

Example Log Entry:

```log
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          2/1/2026 2:22:45 PM
Event ID:      4732
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC01.corp.local
Description:
A member was added to a security-enabled local group.

Subject:
    Security ID:    S-1-5-21-1234567890-1234567890-1234567890-500
    Account Name:   Administrator
    Account Domain: CORP
    Logon ID:       0x12345678

Member:
    Security ID:    S-1-5-21-1234567890-1234567890-1234567890-1001
    Account Name:   CN=John Smith,OU=Users,DC=corp,DC=local

Group:
    Security ID:    S-1-5-32-544
    Group Name:     Administrators
    Group Domain:   Builtin
```

Structure: XML-based binary format with structured EventData fields
Available Formats

Windows Event Log Format (default; the example is the log entry shown above)
Structure: XML-based binary format with structured EventData fields

XML Format

Example:
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-02-01T14:22:45.123456789Z"/>
    <EventRecordID>345678</EventRecordID>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=John Smith,OU=Users,DC=corp,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-1234567890-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x12345678</Data>
  </EventData>
</Event>
```

Structure: Native XML representation of the event

JSON (Winlogbeat/NXLog)

Example:
```json
{
  "event_id": 4732,
  "log_name": "Security",
  "source_name": "Microsoft-Windows-Security-Auditing",
  "computer_name": "DC01.corp.local",
  "time_created": "2026-02-01T14:22:45.123Z",
  "keywords": ["Audit Success"],
  "event_data": {
    "MemberName": "CN=John Smith,OU=Users,DC=corp,DC=local",
    "MemberSid": "S-1-5-21-1234567890-1234567890-1234567890-1001",
    "TargetUserName": "Administrators",
    "TargetDomainName": "Builtin",
    "TargetSid": "S-1-5-32-544",
    "SubjectUserSid": "S-1-5-21-1234567890-1234567890-1234567890-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "CORP",
    "SubjectLogonId": "0x12345678"
  }
}
```

Structure: Structured JSON from log forwarders

Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| EventID | integer | Event identifier (always 4732 for member added to group) | 4732 |
| TimeCreated | datetime | Timestamp when the member was added | 2026-02-01T14:22:45.123Z |
| Computer | string | Computer where the change was made | DC01.corp.local |
| MemberName | string | Distinguished name of the added member | CN=John Smith,OU=Users,DC=corp,DC=local |
| MemberSid | string | SID of the added member | S-1-5-21-1234567890-1234567890-1234567890-1001 |
| TargetUserName | string | Name of the group that was modified | Administrators |
| TargetDomainName | string | Domain of the group | Builtin |
| TargetSid | string | SID of the group | S-1-5-32-544 |
| SubjectUserName | string | Account that performed the change | Administrator |
| SubjectDomainName | string | Domain of the account that made the change | CORP |
| SubjectLogonId | string | Logon session ID of who made the change | 0x12345678 |
Parsing Patterns

Grok Patterns

For the XML format:

```
<Data Name="MemberName">%{DATA:member_name}</Data>.*<Data Name="TargetUserName">%{DATA:group_name}</Data>.*<Data Name="SubjectUserName">%{DATA:subject_user}</Data>
```

Regular Expressions

For the XML format:

```
MemberName">(?P<member_name>[^<]+)</Data>.*TargetUserName">(?P<group_name>[^<]+)</Data>.*SubjectUserName">(?P<subject_user>[^<]+)</Data>
```

Collector Configurations

Splunk

```
# Additions to privileged groups
index=wineventlog EventCode=4732 (TargetUserName="Domain Admins" OR TargetUserName="Administrators" OR TargetUserName="Enterprise Admins")
| table _time, MemberName, TargetUserName, SubjectUserName, Computer
```

Configuration
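As an added example (not part of this page or of any collector's own code), the Python below extracts the Fields Reference fields from a 4732 XML record with a real XML parser instead of the regexes above, then applies the same privileged-group check as the Splunk search, extended to also match on the group SID so a renamed group still fires. The sample event is constructed from the XML example on this page; the group-name list is an assumption to adapt to your environment.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Group names from the Splunk search above, plus the well-known SID of
# BUILTIN\Administrators so the check still fires if the group is renamed.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
PRIVILEGED_SIDS = {"S-1-5-32-544"}

# Constructed sample: this page's XML example with <System> trimmed to what is read.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2026-02-01T14:22:45.123456789Z"/>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=John Smith,OU=Users,DC=corp,DC=local</Data>
    <Data Name="MemberSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x12345678</Data>
  </EventData>
</Event>"""


def parse_4732(xml_text):
    """Return the Fields Reference fields as a dict, or None for a non-4732 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4732":
        return None
    fields = {
        "EventID": 4732,
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):  # one key per <Data Name="...">
        fields[data.get("Name")] = data.text or ""
    return fields


def check_privileged_addition(fields):
    """Return an alert line if the modified group is privileged by name or SID, else None."""
    if (fields.get("TargetUserName") not in PRIVILEGED_GROUPS
            and fields.get("TargetSid") not in PRIVILEGED_SIDS):
        return None
    return (f"{fields['Computer']}: {fields['SubjectDomainName']}\\{fields['SubjectUserName']} "
            f"added {fields['MemberName']} to {fields['TargetDomainName']}\\{fields['TargetUserName']}")
```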
Enable Logging

Enable security group management auditing:

```
auditpol /set /subcategory:"Security Group Management" /success:enable
```

Log To Syslog

Forward via Windows Event Forwarding (WEF): include this event in the WEF subscription for group management events.

Use Cases
Track group membership changes: monitor all additions to security groups. Key fields: MemberName, TargetUserName, SubjectUserName, TimeCreated.
Tested On

Windows Server 2022
Last updated: 2026-02-01 by admin