Hello J_at_Adatasol,
Thank you for posting in the Q&A forum.
Security Monitoring Recommendations
For 4798(S): A user's local group membership was enumerated.
Important
For this event, also see Appendix A: Security monitoring recommendations for many audit events.
- If you have high value domain or local accounts for which you need to monitor each enumeration of their group membership, or any access attempt, monitor events with the “Subject\Security ID” that corresponds to the high value account or accounts.
- If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.
- You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
- If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”
Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
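The four recommendations in the answer above, turned into detection logic that runs over 4798 event XML, as an added example that is not part of the original answer or of the Microsoft documentation it quotes. It assumes the EventData field names of event 4798 (SubjectUserSid, TargetSid, CallerProcessName), constructs three sample records inline, and goes slightly beyond the first bullet by also checking the target account's SID, since in 4798 the target is the account whose membership was enumerated. The SIDs, expected process path, folder lists and substrings are placeholder tuning values, not anything from the page.

```python
"""Detection rules for Windows Security event 4798 (local group membership
enumerated), applying the four monitoring recommendations to parsed event
XML. All sample events and tuning values here are constructed for the example."""
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML (as returned by ToXml()/wevtutil).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Site-specific tuning; every value below is an assumption for the example.
HIGH_VALUE_SIDS = {"S-1-5-21-1111111111-2222222222-3333333333-500"}
EXPECTED_PROCESS = "c:\\windows\\system32\\svchost.exe"
STANDARD_FOLDERS = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")
RESTRICTED_FOLDERS = ("\\temporary internet files\\", "\\temp\\", "\\downloads\\")
SUSPICIOUS_SUBSTRINGS = ("mimikatz", "cain.exe")


def parse_event(xml_text):
    """Flatten one Windows event XML record into a dict of its EventData fields."""
    root = ET.fromstring(xml_text)
    record = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for item in root.find("e:EventData", NS):
        record[item.get("Name")] = item.text or ""
    return record


def evaluate(ev):
    """Return the list of rules triggered by a parsed 4798 record (empty if none)."""
    if ev.get("EventID") != 4798:
        return []
    findings = []
    # Windows paths are case-insensitive, so compare in lower case.
    proc = ev.get("CallerProcessName", "").lower()
    # Rule 1: Subject\Security ID is a high-value account (the recommendation);
    # the target SID is also checked because that is the enumerated account.
    if ev.get("SubjectUserSid") in HIGH_VALUE_SIDS:
        findings.append("subject is high-value account")
    if ev.get("TargetSid") in HIGH_VALUE_SIDS:
        findings.append("target is high-value account")
    # Rule 2: Process Name differs from the pre-defined expected process.
    if proc != EXPECTED_PROCESS:
        findings.append("unexpected process name")
    # Rule 3: Process Name outside standard folders, or inside a restricted one.
    if not proc.startswith(STANDARD_FOLDERS):
        findings.append("process not in standard folder")
    if any(folder in proc for folder in RESTRICTED_FOLDERS):
        findings.append("process in restricted folder")
    # Rule 4: restricted substrings in Process Name.
    hits = [s for s in SUSPICIOUS_SUBSTRINGS if s in proc]
    if hits:
        findings.append("suspicious process name: " + ", ".join(hits))
    return findings


def make_event(subject_sid, target_name, target_sid, process):
    """Construct a minimal 4798 record (constructed test data, not a real log)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4798</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">{target_name}</Data>
    <Data Name="TargetDomainName">WORKSTATION1</Data>
    <Data Name="TargetSid">{target_sid}</Data>
    <Data Name="SubjectUserSid">{subject_sid}</Data>
    <Data Name="SubjectUserName">operator</Data>
    <Data Name="SubjectDomainName">WORKSTATION1</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="CallerProcessId">0x1234</Data>
    <Data Name="CallerProcessName">{process}</Data>
  </EventData>
</Event>"""


# Constructed sample records: benign service enumeration, a tool run from a
# user's Temp folder against the high-value account, and a vendor agent.
SAMPLE_EVENTS = [
    make_event("S-1-5-18", "alice", "S-1-5-21-1111111111-2222222222-3333333333-1001",
               "C:\\Windows\\System32\\svchost.exe"),
    make_event("S-1-5-21-1111111111-2222222222-3333333333-1001", "Administrator",
               "S-1-5-21-1111111111-2222222222-3333333333-500",
               "C:\\Users\\alice\\AppData\\Local\\Temp\\mimikatz.exe"),
    make_event("S-1-5-18", "alice", "S-1-5-21-1111111111-2222222222-3333333333-1001",
               "C:\\Program Files\\Vendor\\agent.exe"),
]


def scan(xml_records):
    """Evaluate each record; return (index, findings) for those that fired a rule."""
    results = []
    for i, xml_text in enumerate(xml_records):
        findings = evaluate(parse_event(xml_text))
        if findings:
            results.append((i, findings))
    return results


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(findings))
```

In production the records would come from the Security log (for example the XML returned by `Get-WinEvent` objects' `ToXml()` method, or the raw event forwarded to a SIEM) rather than from the constructed list; the rule logic is unchanged. Rule 2 on its own is noisy on hosts where more than one legitimate process enumerates group membership, so it is usually combined with rule 1 or rule 4 before alerting.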