Vendor
The rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity, and requires Jamf Protect for data ingestion into Elastic.