or hostname should be making changes in your environment. user additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml>elastic
technicques: T1098

Techniques

Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).

event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success