A security-enabled local group membership was enumerated

The Infrastructure team has informed me about the following two alerts generated by the SharePoint server.


1. A security-enabled local group membership was enumerated (this is generated by the Administrators group)

2. A scheduled task was created (this is generated by the service account which is running Workflow Manager)


I believe we need to ignore/whitelist these alerts because this is done by SharePoint. I remember I asked about a similar alert on the old TechNet forums and Trevor Seward replied to ignore it, but that post and forum are now nowhere to be found.


What shall I reply to the Infrastructure team?

Hi @FrankMartin1610,

The notifications triggered by the SharePoint server regarding the enumeration of a security-enabled local group membership and the establishment of a scheduled task align with anticipated behaviors within the SharePoint environment.

The alert labeled 'A security-enabled local group membership was enumerated' arises when a process systematically lists the members of a security-enabled local group on the respective computer or device.
This activity is a routine operation carried out by the Administrators group.

Also, the alert 'A scheduled task was created' is initiated by the service account overseeing the Workflow Manager.
SharePoint executes background tasks, oversees the environment, and manages scheduled processes that demand significant processing resources.
Such actions are considered standard in the SharePoint framework.

These alerts constitute integral components of SharePoint's operational framework and do not signify any security vulnerabilities.

You can consider whitelisting (or ignoring) these alerts in your monitoring system.
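
One way to scope the whitelisting mentioned in the answer above, as an added example that is not part of the original thread: suppress the two events only when they come from the SharePoint host with the expected group or service account, and keep alerting on everything else. Event IDs 4799 and 4698 are the Windows Security log IDs for these two messages; the host, domain, account and task names and the dict field names are constructed placeholders.

```python
from collections import Counter

# Constructed allowlist: host, domain and account names are placeholders.
# Each rule must match on every field it lists, so suppression stays narrow.
ALLOW_RULES = [
    # 4799: a security-enabled local group membership was enumerated
    {"name": "sp-admins-enum", "event_id": 4799,
     "host": "SP-APP01", "group": "Administrators"},
    # 4698: a scheduled task was created
    {"name": "wfm-task-create", "event_id": 4698,
     "host": "SP-APP01", "subject": r"CONTOSO\svc-wfm"},
]

def _norm(value):
    return str(value).strip().lower()

def matching_rule(event, rules=ALLOW_RULES):
    """Return the name of the first rule the event fully matches, else None."""
    for rule in rules:
        fields = {k: v for k, v in rule.items() if k != "name"}
        if all(k in event and _norm(event[k]) == _norm(v) for k, v in fields.items()):
            return rule["name"]
    return None

def triage(events, rules=ALLOW_RULES):
    """Split events into alerts to raise and per-rule suppression counts."""
    alerts, suppressed = [], Counter()
    for event in events:
        name = matching_rule(event, rules)
        if name is None:
            alerts.append(event)
        else:
            suppressed[name] += 1  # keep counts so suppressed volume can be reviewed
    return alerts, suppressed

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4799, "host": "SP-APP01", "group": "Administrators", "subject": r"CONTOSO\svc-spfarm"},
    {"event_id": 4698, "host": "SP-APP01", "subject": r"contoso\SVC-WFM", "task": r"\WFM\Cleanup"},
    {"event_id": 4698, "host": "SP-APP01", "subject": r"CONTOSO\jdoe", "task": r"\Updater"},
    {"event_id": 4799, "host": "FILE01", "group": "Administrators", "subject": r"CONTOSO\jdoe"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print("suppressed:", dict(suppressed))
    for alert in alerts:
        print("ALERT", alert)
```

With the sample data, the scheduled task created by a different account and the enumeration on a different host still raise alerts.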

