This alert triggers when a user is added to a privileged group such as Domain Admins. This is an unusual event and it may indicate a malicious actor attempting to escalate

Windows event ID 1102 is logged whenever the Security log is cleared, regardless of the status of the Audit System Events audit policy. The Account Name and Domain Name fields identify the user who cleared the log.
MITRE ATT&CK Tactics
Windows Security Event Log
Review the user accounts that have been added to the privileged domain groups and identify the account owners. Confirm whether the request is valid.
If not, disable the accounts immediately and start an investigation to discover how the accounts were used in your organization.
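
The review step above can be scripted over exported Security-log events. The following is an added example, not part of the original alert definition: it flags additions to privileged groups and Security log clears (event ID 1102) and reports who performed each. It assumes events are already exported as flat dictionaries, that member-added events use the standard IDs 4728, 4732 and 4756 (not named on this page), and that the group list is adjusted locally; all sample records are constructed.

```python
# Assumption: groups treated as privileged; adjust for your organization.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Member added to a security-enabled global (4728), local (4732), universal (4756) group.
MEMBER_ADDED_IDS = {4728, 4732, 4756}
LOG_CLEARED_ID = 1102


def triage(events):
    """Return findings for privileged-group additions and Security log clears."""
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        actor = ev.get("SubjectDomainName", "?") + "\\" + ev.get("SubjectUserName", "?")
        if ev["EventID"] in MEMBER_ADDED_IDS:
            group = ev.get("TargetUserName", "")
            if group.lower() not in PRIVILEGED_GROUPS:
                continue
            # Local-group events may carry "-" as MemberName; fall back to the SID.
            member = ev.get("MemberName")
            if member in (None, "", "-"):
                member = ev.get("MemberSid", "?")
            findings.append({"type": "privileged_group_add", "time": ev["TimeCreated"],
                             "group": group, "member": member, "added_by": actor})
        elif ev["EventID"] == LOG_CLEARED_ID:
            findings.append({"type": "security_log_cleared", "time": ev["TimeCreated"],
                             "cleared_by": actor})
    return findings


# Constructed sample events; field names follow the Windows event schema.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-10T09:05:00Z", "EventID": 1102,
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
    {"TimeCreated": "2024-01-10T09:00:00Z", "EventID": 4728,
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=tmp-admin,CN=Users,DC=corp,DC=example",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"TimeCreated": "2024-01-10T09:01:00Z", "EventID": 4728,
     "SubjectDomainName": "CORP", "SubjectUserName": "hr-sync",
     "TargetUserName": "Helpdesk", "MemberName": "CN=new-hire,CN=Users,DC=corp,DC=example"},
    {"TimeCreated": "2024-01-10T09:02:00Z", "EventID": 4732,
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "-",
     "MemberSid": "S-1-5-21-1111-2222-3333-1106"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each `privileged_group_add` finding gives the account to review and the account that made the change; a `security_log_cleared` finding from the same actor shortly afterwards is worth raising in the same investigation.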