Once you have determined that this is a bona fide incident, the next steps focus on determining how an attacker was able to modify the system configuration.
Such a modification is generally a post-compromise technique used to maintain access to the compromised systems.
Check Incident Explorer for additional incidents, such as hijacked processes.
Review additional runtime audits for the source to see if there are other clues.