After validating that this is a security incident, the next step is determining how an attacker was able to modify the system configuration.
Such a modification is generally a post-compromise technique used to maintain access to the compromised systems.
Check Incident Explorer for other potentially related incidents, such as hijacked processes.
Review additional runtime audits for the source to see if there are other clues.