Query Details

Active Directory - Sensitive Group Membership Changes

AD Sensitive Group Changes

Query

// Monitor Active Directory sensitive Group Membership changes
// Active Directory, sensitive groups
let SensitiveGroups = dynamic(["Administrators","Power Users","Account Operators" ,"Server Operators","Print Operators","Backup Operators","Replicators","Network Configuration Operators","Incoming Forest Trust Builders",
"Domain Admins","Domain Controllers","Group Policy Creator Owners","read-only Domain Controllers","Enterprise Read-only Domain Controllers","Enterprise Admins","Schema Admins","Microsoft Exchange Servers"
"Remote Desktop Users","Remote Management Users","DnsAdmins","Protected Users"]);
// Active Directory, custom sensitive groups
let customSensitiveGroups = dynamic(["NLAdmins"]);
IdentityDirectoryEvents 
| where Timestamp > ago (2h)
| where ActionType == "Group Membership changed"
| extend Actor = tostring(AdditionalFields ['ACTOR.ACCOUNT'])
| extend ActorUpn = AccountUpn 
| extend TargetObjectIdentity = iff(AdditionalFields contains "TARGET_OBJECT.USER",AdditionalFields['TARGET_OBJECT.USER'],iff(AdditionalFields contains "TARGET_OBJECT.GROUP",AdditionalFields['TARGET_OBJECT.GROUP'],"undefined"))
| extend TargetObjectType = iff(AdditionalFields contains "TARGET_OBJECT.USER","User",iff(AdditionalFields contains "TARGET_OBJECT.GROUP","Group","undefined"))
| extend Operation = iff(AdditionalFields contains "TO.GROUP","Add",iff(AdditionalFields contains "FROM.GROUP","Remove","Undefined"))
| extend ChangedGroup = iff(Operation == "Add", AdditionalFields['TO.GROUP'],iff(Operation == "Remove", AdditionalFields['FROM.GROUP'],"Undefined"))
| extend IsSensitive = iff( ChangedGroup in (SensitiveGroups) or ChangedGroup in (customSensitiveGroups),"1","0")
| join kind= leftouter(IdentityInfo 
| distinct AccountObjectId , AccountUpn, IsAccountEnabled, CloudSid )
on $left. TargetAccountUpn == $right. AccountUpn 
| extend AccountUpn = AccountUpn1 
| extend AccountSid  = CloudSid 
| extend AccountObjectId = AccountObjectId1 
| sort by Timestamp 
| where IsSensitive == "1" 
| project Timestamp , ActionType,Operation, ChangedGroup,Actor, ActorUpn,LegitActor, TargetObjectIdentity,TargetAccountUpn, AccountUpn, AccountObjectId, AccountSid,TargetAccountDisplayName, IsAccountEnabled , TargetObjectType  , IsSensitive, DestinationDeviceName, ReportId

About this query

Active Directory - Sensitive Group Membership Changes

Query Information

Description

Use the below query to monitor Active Directory sensitive group changes

References

Microsoft 365 Defender

Explanation

This KQL query is designed to monitor changes in membership for sensitive groups within Active Directory. Here's a simplified breakdown of what the query does:

  1. Define Sensitive Groups: The query starts by defining a list of sensitive groups, such as "Administrators", "Domain Admins", and other critical groups that require monitoring. It also includes a custom group called "NLAdmins".

  2. Filter Events: It looks at events from the IdentityDirectoryEvents table that have occurred in the last 2 hours (Timestamp > ago(2h)) and specifically filters for events where the action type is "Group Membership changed".

  3. Extract Information: The query extracts various pieces of information from the events, such as:

    • The actor who made the change.
    • The target object (user or group) whose membership was changed.
    • The type of operation (whether a user was added to or removed from a group).
    • The group that was changed.
  4. Identify Sensitive Changes: It checks if the changed group is one of the predefined sensitive groups. If it is, it marks the change as sensitive.

  5. Join with Identity Information: The query joins the results with the IdentityInfo table to get additional details about the accounts involved, such as their unique identifiers and whether the account is enabled.

  6. Filter and Sort: It filters the results to only include changes that are marked as sensitive and sorts them by the timestamp.

  7. Project Results: Finally, it selects specific columns to display in the output, providing a clear view of the sensitive group membership changes, including details about the actor, the operation, and the target.

Overall, this query helps administrators monitor and review changes to critical group memberships in Active Directory, ensuring that any unauthorized or suspicious changes can be quickly identified and investigated.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

IdentityDirectoryEventsIdentityInfo

Keywords

ActiveDirectorySensitiveGroupMembershipChangesIdentityEventsUserAccountObjectDeviceReport

Operators

letdynamicagowhereextendtostringiffinjoinkinddistinctonsort byproject

Actions

GitHub