Query Details

Function AD Group Changes

Query

// Save as a function in your workspace, then invoke it by name, i.e. if you save it as ADGroupChanges:
// ADGroupChanges | where TimeGenerated > ago(1d) | where Action == "Add" and GroupName == "TestGroup1" // finds all group additions to "TestGroup1"
// ADGroupChanges | where TimeGenerated > ago(1d) | where Action == "Remove" and Actor == "User1" // finds all group removals performed by "User1"
// This parses the SecurityEvent log for any group additions or removals.
SecurityEvent
| project
    TimeGenerated,
    EventID,
    AccountType,
    MemberName,
    SubjectUserName,
    TargetUserName,
    Activity,
    MemberSid
// 4728/4729 = global group, 4732/4733 = local group, 4756/4757 = universal group (member added/removed)
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
// MemberName is the member's distinguished name; keep the CN value and drop the rest
| parse MemberName with * 'CN=' Subject ',OU=' *
// EventID is an int, so compare against int literals (same types as the filter above)
| extend Action = case(EventID in (4728, 4756, 4732), strcat("Add"),
    EventID in (4729, 4757, 4733), strcat("Remove"), "unknown")
| project
    TimeGenerated,
    Action,
    AccountType,
    Actor=SubjectUserName,
    Subject,
    GroupName=TargetUserName,
    Activity

Explanation

This query searches the SecurityEvent log for group additions or removals. It first projects the fields it needs (TimeGenerated, EventID, AccountType, MemberName, SubjectUserName, TargetUserName, Activity and MemberSid), then keeps only the EventIDs that record group membership changes: 4728/4729 for global groups, 4732/4733 for local groups and 4756/4757 for universal groups. It parses the member's distinguished name in MemberName to extract the CN value as Subject; the OU and the rest of the DN are discarded. Note that the parse is anchored on ',OU=', so a member that sits in a container rather than an OU (for example the default CN=Users container) will come back with an empty Subject. The Action column is derived from the EventID ("Add", "Remove" or "unknown"), and the final project renames SubjectUserName to Actor (who made the change) and TargetUserName to GroupName (the group that was changed).
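The following is an added variant of the query above, not part of the original page or the author's function: it keeps the same event classification but takes Subject from the first RDN with extract(), so members in a container such as CN=Users are not left with an empty Subject, and then summarizes additions per actor and group. The group names and the 1-day window are constructed illustrative values.

```kql
// Added example; same EventID classification as the saved function above.
// extract() on the leading "CN=" handles both OU-based and container-based DNs,
// e.g. CN=jdoe,OU=Staff,DC=contoso,DC=com and CN=jdoe,CN=Users,DC=contoso,DC=com.
// RDNs containing an escaped comma (\,) are not handled by this simple pattern.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| extend Subject = extract(@"^CN=([^,]+)", 1, MemberName)
| extend Action = case(EventID in (4728, 4732, 4756), "Add",
                       EventID in (4729, 4733, 4757), "Remove", "unknown")
| project TimeGenerated, Action, Actor = SubjectUserName, Subject,
          GroupName = TargetUserName, MemberSid
// Constructed group names: review who added members to sensitive groups
| where Action == "Add" and GroupName in ("Domain Admins", "Enterprise Admins")
| summarize Additions = count(),
            Members = make_set(Subject),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Actor, GroupName
| order by Additions desc
```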

Details


Matt Zorich

Released: April 22, 2022

Tables

SecurityEvent

Keywords

SecurityEvent,TimeGenerated,EventID,AccountType,MemberName,SubjectUserName,TargetUserName,Activity,MemberSid,Action,Actor,Subject,GroupName

Operators

where, project, in, parse, extend, case, strcat
