AD Group Additions
MDI AD Group Additions
Query
let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)About this query
AD Group Additions
Query Information
Description
This query can be used to list all Active Directory group additions. The query uses 2 variables as input, the Group names on which you want to search and the timeframe used for the search. This could help in your investigation by knowing if accounts have been added to high priviliged groups in order for them to have more privileges.
References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table?view=o365-worldwide
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-default-user-accounts
Defender XDR
Sentinel
let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)
Explanation
This query is designed to help you monitor changes in Active Directory group memberships, specifically focusing on additions to certain high-privilege groups. Here's a simple breakdown:
-
Purpose: The query identifies when users are added to specific Active Directory groups, which could indicate an increase in their privileges.
-
Inputs:
- Groups: A list of sensitive or high-privilege groups you want to monitor (e.g., 'Domain Admins').
- SearchWindow: The time frame for the search (e.g., the last 48 hours).
-
Process:
- The query checks for events where group memberships have changed within the specified time frame.
- It extracts and lists the group to which a user was added and who initiated the addition.
-
Output:
- The query results show which users were added to the specified groups and who added them, helping you identify potential unauthorized privilege escalations.
This query is useful for security investigations, allowing you to track and respond to changes in group memberships that could affect your organization's security posture.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators