Query Details

Security Event Daily Summary of Group Additions

Query

// Create a daily report of users being added to on-premises Active Directory groups, summarized by group name

// Data connector required for this query: Windows Security Events via AMA, or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(7d)
| where AccountType == "User"
// Member-added events for security-enabled and distribution groups (local, global and universal scope)
| where EventID in (4728, 4732, 4756, 4761, 4746, 4751)
| project TimeGenerated, MemberName, ['Group Name']=TargetUserName, EventID
// MemberName is a distinguished name such as CN=Jane Doe,OU=Users,DC=contoso,DC=com; keep the CN part
| parse MemberName with * 'CN=' UserAdded ',' *
| summarize UsersAdded=make_set(UserAdded) by ['Group Name'], startofday(TimeGenerated)
| sort by ['Group Name'] asc, TimeGenerated desc

Explanation

This query produces a daily report of users added to on-premises Active Directory groups, summarized by group name. It looks back seven days of SecurityEvent data, keeps only events for user accounts (AccountType == "User"), and filters to the member-added event IDs 4728, 4732, 4756, 4746, 4751 and 4761, which cover security-enabled and distribution groups of local, global and universal scope. It then projects the relevant fields, parses the CN= component out of MemberName to obtain the added user, summarizes the added users into a set per group name and per day (startofday), and sorts the results by group name and day.
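The following is an added example, not part of the original query or the author's catalog entry. It extends the same report so that each event ID is labelled with the group scope and type it represents, keeps the account that performed the addition (SubjectAccount), counts additions per group and day, and handles the case where MemberName is not a distinguished name (for example a bare SID), in which case the original parse step leaves UserAdded empty. The GroupEventTypes lookup table and the output column names are assumptions chosen for this example.

```kql
// Added example: daily AD group-addition report with group type labels,
// the adding account, and a fallback for non-DN MemberName values.
// Assumed helper table mapping the six member-added event IDs to group type.
let GroupEventTypes = datatable(EventID:int, GroupType:string) [
    4728, "Security-enabled global group",
    4732, "Security-enabled local group",
    4756, "Security-enabled universal group",
    4746, "Distribution local group",
    4751, "Distribution global group",
    4761, "Distribution universal group"
];
SecurityEvent
| where TimeGenerated > ago(7d)
| where AccountType == "User"
| where EventID in (4728, 4732, 4756, 4761, 4746, 4751)
// Attach the human-readable group type for each event ID
| lookup kind=leftouter GroupEventTypes on EventID
// Extract the CN from a distinguished name; leaves UserAdded empty when MemberName is not a DN
| parse MemberName with * 'CN=' UserAdded ',' *
// Fall back to the raw MemberName (often a SID) so no addition is silently dropped
| extend UserAdded = iif(isempty(UserAdded), MemberName, UserAdded)
| summarize UsersAdded = make_set(UserAdded),
            AddedBy = make_set(SubjectAccount),
            AdditionCount = count()
    by ['Group Name'] = TargetUserName, GroupType, Day = startofday(TimeGenerated)
| sort by ['Group Name'] asc, Day desc
```

The leftouter lookup keeps rows even if an event ID is missing from the helper table, and the isempty fallback makes it visible in the report when a member was added by SID rather than by resolvable name, which is worth reviewing rather than hiding.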

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, AccountType, EventID, MemberName, TargetUserName, CN, UserAdded, GroupName

Operators

where, ago, ==, in, project, parse, summarize, make_set, by, sort
