KQL Search

Query Details

HomeAI ToolsDevice Query

Sensitive Group Modification

Query

let SensitiveGroupNames = pack_array(  // Add any groups that you consider sensitive
    'Account Operators',
    'Administrators',
    'Backup Operators',
    'Domain Admins', 
    'Domain Controllers',
    'Enterprise Admins',
    'Enterprise Read-only Domain Controllers',
    'Group Policy Creator Owners',
    'Incoming Forest Trust Builders',
    'Microsoft Exchange Servers',
    'Network Configuration Operators',
    'Power Users',
    'Print Operators',
    'Read-only Domain Controllers',
    'Replicators',
    'Schema Admins',
    'Server Operators'
);
IdentityDirectoryEvents
| where Application == "Active Directory"
| where ActionType == "Group Membership changed"
| where DestinationDeviceName != "" // Exclude activites coming AD Sync changes.
// filter on additions to sensitive groups
| extend ToGroup = tostring(parse_json(AdditionalFields).["TO.GROUP"]) // action is add entity to a group
| extend FromGroup = tostring(parse_json(AdditionalFields).["FROM.GROUP"]) // action is remove entity from a group
| extend Action = iff(isempty(ToGroup), "Remove", "Add")
| where Action == "Add"
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // group name that the action was taken on 
| where GroupModified in~ (SensitiveGroupNames)
// extract the user or group that was added
| extend TargetUser = tostring(parse_json(AdditionalFields).["TARGET_OBJECT.USER"])
| extend TargetGroup = tostring(parse_json(AdditionalFields).["TARGET_OBJECT.GROUP"])
| extend TargetName = iff(isempty(TargetGroup), TargetUser, TargetGroup)
| extend TargetType = iff(isempty(TargetGroup), "User", "Group")
// clean up
| distinct Timestamp, Action, GroupModified, TargetName, TargetType, Actor=AccountDisplayName, AccountSid, ReportId
| sort by Timestamp desc

Explanation

This query is looking for events in Active Directory where there is a change in group membership. It specifically focuses on additions to sensitive groups. It filters out activities related to AD Sync changes. The query extracts information about the group that was modified and the user or group that was added. It then cleans up the results and sorts them by timestamp in descending order.

Details

C.J. May profile picture

C.J. May

Released: May 18, 2023

Tables

IdentityDirectoryEvents

Keywords

SensitiveGroupNames,IdentityDirectoryEvents,Application,ActionType,DestinationDeviceName,AdditionalFields,TO.GROUP,FROM.GROUP,Action,Add,GroupModified,TargetUser,TargetGroup,TargetName,TargetType,Timestamp,Actor,AccountSid,ReportId

Operators

|,==,!=,tostring,parse_json,iff,isempty,in~,extend,distinct,sort by

Actions