Query Details

User Added To Privileged Group

Query

Use Case: Monitoring for group membership additions in Windows security event logs over the past week to detect potential unauthorized access or privilege escalation.

Query:

WindowsEvent
| where TimeGenerated > ago(7d)
| where Channel == 'Security'
| where EventId in (4728, 4732, 4756)

Explanation

The query searches the Windows Security event log records in the WindowsEvent table for the past seven days and keeps only the events that record a member being added to a security-enabled group: 4728 (global group), 4732 (local group) and 4756 (universal group). Reviewing these additions helps identify unauthorized access or privilege escalation, since an attacker who gains control of an account often adds it, or a new account, to an administrative group. The events also fire for routine, legitimate changes, so the results should be enriched with the acting account (SubjectUserName), the added member (MemberName) and the target group (TargetUserName) from EventData and prioritised by how privileged the group is.
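To show how the same filter behaves on actual records, here is an added Python example (not part of the original page or the author's query) that applies the query's logic to a handful of constructed rows shaped like WindowsEvent records: it keeps Security-channel events within a 7-day window whose EventId is 4728, 4732 or 4756, pulls the acting account, member and group out of EventData, and flags additions to a hypothetical watch-list of privileged groups. The watch-list, the sample rows and the field names read from EventData are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Event IDs matched by the query, with the group type each one reports on
# ("A member was added to a security-enabled ... group").
GROUP_ADD_EVENTS = {
    4728: "global",
    4732: "local",
    4756: "universal",
}

# Hypothetical watch-list of high-value groups (assumption: tune per environment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2024-02-03T10:15:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def group_membership_additions(events, now, lookback_days=7):
    """Mirror the KQL query: Security-channel events newer than `lookback_days`
    whose EventId is 4728, 4732 or 4756. Returns a list of normalised findings."""
    cutoff = now - timedelta(days=lookback_days)
    findings = []
    for ev in events:
        if ev.get("Channel") != "Security":
            continue
        if parse_time(ev["TimeGenerated"]) <= cutoff:
            continue
        event_id = int(ev["EventId"])
        if event_id not in GROUP_ADD_EVENTS:
            continue
        # EventData field names follow the Security log XML for these events (assumed here).
        data = ev.get("EventData", {})
        group = data.get("TargetUserName", "")
        findings.append({
            "time": ev["TimeGenerated"],
            "computer": ev.get("Computer", ""),
            "event_id": event_id,
            "group_type": GROUP_ADD_EVENTS[event_id],
            "group": group,
            "member": data.get("MemberName", ""),
            "added_by": data.get("SubjectUserName", ""),
            "privileged": group in PRIVILEGED_GROUPS,
        })
    return findings


# Constructed sample rows shaped like WindowsEvent records; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-02-03T10:15:00Z", "Computer": "DC01", "Channel": "Security",
     "EventId": 4728, "EventData": {"SubjectUserName": "jdoe",
                                    "MemberName": "CN=Eve,OU=Users,DC=corp,DC=local",
                                    "TargetUserName": "Domain Admins"}},
    {"TimeGenerated": "2024-02-02T08:00:00Z", "Computer": "WS07", "Channel": "Security",
     "EventId": 4732, "EventData": {"SubjectUserName": "helpdesk", "MemberName": "CORP\\bob",
                                    "TargetUserName": "Remote Desktop Users"}},
    # A logon event: right channel, wrong EventId, must be ignored.
    {"TimeGenerated": "2024-02-01T12:00:00Z", "Computer": "DC01", "Channel": "Security",
     "EventId": 4624, "EventData": {"TargetUserName": "jdoe"}},
    # A matching event that is older than the 7-day window, must be ignored.
    {"TimeGenerated": "2024-01-20T09:30:00Z", "Computer": "DC01", "Channel": "Security",
     "EventId": 4756, "EventData": {"SubjectUserName": "admin",
                                    "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local",
                                    "TargetUserName": "Enterprise Admins"}},
    # Same EventId on a different channel, must be ignored.
    {"TimeGenerated": "2024-02-03T11:00:00Z", "Computer": "DC01", "Channel": "System",
     "EventId": 4728, "EventData": {}},
]

# Fixed "now" so the window is reproducible (the page's release date).
NOW = datetime(2024, 2, 4, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in group_membership_additions(SAMPLE_EVENTS, NOW):
        flag = "PRIVILEGED" if f["privileged"] else "review"
        print(f"{f['time']} {f['computer']} {f['event_id']} ({f['group_type']}) "
              f"{f['added_by']} added {f['member']} to '{f['group']}' [{flag}]")
```

Running it yields two findings: the Domain Admins addition is flagged as privileged, the Remote Desktop Users addition is left for review, and the logon, the out-of-window event and the System-channel event are dropped, which is the same triage the KQL query performs before an analyst looks at the rows.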

Details


Ugur Koc

Released: February 4, 2024

Tables

WindowsEvent

Keywords

WindowsEvent, Security, EventId

Operators

|, where, ago, ==, in
