Query Details

User Added To Sensitive Group

Query

let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (SensitiveGroups)

About this query

Explanation

This query is designed to detect when a user is added to a sensitive group within an organization's directory, which could indicate a potential security threat. Here's a simple breakdown of what the query does:

  1. Sensitive Groups List: It starts by defining a list of sensitive groups, such as 'Domain Admins', 'Enterprise Admins', and 'Exchange Admins'. These groups typically have high-level privileges in a network.

  2. Data Source: The query looks at events from the IdentityDirectoryEvents table, which logs changes in group memberships.

  3. Time Frame: It filters events from the last 30 days.

  4. Action Type: It specifically looks for events where the action type is "Group Membership changed", indicating that a user was added to a group.

  5. Extracting Information: It extracts the group to which the user was added and the account that initiated the addition.

  6. Filtering: The query then checks if the group involved in the change is one of the sensitive groups listed.

  7. Purpose: The goal is to identify any unauthorized or suspicious additions to these high-privilege groups, which could be a sign of an attacker trying to gain elevated access.

In summary, this query helps detect potential security breaches by monitoring for unauthorized additions to critical security groups within an organization's network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEventsGroupMembershipAccount

Operators

letdynamic//|where>ago==extendparse_json.[]project-reorderhas_any

MITRE Techniques

Actions

GitHub