User Added To Sensitive Group
Query
let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (SensitiveGroups)About this query
Explanation
This query is designed to detect when a user is added to a sensitive group within an organization's directory, which could indicate a potential security threat. Here's a simple breakdown of what the query does:
-
Sensitive Groups List: It starts by defining a list of sensitive groups, such as 'Domain Admins', 'Enterprise Admins', and 'Exchange Admins'. These groups typically have high-level privileges in a network.
-
Data Source: The query looks at events from the
IdentityDirectoryEventstable, which logs changes in group memberships. -
Time Frame: It filters events from the last 30 days.
-
Action Type: It specifically looks for events where the action type is "Group Membership changed", indicating that a user was added to a group.
-
Extracting Information: It extracts the group to which the user was added and the account that initiated the addition.
-
Filtering: The query then checks if the group involved in the change is one of the sensitive groups listed.
-
Purpose: The goal is to identify any unauthorized or suspicious additions to these high-privilege groups, which could be a sign of an attacker trying to gain elevated access.
In summary, this query helps detect potential security breaches by monitoring for unauthorized additions to critical security groups within an organization's network.
