Active Directory Group Additions Tracking with KQL Queries
Active Directory group additions are critical events that may indicate privilege escalations or unauthorized access. Using KQL queries, you can effectively track these changes by specifying group names and time frames to pinpoint when accounts are added to sensitive groups. This method provides clear insight into group membership modifications, aiding proactive investigation and security monitoring.
Risk
Unauthorized additions to privileged Active Directory groups can lead to serious security breaches, including data theft, lateral movement, and system compromise. Detecting these changes promptly minimizes the risk of privilege abuse and helps maintain organizational security posture.
Query
Microsoft Defender For Endpoint
let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)
Microsoft Sentinel
let Groups = dynamic(['Domain Admins', 'GroupName2']); // Add your sensitive groups to this list
let SearchWindow = 48h; //Customizable h = hours, d = days
IdentityDirectoryEvents
| where Timestamp > (now() - SearchWindow)
| where ActionType == "Group Membership changed"
| extend Group = parse_json(AdditionalFields).['TO.GROUP']
| extend GroupAdditionInitiatedBy = parse_json(AdditionalFields).['ACTOR.ACCOUNT']
| project-reorder Group, GroupAdditionInitiatedBy
| where Group has_any (Groups)
The KQL scripts uses two main variables: the sensitive group list and the search time window. It queries the IdentityDirectoryEvents table for “Group Membership changed” events and extracts the target group and the user who initiated the addition.