Query Azure Sentinel Send To Show Daily Group Changes

If you are responsible for account management and IT security in general, tracking group changes in Active Directory is very important. I feel it is a good way to detect whether a malicious attacker is in your network. Finally, it helps to ensure that your change control program is being followed.

In this blog post I will share with you the query you can use to obtain a daily report on Active Directory Group changes.

You will need to make sure that your Domain Controllers are sending log data to Azure Sentinel. This article discussed how to connect your Domain Controllers to Sentinel.

The query you will want to run is below.

SecurityEvent
// The empty string below is a placeholder: put a group name inside the quotes to limit
// the report to that group, or drop the clause to report on every group.
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757) and TargetAccount contains "" and TimeGenerated > ago(24h)
| project TimeGenerated, Account, Computer, TargetAccount, Activity, MemberName

You will be querying the security event log for the event IDs that are related to group membership changes: 4728/4729 (member added to/removed from a security-enabled global group), 4732/4733 (security-enabled local group) and 4756/4757 (security-enabled universal group). Note that these IDs cover security-enabled groups only; membership changes to distribution (security-disabled) groups are logged as 4746/4747, 4751/4752 and 4761/4762, so add those if you want them in the report as well.
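As an added example (not a query from the original post), the same search can be extended so the daily report labels each event with its group scope and action and adds a per-group count, instead of leaving the reader to decode EventIDs. It uses the SecurityEvent columns named above; the GroupScope and Action labels are my own.

```kusto
// Map each group-change EventID to a readable scope and action.
let GroupChangeEvents = datatable(EventID:int, GroupScope:string, Action:string)
[
    4728, "Global",    "Member added",
    4729, "Global",    "Member removed",
    4732, "Local",     "Member added",
    4733, "Local",     "Member removed",
    4756, "Universal", "Member added",
    4757, "Universal", "Member removed"
];
// Group-membership changes from the last 24 hours, labelled via the lookup table.
let Changes = SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
    | join kind=inner GroupChangeEvents on EventID
    | project TimeGenerated, Computer, ChangedBy=Account, TargetAccount,
              GroupScope, Action, MemberName;
// Per-group summary for the daily report: how many changes, how many adds/removes,
// and which accounts made them (a large operator set on a sensitive group is worth a look).
Changes
| summarize Changes=count(),
            Added=countif(Action == "Member added"),
            Removed=countif(Action == "Member removed"),
            Operators=make_set(ChangedBy)
  by TargetAccount, GroupScope
| order by Changes desc
```

Replace the final summarize with `Changes | order by TimeGenerated desc` if the report should list every individual change instead of the per-group totals.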

You can then use an automation playbook to send a daily report of those group changes to your email or Teams. I will discuss how to set up an automation playbook in another blog post.

I hope this helps with your IT security and change control program.

TBJ Consulting