Forum Discussion
Fatspiderman
Dec 07, 2021 (Copper Contributor)
Security Event 4732 and 4733 is missing details
Sentinel gets security events 4732 and 4733, but it's missing which users/groups get added or removed from the endpoints. The security logs are not detailed when I checked the event viewer. Am I miss...
stevosec
Dec 09, 2021 (Copper Contributor)
I have been running into this too and have been unable to find a solution, besides maybe adding automation to query the memberSID that actually is in the EventData and appending that to an email alert.
I can see the User/Group being added from the General Tab, but I do not see it in the Details view, which is probably why Sentinel doesn't see it. This also only seems to happen to local groups like Builtin\Administrators. For events related to security groups that are part of our domain I do get an actual value in the Member field.
Fatspiderman
Dec 10, 2021 (Copper Contributor)
stevosec, yes, it's only happening to all local groups.
I have to find a way to do the automation to query the member SID. I'm still new to Microsoft Sentinel. Thank you.
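
The following query is an added example, not posted by either participant in this thread. It sketches the SID lookup discussed above inside Sentinel itself: when the Member field of a 4732/4733 event is `-`, the MemberSid is resolved against account-creation events (4720) from the same computer and against the IdentityInfo table. It assumes 4720 events are also collected into SecurityEvent and that UEBA is enabled so IdentityInfo is populated; the two time windows are constructed values.

```kql
// Added example. Assumptions: SecurityEvent also receives 4720 (account created)
// events, and UEBA is enabled so the IdentityInfo table is populated.
let alertWindow = 1d;      // constructed value: match your rule's schedule
let resolveWindow = 90d;   // constructed value: how far back to look for SID -> name data
// Local accounts: map SID -> name using account-creation events on the same host.
let LocalAccounts = SecurityEvent
    | where TimeGenerated > ago(resolveWindow) and EventID == 4720
    | summarize arg_max(TimeGenerated, TargetUserName, TargetDomainName) by Computer, TargetSid
    | project Computer, MemberSid = TargetSid,
              LocalMember = strcat(TargetDomainName, "\\", TargetUserName);
// Domain accounts: map SID -> UPN using the UEBA identity table.
let DomainAccounts = IdentityInfo
    | where TimeGenerated > ago(resolveWindow)
    | summarize arg_max(TimeGenerated, AccountUPN) by AccountSID
    | project MemberSid = AccountSID, DomainMember = AccountUPN;
SecurityEvent
| where TimeGenerated > ago(alertWindow) and EventID in (4732, 4733)
| lookup kind=leftouter LocalAccounts on Computer, MemberSid
| lookup kind=leftouter DomainAccounts on MemberSid
// For local groups the logged MemberName is "-", so treat it as empty.
| extend Action = iff(EventID == 4732, "Added", "Removed"),
         LoggedName = iff(MemberName == "-", "", MemberName)
// coalesce() returns the first non-empty string; fall back to the raw SID
// so an unresolved member is still visible in the alert.
| extend Member = coalesce(LoggedName, LocalMember, DomainMember,
                           strcat("unresolved:", MemberSid))
| project TimeGenerated, Computer, Action,
          Group = strcat(TargetDomainName, "\\", TargetUserName),
          Member, MemberSid, ChangedBy = SubjectAccount
```

Members that still show as `unresolved:` are accounts created before the lookback window or never seen by either source; the raw SID remains in the output so it can be resolved on the endpoint.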