Defender for Identity

Contributor

I know Microsoft Defender for Identity has a report for 'Modifications to Sensitive Groups', but is there a way to get a list of entities in these sensitive groups? We're looking to compile a list for 'tagging' in the SIEM.

 

Manage sensitive or honeytoken accounts with Microsoft Defender for Identity | Microsoft Docs

 

Is there any way to get this list from Defender for Identity? Or would it be best to grab the ADModule and try some queries? We do have multiple forests and multiple domains.

 

Could KQL maybe do this? 

 

 

2 Replies
Not at the moment, but it is something we are planning to add (no ETA yet). The only thing you can do is query the "Group Membership Changed" activity in advanced hunting.
Got it, thank you for the reply!
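
The ActiveDirectory-module route raised in the question, as an added example that is not part of the thread and not Microsoft's code: it walks every domain of each listed forest, resolves nested membership of sensitive groups, and writes a flat CSV for SIEM tagging. Assumptions: the forest names are placeholders, the group list is a subset of the groups the Defender for Identity documentation treats as sensitive, and the account running it can read each forest.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder forest names, replace with your own.
$Forests = @('forest1.example', 'forest2.example')

# Assumption: subset of the default sensitive groups; extend to match your tenant.
$SensitiveGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Group Policy Creator Owners'
)

$results = foreach ($forestName in $Forests) {
    $forest = Get-ADForest -Identity $forestName
    foreach ($domain in $forest.Domains) {
        foreach ($groupName in $SensitiveGroups) {
            # Some groups (Enterprise Admins, Schema Admins) exist only in the forest root.
            $group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'" -Server $domain
            if (-not $group) { continue }
            try {
                # -Recursive returns leaf members, so nested groups are flattened.
                $members = Get-ADGroupMember -Identity $group -Recursive -Server $domain -ErrorAction Stop
            } catch {
                # Members from other forests can fail to resolve; record and move on.
                Write-Warning "Could not expand '$groupName' in ${domain}: $($_.Exception.Message)"
                continue
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    Forest         = $forest.Name
                    Domain         = $domain
                    SensitiveGroup = $groupName
                    SamAccountName = $m.SamAccountName
                    ObjectClass    = $m.objectClass
                    SID            = $m.SID.Value
                    DN             = $m.distinguishedName
                }
            }
        }
    }
}

# One row per (group, member); the SID is the stable key for SIEM tagging.
$results |
    Sort-Object Domain, SensitiveGroup, SID -Unique |
    Export-Csv -Path .\sensitive-group-members.csv -NoTypeInformation
```

The output is a point-in-time snapshot, so re-run it on a schedule or reconcile it against the "Group Membership Changed" activity mentioned in the reply.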