Nov 05 2021 11:43 AM
I know Microsoft Defender for Identity has a report for 'Modifications to Sensitive Groups' but is there a way to get a list of entities in these sensitive groups? We're looking to compile a list for 'tagging' in the SIEM.
Manage sensitive or honeytoken accounts with Microsoft Defender for Identity | Microsoft Docs
Is there anyway to get this list Defender for Identity? Or would it be best to grab the ADModule and try some queries? We do have multiple forests and multiple domains.
Could KQL maybe do this?
Nov 07 2021 01:32 AM