Alert when a group is added to a sensitive Active Directory group - Microsoft Tech Community
Hi everyone, it’s Gershon, back again with a follow-up to my last blog, where we tracked changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender. One of the questions I had from a customer after they read through the blog was “how can we be alerted directly when a group has been added to a sensitive group?”. This is a great question to focus on, as this scenario should not be commonplace in an established environment: nested group memberships in sensitive groups should not change after initial set-up. Additionally, adding a group to another group is a quick and easy way to add users to a sensitive group, so making sure it is highlighted quickly could stop an attacker from gaining persistence.
We will start by assuming that all the steps from my previous blog have been completed, so that we can already see all changes to the groups we defined as sensitive.
In this blog, we will take things further by:
- Updating the advanced hunting query to focus on groups that are added to a sensitive group.
- Validating that the query works as expected.
- Creating a custom detection policy based on the advanced query.
- Testing out the custom detection policy.
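To make the scenario above concrete before building the query, here is an added Python example (not from this blog or from Microsoft) that runs the same logic over constructed sample events: keep only group-membership additions whose target group is sensitive and whose added member is itself a group, not a user. The event shape (ActionType, an AdditionalFields JSON string with TO.GROUP, FROM.GROUP, TARGET_OBJECT.USER and TARGET_OBJECT.GROUP keys) is an assumption modelled on the IdentityDirectoryEvents table and is not taken from this page.

```python
import json

# Sensitive groups as defined in the previous blog; constructed sample list.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events shaped like IdentityDirectoryEvents rows (assumed schema,
# not from the page). Each carries an AdditionalFields JSON string as advanced hunting does.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-05-01T10:00:00Z", "ActionType": "Group Membership changed",
     "AccountName": "alice", "AdditionalFields": json.dumps(
         {"TO.GROUP": "Domain Admins", "TARGET_OBJECT.USER": "bob"})},       # user added: not a hit
    {"Timestamp": "2023-05-01T10:05:00Z", "ActionType": "Group Membership changed",
     "AccountName": "alice", "AdditionalFields": json.dumps(
         {"TO.GROUP": "Domain Admins", "TARGET_OBJECT.GROUP": "Helpdesk"})}, # group nested: hit
    {"Timestamp": "2023-05-01T10:06:00Z", "ActionType": "Group Membership changed",
     "AccountName": "carol", "AdditionalFields": json.dumps(
         {"TO.GROUP": "Printer Users", "TARGET_OBJECT.GROUP": "Helpdesk"})}, # non-sensitive target
    {"Timestamp": "2023-05-01T10:07:00Z", "ActionType": "Group Membership changed",
     "AccountName": "dave", "AdditionalFields": json.dumps(
         {"FROM.GROUP": "Domain Admins", "TARGET_OBJECT.GROUP": "Helpdesk"})}, # removal, not addition
]


def find_group_nesting_into_sensitive(events, sensitive=SENSITIVE_GROUPS):
    """Return one alert per event where a group (not a user) was added to a sensitive group."""
    alerts = []
    for ev in events:
        if ev.get("ActionType") != "Group Membership changed":
            continue
        fields = json.loads(ev.get("AdditionalFields") or "{}")
        to_group = fields.get("TO.GROUP")                # only additions carry TO.GROUP
        added_group = fields.get("TARGET_OBJECT.GROUP")  # present only when the member is a group
        # Exact-match comparison; normalise case here if your group names are not consistent.
        if to_group in sensitive and added_group:
            alerts.append({"Timestamp": ev["Timestamp"], "Actor": ev.get("AccountName"),
                           "SensitiveGroup": to_group, "AddedGroup": added_group})
    return alerts


if __name__ == "__main__":
    for alert in find_group_nesting_into_sensitive(SAMPLE_EVENTS):
        print(alert)
```

Only the second sample event is reported, which is the condition the custom detection built later in this blog is meant to fire on.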