In my role working with Defender for Identity (MDI) customers, I'm often asked if MDI can help them answer questions about activities taking place within the environment. MDI does have a lot of information around the activities taking place in Active Directory and now combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some these questions with ease and efficiency.
MDI tracks the changes made to Active Directory group memberships. These changes are recorded by MDI as an activity and are available in the Microsoft 365 Defender Advanced Hunting, IdentityDirectoryEvents. MDI records these changes from two different sources:
Tracking changes made to an entity by the Active Directory Update Sequence Number (USN). In the case of a group, MDI can see who has been added or removed from a group, but we don’t see the actor who made the change or which domain controller the change was made on.
In this blog we will show you how to build an Advanced Hunting query that captures group modification. Let’s start with a very basic script showing all the changes to a query that will show modifications to sensitive groups in your organization.