Microsoft Tech Community

New Blog Post | Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender

Microsoft



In my role working with Defender for Identity (MDI) customers, I'm often asked whether MDI can help them answer questions about activities taking place within the environment. MDI holds a lot of information about activity in Active Directory, and now, combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some of these questions with ease and efficiency.

 

MDI tracks changes made to Active Directory group memberships. Each change is recorded by MDI as an activity and surfaces in Microsoft 365 Defender Advanced Hunting in the IdentityDirectoryEvents table. MDI records these changes from two different sources:

 

  1. Tracking changes made to an entity through the Active Directory Update Sequence Number (USN). For a group, MDI can see who has been added to or removed from the group, but not the actor who made the change or the domain controller on which the change was made.
  2. Tracking changes to a group, including who performed the action. For this, MDI requires specific Windows security events to be recorded on the domain controllers and collected by the sensor. For the Windows events MDI requires, see https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection.

In this blog we will show you how to build an Advanced Hunting query that captures group modifications. Let's start with a very basic query that shows all group membership changes, then narrow it down to a query that shows only modifications to the sensitive groups in your organization.
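The query below is an added example written for this post, not the blog's own query. It filters IdentityDirectoryEvents down to membership changes on a watch-list of groups, works out whether the change was an add or a removal, and tags each row with which of the two sources above produced it, so a row with no actor reads as "USN tracking" rather than as an unexplained blank. It assumes that MDI places the new and old group names in AdditionalFields under the keys TO.GROUP and FROM.GROUP (assumed key names); the group list is a constructed stand-in for your organization's own sensitive groups.

```kql
// Added example, not the blog's own query.
// Assumes the Microsoft 365 Defender IdentityDirectoryEvents schema and that
// MDI stores the destination/source group of a membership change in
// AdditionalFields under "TO.GROUP" / "FROM.GROUP" (assumed key names).
// Replace the list below with the sensitive groups in your organization.
let SensitiveGroups = dynamic([
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "DnsAdmins"
]);
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Group Membership changed"
| extend Fields = parse_json(AdditionalFields)
| extend ToGroup   = tostring(Fields["TO.GROUP"]),
         FromGroup = tostring(Fields["FROM.GROUP"])
// An add populates TO.GROUP; a removal populates FROM.GROUP.
| extend Action        = iff(isempty(ToGroup), "Removed from", "Added to"),
         GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup)
| where GroupModified in~ (SensitiveGroups)
// Source 1 (USN tracking) carries neither actor nor DC; source 2 (DC security
// events) fills both. Label the row so missing event collection is visible
// instead of silently reading as "unknown actor".
| extend Source = iff(isempty(AccountName) and isempty(DestinationDeviceName),
                      "USN replication (no actor)", "DC security event")
| project Timestamp, Action, GroupModified,
          TargetAccount    = TargetAccountDisplayName,
          TargetUpn        = TargetAccountUpn,
          Actor            = AccountName,
          ActorDomain      = AccountDomain,
          DomainController = DestinationDeviceName,
          Source, ReportId
| sort by Timestamp desc
```

If every row in your tenant comes back tagged "USN replication (no actor)", the sensors are seeing the membership changes but the domain controllers are not forwarding the required security events, which is the configuration item the link above covers; the same filter with the Source label dropped is a reasonable starting point for a custom detection rule.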
