Track change on DC with Defender for Identity?

RT-7199 471 Reputation points
2023-04-25T21:59:27.9533333+00:00

We have 2016 Domain Controllers and auditing is enabled. We are trying to configure/deny read permission for members of a group over the Domain Admins group in Active Directory, but something is removing that change after some time.

I can find changes we make on the group in event ID 4662 by searching for the group name that is denied permission, but can't figure out what is reverting it.

We have the Microsoft Defender for Identity solution implemented on all our DCs. Can it help track what is reverting the changes? Thanks


1 answer

  1. Andrew Blumhardt 9,676 Reputation points Microsoft Employee
    2023-04-25T22:11:28.7833333+00:00

    MDI will alert on changes to sensitive groups. You should get alerts on changes to Domain Admins; it should be flagged sensitive by default. I don't think MDI can help specifically on what or who is reverting the change if that is not clear in the audit events. MDI can make you aware of other unusual activity or signs of persistence (if the concern is malicious activity).

    I am not clear on what RBAC is needed to modify the DA group. Possibly a GPO. Consider looking at other events and audit options. Recreate the activity manually to help identify an indicator. Consider the timing as a possible clue. https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview

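An added PowerShell example that is not part of the question or the answer above. It follows the answer's suggestion to look at more audit events and at timing: it pulls the 4662 and 5136 directory-service audit events that reference the group from the DC's Security log, extracts the subject account from the event XML, and annotates each event with the gap to the previous one so a fixed cadence stands out from ad hoc administrator activity. It assumes it is run elevated on a DC with the "Audit Directory Service Access" and "Audit Directory Service Changes" subcategories enabled; `$GroupName` and `$Days` are placeholders.

```powershell
# Added example, not from the original question or answer.
# Lists who changed a protected group's directory object and how far apart
# the changes are, using the DC's own Security log.
# Assumptions: run elevated on a 2016 DC with "Audit Directory Service Access"
# and "Audit Directory Service Changes" enabled; $GroupName is a placeholder.

param(
    [string]$GroupName = 'Domain Admins',   # placeholder: the group whose ACL keeps reverting
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 4662, 5136   # 4662: operation on an AD object; 5136: directory object modified
    StartTime = (Get-Date).AddDays(-$Days)
}

# The poster already matches 4662 by group name; the same match works for 5136,
# whose ObjectDN field carries the group's distinguished name.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($GroupName) }

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML instead of scraping the message text
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4662 carries an access mask (0x40000 = WRITE_DAC, i.e. an ACL change);
    # 5136 carries the attribute that changed (nTSecurityDescriptor for an ACL change).
    if ($e.Id -eq 4662) { $detail = $data['AccessMask'] }
    else                { $detail = $data['AttributeLDAPDisplayName'] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId = $data['SubjectLogonId']
        Detail  = $detail
    }
}

$rows = @($rows | Sort-Object Time)

# Annotate each event with the minutes since the previous one: ad hoc administrator
# activity is irregular, whereas a fixed interval points at a scheduled process.
$annotated = for ($i = 0; $i -lt $rows.Count; $i++) {
    if ($i -gt 0) {
        $gap = [math]::Round(($rows[$i].Time - $rows[$i - 1].Time).TotalMinutes, 1)
    } else {
        $gap = $null
    }
    $rows[$i] | Add-Member -NotePropertyName MinutesSincePrev -NotePropertyValue $gap -PassThru
}

$annotated | Format-Table Time, EventId, Subject, LogonId, Detail, MinutesSincePrev -AutoSize
```

Two things to read off the output. First, the Subject and LogonId columns tie a 5136 change of nTSecurityDescriptor to a specific account and logon session, which is the "who" the audit trail can actually give. Second, if the reverting events are attributed to the domain controller itself rather than to a named administrator and recur at a regular interval, the cause is a built-in process rather than a person; for members of the Domain Admins group the usual one is AdminSDHolder protection (SDProp), which periodically rewrites the security descriptor of protected groups and their members, so an ACL edit made directly on that group is expected to be undone.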