This is a KQL (Kusto Query Language) query written for Azure Sentinel.
Its purpose is to search the SecurityEvent table for Active Directory Domain Services event IDs related to group objects (group membership changes and group creation/deletion).
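// Group-object activity in AD DS: membership changes plus creation/deletion of
// security-enabled groups, taken from the Windows Security log (SecurityEvent).
// Output: one row per distinct (Action, group, initiator, domain, member, EventID)
// with the earliest time that combination was observed in the query window.
SecurityEvent
| where EventID in (
    4728, 4729, // member added to / removed from a security-enabled global group
    4732, 4733, // member added to / removed from a security-enabled local group
    4756, 4757, // member added to / removed from a security-enabled universal group
    4727, 4730, // security-enabled global group created / deleted
    4731, 4734, // security-enabled local group created / deleted
    4754, 4758  // security-enabled universal group created / deleted (previously missing; completes the scope-type coverage)
    )
| extend
    // Human-readable label for each event ID; keep this list in sync with the filter above.
    Action = case(
        EventID == 4728, "Added to Global Group",
        EventID == 4729, "Removed from Global Group",
        EventID == 4732, "Added to Local Group",
        EventID == 4733, "Removed from Local Group",
        EventID == 4756, "Added to Universal Group",
        EventID == 4757, "Removed from Universal Group",
        EventID == 4727, "Created a Security-Enabled Global Group",
        EventID == 4730, "Deleted a Security-Enabled Global Group",
        EventID == 4731, "Created a Security-Enabled Local Group",
        EventID == 4734, "Deleted a Security-Enabled Local Group",
        EventID == 4754, "Created a Security-Enabled Universal Group",
        EventID == 4758, "Deleted a Security-Enabled Universal Group",
        "Unknown Action" // unreachable while the filter and this list agree; kept as a safety net
    ),
    // SubjectUserName is the account that performed the change; AccountName is only a fallback
    // when the subject field is empty.
    Initiator = coalesce(tostring(SubjectUserName), tostring(AccountName), "Unknown Initiator")
| summarize
    FirstOccurrence = min(TimeGenerated)
    // MemberName is expected to be populated only for add/remove events; create/delete rows
    // will group on an empty member value.
    by Action, TargetGroup = TargetAccount, Initiator, Domain = TargetDomainName, MemberName, EventID
| project FirstOccurrence, Action, Initiator, Domain, TargetGroup, MemberName, EventID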