These queries show users who have been added to various security groups. There are several variants of this query, explained below.
Log Set: Active Directory Admin Activity
Event Source: Active Directory
User Added to Security Group
This query shows all users who have been added to a security group. The recommended visualization is a table; its "Count" column is the total number of matching events for each target user within the selected time range.
Note that you can change the groupby from target_user to source_user to show the accounts responsible for adding others to security groups, rather than the users who were added.
User Added to Administrator Group
This query uses a regular expression on the group name to find users who have been added to any group whose name contains "admin". Check whether the regex match is case-sensitive in your deployment: built-in groups such as "Domain Admins" are capitalised, so a case-sensitive match on "admin" would miss them.
where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group=/.*admin.*/) groupby(target_user)
Users Adding Others to an Administrator Group
By switching the groupby to source_user, the same filter produces a table of which accounts are adding other users to administrator groups:
where(action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group=/.*admin.*/) groupby(source_user)
Users Added to Security Group Trend over Time
To see a trend over time for users being added to security groups, use a count function, a timeline chart, and a longer time range to show the number of group additions over time:
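The following is an added example, not a query from this page or code from the product it documents. It reimplements the four variants above (filter on the add action, group by target_user, restrict to "admin" groups, group by source_user, and a per-day trend) in plain Python over constructed sample events so the logic can be checked offline. The field names action, group, source_user and target_user come from the page's queries; the timestamp field name and the sample values are assumptions.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (JSON lines) in the shape of the page's
# Active Directory Admin Activity fields. The "timestamp" field is an
# assumption; the page does not name the time field.
SAMPLE_LOG = """
{"timestamp": "2024-03-01T09:15:00Z", "action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "Domain Admins", "source_user": "alice", "target_user": "bob"}
{"timestamp": "2024-03-01T09:20:00Z", "action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "Helpdesk", "source_user": "alice", "target_user": "carol"}
{"timestamp": "2024-03-02T11:05:00Z", "action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "SQL-Admins", "source_user": "dave", "target_user": "bob"}
{"timestamp": "2024-03-02T14:30:00Z", "action": "MEMBER_REMOVED_FROM_SECURITY_GROUP", "group": "Domain Admins", "source_user": "alice", "target_user": "bob"}
{"timestamp": "2024-03-03T08:00:00Z", "action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "Finance", "source_user": "dave", "target_user": "erin"}
"""

ADD_ACTION = "MEMBER_ADDED_TO_SECURITY_GROUP"

# Equivalent of group=/.*admin.*/ . Matching case-insensitively is a
# deliberate choice here so that "Domain Admins" is caught; confirm what
# your query engine does before relying on the page's regex as written.
ADMIN_GROUP_RE = re.compile(r".*admin.*", re.IGNORECASE)


def parse_events(raw):
    """Parse JSON-lines text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def members_added(events, group_pattern=None):
    """where(action="MEMBER_ADDED_TO_SECURITY_GROUP" [AND group=/pattern/]).

    Removal events and other actions are dropped; if a compiled regex is
    given, only events whose group name matches it are kept.
    """
    kept = []
    for event in events:
        if event.get("action") != ADD_ACTION:
            continue
        if group_pattern and not group_pattern.search(event.get("group", "")):
            continue
        kept.append(event)
    return kept


def group_by(events, field):
    """groupby(field): number of matching events per distinct value,
    i.e. the "Count" column of the table visualization."""
    return dict(Counter(event[field] for event in events))


def trend_by_day(events):
    """Per-UTC-day counts, the data behind a timeline chart."""
    buckets = Counter()
    for event in events:
        ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        buckets[ts.astimezone(timezone.utc).date().isoformat()] += 1
    return dict(sorted(buckets.items()))


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    added = members_added(SAMPLE_EVENTS)
    print("added, by target_user:", group_by(added, "target_user"))
    admin_added = members_added(SAMPLE_EVENTS, ADMIN_GROUP_RE)
    print("added to admin groups, by target_user:", group_by(admin_added, "target_user"))
    print("added to admin groups, by source_user:", group_by(admin_added, "source_user"))
    print("trend per day:", trend_by_day(added))
```

Running the script shows the removal event being excluded from every variant, the same user (bob) counted twice because he was added to two admin groups, and the per-day buckets that a timeline chart would plot.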