Event ID 9007007 — User account added to local group

Provider: Defender-DeviceEvents
Channel: UserAccountAddedToLocalGroup

Description

User account added to local group

Fields #

Name	Description
`DeviceId`	—
`Timestamp`	—
`AccountName`	—
`AdditionalFields`	—

Detection Patterns #

Persistence: Account Manipulation

Defender-DeviceEvents Event ID 9007007: User account added to local group→Security-Auditing Event ID 4732: A member was added to a security-enabled local group.

1 rule

Kusto Query Language

Local Admin Group Changes (source)

References #

Microsoft Defender XDR — advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table