Hi. Trying to send out alerts if the “Administrators” group is modified on a workstation with the agent. Any idea if this can be accomplished with what is built in, or do I need to do a log shipper?
Hi @blombardo, I have built in the past a similar custom detection rule to get notified when a new account is added to the local Administrator group. In this case I used it to monitor on event ID 4732.
I used the logging.json file to collect more information from the workstation to get visibility on this event ID. I am not sure if this is still required.
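As an added illustration of the detection logic described in the reply above (this is example code, not part of the original thread or of any agent's built-in rules): the rule matches Windows Security event 4732 (member added to a security-enabled local group) and, since the question asks about any modification, also 4733 (member removed), and filters on the well-known Administrators SID S-1-5-32-544 rather than on the group name, which is localized and can differ between hosts. The EventData field names (TargetSid, MemberSid, MemberName, SubjectUserName, SubjectDomainName) are the ones Windows writes for these events; the flat one-dict-per-event shape and the sample records are constructed for the demo and do not represent any specific agent's schema. One caveat for the practitioner: whatever collection config is used, 4732/4733 are only written when the "Audit Security Group Management" subcategory is enabled on the workstation, so an empty result from a rule like this can mean the audit policy is off rather than that nothing changed.

```python
"""Flag local Administrators group membership changes from Windows Security
events 4732 (member added) and 4733 (member removed).

Added example, not code from the original thread. The event dicts below are
constructed to resemble the EventData fields Windows writes for these event
IDs; the flat-dict record shape is an assumption for the demo, not any
agent's schema.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Well-known SID of the built-in Administrators group. It is identical on every
# Windows host, so matching on TargetSid is more robust than matching the
# (localizable) group name.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Event IDs from the "Security Group Management" audit subcategory that cover
# local security-enabled group membership changes.
WATCHED_EVENT_IDS = {4732: "added to", 4733: "removed from"}


@dataclass(frozen=True)
class Alert:
    host: str
    event_id: int
    action: str
    member_sid: str
    member_name: str
    actor: str


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event is a membership change on Administrators."""
    event_id = event.get("EventID")
    if event_id not in WATCHED_EVENT_IDS:
        return None
    if event.get("TargetSid") != ADMINISTRATORS_SID:
        return None
    return Alert(
        host=event.get("Computer", "?"),
        event_id=event_id,
        action=WATCHED_EVENT_IDS[event_id],
        member_sid=event.get("MemberSid", "?"),
        # MemberName is frequently "-" in 4732/4733; the SID is the reliable field.
        member_name=event.get("MemberName", "-"),
        actor="{}\\{}".format(
            event.get("SubjectDomainName", "?"), event.get("SubjectUserName", "?")
        ),
    )


def run_detection(events: Iterable[dict]) -> List[Alert]:
    """Run the rule over a stream of events and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


def format_alert(alert: Alert) -> str:
    return (
        f"[{alert.host}] event {alert.event_id}: {alert.member_sid} "
        f"({alert.member_name}) {alert.action} Administrators by {alert.actor}"
    )


# Constructed sample events (not real log data). Hostname and account names are
# placeholders for the demo.
SAMPLE_EVENTS = [
    {  # should alert: a local account added to Administrators
        "EventID": 4732, "Computer": "WKS01", "TargetSid": ADMINISTRATORS_SID,
        "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1000-2000-3000-1105",
        "MemberName": "-", "SubjectUserName": "helpdesk", "SubjectDomainName": "WKS01",
    },
    {  # should not alert: a different local group (Remote Desktop Users)
        "EventID": 4732, "Computer": "WKS01", "TargetSid": "S-1-5-32-555",
        "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1000-2000-3000-1106",
        "MemberName": "-", "SubjectUserName": "helpdesk", "SubjectDomainName": "WKS01",
    },
    {  # should not alert: unrelated event ID (successful logon)
        "EventID": 4624, "Computer": "WKS01", "TargetUserName": "helpdesk",
    },
    {  # should alert: a member removed from Administrators
        "EventID": 4733, "Computer": "WKS01", "TargetSid": ADMINISTRATORS_SID,
        "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1000-2000-3000-1105",
        "MemberName": "-", "SubjectUserName": "Administrator", "SubjectDomainName": "WKS01",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Running the block prints one line each for the 4732 and 4733 records that target S-1-5-32-544 and stays silent for the other two; the same TargetSid/EventID predicate is what a rule in any log pipeline would express, whichever agent or shipper delivers the events.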