Local Admin Group Changes

I’m trying to find a way to detect the presence of Event ID 4732 (A member was added to a security-enabled local group) so that I can be alerted by IDR if someone is added to the Local Administrator Group. But, I cannot seem to find a log that would contain this information.

Any ideas on how to locate this information in InsightIDR?

This is not collected out of the box on regular workstations or servers. Only on Domain Controllers with a WMI AD event source configured will you have this visibility. See the events collected via the Insight Agent here: Insight Agents with InsightIDR | InsightIDR Documentation

For regular endpoints we have the logging.json feature, which enables you to collect the entire System, Security, and Application logs, as documented here: Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation

David

Use the built-in detection rule: “User Behavior - A Member Was Added To A Security-Enabled Local Group”.

Set it to Off by default, then create an exclusion that creates alerts and define the SID of the built-in admins group.
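To show what the two answers above amount to once the Security log is actually being collected, here is an added example (not part of this thread, and not Rapid7's or InsightIDR's own code). It parses a handful of constructed Windows Security event XML records, keeps only Event ID 4732, and matches the target group on its SID (S-1-5-32-544, the well-known SID of the built-in Administrators group) rather than on the group name, so a renamed Administrators group is still caught and a 4732 for some other local group is not. The sample records, account names and S-1-5-21-... SIDs are made up for the demonstration.

```python
"""Flag Event ID 4732 (member added to a security-enabled local group) when the
target group is the built-in Administrators group, matching on its well-known SID
rather than on the group name."""
import xml.etree.ElementTree as ET

# Windows event XML schema namespace used by exported/forwarded event records.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BUILTIN_ADMINS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
MEMBER_ADDED_LOCAL_GROUP = 4732       # 4728/4756 are the domain global/universal group variants


def parse_event(xml_text):
    """Return (event_id, {EventData Name: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVT_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return event_id, data


def local_admin_additions(records, admin_sid=BUILTIN_ADMINS_SID):
    """Return a summary for every 4732 whose TargetSid is the built-in Administrators SID.

    Matching on TargetSid (not TargetUserName) means a renamed Administrators
    group is still detected and other local groups are ignored."""
    hits = []
    for xml_text in records:
        event_id, d = parse_event(xml_text)
        if event_id != MEMBER_ADDED_LOCAL_GROUP:
            continue
        if d.get("TargetSid") != admin_sid:
            continue
        hits.append({
            "member_sid": d.get("MemberSid"),
            "member_name": d.get("MemberName"),
            "group_name": d.get("TargetUserName"),
            "actor": f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')}",
        })
    return hits


def _event(event_id, **data):
    """Build a minimal event XML record (constructed sample data, not a real log export)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Security</Channel></System><EventData>{fields}</EventData></Event>')


# Constructed sample records: hostnames, users and S-1-5-21-... SIDs are made up.
SAMPLE_RECORDS = [
    # 1. Added to the real built-in Administrators group: should alert.
    _event(4732, MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1105",
           TargetUserName="Administrators", TargetDomainName="Builtin",
           TargetSid="S-1-5-32-544", SubjectUserName="helpdesk", SubjectDomainName="WS01"),
    # 2. Added to Remote Desktop Users (S-1-5-32-555): a 4732, but not admin.
    _event(4732, MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1106",
           TargetUserName="Remote Desktop Users", TargetDomainName="Builtin",
           TargetSid="S-1-5-32-555", SubjectUserName="helpdesk", SubjectDomainName="WS01"),
    # 3. Administrators group renamed to "LocalAdmins": same SID, still alerts.
    _event(4732, MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1107",
           TargetUserName="LocalAdmins", TargetDomainName="Builtin",
           TargetSid="S-1-5-32-544", SubjectUserName="svc-deploy", SubjectDomainName="WS02"),
    # 4. Domain global group change (4728) on a DC: a different event, not in scope here.
    _event(4728, MemberName="-", MemberSid="S-1-5-21-1111-2222-3333-1108",
           TargetUserName="Domain Admins", TargetDomainName="CORP",
           TargetSid="S-1-5-21-1111-2222-3333-512", SubjectUserName="dadmin", SubjectDomainName="CORP"),
]


if __name__ == "__main__":
    for hit in local_admin_additions(SAMPLE_RECORDS):
        print(f"ALERT: {hit['actor']} added {hit['member_sid']} to {hit['group_name']}")
```

The point the second answer makes, that the rule should key on the SID of the built-in admins group, is what the `TargetSid` comparison does here: record 3 has no "Administrators" in its name and still fires, while record 2 is a 4732 that correctly stays quiet.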