SensitiveGroupModification.kusto

let SensitiveGroupNames = pack_array(  // Add any groups that you consider sensitive
    'Account Operators',
    'Administrators',
    'Backup Operators',
    'Domain Admins', 
    'Domain Controllers',
    'Enterprise Admins',
    'Enterprise Read-only Domain Controllers',
    'Group Policy Creator Owners',
    'Incoming Forest Trust Builders',
    'Microsoft Exchange Servers',
    'Network Configuration Operators',
    'Power Users',
    'Print Operators',
    'Read-only Domain Controllers',
    'Replicators',
    'Schema Admins',
    'Server Operators'
);
IdentityDirectoryEvents
| where Application == "Active Directory"
| where ActionType == "Group Membership changed"
| where DestinationDeviceName != "" // Exclude activites coming AD Sync changes.
// filter on additions to sensitive groups
| extend ToGroup = tostring(parse_json(AdditionalFields).["TO.GROUP"]) // action is add entity to a group
| extend FromGroup = tostring(parse_json(AdditionalFields).["FROM.GROUP"]) // action is remove entity from a group
| extend Action = iff(isempty(ToGroup), "Remove", "Add")
| where Action == "Add"
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // group name that the action was taken on 
| where GroupModified in~ (SensitiveGroupNames)
// extract the user or group that was added
| extend TargetUser = tostring(parse_json(AdditionalFields).["TARGET_OBJECT.USER"])
| extend TargetGroup = tostring(parse_json(AdditionalFields).["TARGET_OBJECT.GROUP"])
| extend TargetName = iff(isempty(TargetGroup), TargetUser, TargetGroup)
| extend TargetType = iff(isempty(TargetGroup), "User", "Group")
// clean up
| distinct Timestamp, Action, GroupModified, TargetName, TargetType, Actor=AccountDisplayName, AccountSid, ReportId
| sort by Timestamp desc