crowdstrike_cql
Active Directory Activity
Table of recent Active Directory activity including disabled, deleted and password reset events.
Detection Query
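name=ActiveDirectoryAudit*
// Translate the numeric ActiveDirectoryAuditActionType code into a readable label so the
// resulting table can be read without a lookup. The codes resemble bit flags (4, 8, 16, ...
// 512); a combined value would fall through to the default -- confirm against the event schema.
// The default is the quoted string "UNKNOWN": an unquoted name in this position is read as a
// field reference, so unmatched codes would otherwise not receive a label at all.
| setField(target="ActiveDirectoryAuditActionType",
    value=if(ActiveDirectoryAuditActionType == 4,   then="GROUP_MEMBER_ADDED",
       else=if(ActiveDirectoryAuditActionType == 0,   then="CREATED",
       else=if(ActiveDirectoryAuditActionType == 1,   then="DELETED",
       else=if(ActiveDirectoryAuditActionType == 2,   then="MODIFIED",
       else=if(ActiveDirectoryAuditActionType == 8,   then="GROUP_MEMBER_REMOVED",
       else=if(ActiveDirectoryAuditActionType == 16,  then="PASSWORD_CHANGE",
       else=if(ActiveDirectoryAuditActionType == 32,  then="PASSWORD_RESET",
       else=if(ActiveDirectoryAuditActionType == 64,  then="ENABLED",
       else=if(ActiveDirectoryAuditActionType == 128, then="DISABLED",
       else=if(ActiveDirectoryAuditActionType == 256, then="LOCKED",
       else=if(ActiveDirectoryAuditActionType == 512, then="UNLOCKED",
       else="UNKNOWN"))))))))))))
// One row per event: @timestamp in the key keeps each event in its own group, so the
// implicit _count is normally 1. groupBy has its own group limit; raise it with limit=
// if the table is truncated in a busy environment.
| groupBy([@timestamp, ActiveDirectoryAuditActionType, ComputerName, TargetDomainControllerHostName, DetectName, Severity, AddedPrivileges, GroupMemberAccountName, PerformedOnAccountName, PerformedByAccountObjectName])
// Newest events first; at most 20000 rows are returned.
| sort(@timestamp, limit=20000)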
Author
ByteRay GmbH
Data Sources
Identity
Tags
Monitoring, cs_module:Identity
Raw Content
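# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Active Directory Activity
# MITRE ATT&CK technique IDs (T1078 Valid Accounts, T1098 Account Manipulation).
mitre_ids:
- T1078
- T1098
# Description of what the query does and its purpose.
# Block scalar content must be indented under the key to be valid YAML.
description: |
  Table of recent Active Directory activity including disabled, deleted and password reset events.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Identity
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
cs_required_modules:
- Identity
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings; every line of the
# query is indented under the key, and `//` lines inside it are CQL comments, not YAML ones.
cql: |
  name=ActiveDirectoryAudit*
  // Translate the numeric ActiveDirectoryAuditActionType code into a readable label.
  // The codes resemble bit flags (4, 8, 16, ... 512); a combined value would fall through
  // to the default -- confirm against the event schema.
  // The default is the quoted string "UNKNOWN": an unquoted name in this position is read
  // as a field reference, so unmatched codes would otherwise not receive a label at all.
  | setField(target="ActiveDirectoryAuditActionType",
      value=if(ActiveDirectoryAuditActionType == 4,   then="GROUP_MEMBER_ADDED",
         else=if(ActiveDirectoryAuditActionType == 0,   then="CREATED",
         else=if(ActiveDirectoryAuditActionType == 1,   then="DELETED",
         else=if(ActiveDirectoryAuditActionType == 2,   then="MODIFIED",
         else=if(ActiveDirectoryAuditActionType == 8,   then="GROUP_MEMBER_REMOVED",
         else=if(ActiveDirectoryAuditActionType == 16,  then="PASSWORD_CHANGE",
         else=if(ActiveDirectoryAuditActionType == 32,  then="PASSWORD_RESET",
         else=if(ActiveDirectoryAuditActionType == 64,  then="ENABLED",
         else=if(ActiveDirectoryAuditActionType == 128, then="DISABLED",
         else=if(ActiveDirectoryAuditActionType == 256, then="LOCKED",
         else=if(ActiveDirectoryAuditActionType == 512, then="UNLOCKED",
         else="UNKNOWN"))))))))))))
  // One row per event: @timestamp in the key keeps each event in its own group, so the
  // implicit _count is normally 1. groupBy has its own group limit; raise it with limit=
  // if the table is truncated in a busy environment.
  | groupBy([@timestamp, ActiveDirectoryAuditActionType, ComputerName, TargetDomainControllerHostName, DetectName, Severity, AddedPrivileges, GroupMemberAccountName, PerformedOnAccountName, PerformedByAccountObjectName])
  // Newest events first; at most 20000 rows are returned.
  | sort(@timestamp, limit=20000)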