User Account Modification (d27b0089-2c39-4b6c-84ff-303e48657e77)
Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.
Data Collection Measures:
- Host-Based Logging
  - Windows Event Logs (Security log; these IDs are only written when the "Audit User Account Management" audit-policy subcategory is enabled)
    - Event ID 4738 – A user account was changed. The event lists every account attribute, with unchanged ones rendered as "-", so the modified attributes are the fields that carry a value.
    - Event ID 4725 – A user account was disabled.
    - Event ID 4724 – An attempt was made to reset an account's password. This is a reset performed by another principal; a user changing their own password logs Event ID 4723 instead.
    - Event ID 4767 – A user account was unlocked.
    - Group membership changes are recorded under the separate "Audit Security Group Management" subcategory (for example Event IDs 4728, 4732 and 4756 for a member added to a global, local or universal security group).
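Worked example for the Windows events above. It is added here and is not code from the ATT&CK page: it takes events the way a SIEM flattens them (EventID plus the EventData fields), reads the changed attributes out of a 4738 as everything not rendered "-", treats a 4724 as a reset by another principal, and correlates reset, unlock and sensitive-attribute changes by the same actor on the same target inside a time window. The account names, timestamps and attribute values are constructed, and the set of attributes treated as sensitive is this example's own choice.

```python
"""Triage of Windows account-management events for user account modification.

Added example for this data component; it is not code from the ATT&CK page.
The events below are constructed to mirror the EventData fields Windows writes
for IDs 4724, 4738 and 4767, flattened the way a SIEM agent presents them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4738 attributes whose change grants privilege or persistence (this example's
# selection). In the raw event every attribute is listed; unchanged ones are "-".
SENSITIVE_ATTRS = {
    "UserAccountControl",   # enable/disable, 'Password Not Required', pre-auth flags
    "AllowedToDelegateTo",  # constrained-delegation targets
    "SidHistory",           # foreign SIDs grant access without group membership
    "ScriptPath",           # logon script runs at the user's next logon
    "UserWorkstations",     # logon-workstation restrictions loosened
}
# Fields of a 4738 that identify actor/target rather than describe the change.
IDENTITY_FIELDS = {"EventID", "TimeCreated", "SubjectUserName", "SubjectDomainName",
                   "SubjectUserSid", "SubjectLogonId", "TargetUserName",
                   "TargetDomainName", "TargetSid", "PrivilegeList"}
# Tokens used for the actor/target correlation below.
TOKEN = {4724: "reset", 4725: "disable", 4767: "unlock"}


def changed_attributes(ev):
    """Return {attribute: new_value} for every 4738 attribute that is not '-'."""
    return {k: v for k, v in ev.items() if k not in IDENTITY_FIELDS and v != "-"}


def triage(events, window=timedelta(minutes=10)):
    """Return (finding, actor, target, detail) tuples, oldest event first."""
    findings = []
    history = defaultdict(list)  # (actor, target) -> [(timestamp, token)]
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        actor, target, eid = ev["SubjectUserName"], ev["TargetUserName"], ev["EventID"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        token = TOKEN.get(eid)
        if eid == 4738:
            hot = sorted(a for a in changed_attributes(ev) if a in SENSITIVE_ATTRS)
            if hot:
                token = "sensitive_change"
                findings.append(("sensitive_attribute_change", actor, target, hot))
        elif eid == 4724:
            # 4724 is always a reset by another principal: a user changing
            # their own password produces 4723, not 4724.
            findings.append(("password_reset_by_other", actor, target, []))
        elif eid == 4725:
            findings.append(("account_disabled", actor, target, []))
        if token is None:
            continue  # a 4738 touching only benign attributes, or an ID not handled
        hist = history[(actor, target)]
        hist.append((ts, token))
        recent = {tok for t, tok in hist if ts - t <= window}
        # Takeover chain: one actor resets a target's password and, within the
        # window, also unlocks it or changes a sensitive attribute.
        if actor != target and "reset" in recent and recent & {"unlock", "sensitive_change"}:
            findings.append(("takeover_chain", actor, target, sorted(recent)))
            hist.clear()  # report each chain once
    return findings


def _event(eid, when, actor, target, **changed):
    """Constructed event; for 4738 all attributes default to '-' like the real log."""
    ev = {"EventID": eid, "TimeCreated": when, "SubjectUserName": actor,
          "SubjectDomainName": "CORP", "TargetUserName": target, "TargetDomainName": "CORP"}
    if eid == 4738:
        ev.update({a: "-" for a in ("DisplayName", "HomeDirectory", "ScriptPath",
                                    "UserWorkstations", "PasswordLastSet",
                                    "UserAccountControl", "AllowedToDelegateTo",
                                    "SidHistory")})
    ev.update(changed)
    return ev


SAMPLE_EVENTS = [  # constructed sample data
    _event(4724, "2024-05-01T09:00:00", "helpdesk01", "jsmith"),
    _event(4738, "2024-05-01T09:00:01", "helpdesk01", "jsmith",
           PasswordLastSet="5/1/2024 9:00:01 AM"),  # benign side effect of the reset
    _event(4738, "2024-05-01T09:03:00", "svc-backup", "adm-dba",
           AllowedToDelegateTo="cifs/fileserver01.corp.local"),
    _event(4724, "2024-05-01T10:00:00", "jdoe", "adm-dba"),
    _event(4767, "2024-05-01T10:00:30", "jdoe", "adm-dba"),
    _event(4738, "2024-05-01T10:01:00", "jdoe", "adm-dba",
           UserAccountControl="'Don't Require Preauth' - Enabled"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The second 4738 in the sample is the one Windows writes alongside a password reset (only PasswordLastSet moves) and produces no finding, which keeps the correlation from firing on every routine helpdesk reset; the chain rule needs an unlock or a sensitive-attribute change on top of the reset.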
 
  - Linux/macOS Authentication Logs
    - /var/log/auth.log, /var/log/secure – Track account modifications made with usermod, chage and passwd, which report their changes through syslog. macOS does not write these files; the equivalent events are in the unified log (log show / log stream).
    - auditd – Monitors account changes made with useradd, usermod and gpasswd, which shadow-utils and PAM report as ADD_USER, USER_MGMT and USER_CHAUTHTOK records. Add file-watch rules (-w /etc/passwd -p wa -k identity, and likewise for /etc/shadow and /etc/group) to also catch direct edits that bypass those tools.
    - osquery – Queries the users table. The table carries no modification timestamp, so schedule the query and consume osquery's differential output (added/removed rows) to detect recent modifications.

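Worked example for the auditd entry above, added here and not taken from the ATT&CK page. It parses audit.log records, merges the key=value payload that USER_* records carry inside msg='...', groups the SYSCALL/CWD/PATH records of one event by their audit serial, and reports two things: account changes made through the shadow-utils tools, and writes to the watched identity files by a binary that is not one of those tools. The log lines are constructed in auditd's format, the watch rules they assume are the standard -w rules quoted in the docstring, and the list of expected tools is this example's own.

```python
"""Parse auditd records for account modifications on Linux.

Added example for this data component; not code from the ATT&CK page. The
log lines are constructed in the format auditd writes to /var/log/audit/audit.log
and assume these watch rules are loaded (standard auditctl syntax):
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/group  -p wa -k identity
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Record types shadow-utils and PAM emit for account changes.
ACCOUNT_TYPES = {"ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "ADD_GROUP", "DEL_GROUP"}
# Binaries expected to touch the identity files; anything else writing them is suspect.
EXPECTED_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/userdel",
                  "/usr/sbin/groupadd", "/usr/sbin/groupmod", "/usr/bin/passwd",
                  "/usr/bin/chage", "/usr/bin/gpasswd"}


def parse_record(line):
    """Return one audit record as a flat dict (msg='...' payload merged in), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in KV.findall(m["body"]):
        if key == "msg" and val.startswith("'"):
            # USER_* records carry their own key=value pairs inside msg='...'
            for k2, v2 in KV.findall(val.strip("'")):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def detect(lines, watch_key="identity"):
    """Group records by audit serial and return findings as dicts."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        for r in recs:
            if r["type"] in ACCOUNT_TYPES:
                findings.append({"serial": serial, "kind": "account_change", "record": r["type"],
                                 "exe": r.get("exe"), "auid": r.get("auid"),
                                 "target": r.get("acct") or r.get("id") or "?",
                                 "result": r.get("res")})
            elif r["type"] == "SYSCALL" and r.get("key") == watch_key and r.get("success") == "yes":
                # The PATH records of the same serial name the file(s) written.
                paths = sorted({p["name"] for p in recs
                                if p["type"] == "PATH" and p.get("nametype") != "PARENT"})
                exe = r.get("exe")
                kind = ("identity_file_write" if exe in EXPECTED_TOOLS
                        else "identity_file_write_unexpected_tool")
                findings.append({"serial": serial, "kind": kind, "record": "SYSCALL",
                                 "exe": exe, "auid": r.get("auid"),
                                 "target": ",".join(paths), "result": "success"})
    return findings


SAMPLE_AUDIT_LINES = [  # constructed sample records
    "type=ADD_USER msg=audit(1714554000.101:92): pid=2063 uid=0 auid=1000 ses=1 msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=USER_CHAUTHTOK msg=audit(1714554010.202:93): pid=2070 uid=0 auid=1000 ses=1 msg='op=PAM:chauthtok grantors=pam_unix acct=\"dbadmin\" exe=\"/usr/bin/passwd\" hostname=? addr=? terminal=pts/0 res=success'",
    "type=USER_MGMT msg=audit(1714554020.303:94): pid=2081 uid=0 auid=1000 ses=1 msg='op=add-user-to-group grp=\"sudo\" acct=\"jdoe\" exe=\"/usr/bin/gpasswd\" hostname=? addr=? terminal=pts/0 res=success'",
    # A direct edit of /etc/shadow with vim, caught by the -w rule (one event, four records).
    "type=SYSCALL msg=audit(1714554030.404:95): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1b2c0 a2=241 a3=1b6 items=2 ppid=2000 pid=2099 auid=1000 uid=0 gid=0 euid=0 ses=1 comm=\"vim\" exe=\"/usr/bin/vim\" key=\"identity\"",
    "type=CWD msg=audit(1714554030.404:95): cwd=\"/root\"",
    "type=PATH msg=audit(1714554030.404:95): item=0 name=\"/etc/\" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT",
    "type=PATH msg=audit(1714554030.404:95): item=1 name=\"/etc/shadow\" inode=131 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_AUDIT_LINES):
        print(f)
```

The auid (login UID) is the field to pivot on for attribution: it survives su and sudo, whereas uid=0 in all four sample records only says the change ran as root.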
- Cloud-Based Logging
  - Azure AD (Microsoft Entra ID) Logs
    - Azure AD Audit Logs – Track modifications to users and security groups (UserManagement and GroupManagement categories; activities such as "Update user" and "Add member to group").
    - Microsoft Graph API (successor to the deprecated Azure AD Graph API) – Exposes the same audit records together with authentication-method and MFA settings, so changes to authentication policies and to a user's registered methods can be collected.
 
  - AWS IAM & CloudTrail Logs (eventSource iam.amazonaws.com; IAM is a global service, so CloudTrail records these events in the us-east-1 region regardless of where the caller was)
    - UpdateUser, UpdateLoginProfile – Capture changes to IAM user attributes and console credentials (the IAM API has no ModifyUser call; the user-attribute operation is UpdateUser). CreateAccessKey and UpdateAccessKey cover programmatic credentials.
    - AttachUserPolicy, PutUserPolicy, AddUserToGroup – Detect policy and group modifications that change a user's effective permissions.
  - Google Workspace & Office 365 Logs
    - Google Admin Console (Admin audit log, also retrievable through the Admin SDK Reports API) – Logs account changes, role modifications, and group membership updates.
    - Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes.

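Worked example for the AWS IAM & CloudTrail entry above, added here and not taken from the ATT&CK page. It walks CloudTrail records, keeps only IAM events, and grades the user modifications a defender cares about: an admin-level managed policy attached to a user (worse when the actor attaches it to their own user), console passwords or access keys created for somebody else, plain attribute updates, and denied attempts, which are reported separately because they reveal intent. The records are constructed in CloudTrail's JSON layout; the account ID, user names and IP addresses are made up, and the severity labels and policy list are this example's own.

```python
"""Assess CloudTrail IAM events for risky user modifications.

Added example for this data component; not code from the ATT&CK page. The
records are constructed in CloudTrail's JSON layout (a log file is
{"Records": [...]}) with the fields these IAM API calls carry; the account ID,
names and IP addresses are made up.
"""
import json

# Managed policies whose attachment amounts to full account control.
ADMIN_POLICY_SUFFIXES = ("/AdministratorAccess", "/IAMFullAccess")
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
GRANT_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
ATTRIBUTE_EVENTS = {"UpdateUser"}


def actor_of(rec):
    """IAM users carry userName; assumed roles only an ARN (arn:aws:sts::...:assumed-role/...)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def assess(records):
    """Return one finding dict per IAM modification event (successful or denied)."""
    findings = []
    for rec in records:
        # IAM is global: these events arrive with awsRegion us-east-1 whatever the caller used.
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        name = rec["eventName"]
        params = rec.get("requestParameters") or {}
        actor, target = actor_of(rec), params.get("userName")
        if name in GRANT_EVENTS:
            policy = params.get("policyArn", "")
            if name == "AttachUserPolicy" and policy.endswith(ADMIN_POLICY_SUFFIXES):
                kind = "admin_policy_attached" + ("_to_self" if actor == target else "")
                severity = "high"
            else:
                kind, severity = "permission_grant", "medium"
        elif name in CREDENTIAL_EVENTS:
            # A console password or access key created for someone else is a
            # classic persistence step; on one's own user it is routine.
            if target and target != actor:
                kind, severity = "credential_issued_for_other_user", "medium"
            else:
                kind, severity = "own_credential_update", "low"
        elif name in ATTRIBUTE_EVENTS:
            kind, severity = "user_attribute_update", "low"
        else:
            continue
        if "errorCode" in rec:
            # A denied call still shows intent and often precedes a successful one.
            kind, severity = "denied_" + kind, "medium"
        findings.append({"eventName": name, "actor": actor, "target": target,
                         "finding": kind, "severity": severity,
                         "sourceIPAddress": rec.get("sourceIPAddress")})
    return findings


SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
  "requestParameters": {"userName": "deploy-bot", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
  "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "bob"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "UpdateLoginProfile", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "alice", "passwordResetRequired": false}, "sourceIPAddress": "203.0.113.9"},
 {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "AddUserToGroup", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-role/build-42"},
  "requestParameters": {"groupName": "Admins", "userName": "svc-ci"}, "sourceIPAddress": "198.51.100.7"},
 {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
  "eventName": "UpdateUser", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "bob", "newUserName": "bob-old"}, "sourceIPAddress": "203.0.113.9"},
 {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-1",
  "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "alice"}}
]}""")["Records"]

if __name__ == "__main__":
    for f in assess(SAMPLE_TRAIL):
        print(f"{f['severity']:<6} {f['finding']:<36} {f['actor']} -> {f['target']}")
```

The same grading applies unchanged to records pulled with the LookupEvents API or read from the S3 trail bucket, since both deliver the same record layout.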
- Container & Network Account Modification Logs
  - Kubernetes Service Account Changes
    - Kubernetes API server audit logs (enabled with --audit-policy-file and --audit-log-path; kubectl itself produces no audit trail) – Detect create/update/patch/delete operations on serviceaccounts, rolebindings and clusterrolebindings, and TokenRequest calls on the serviceaccounts/token subresource.
    - GKE Cloud Audit Logs / Azure AKS diagnostic logs (kube-audit category) – Surface the same API server audit events for managed clusters, including role and permission changes.
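Worked example for the Kubernetes entries above, added here and not taken from the ATT&CK page. It classifies API server audit events: mutating verbs on service accounts and RBAC objects, a token minted through the serviceaccounts/token subresource, a binding that hands out cluster-admin, a workload identity (system:serviceaccount:...) rewriting identity objects, and failed (4xx) attempts, while ignoring control-plane components. The events are constructed in the audit.k8s.io/v1 layout; requestObject is present only when the audit policy records these resources at level RequestResponse, which the example assumes, and the severity labels and the allow-listed system user prefixes are this example's own.

```python
"""Review Kubernetes API server audit events for service account and RBAC changes.

Added example for this data component; not code from the ATT&CK page. The
events are constructed in the audit.k8s.io/v1 layout the API server writes
(JSON lines); requestObject is only present when the audit policy records
these resources at level RequestResponse, which this example assumes.
"""
import json

MUTATING_VERBS = {"create", "update", "patch", "delete"}
IDENTITY_RESOURCES = {"serviceaccounts", "rolebindings", "clusterrolebindings", "roles", "clusterroles"}
# Control-plane identities that legitimately churn these objects all day (example's allow-list).
SYSTEM_USER_PREFIXES = ("system:kube-", "system:apiserver")


def classify(ev):
    """Return (finding, severity) for one audit event, or None if it is noise."""
    ref = ev.get("objectRef") or {}
    verb, resource = ev.get("verb"), ref.get("resource")
    user = (ev.get("user") or {}).get("username", "")
    if ev.get("stage") != "ResponseComplete" or verb not in MUTATING_VERBS:
        return None
    if resource not in IDENTITY_RESOURCES or user.startswith(SYSTEM_USER_PREFIXES):
        return None
    code = (ev.get("responseStatus") or {}).get("code", 0)
    if code >= 400:
        return ("denied_identity_change", "low")  # failed attempt: intent without effect
    if resource == "serviceaccounts" and ref.get("subresource") == "token":
        # TokenRequest: a fresh bearer token for the service account was minted.
        return ("service_account_token_minted", "medium")
    req = ev.get("requestObject") or {}
    if resource in {"clusterrolebindings", "rolebindings"} and verb == "create":
        if (req.get("roleRef") or {}).get("name") in {"cluster-admin", "admin"}:
            return ("admin_role_bound", "high")
        return ("role_binding_created", "medium")
    if user.startswith("system:serviceaccount:"):
        # A workload identity rewriting identities or RBAC is rarely legitimate.
        return ("identity_changed_by_service_account", "high")
    return ("identity_object_modified", "medium")


def review(events):
    """Return a finding dict for every event classify() does not discard."""
    out = []
    for ev in events:
        hit = classify(ev)
        if hit:
            ref = ev.get("objectRef") or {}
            out.append({"auditID": ev.get("auditID"), "finding": hit[0], "severity": hit[1],
                        "user": ev["user"]["username"], "verb": ev["verb"],
                        "object": f"{ref.get('namespace', '-')}/{ref.get('resource')}/{ref.get('name')}"})
    return out


SAMPLE_AUDIT_EVENTS = [json.loads(line) for line in """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"jane@example.com","groups":["developers"]},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"deployer","subresource":"token"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:prod:web"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","user":{"username":"jane@example.com"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"debug-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"deployer","namespace":"prod"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"update","user":{"username":"system:kube-controller-manager"},"objectRef":{"resource":"rolebindings","namespace":"kube-system","name":"system:controller:bootstrap-signer"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"delete","user":{"username":"bob@example.com"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"deployer"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a6","stage":"ResponseComplete","verb":"get","user":{"username":"jane@example.com"},"objectRef":{"resource":"serviceaccounts","namespace":"prod","name":"deployer"},"responseStatus":{"code":200}}
""".strip().splitlines()]  # constructed sample events

if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT_EVENTS):
        print(f)
```

Events a1 and a3 together are the pattern worth alerting on as a pair: a token is minted for the prod/deployer service account, then that same service account is bound to cluster-admin, which turns a namespaced workload identity into a cluster-wide one.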