You can start by looking for this event ID -- 5136(S): A directory service object was modified -- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5136
Auditing logs must be enabled on Windows to get these events and forward them to QRadar.
------------------------------
Joao Caetano
------------------------------
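One way to turn on the auditing mentioned above and list who made each 5136 change on a domain controller before the events are forwarded to QRadar. This is an added example, not part of the original reply; the seven-day look-back window is an assumption.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.
# Enable the audit subcategory that produces event 5136.
# The changed object also needs an auditing entry (SACL) for the event to be logged.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Look-back window (assumption, adjust as needed).
$since = (Get-Date).AddDays(-7)

# OperationType codes recorded in event 5136.
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $op = $d['OperationType']
        if ($opType.ContainsKey($op)) { $op = $opType[$op] }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ChangedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ObjectDN    = $d['ObjectDN']
            ObjectClass = $d['ObjectClass']
            Attribute   = $d['AttributeLDAPDisplayName']
            Operation   = $op
            Value       = $d['AttributeValue']
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```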
Original Message:
Sent: Wed May 15, 2024 05:02 PM
From: Beko Resiti
Subject: Shared Folder or File
How can I identify from logs, or find from QRadar logs or from the log source, which privileged user (or domain admin) or group policy has given a single domain user the right to access the "shared folder or file"? Is there a way to find out when the permissions of the folder were changed for a single CN or OU in order to get access to the specific shared folder in a Windows Server environment?
------------------------------
Beko Resiti
------------------------------