Was investigating on AD group membership changes. Checked the AD audit logs and found that events related to group membership changes, but doesn't show the account which made the changes. It says that the changes was intiated by an application called Microsoft Substrate Management and not the actual Username.
Can any one point me to right direction on how to findout the group memebrship changes.
Initiated by (actor)
Type
Application
Display Name
Microsoft Substrate Management
We use sentinel and would be nice to setup an alert





