How to check Windows client Administrators group from Defender

Continuing the previous post, where I showed how to check the local Administrators group on Windows clients with Intune, I will now show another way to do it with Microsoft Defender. This method is more suitable for organizations that use Microsoft Defender for Endpoint P2, as it requires the advanced hunting feature. Sadly, we cannot read the members of the local Administrators group directly from Defender, but we can inspect logon events and check whether any user who logs on holds membership of the local Administrators group. This method is not perfect, but it can help to detect potential threats.

So what I would like to do is to check whether any user who logs on to the client is both a member of the local Administrators group and a domain user.

Hunting query

// Add all users who are expected to log on here to reduce the noise
let excluded_users = dynamic(["UserToExclude1", "UserToExclude2"]);
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess"
| where LogonType in ("Interactive", "RemoteInteractive")
| where IsLocalAdmin == true
| where InitiatingProcessCommandLine == "lsass.exe"
// A local account carries the host name as its AccountDomain, so keeping only
// rows where AccountDomain differs from the host name leaves domain accounts.
// !~ compares case-insensitively; != would treat "WS01" and "ws01" as different.
| extend DeviceHostName = tostring(split(DeviceName, ".")[0])
| where AccountDomain !~ DeviceHostName
// !in~ is the case-insensitive form of !in
| where AccountName !in~ (excluded_users)
// Keep workstations only; servers are dropped by the semi-join
| join kind=leftsemi (
    DeviceInfo
    | where DeviceType == "Workstation"
) on DeviceName
| summarize AffectedUsers = make_set(AccountName) by DeviceName
| project DeviceName, AffectedUsers

Use the excluded_users variable to add the users who are expected to log on to the client, which reduces the noise.
This query returns the devices on which a domain user who is a member of the local Administrators group has logged on, together with the affected account names. You can schedule this query to run regularly and send an alert if any device is found.
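To make the query's filtering logic concrete, here is the same decision sequence re-implemented in Python over a handful of constructed DeviceLogonEvents and DeviceInfo rows. This is an added example, not code from the post; the host names, account names and the ev() helper are invented for illustration, and the local-versus-domain check is done case-insensitively, since a local account's AccountDomain is the host name and its case may differ from DeviceName.

```python
from collections import defaultdict

# Added example (not the post's own code): the hunting query's filters
# re-implemented in Python over constructed DeviceLogonEvents/DeviceInfo rows.
EXCLUDED_USERS = {"svc_helpdesk"}  # constructed; plays the role of excluded_users


def ev(device, logon_type, is_admin, domain, name):
    """Build one constructed DeviceLogonEvents row with the columns the query uses."""
    return dict(DeviceName=device, ActionType="LogonSuccess", LogonType=logon_type,
                IsLocalAdmin=is_admin, InitiatingProcessCommandLine="lsass.exe",
                AccountDomain=domain, AccountName=name)


LOGON_EVENTS = [  # constructed sample rows
    ev("ws01.corp.example", "Interactive", True, "CORP", "alice"),             # domain admin: reported
    ev("ws01.corp.example", "Interactive", True, "WS01", "localadmin"),        # local account: dropped
    ev("ws02.corp.example", "RemoteInteractive", True, "corp", "svc_helpdesk"),  # excluded: dropped
    ev("srv01.corp.example", "RemoteInteractive", True, "corp", "alice"),      # server: dropped by join
    ev("ws02.corp.example", "Network", False, "corp", "bob"),                  # not admin: dropped
]
DEVICE_INFO = {"ws01.corp.example": "Workstation", "ws02.corp.example": "Workstation",
               "srv01.corp.example": "Server"}  # constructed DeviceInfo rows


def find_domain_admin_logons(events, device_info, excluded=EXCLUDED_USERS):
    """Mirror the query: return {DeviceName: sorted domain accounts that logged on
    interactively while holding local Administrators membership}."""
    affected = defaultdict(set)
    for e in events:
        if (e["ActionType"] != "LogonSuccess" or not e["IsLocalAdmin"]
                or e["LogonType"] not in ("Interactive", "RemoteInteractive")
                or e["InitiatingProcessCommandLine"] != "lsass.exe"):
            continue
        host = e["DeviceName"].split(".")[0]
        # Local accounts carry the host name as AccountDomain; compare
        # case-insensitively so "WS01" vs "ws01" is still recognised as local.
        if e["AccountDomain"].lower() == host.lower():
            continue
        if e["AccountName"] in excluded:
            continue
        if device_info.get(e["DeviceName"]) != "Workstation":  # the leftsemi join
            continue
        affected[e["DeviceName"]].add(e["AccountName"])
    return {d: sorted(u) for d, u in affected.items()}
```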

This post is licensed under CC BY 4.0 by the author.