This uses the deprecated admin audit log to check for user changes. There is not really an easy 1-to-1 migration to the UAL in this case. Same problem as in other places, where we'd need to search for very specific commands being run, and also filter out potential system garbage.
I think the best way moving forward with this and a few other functions is to determine exactly what changes would be made on an account when it's compromised (such as adding an additional MFA method) and pull those from the UAL.