Query Details

TITLE

AD GPO Creation

Query

IdentityDirectoryEvents
| where ActionType == @"Group Policy was created"
| extend GroupPolicyName = tostring(parse_json(AdditionalFields).GroupPolicyName)

About this query

TITLE

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1110.003Credential Access: Brute Force: Password Sprayinghttps://attack.mitre.org/techniques/T1110/003/

Description

DESCRIPTION

References

Microsoft 365 Defender

Explanation

This query looks for events in the IdentityDirectoryEvents table where a Group Policy was created. It then extends the query to include the name of the Group Policy created.

Details

Alex Verboon profile picture

Alex Verboon

Released: March 25, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEventsActionTypeGroupPolicyNameAdditionalFields

Operators

whereextendtostringparse_json

MITRE Techniques

Actions

GitHub