# AD GPO Creation

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |

### Description

DESCRIPTION


#### References



### Microsoft 365 Defender




```kql
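// Directory events where a Group Policy object was created
IdentityDirectoryEvents
| where ActionType == @"Group Policy was created"
// Pull the policy name out of the AdditionalFields JSON into its own column
| extend GroupPolicyName = tostring(parse_json(AdditionalFields).GroupPolicyName)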
```

Explanation

This query returns events from the IdentityDirectoryEvents table whose ActionType is "Group Policy was created". It then adds a GroupPolicyName column, extracted from the JSON in AdditionalFields, that holds the name of the Group Policy that was created.

Details


Alex Verboon

Released: March 25, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEvents,ActionType,GroupPolicyName,AdditionalFields

Operators

where, extend, tostring, parse_json
