Query Details

AD Group Policy

Query

# Active Directory - Group Policy Objects (WORK IN PROGRESS)

## Query Information

### Description

KQL queries to find Active Directory Group Policy changes

#### References

### Microsoft Defender XDR

```kql
IdentityDirectoryEvents
| where ActionType == @"Group Policy was created"
| extend GroupPolicyName = tostring(parse_json(AdditionalFields).GroupPolicyName)
```

```kql
IdentityDirectoryEvents
| where ActionType == @"Group Policy settings were changed"
```

```kql
DeviceEvents
| where ActionType == @"DirectoryServiceObjectCreated"
// ObjectClass is carried in the AdditionalFields JSON; a new groupPolicyContainer object is a new GPO
| where tostring(parse_json(AdditionalFields).ObjectClass) == "groupPolicyContainer"
```

```kql
IdentityDirectoryEvents
| where ActionType == @"Group Policy Display Name changed"
```

Explanation

This is a work-in-progress set of KQL (Kusto Query Language) queries for tracking changes to Active Directory Group Policy Objects (GPOs) in Microsoft Defender XDR. Each query keys on one `ActionType`:

  1. Newly created Group Policies (`IdentityDirectoryEvents`, `Group Policy was created`):

    • Returns the Defender for Identity event raised when a GPO is created and extracts the policy name from the `GroupPolicyName` property of the `AdditionalFields` JSON column.
  2. Changed Group Policy settings (`IdentityDirectoryEvents`, `Group Policy settings were changed`):

    • Returns events where the settings of an existing GPO were modified. This is the event to watch for a policy being repurposed, for example to add a scheduled task, startup script or security setting.
  3. Created Group Policy containers (`DeviceEvents`, `DirectoryServiceObjectCreated`):

    • Returns events where a directory object of class `groupPolicyContainer` was created, which is the directory-level view of a new GPO. Because it comes from `DeviceEvents` rather than `IdentityDirectoryEvents`, it is an independent second source for GPO creation.
  4. Renamed Group Policies (`IdentityDirectoryEvents`, `Group Policy Display Name changed`):

    • Returns events where the display name of a GPO was changed. Renaming a policy does not alter what it enforces, but a rename immediately before or after a settings change can be an attempt to make a modified policy look benign.

Together these queries cover the creation, modification and renaming of GPOs. A GPO linked to the domain or to the Domain Controllers OU applies to every machine in scope, so GPO changes made outside a change window, or by an account that does not normally manage Group Policy, are worth investigating, and the raw `AdditionalFields` column should be kept in results for triage.
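As an added example (not part of the original page), the three `IdentityDirectoryEvents` queries above can be combined into one hunting query that summarises GPO changes per actor and policy, and flags actors that made no GPO change during a baseline period. `GroupPolicyName` is the property the page documents for the creation event; that the settings-changed and display-name-changed events carry the same property is an assumption, which is why the raw `AdditionalFields` JSON is kept in the output.

```kql
// Added example, not from the original page: one hunting query over the
// GPO-related IdentityDirectoryEvents action types, summarised per actor and
// GPO, with a flag for actors that made no GPO change during the baseline period.
let lookback = 30d;          // baseline window
let recent = 7d;             // window being reviewed
let GpoActionTypes = dynamic([
    "Group Policy was created",
    "Group Policy settings were changed",
    "Group Policy Display Name changed"
]);
let GpoEvents =
    IdentityDirectoryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in (GpoActionTypes)
    | extend AF = parse_json(AdditionalFields)
    // GroupPolicyName is documented on the page for the creation event;
    // it is assumed to be present for the other two action types as well.
    | extend GroupPolicyName = tostring(AF.GroupPolicyName)
    | extend Actor = coalesce(AccountUpn, AccountName);
// Accounts that changed any GPO before the review window (the baseline).
let KnownActors = toscalar(
    GpoEvents
    | where Timestamp < ago(recent)
    | summarize make_set(Actor));
GpoEvents
| where Timestamp >= ago(recent)
| summarize Changes = count(),
            Actions = make_set(ActionType),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SourceDevices = make_set(DeviceName, 10),
            SampleFields = take_any(AdditionalFields)   // raw JSON kept for triage
          by Actor, AccountSid, GroupPolicyName
// true when the actor made no GPO change in the baseline period
| extend NewActor = not(set_has_element(KnownActors, Actor))
| order by NewActor desc, LastSeen desc
```

Rows with `NewActor == true` are the first thing to review: an account that has never touched Group Policy in the last 30 days and now creates, edits or renames a GPO is either a newly onboarded administrator or a compromised one. The `Actions` set also makes the rename-around-a-change pattern visible in a single row.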

Details


Alex Verboon

Released: May 19, 2025

Tables

IdentityDirectoryEvents DeviceEvents

Keywords

Active Directory, Group Policy, Devices

Operators

|, where, ==, @, extend, =, tostring(), parse_json(), .
