Anomalous Group Policy Discovery
Query
let PreviousActivity = materialize (
IdentityQueryEvents
| where Timestamp > ago(30d)
| where QueryType == "AllGroupPolicies"
| summarize make_set(DeviceName)
);
IdentityQueryEvents
| where Timestamp > ago(1d)
| where QueryType == "AllGroupPolicies"
| where not(DeviceName has_any(PreviousActivity))About this query
Explanation
This query is designed to detect unusual activity related to Group Policy discovery within a network. Here's a simplified explanation:
-
Purpose: The query aims to identify devices that are querying Group Policy information in a way that is unusual for them, which could indicate malicious activity or an attacker trying to gather information about the network.
-
How it Works:
- The query first looks at the past 30 days of activity to see which devices have performed Group Policy queries.
- It then checks the last day's activity to find any devices that have queried Group Policies but did not do so in the previous 30 days.
-
Why It's Important:
- Group Policies can contain sensitive information about network configurations and security settings. If a device suddenly starts querying this information without a history of doing so, it could be a sign of an attacker trying to gather intelligence for further attacks.
-
Potential False Positives:
- New administrators or legitimate users who have not previously performed such queries might trigger this alert. It's important to verify whether the activity is legitimate or suspicious.
-
Tools:
- The query is written for use in Microsoft Defender XDR and Microsoft Sentinel, which are security tools used to monitor and respond to threats in a network.
In summary, this query helps security teams identify potentially suspicious behavior related to Group Policy queries by highlighting devices that are performing these queries for the first time in the last 30 days.
