# Defender for Identity - Active Directory - Password Policy Change


## Query Information
### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1484 | Domain Policy Modification | https://attack.mitre.org/techniques/T1484/ |
| T1484.001 | Group Policy Modification | https://attack.mitre.org/techniques/T1484/001/ |
### Description
The query below retrieves Defender for Identity events in which Active Directory domain account password policies are changed.
#### References
- [Password Policy](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/password-policy)
### Author
- **Alex Verboon**
## Defender XDR
```kql
IdentityDirectoryEvents
// Defender for Identity records this ActionType when the settings of a GPO change
| where ActionType == @"Group Policy settings were changed"
| extend Info = parse_json(AdditionalFields)
| extend MachinePolicies = tostring(Info.MachinePolicies),
    GroupPolicyName = tostring(Info.GroupPolicyName),
    GroupPolicyId = tostring(Info.GroupPolicyId),
    DomainName = tostring(Info.DomainName),
    Category = tostring(Info.Category),
    AttackTechniques = tostring(Info.AttackTechniques)
// Note: in Defender XDR advanced hunting the event time column of this table is Timestamp;
// TimeGenerated is the column name when the table is queried from Microsoft Sentinel
| project TimeGenerated, DomainName, GroupPolicyName, GroupPolicyId, MachinePolicies, Category, AttackTechniques
// MachinePolicies is treated as a comma-separated list of "<path>\<setting>=<value>" entries
| mv-expand PolicyEntry = split(MachinePolicies, ",") to typeof(string)
| extend FullPath = tostring(split(PolicyEntry, "=")[0]),
    PolicyValue = tostring(split(PolicyEntry, "=")[1])
// the last path segment is the setting name; everything before it is the policy path
| extend PathParts = split(FullPath, @"\"),
    PolicyName = tostring(split(FullPath, @"\")[-1])
| extend PolicyPath = strcat_array(array_slice(PathParts, 0, array_length(PathParts) - 2), @"\")
// keep only settings that live under the password policy container
| where PolicyPath == @"Account Policies\PasswordPolicy"
// one row per GPO change, with the changed settings collected into a name -> value bag
| summarize Settings = make_bag(pack(PolicyName, PolicyValue))
    by TimeGenerated, GroupPolicyId, GroupPolicyName, DomainName, AttackTechniques, Category, PolicyPath
```
This KQL query monitors changes to Active Directory password policies by retrieving specific events from Microsoft Defender for Identity. A simplified breakdown of what the query does:
- **Source of data:** It starts from the IdentityDirectoryEvents table, which holds events related to identity and directory activities.
- **Filter events:** It keeps only events whose action type is "Group Policy settings were changed".
- **Extract information:** From the AdditionalFields JSON of these events it extracts:
  - MachinePolicies: the specific policy settings that were changed.
  - GroupPolicyName and GroupPolicyId: identifiers of the group policy that was modified.
  - DomainName: the domain where the change occurred.
  - Category and AttackTechniques: additional context about the change, such as the security technique Defender for Identity associates with it.
- **Process policy entries:** It splits the MachinePolicies string into individual policy entries and breaks each entry into a policy path, a setting name and a value.
- **Filter for password policies:** It keeps only entries under the "Account Policies\PasswordPolicy" path, which holds the password policy settings.
- **Summarize results:** Finally, it groups the changes into one row per group policy change, showing the time of the change, the group policy details, the domain name and a bag of the password policy settings that were altered.

In essence, this query helps security analysts track and review modifications to password policies in Active Directory, which is important for maintaining security and compliance.
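To check the parsing stages of the query offline, the following added example (not part of the original page or the author's query) reproduces them in Python on a constructed event: it splits a MachinePolicies string into entries, separates the policy path, setting name and value, keeps only the `Account Policies\PasswordPolicy` entries and collects them into a settings bag, as the `summarize make_bag(...)` stage does. The event, its field values and the GPO identifier are constructed for this example; the field names are the ones the query reads. One deliberate difference is noted in a comment: `partition` keeps a value that itself contains `=`, where `split(...)[1]` in the query keeps only the part before the second `=`.

```python
import json
from typing import Iterator, Optional, Tuple

PASSWORD_POLICY_PATH = r"Account Policies\PasswordPolicy"
GPO_CHANGED = "Group Policy settings were changed"

# Constructed sample event, shaped like an IdentityDirectoryEvents row whose
# AdditionalFields carries the fields the query reads. All values are made up.
SAMPLE_EVENT = {
    "TimeGenerated": "2026-04-22T10:15:00Z",
    "ActionType": GPO_CHANGED,
    "AdditionalFields": json.dumps({
        "GroupPolicyName": "Default Domain Policy",
        "GroupPolicyId": "{00000000-0000-0000-0000-000000000001}",  # placeholder GUID
        "DomainName": "corp.example.com",
        "Category": "Credential Access",
        "AttackTechniques": "Domain Policy Modification (T1484)",
        "MachinePolicies": ",".join([
            r"Account Policies\PasswordPolicy\MinimumPasswordLength=7",
            r"Account Policies\PasswordPolicy\PasswordComplexity=0",
            r"Account Policies\PasswordPolicy\MaximumPasswordAge=42",
            # an entry from a different container, which the path filter must drop
            r"Account Policies\Account Lockout Policy\LockoutBadCount=10",
        ]),
    }),
}


def parse_machine_policies(machine_policies: str) -> Iterator[Tuple[str, str, str]]:
    """Mirror the query's mv-expand/extend stages.

    Yields (policy_path, policy_name, value) for each "<path>\\<setting>=<value>"
    entry in the comma-separated MachinePolicies string.
    """
    for entry in machine_policies.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # partition keeps everything after the first "=" as the value; the query's
        # split(PolicyEntry, "=")[1] would keep only the piece before a second "="
        full_path, _, value = entry.partition("=")
        path_parts = full_path.split("\\")
        policy_name = path_parts[-1]                 # split(FullPath, @"\")[-1]
        policy_path = "\\".join(path_parts[:-1])     # array_slice(..., 0, len - 2)
        yield policy_path, policy_name, value


def password_policy_changes(event: dict) -> Optional[dict]:
    """Return one summarized row for the event, or None if it is not a password
    policy change (wrong ActionType, or no entries under the password policy path)."""
    if event.get("ActionType") != GPO_CHANGED:
        return None
    info = json.loads(event.get("AdditionalFields") or "{}")
    settings = {}
    for path, name, value in parse_machine_policies(info.get("MachinePolicies", "")):
        if path == PASSWORD_POLICY_PATH:             # where PolicyPath == ...
            settings[name] = value                   # make_bag(pack(PolicyName, PolicyValue))
    if not settings:
        return None
    return {
        "TimeGenerated": event.get("TimeGenerated"),
        "GroupPolicyId": info.get("GroupPolicyId"),
        "GroupPolicyName": info.get("GroupPolicyName"),
        "DomainName": info.get("DomainName"),
        "AttackTechniques": info.get("AttackTechniques"),
        "Category": info.get("Category"),
        "PolicyPath": PASSWORD_POLICY_PATH,
        "Settings": settings,
    }


if __name__ == "__main__":
    print(json.dumps(password_policy_changes(SAMPLE_EVENT), indent=2))
```

Running the script prints a single row whose Settings bag holds MinimumPasswordLength, PasswordComplexity and MaximumPasswordAge; the lockout entry is excluded because its PolicyPath is `Account Policies\Account Lockout Policy`.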

Alex Verboon
Released: April 22, 2026