Query Details

Security Event GPO Inheritance Changed

Query

//Detect when group policy inheritance is either allowed or blocked

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

//Event 5136 (a directory service object was modified) is only logged when the Audit Directory Service Changes subcategory is enabled and the modified object's SACL audits the write
SecurityEvent
| project TimeGenerated, EventID, EventData, SubjectAccount
| where EventID == "5136"
//Pull the changed object, attribute name, attribute value and operation type out of the EventData XML
| parse EventData with * 'ObjectDN">' OU '</Data' *
| parse EventData with * 'AttributeLDAPDisplayName">' LDAPAttribute '</Data' *
| parse EventData with * 'AttributeValue">' AttributeValue '</Data' *
| parse EventData with * 'OperationType">%%' OperationType '</Data' *
| project
    TimeGenerated,
    Actor=SubjectAccount,
    OU,
    LDAPAttribute,
    AttributeValue,
    OperationType
//gPOptions = 1 blocks inheritance on an OU, so only changes involving that value are of interest
| where LDAPAttribute == "gPOptions"
| where AttributeValue == "1"
//OperationType %%14674 = Value Added, %%14675 = Value Deleted
| extend Activity = case(
    OperationType == "14674" and AttributeValue == "1", "Group Policy Inheritance Blocked",
    OperationType == "14675" and AttributeValue == "1", "Group Policy Inheritance Allowed",
    "Unknown")
| project TimeGenerated, Actor, OU, Activity

Explanation

This query detects when group policy inheritance is blocked or allowed on an organizational unit. It selects Windows security events with Event ID 5136 and parses the object DN, LDAP attribute name, attribute value and operation type out of EventData, alongside the time generated and the subject account. It then keeps only events where the LDAP attribute is "gPOptions" and the attribute value is "1", and adds an Activity field that reports whether inheritance was blocked or allowed, based on the operation type and attribute value. Finally, it projects the time generated, actor, organizational unit and activity fields for further analysis.
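To show what the query's parse and case() logic does on concrete 5136 records, here is an added Python re-implementation of the same filters and anchors (it is not part of the original query page or the author's code), run over constructed EventData samples; the DNs, account names and timestamps are made up for illustration.

```python
import re

# Constructed EventData payloads shaped like Windows event 5136, trimmed to the <Data>
# elements the KQL parses; illustrative samples, not events captured from a real domain.
def _event_data(object_dn, attribute, value, op_type):
    return (f'<Data Name="ObjectDN">{object_dn}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attribute}</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">%%{op_type}</Data>')

OU = "OU=Workstations,DC=contoso,DC=com"
SAMPLE_EVENTS = [
    # Inheritance blocked: gPOptions value "1" added (OperationType %%14674)
    {"TimeGenerated": "2022-06-17T10:15:00Z", "EventID": 5136, "SubjectAccount": "CONTOSO\\jdoe",
     "EventData": _event_data(OU, "gPOptions", "1", 14674)},
    # Inheritance re-enabled: the old "1" is deleted (%%14675) and "0" is added;
    # the query keeps only the deletion because it filters on AttributeValue == "1"
    {"TimeGenerated": "2022-06-17T11:02:00Z", "EventID": 5136, "SubjectAccount": "CONTOSO\\jdoe",
     "EventData": _event_data(OU, "gPOptions", "1", 14675)},
    {"TimeGenerated": "2022-06-17T11:02:00Z", "EventID": 5136, "SubjectAccount": "CONTOSO\\jdoe",
     "EventData": _event_data(OU, "gPOptions", "0", 14674)},
    # A different attribute (a GPO link) on another OU: dropped by the gPOptions filter
    {"TimeGenerated": "2022-06-17T11:30:00Z", "EventID": 5136, "SubjectAccount": "CONTOSO\\admin",
     "EventData": _event_data("OU=Servers,DC=contoso,DC=com", "gPLink", "[LDAP://cn=GPO-PLACEHOLDER;0]", 14674)},
]

# Same anchors as the query's `parse EventData with * '<anchor>' field '</Data' *` lines
FIELD_PATTERNS = {
    "OU": r'ObjectDN">(.*?)</Data',
    "LDAPAttribute": r'AttributeLDAPDisplayName">(.*?)</Data',
    "AttributeValue": r'AttributeValue">(.*?)</Data',
    "OperationType": r'OperationType">%%(.*?)</Data',
}
# %%14674 = Value Added, %%14675 = Value Deleted (the query's case() branches)
ACTIVITY = {"14674": "Group Policy Inheritance Blocked",
            "14675": "Group Policy Inheritance Allowed"}

def parse_event_data(event_data):
    """Extract the four fields the query parses; a missing anchor yields ''."""
    return {name: (m.group(1) if (m := re.search(pat, event_data)) else "")
            for name, pat in FIELD_PATTERNS.items()}

def detect_inheritance_changes(events):
    """Apply the query's EventID, gPOptions and value filters plus the case() mapping."""
    rows = []
    for ev in events:
        f = parse_event_data(ev["EventData"])
        if ev["EventID"] != 5136 or f["LDAPAttribute"] != "gPOptions" or f["AttributeValue"] != "1":
            continue
        rows.append({"TimeGenerated": ev["TimeGenerated"], "Actor": ev["SubjectAccount"],
                     "OU": f["OU"], "Activity": ACTIVITY.get(f["OperationType"], "Unknown")})
    return rows
```

Running detect_inheritance_changes(SAMPLE_EVENTS) yields two rows, one "Blocked" and one "Allowed", which is exactly the pair the KQL surfaces for a block followed by an unblock of the same OU.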

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Devices,Intune,User

Operators

project, where, parse, with, extend, case, strcat