splApache-2.0from splunk/security_content
Windows AD GPO Deleted
This detection identifies when an Active Directory Group Policy is deleted using the Group Policy Management Console.
Quality
43
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_ad_gpo_deleted.yml
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=gpLink
| eval ObjectDN=upper(ObjectDN)
| stats min(_time) as eventTime values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType values(src_user) as src_user values(dest) as dest
BY OpCorrelationID ObjectDN SubjectLogonId
| rex field=old_value max_match=10000 "(?i)LDAP://(?P<old_dn>cn.*?);(?P<old_flag>\d)\]"
| rex field=new_value max_match=10000 "(?i)LDAP://(?P<new_dn>cn.*?);(?P<new_flag>\d)\]"
| mvexpand old_dn
| where NOT old_dn IN (new_dn)
| eval ObjectDN=upper(old_dn)
| join ObjectDN type=outer [
| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update
| eval ObjectDN=upper(distinguishedName)
| stats latest(displayName) as displayName
BY ObjectDN ]
| stats min(eventTime) as _time values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user
BY ObjectDN SubjectLogonId
| `windows_ad_gpo_deleted_filter`