Language: SPL. License: Apache-2.0. Source: splunk/security_content

Windows AD GPO Disabled

This detection identifies when an Active Directory Group Policy Object is disabled, in whole or in part, typically through the Group Policy Management Console. It watches Security event 5136 ("A directory service object was modified") for writes to the flags attribute of a groupPolicyContainer object. That attribute encodes the GPO's enablement state: 0 = enabled, 1 = user configuration settings disabled, 2 = computer configuration settings disabled, 3 = all settings disabled. The search keeps only "value added" operations (OperationType %%14674) with a non-zero value, decodes the value into a readable status, inner-joins the object's distinguished name against the admon feed of Group-Policy-Container objects to recover the policy's displayName, and aggregates the hits by object, logon session and domain controller. GPMC is the usual path, but any client that writes flags (the GroupPolicy PowerShell module, a direct LDAP modify) produces the same 5136 event on the domain controller and is caught the same way.

Prerequisites and caveats: event 5136 is only generated when the Directory Service Changes audit subcategory is enabled on the domain controllers and the GPC objects carry a SACL that audits property writes; without both, the search sees nothing. The join requires the Splunk AD monitoring (admon) input to have reported the GPC as an Update, and because the join is inner, a flags change on a container the admon feed has not described is silently dropped rather than alerted on without a name. Re-enabling a GPO (flags written back to 0) is intentionally excluded by AttributeValue!=0.

Rule source: detections/endpoint/windows_ad_gpo_disabled.yml
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674" AttributeValue!=0
  | eval AttributeValueExp=case(AttributeValue==0,"Enabled",AttributeValue==1,"User configuration settings disabled",AttributeValue==2,"Computer configuration settings disabled",AttributeValue==3,"Disabled"), ObjectDN=upper(ObjectDN)
  | join ObjectDN type=inner [
  | search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update
  | eval ObjectDN=upper(distinguishedName)
  | stats latest(displayName) as displayName
    BY ObjectDN ]
  | stats min(_time) as _time values(AttributeValue) as AttributeValue values(AttributeValueExp) as AttributeValueExp values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user
    BY ObjectDN SubjectLogonId dest
  | `windows_ad_gpo_disabled_filter`
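The search logic above, re-implemented in plain Python over constructed sample events so that the attribute filter, the flags decoding, the inner join to the admon feed and the final aggregation can be stepped through offline. This is an added example, not code from splunk/security_content. The sample 5136 and admon records, and the field names on them, are constructed to mirror the fields the search reads; the Default Domain Policy and Default Domain Controllers Policy GUIDs are the well-known ones, the third GPO's GUID and every hostname and user are made up.

```python
from collections import defaultdict

# groupPolicyContainer 'flags' values, the same mapping the search's eval uses
FLAGS_MEANING = {
    0: "Enabled",
    1: "User configuration settings disabled",
    2: "Computer configuration settings disabled",
    3: "Disabled",
}
VALUE_ADDED = "%%14674"    # 5136 OperationType: new value written (what the search alerts on)
VALUE_DELETED = "%%14675"  # 5136 OperationType: old value removed (ignored)

GPO_A = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
GPO_B = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
GPO_C = "CN={9F2D1C00-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"  # constructed GUID
GPC_CATEGORY = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local"


def sec_event(t, dn, attr, op, value, corr, logon="0x3E7A1", dest="dc01.corp.local", user="CORP\\jdoe"):
    """Constructed 5136 record carrying only the fields the search reads."""
    return {"_time": t, "EventCode": 5136, "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "OperationType": op, "AttributeValue": value, "OpCorrelationID": corr,
            "SubjectLogonId": logon, "dest": dest, "src_user": user}


def admon_event(t, dn, name, kind="Update"):
    """Constructed admon record for a Group-Policy-Container object."""
    return {"_time": t, "admonEventType": kind, "objectCategory": GPC_CATEGORY,
            "distinguishedName": dn, "displayName": name}


# Constructed sample data: GPO A is fully disabled (old value 0 removed, new value 3 added),
# GPO B has its user side disabled twice in one logon session, GPO C is disabled but was only
# ever seen by admon as a Sync record, not an Update, so the inner join drops it.
SECURITY_EVENTS = [
    sec_event(100, GPO_A.lower(), "flags", VALUE_DELETED, "0", "{C1}"),       # old value, ignored
    sec_event(101, GPO_A.lower(), "flags", VALUE_ADDED, "3", "{C1}"),         # alert: Disabled
    sec_event(102, GPO_A.lower(), "versionNumber", VALUE_ADDED, "5", "{C1}"), # other attribute, ignored
    sec_event(200, GPO_B, "flags", VALUE_ADDED, "1", "{C2}"),                 # alert: user side disabled
    sec_event(201, GPO_B, "flags", VALUE_ADDED, "1", "{C3}"),                 # same group, merged
    sec_event(300, GPO_A, "flags", VALUE_ADDED, "0", "{C4}"),                 # re-enabled, excluded
    sec_event(400, GPO_C, "flags", VALUE_ADDED, "3", "{C5}"),                 # no admon Update, dropped
]
ADMON_EVENTS = [
    admon_event(50, GPO_A, "Default Domain Policy"),
    admon_event(60, GPO_B, "Default Domain Controllers Policy (old name)"),
    admon_event(70, GPO_B, "Default Domain Controllers Policy"),  # latest() wins
    admon_event(80, GPO_C, "Constructed Test GPO", kind="Sync"),
]


def decode_flags(value):
    """Human-readable meaning of a GPC flags value, None if outside 0..3."""
    return FLAGS_MEANING.get(int(value))


def gpc_display_names(admon_events):
    """The subsearch: latest displayName per upper-cased DN of each GPC Update record."""
    latest = {}
    for ev in admon_events:
        if ev.get("admonEventType") != "Update":
            continue
        if not ev.get("objectCategory", "").startswith("CN=Group-Policy-Container"):
            continue
        dn = ev["distinguishedName"].upper()
        if dn not in latest or ev["_time"] > latest[dn][0]:
            latest[dn] = (ev["_time"], ev["displayName"])
    return {dn: name for dn, (_, name) in latest.items()}


def detect_gpo_disabled(security_events, admon_events):
    """Filter 5136 flags writes with a non-zero value, decode them, inner-join to the
    GPC name map and aggregate by ObjectDN, SubjectLogonId and dest like the stats clause."""
    names = gpc_display_names(admon_events)
    groups = defaultdict(lambda: {"_time": None, "AttributeValue": set(), "AttributeValueExp": set(),
                                  "OpCorrelationID": set(), "src_user": set()})
    for ev in security_events:
        if ev.get("EventCode") != 5136 or ev.get("AttributeLDAPDisplayName") != "flags":
            continue
        if ev.get("OperationType") != VALUE_ADDED or int(ev["AttributeValue"]) == 0:
            continue
        dn = ev["ObjectDN"].upper()
        if dn not in names:  # inner join: a GPC unknown to admon is dropped
            continue
        g = groups[(dn, ev["SubjectLogonId"], ev["dest"])]
        g["_time"] = ev["_time"] if g["_time"] is None else min(g["_time"], ev["_time"])
        g["AttributeValue"].add(int(ev["AttributeValue"]))
        g["AttributeValueExp"].add(decode_flags(ev["AttributeValue"]))
        g["OpCorrelationID"].add(ev["OpCorrelationID"])
        g["src_user"].add(ev["src_user"])
    results = []
    for (dn, logon_id, dest), g in groups.items():
        results.append({"ObjectDN": dn, "SubjectLogonId": logon_id, "dest": dest,
                        "policyName": names[dn], "_time": g["_time"],
                        "AttributeValue": sorted(g["AttributeValue"]),
                        "AttributeValueExp": sorted(g["AttributeValueExp"]),
                        "OpCorrelationID": sorted(g["OpCorrelationID"]),
                        "src_user": sorted(g["src_user"])})
    return sorted(results, key=lambda r: r["_time"])


if __name__ == "__main__":
    for row in detect_gpo_disabled(SECURITY_EVENTS, ADMON_EVENTS):
        print(row["_time"], row["policyName"], row["AttributeValueExp"], row["src_user"])
```

Two rows come out: the Default Domain Policy marked Disabled, and the Default Domain Controllers Policy with its user side disabled, carrying both correlation IDs from the same logon session. GPO C never appears, which is the inner-join behaviour to keep in mind when a real alert seems to be missing: check the admon feed for the container before assuming the audit policy is at fault.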