AD Group Policy changes on devices
MDE Group Policy Modification Events
Query
DeviceEvents
| where ActionType == "AuditPolicyModification"
| extend polmod = parse_json(AdditionalFields)
| extend AuditPolicyChange = polmod.AuditPolicyChanges
| extend CategoryId = trim(@"[^\w]+",tostring(polmod.CategoryId))
| extend SubcategoryGuid = toupper(polmod.SubcategoryGuid)
| extend SubcategoryId = trim(@"[^\w]+",tostring(polmod.SubcategoryId))
// | project Timestamp, DeviceName, AuditPolicyChange, CategoryId, SubcategoryGuid, SubcategoryId
| mv-expand split(AuditPolicyChange,",")
| extend AuditPolicyChange = trim(@"[^\w]+",tostring(AuditPolicyChange))
| extend AuditPolicyChangesName = case(
AuditPolicyChange == "8448","Success Removed",
AuditPolicyChange == "8450","Failure Removed",
AuditPolicyChange == "8449","Success Added",
AuditPolicyChange == "8451","Failure Added","undefined")
| extend CategoryName = case (
CategoryId == "8280","Account Logon",
CategoryId == "8278","Account Management",
CategoryId == "8276","Detrailed Tracking",
CategoryId == "8279","DS Access",
CategoryId == "8273","Logon/Logoff",
CategoryId == "8274","Object Access",
CategoryId == "8277","Policy Change",
CategoryId == "8275","Privilege Use",
CategoryId == "8272","System",
"undefined")
| extend SubcategoryName = case(
// Accont Logon
SubcategoryGuid == "0CCE923F-69AE-11D9-BED3-505054503030", "Credential Validation",
SubcategoryGuid == "0CCE9242-69AE-11D9-BED3-505054503030", "Kerberos Authentication Service ",
SubcategoryGuid == "0CCE9240-69AE-11D9-BED3-505054503030", "Kerberos Service Ticket Operations",
SubcategoryGuid == "0CCE9241-69AE-11D9-BED3-505054503030", "Other Account Logon Events",
// Account Managent
SubcategoryGuid == "0CCE9239-69AE-11D9-BED3-505054503030", "Application Group Management",
SubcategoryGuid == "0CCE9236-69AE-11D9-BED3-505054503030", "Computer Account Management",
SubcategoryGuid == "0CCE9238-69AE-11D9-BED3-505054503030", "Distribution Group Management",
SubcategoryGuid == "0CCE923A-69AE-11D9-BED3-505054503030", "Other Account Management Events",
SubcategoryGuid == "0CCE9237-69AE-11D9-BED3-505054503030", "Security Group Management",
SubcategoryGuid == "0CCE9235-69AE-11D9-BED3-505054503030", "User Account Management",
// Detailed Tracking
SubcategoryGuid == "0CCE922D-69AE-11D9-BED3-505054503030", "DPAPI Activity",
SubcategoryGuid == "0CCE9248-69AE-11D9-BED3-505054503030", "PNP Activity",
SubcategoryGuid == "0CCE922B-69AE-11D9-BED3-505054503030", "Process Creation",
SubcategoryGuid == "0CCE922C-69AE-11D9-BED3-505054503030", "Process Termination",
SubcategoryGuid == "0CCE922E-69AE-11D9-BED3-505054503030", "RPC Events",
SubcategoryGuid == "0CCE924A-69AE-11D9-BED3-505054503030", "Audit Token Right Adjusted",
// DS Access
SubcategoryGuid == "0CCE923E-69AE-11D9-BED3-505054503030", "Detailed Directory Service Replication",
SubcategoryGuid == "0CCE923B-69AE-11D9-BED3-505054503030", "Directory Service Access",
SubcategoryGuid == "0CCE923C-69AE-11D9-BED3-505054503030", "Directory Service Changes",
SubcategoryGuid == "0CCE923D-69AE-11D9-BED3-505054503030", "Directory Service Replication",
// Logon - Logoff
SubcategoryGuid == "0CCE9217-69AE-11D9-BED3-505054503030", "Account Lockout",
SubcategoryGuid == "0CCE9247-69AE-11d9-BED3-505054503030", "User/Device Claims",
SubcategoryGuid == "0CCE9249-69AE-11d9-BED3-505054503030", "Group Membership",
SubcategoryGuid == "0CCE921A-69AE-11D9-BED3-505054503030", "IPsec Extended Mode",
SubcategoryGuid == "0CCE9218-69AE-11D9-BED3-505054503030", "IPsec Main Mode",
SubcategoryGuid == "0CCE9219-69AE-11D9-BED3-505054503030", "IPsec Quick Mode",
SubcategoryGuid == "0CCE9216-69AE-11D9-BED3-505054503030", "Logoff",
SubcategoryGuid == "0CCE9215-69AE-11D9-BED3-505054503030", "Logon",
SubcategoryGuid == "0CCE9243-69AE-11D9-BED3-505054503030", "Network Policy Server",
SubcategoryGuid == "0CCE921C-69AE-11D9-BED3-505054503030", "Other Logon/Logoff Events",
SubcategoryGuid == "0CCE921B-69AE-11D9-BED3-505054503030", "Special Logon",
// Object Access
SubcategoryGuid == "0CCE9222-69AE-11D9-BED3-505054503030", "Application Generated",
SubcategoryGuid == "0CCE9221-69AE-11D9-BED3-505054503030", "Certification Services",
SubcategoryGuid == "0CCE9244-69AE-11D9-BED3-505054503030", "Detailed File Share",
SubcategoryGuid == "0CCE9224-69AE-11D9-BED3-505054503030", "File Share",
SubcategoryGuid == "0CCE921D-69AE-11D9-BED3-505054503030", "File System",
SubcategoryGuid == "0CCE9226-69AE-11D9-BED3-505054503030", "Filtering Platform Connection",
SubcategoryGuid == "0CCE9225-69AE-11D9-BED3-505054503030", "Filtering Platform Packet Drop",
SubcategoryGuid == "0CCE9223-69AE-11D9-BED3-505054503030", "Handle Manipulation",
SubcategoryGuid == "0CCE921F-69AE-11D9-BED3-505054503030", "Kernel Object",
SubcategoryGuid == "0CCE9227-69AE-11D9-BED3-505054503030", "Other Object Access",
SubcategoryGuid == "0CCE9227-69AE-11D9-BED3-505054503030", "Other Object Access",
SubcategoryGuid == "0CCE921E-69AE-11D9-BED3-505054503030", "Registry",
SubcategoryGuid == "0CCE9245-69AE-11D9-BED3-505054503030", "Removable Storage",
SubcategoryGuid == "0CCE9220-69AE-11D9-BED3-505054503030", "SAM",
SubcategoryGuid == "0CCE9246-69AE-11D9-BED3-505054503030", "Central Access Policy Staging",
// Policy Change
SubcategoryGuid == "0CCE922F-69AE-11D9-BED3-505054503030", "Audit Policy Change",
SubcategoryGuid == "0CCE9230-69AE-11D9-BED3-505054503030", "Authentication Policy Change",
SubcategoryGuid == "0CCE9231-69AE-11D9-BED3-505054503030", "Authorization Policy Change",
SubcategoryGuid == "0CCE9233-69AE-11D9-BED3-505054503030", "Filtering Platform Policy Change",
SubcategoryGuid == "0CCE9232-69AE-11D9-BED3-505054503030", "MPSSVC Rule-Level Policy Change",
SubcategoryGuid == "0CCE9234-69AE-11D9-BED3-505054503030", "Other Policy Change Events",
// Privilege Use
SubcategoryGuid == "0CCE9229-69AE-11D9-BED3-505054503030", "Non Sensitive Privilege Use",
SubcategoryGuid == "0CCE922A-69AE-11D9-BED3-505054503030", "Other Privilege Use Events",
SubcategoryGuid == "0CCE9228-69AE-11D9-BED3-505054503030", "Sensitive Privilege Use",
// System
SubcategoryGuid == "0CCE9213-69AE-11D9-BED3-505054503030", "IPsec Driver",
SubcategoryGuid == "0CCE9214-69AE-11D9-BED3-505054503030", "Other System Events",
SubcategoryGuid == "0CCE9210-69AE-11D9-BED3-505054503030", "Security State Change",
SubcategoryGuid == "0CCE9211-69AE-11D9-BED3-505054503030", "Security System Extension",
SubcategoryGuid == "0CCE9212-69AE-11D9-BED3-505054503030", "the System Integrity",
"undefined")
| project Timestamp, DeviceName, AuditPolicyChange, AuditPolicyChangesName, CategoryId, CategoryName, SubcategoryGuid, SubcategoryName,SubcategoryId
| sort by Timestamp
// find events where auditing was Removed
// | where AuditPolicyChangesName contains "Removed"About this query
Explanation
The query is used to detect various AD Group Policy changes on devices. It includes the following events:
- Audit Policy changes: Detects changes made to the audit policy on devices.
- Audit policy configuration file changes on domain controllers: Detects changes made to the audit policy configuration file on domain controllers.
- Audit policy configuration file changes on clients: Detects changes made to the audit policy configuration file on clients.
- Scripts added/modified within the SYSVOL share: Detects any scripts that are added or modified within the SYSVOL share.
- Group Policy logon scripts executed on clients: Detects the execution of Group Policy logon scripts on clients.
The query uses different KQL queries for each event to retrieve the relevant information from the Defender for Endpoint devices.
Details

Alex Verboon
Released: June 4, 2023
Tables
DeviceEventsDeviceFileEventsDeviceProcessEventsDeviceRegistryEvents
Keywords
DevicesIntuneUserAudit Policy ModificationGroup Policy ModificationDomain Policy ModificationAudit Policy changesAudit policy configuration file changes on domain controllersAudit policy configuration file changes on clientsScripts added/modified within the SYSVOL shareGroup Policy logon scripts are executed on clients
Operators
whereextendparse_jsontrimtouppercasemv-expandsplitprojectsortletstartswithcontainshas_anydistinct!contains!=orandtoxml