Query Details

Defender for Identity - Active Directory - Password Policy Change

MDI AD Group Policy Password Policy

Query

IdentityDirectoryEvents
| where ActionType == @"Group Policy settings were changed"
| extend Info = parse_json(AdditionalFields)
| extend MachinePolicies = tostring(Info.MachinePolicies),
         GroupPolicyName = tostring(Info.GroupPolicyName),
         GroupPolicyId   = tostring(Info.GroupPolicyId),
         DomainName      = tostring(Info.DomainName),
         Category        = tostring(Info.Category),
         AttackTechniques = tostring(Info.AttackTechniques)
| project TimeGenerated, DomainName, GroupPolicyName, GroupPolicyId, MachinePolicies, Category, AttackTechniques
| mv-expand PolicyEntry = split(MachinePolicies, ",") to typeof(string)
| extend FullPath    = tostring(split(PolicyEntry, "=")[0]),
         PolicyValue = tostring(split(PolicyEntry, "=")[1])
| extend PathParts   = split(FullPath, @"\"),
         PolicyName  = tostring(split(FullPath, @"\")[-1])
| extend PolicyPath  = strcat_array(array_slice(PathParts, 0, array_length(PathParts) - 2), @"\")
| where PolicyPath == @"Account Policies\PasswordPolicy"
| summarize Settings = make_bag(pack(PolicyName, PolicyValue)) 
    by TimeGenerated, GroupPolicyId, GroupPolicyName, DomainName, AttackTechniques, Category, PolicyPath

About this query

Defender for Identity - Active Directory - Password Policy Change

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1484Domain Policy Modificationhttps://attack.mitre.org/techniques/T1484/
1484.001Group Policy Modificationhttps://attack.mitre.org/techniques/T1484/001/

Description

The below query retrieves events from Defender for Identity when Active Directory Domain Account Password policies are changed.

References

Author

  • Alex Verboon

Defender XDR

Explanation

This KQL query is designed to monitor changes in Active Directory password policies by retrieving specific events from Microsoft Defender for Identity. Here's a simplified breakdown of what the query does:

  1. Source of Data: It starts by accessing the IdentityDirectoryEvents table, which contains events related to identity and directory activities.

  2. Filter Events: The query filters for events where the action type indicates that "Group Policy settings were changed."

  3. Extract Information: It extracts additional details from these events, such as:

    • MachinePolicies: The specific policy settings that were changed.
    • GroupPolicyName and GroupPolicyId: Identifiers for the group policy that was modified.
    • DomainName: The domain where the change occurred.
    • Category and AttackTechniques: Additional context about the change, possibly related to security techniques.
  4. Process Policy Entries: The query splits the MachinePolicies string into individual policy entries and further breaks down each entry into a policy path and value.

  5. Filter for Password Policies: It specifically looks for changes in the "Account Policies\PasswordPolicy" path, which relates to password policy settings.

  6. Summarize Results: Finally, it summarizes the changes by grouping them into a structured format, showing the time of the change, the group policy details, domain name, and the specific password policy settings that were altered.

In essence, this query helps security analysts track and review modifications to password policies in Active Directory, which can be crucial for maintaining security and compliance.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 22, 2026

Tables

IdentityDirectoryEvents

Keywords

DefenderIdentityActiveDirectoryPasswordPolicyDomainAccountGroupSettingsMachinePoliciesCategoryAttackTechniques

Operators

IdentityDirectoryEventswhereextendparse_jsontostringprojectmv-expandsplittypeofstrcat_arrayarray_slicearray_lengthsummarizemake_bagpack

MITRE Techniques

Actions

GitHub