Forum Discussion

Brass Contributor

Sep 14, 2017

Use OMS to check policy changes

We are using OMS with the new query language. We are trying to get a report from OMS when a policy change has been made at our Windows 2012 R2 active directory. Does any one has some examples how to ...

azure

Kent Gaardmand

Steel Contributor

Sep 20, 2017

This is a feature that has been request https://feedback.azure.com/forums/267889-log-analytics/suggestions/6519278-change-tracking-group-policy-changes

The only was you could do this at the moment would be to monitor the Sysvol folders for changes, but i would only be able to inform you changes where made, not what was changed.

Pascal Wenders
Brass Contributor
Sep 20, 2017
Hi Kent, thank you for this information, I will look for the requested feature and vote for this. I Hope it will be possible in the futher

For the first thing that I need it, when does audit policy change. I look at event 4739. Then I need to check in the AD what has been changed. I would be better that you can monitor on every event for allerting.

let timeframe = 30d;
let timeframetot = 0d;
SecurityEvent
| where TimeGenerated > ago(timeframe) and TimeGenerated < ago(timeframetot)
| where EventID == 4739
| summarize count() by Computer,AccountType, Activity, TimeGenerated, EventData