Forum Discussion
Use OMS to check policy changes
This is a feature that has been requested: https://feedback.azure.com/forums/267889-log-analytics/suggestions/6519278-change-tracking-group-policy-changes
The only way you could do this at the moment would be to monitor the Sysvol folders for changes, but it would only be able to inform you that changes were made, not what was changed.
- Pascal Wenders, Sep 20, 2017, Brass Contributor
Hi Kent, thank you for this information. I will look for the requested feature and vote for it. I hope it will be possible in the future.
The first thing I need it for is to know when the audit policy changes. I look at event 4739. Then I need to check in the AD what has been changed. It would be better if you could monitor on every event for alerting.
// Look back 30 days, up to now
let timeframe = 30d;
let timeframetot = 0d;
SecurityEvent
| where TimeGenerated > ago(timeframe) and TimeGenerated < ago(timeframetot)
// Event 4739 is logged when the domain policy is changed
| where EventID == 4739
| summarize count() by Computer, AccountType, Activity, TimeGenerated, EventData
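The Sysvol monitoring mentioned earlier in the thread can be narrowed down to which GPO folder and which file changed by hashing the Policies tree and comparing two snapshots. This is an added example, not code from either poster: the function names are hypothetical, and the GUID and file contents are constructed sample data written to a temporary directory in place of a real SYSVOL share.

```python
import hashlib
import os
import re
import tempfile

GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")  # GPO folders are named by GUID

def snapshot(policies_dir):
    """Map 'GUID/relative/path' -> SHA-256 for every file under Policies."""
    hashes = {}
    for root, _dirs, files in os.walk(policies_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, policies_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def diff(old, new):
    """Group added/removed/modified files by the GPO folder they live in."""
    changes = {}
    for rel in sorted(set(old) | set(new)):
        if old.get(rel) == new.get(rel):
            continue
        kind = "added" if rel not in old else "removed" if rel not in new else "modified"
        gpo = rel.split("/", 1)[0]
        if not GUID_RE.match(gpo):
            gpo = "(outside a GPO folder)"
        entry = changes.setdefault(gpo, {"added": [], "removed": [], "modified": []})
        entry[kind].append(rel)
    return changes

def demo():
    """Constructed tree standing in for the domain's SYSVOL Policies folder."""
    gpo = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
    with tempfile.TemporaryDirectory() as base:
        sec = os.path.join(base, gpo, "Machine", "Microsoft", "Windows NT", "SecEdit")
        os.makedirs(sec)
        inf = os.path.join(sec, "GptTmpl.inf")
        with open(inf, "w") as fh:
            fh.write("[System Access]\nMinimumPasswordLength = 14\n")
        before = snapshot(base)
        with open(inf, "w") as fh:  # simulated edit of a security setting
            fh.write("[System Access]\nMinimumPasswordLength = 8\n")
        with open(os.path.join(base, gpo, "GPT.INI"), "w") as fh:
            fh.write("[General]\nVersion=2\n")
        return diff(before, snapshot(base))

if __name__ == "__main__":
    print(demo())
```

The hashes identify the changed file but not the changed setting; seeing the old and new values would require keeping a copy of each file alongside its hash.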