I'm trying to set up a scheduled search to monitor changes to GPOs. Running SEM 2020.4. Any suggestions regarding the best way to set up this query would be much appreciated. Thanks!

  • OK, I know there are audit event logs on the domain controller (these are per domain controller). You must make sure auditing is configured to track them.

    The Event IDs are:

    • Event ID Range: 4000–4007: This range covers events concerning Group Policy start events. These events are captured when a Group Policy processing instance begins.
    • Event ID Range: 4016–4299: This range covers Component start events. This range of events is captured when a Group Policy component processing starts the task defined in the event.
    • Event ID Range: 5000–5299: This range covers Component success events: These events appear in the event log when a Group Policy component successfully completes the task defined in the event.

    Checking the SolarWinds connector to see if these logs are being tracked.

    After looking at the connector XML file, I do not see these event logs listed.

    So I recommend enabling the audit logs on the file server, checking the Windows event logs for which Event IDs are the most useful, and requesting a connector update to add these in the next revision.