
Summary
This detection rule monitors the creation of new Group Policy Objects (GPOs) within Active Directory environments using Splunk's Active Directory monitoring (Admon) data. The objective of the rule is to identify instances where new GPOs are created, while filtering out the default GPO entries to prevent false positives. Monitoring GPO creation is essential because attackers can manipulate these objects to gain unauthorized access, escalate privileges, and deploy malicious payloads throughout the network. If a newly created GPO is malicious, it can lead to significant security breaches, including unauthorized control over critical system settings or malware propagation. The underlying search uses Splunk's query language to select the relevant Admon events, then aggregates and analyzes them to extract the timestamps and file system path data of GPOs created within Active Directory. Overall, it is a critical rule aimed at enhancing security monitoring in Active Directory implementations.
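The detection logic described above, re-implemented in Python over constructed Admon-style events as an added example (this is not the rule's own SPL or any Splunk code). The field names (objectCategory, displayName, ObjectDN, gPCFileSysPath, dcName, _time) are assumed to mirror what Splunk's Admon input emits; the default-GPO names are the two every domain ships with, and the new GPO's GUID is a placeholder.

```python
# Assumed Admon-style field names; objectCategory identifies GPOs.
GPO_CATEGORY_PREFIX = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,"
# GPOs present in every domain: excluded so routine replication is not alerted on.
DEFAULT_GPO_NAMES = {"Default Domain Policy", "Default Domain Controllers Policy"}

NEW_GPO_DN = "CN={CONSTRUCTED-GUID-0001},CN=Policies,CN=System,DC=corp,DC=example"
NEW_GPO_PATH = r"\\corp.example\sysvol\corp.example\Policies\{CONSTRUCTED-GUID-0001}"
DOMAIN = "DC=corp,DC=example"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Default GPO replicated during normal operation: filtered out.
    {"_time": 1731500000, "objectCategory": GPO_CATEGORY_PREFIX + DOMAIN,
     "displayName": "Default Domain Policy", "dcName": "DC01",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System," + DOMAIN,
     "gPCFileSysPath": r"\\corp.example\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}"},
    # A user object update: wrong objectCategory, ignored.
    {"_time": 1731500100, "objectCategory": "CN=Person,CN=Schema,CN=Configuration," + DOMAIN,
     "displayName": "Alice", "dcName": "DC01", "ObjectDN": "CN=Alice,CN=Users," + DOMAIN},
    # A freshly created GPO seen twice (a later edit listed first): one record, earliest time kept.
    {"_time": 1731500300, "objectCategory": GPO_CATEGORY_PREFIX + DOMAIN,
     "displayName": "Workstation Startup Script", "dcName": "DC02",
     "ObjectDN": NEW_GPO_DN, "gPCFileSysPath": NEW_GPO_PATH},
    {"_time": 1731500200, "objectCategory": GPO_CATEGORY_PREFIX + DOMAIN,
     "displayName": "Workstation Startup Script", "dcName": "DC02",
     "ObjectDN": NEW_GPO_DN, "gPCFileSysPath": NEW_GPO_PATH},
]

def is_gpo_event(event):
    """True when the replicated object is a Group Policy Container."""
    return event.get("objectCategory", "").startswith(GPO_CATEGORY_PREFIX)

def detect_new_gpos(events, ignore_defaults=True):
    """Group GPO events by ObjectDN, keeping the earliest timestamp and every SYSVOL path seen.

    Returns {ObjectDN: {"first_seen", "displayName", "paths", "dcName"}}, one record per GPO.
    """
    seen = {}
    for ev in events:
        if not is_gpo_event(ev):
            continue
        if ignore_defaults and ev.get("displayName") in DEFAULT_GPO_NAMES:
            continue
        rec = seen.setdefault(ev["ObjectDN"], {"first_seen": ev["_time"], "displayName": ev.get("displayName"),
                                               "paths": set(), "dcName": ev.get("dcName")})
        rec["first_seen"] = min(rec["first_seen"], ev["_time"])  # mirrors min(_time) in the aggregation
        if ev.get("gPCFileSysPath"):
            rec["paths"].add(ev["gPCFileSysPath"])  # mirrors values(gPCFileSysPath)
    return seen

if __name__ == "__main__":
    for dn, rec in detect_new_gpos(SAMPLE_EVENTS).items():
        print(rec["first_seen"], rec["displayName"], dn, sorted(rec["paths"]), rec["dcName"])
```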
Categories
- Identity Management
- Infrastructure
- On-Premise
- Windows
- Endpoint
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1484
- T1484.001
Created: 2024-11-13