
Summary
This detection rule identifies when a new client-side extension (CSE) is added to an Active Directory Group Policy object using the Group Policy Management Console (GPMC). It monitors Event ID 5136 from the Windows Security log, which records modifications to group policy objects. When a new client-side extension is added, the event captures both the old and the new value of the policy's extension attribute. The rule uses a combination of filtering, event extraction, and transformation functions to analyze the changed group policy attributes; it checks that extracted values are well-formed GUIDs and cross-references them against a lookup table so the results are readable. The detection accounts for common false positives caused by routine group policy modifications, and it notes a limitation: alternative tooling such as SharpGPOAbuse may not generate the usual AD events, so those changes can go unlogged.
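As an added illustration (not the rule's own search logic), the following Python sketch shows the core of the detection over constructed 5136 events: pairing the Value Deleted (old) and Value Added (new) records for one GPO attribute, keeping only well-formed GUIDs, and mapping the newly appeared ones through a lookup table. It assumes the CSE list is carried in the gPCMachineExtensionNames / gPCUserExtensionNames attributes, an abbreviated lookup table, and sample events built inline.

```python
import re
from collections import defaultdict
# Abbreviated lookup of well-known client-side extension (CSE) GUIDs (assumed table);
# a production rule carries a fuller one. Unlisted GUIDs are reported as "unknown CSE".
CSE_LOOKUP = {
    "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}": "Registry / Administrative Templates",
    "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}": "Security Settings",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
}
EXT_ATTRS = {"gpcmachineextensionnames", "gpcuserextensionnames"}  # GPO CSE list attributes
GUID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
VALUE_DELETED, VALUE_ADDED = "%%14675", "%%14674"  # Event 5136 OperationType codes

def extension_guids(value):
    """Return the set of syntactically valid GUIDs in a gPC*ExtensionNames value."""
    return {g.upper() for g in GUID_RE.findall(value or "")}

def detect_new_cse(events):
    """Pair old/new 5136 values per GPO attribute and report newly added CSE GUIDs."""
    pairs = defaultdict(lambda: {"old": "", "new": ""})
    for e in events:
        attr = e.get("AttributeLDAPDisplayName", "")
        if e.get("EventCode") != 5136 or attr.lower() not in EXT_ATTRS:
            continue  # not a GPO client-side extension change
        side = "old" if e["OperationType"] == VALUE_DELETED else "new"
        pairs[(e["ObjectDN"], attr)][side] = e["AttributeValue"]
    findings = []
    for (dn, attr), v in pairs.items():
        for guid in sorted(extension_guids(v["new"]) - extension_guids(v["old"])):
            findings.append({"gpo": dn, "attribute": attr, "guid": guid,
                             "cse": CSE_LOOKUP.get(guid, "unknown CSE")})
    return findings

# Constructed sample events: the Scheduled Tasks CSE is appended to a GPO's machine
# extensions; the displayName change is unrelated and must be ignored by the rule.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=local"
OLD = "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]"
NEW = OLD + "[{AADCED64-746C-4633-A97C-D61349046527}]"
SAMPLE_EVENTS = [
    {"EventCode": 5136, "ObjectDN": GPO_DN, "OperationType": VALUE_DELETED,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": OLD},
    {"EventCode": 5136, "ObjectDN": GPO_DN, "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": NEW},
    {"EventCode": 5136, "ObjectDN": GPO_DN, "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "displayName", "AttributeValue": "Workstation Baseline"},
]

if __name__ == "__main__":
    for f in detect_new_cse(SAMPLE_EVENTS):
        print(f"{f['gpo']}: new CSE {f['guid']} ({f['cse']}) via {f['attribute']}")
```

A GPO that receives its first extension produces only a Value Added event, so the empty old value makes every GUID in it a finding, which is the intended behaviour.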
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
ATT&CK Techniques
- T1484
- T1484.001
- T1222
- T1222.001
Created: 2025-01-21