
Summary
This analytic rule monitors modifications to default Group Policy Objects (GPOs) made through the Group Policy Management Editor (GPME), using Sysmon and Windows Event logs. It specifically targets instances where the process `mmc.exe` executes `gpme.msc` with a command line containing the GUIDs of default GPOs, including the critical `Default Domain Controllers Policy` and `Default Domain Policy`. Unauthorized changes to these policies can indicate malicious activity aimed at compromising the domain, for example by granting unauthorized access or establishing persistence. The detection is a search that aggregates the relevant process-creation events and surfaces edits to default GPOs for review, so that the integrity of critical domain security configurations can be verified.
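The following is an added illustration of the detection logic described above, not the rule's own search or any vendor code. It runs the `mmc.exe` + `gpme.msc` + default-GPO-GUID match over a handful of constructed Sysmon Event ID 1 (process creation) records and aggregates the hits by host and user. The two GUIDs are the well-known identifiers Active Directory assigns to the two default GPOs in every domain; the `/GPOBJECT:` command-line form and all hostnames, users and timestamps in the sample are constructed for the example.

```python
import re
from collections import defaultdict

# Well-known GUIDs of the two default GPOs. These are fixed by Active Directory
# in every domain; they are not taken from the page above.
DEFAULT_GPO_GUIDS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# Matches a braced GUID anywhere in a command line, in either letter case.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def classify_event(event):
    """Return the name of the default GPO being edited, or None if the event
    is not an mmc.exe launch of gpme.msc against a default GPO."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Process must be mmc.exe and the snap-in loaded must be gpme.msc.
    if not image.lower().endswith("\\mmc.exe"):
        return None
    if "gpme.msc" not in cmdline.lower():
        return None
    # Any default-GPO GUID in the command line makes this an event of interest.
    for guid in GUID_RE.findall(cmdline):
        name = DEFAULT_GPO_GUIDS.get(guid.upper())
        if name is not None:
            return name
    return None


def detect(events):
    """Filter process-creation events down to default-GPO edits via GPME and
    aggregate them per (host, user), mirroring the summarising search."""
    groups = defaultdict(lambda: {"count": 0, "gpos": set(), "first": None, "last": None})
    for e in events:
        gpo = classify_event(e)
        if gpo is None:
            continue
        key = (e["Computer"], e["User"])
        g = groups[key]
        g["count"] += 1
        g["gpos"].add(gpo)
        g["first"] = min(filter(None, [g["first"], e["UtcTime"]]))
        g["last"] = max(filter(None, [g["last"], e["UtcTime"]]))
    return [
        {"host": h, "user": u, "count": g["count"], "gpos": sorted(g["gpos"]),
         "first": g["first"], "last": g["last"]}
        for (h, u), g in sorted(groups.items())
    ]


# Constructed Sysmon Event ID 1 records (only the fields the logic needs).
SAMPLE_EVENTS = [
    {   # Edit of the Default Domain Policy from an admin workstation.
        "UtcTime": "2024-11-13 09:12:01.100", "Computer": "ADM-WS01.corp.example",
        "User": "CORP\\jdoe", "Image": "C:\\Windows\\system32\\mmc.exe",
        "CommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\gpme.msc" '
                       '/GPOBJECT:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},'
                       'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # Edit of the Default Domain Controllers Policy; GUID with mixed-case hex.
        "UtcTime": "2024-11-13 09:14:37.420", "Computer": "ADM-WS01.corp.example",
        "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\mmc.exe",
        "CommandLine": '"C:\\Windows\\System32\\mmc.exe" "C:\\Windows\\System32\\gpme.msc" '
                       '/GPOBJECT:"LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},'
                       'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # Edit of a custom GPO (constructed GUID): should not match.
        "UtcTime": "2024-11-13 09:20:05.000", "Computer": "ADM-WS02.corp.example",
        "User": "CORP\\asmith", "Image": "C:\\Windows\\system32\\mmc.exe",
        "CommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\gpme.msc" '
                       '/GPOBJECT:"LDAP://CN={0F1E2D3C-4B5A-4968-8796-A5B4C3D2E1F0},'
                       'CN=Policies,CN=System,DC=corp,DC=example"',
    },
    {   # mmc.exe with a different snap-in: should not match.
        "UtcTime": "2024-11-13 09:21:44.000", "Computer": "ADM-WS02.corp.example",
        "User": "CORP\\asmith", "Image": "C:\\Windows\\system32\\mmc.exe",
        "CommandLine": '"C:\\Windows\\system32\\mmc.exe" "C:\\Windows\\system32\\eventvwr.msc"',
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In a SIEM the same three conditions (image, snap-in, GUID) become the filter and the per-host/per-user grouping becomes the aggregation; the GUID lookup is what distinguishes an edit of a default GPO from routine editing of other policies, so it is the field worth keeping in the alert for triage.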
Categories
- Windows
- Endpoint
- Network
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1484
- T1484.001
Created: 2024-11-13