Windows AD GPO Disabled

Splunk Security Content

Summary
This detection rule identifies instances where an Active Directory Group Policy Object (GPO) is disabled through the Group Policy Management Console. It leverages Windows Security Event 5136, which records changes to directory objects, including changes to a GPO's status. The rule evaluates the 'AttributeValue' field that indicates the state of the GPO and generates a descriptive label for each possible configuration. It joins the event with AD monitoring (admon) data to correlate the change with the acting user and the GPO display name, allowing deeper investigation of the modification. The search conditions and evaluations filter for significant GPO modifications, providing actionable insight into potentially unauthorized changes in the AD environment. Implementation requires that the necessary logs are being ingested and that the rule's macros are configured correctly.
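The detection logic described above, as an added Python example that is not part of the Splunk Security Content rule or its SPL. It assumes the GPO state is carried by the groupPolicyContainer "flags" attribute (the page does not name the attribute), uses the standard Event 5136 OperationType codes for value added/deleted, and runs over constructed 5136 records and a constructed admon lookup of distinguished name to display name.

```python
# Added example: filter Windows Security Event 5136 for GPO status changes,
# label the new state, and correlate with admon display names.
# Assumption: the GPO state lives in the groupPolicyContainer "flags" attribute.

# Labels GPMC shows for the four possible values of the GPO "flags" attribute.
GPO_STATUS = {
    "0": "Enabled",
    "1": "User configuration settings disabled",
    "2": "Computer configuration settings disabled",
    "3": "All settings disabled",
}

# Event 5136 OperationType: %%14674 = value added, %%14675 = value deleted.
# One flags change produces a pair of events (old value deleted, new value added).
OP_VALUE_ADDED = "%%14674"
OP_VALUE_DELETED = "%%14675"

# Constructed sample events; GUIDs and domain are placeholders, not real data.
DN_A = "CN={11111111-AAAA-BBBB-CCCC-000000000001},CN=Policies,CN=System,DC=corp,DC=example"
DN_B = "CN={22222222-AAAA-BBBB-CCCC-000000000002},CN=Policies,CN=System,DC=corp,DC=example"
DN_C = "CN={33333333-AAAA-BBBB-CCCC-000000000003},CN=Policies,CN=System,DC=corp,DC=example"

SAMPLE_EVENTS = [
    # alice disables all settings on GPO A: old value 0 deleted, new value 3 added
    {"EventCode": "5136", "OperationType": OP_VALUE_DELETED, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DN_A, "AttributeLDAPDisplayName": "flags", "AttributeValue": "0",
     "SubjectUserName": "alice"},
    {"EventCode": "5136", "OperationType": OP_VALUE_ADDED, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DN_A, "AttributeLDAPDisplayName": "flags", "AttributeValue": "3",
     "SubjectUserName": "alice"},
    # svc_gpo re-enables GPO B (flags back to 0): labelled, but not a disable finding
    {"EventCode": "5136", "OperationType": OP_VALUE_ADDED, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DN_B, "AttributeLDAPDisplayName": "flags", "AttributeValue": "0",
     "SubjectUserName": "svc_gpo"},
    # unrelated directory change on a user object: must be ignored
    {"EventCode": "5136", "OperationType": OP_VALUE_ADDED, "ObjectClass": "user",
     "ObjectDN": "CN=bob,CN=Users,DC=corp,DC=example", "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Contractor", "SubjectUserName": "helpdesk"},
    # bob disables the computer half of GPO C, which has no admon record yet
    {"EventCode": "5136", "OperationType": OP_VALUE_ADDED, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DN_C, "AttributeLDAPDisplayName": "flags", "AttributeValue": "2",
     "SubjectUserName": "bob"},
]

# Constructed admon lookup: distinguishedName -> displayName (DN_C intentionally absent).
SAMPLE_ADMON = {
    DN_A: "Default Domain Policy",
    DN_B: "Workstation Hardening",
}


def gpo_status_label(attribute_value):
    """Descriptive label for a flags AttributeValue, with a fallback for unknown values."""
    return GPO_STATUS.get(attribute_value, f"Unknown flags value {attribute_value}")


def detect_gpo_disabled(events, admon):
    """Return one finding per GPO that was placed in a disabled state.

    Only the 'value added' half of a flags change is used, so the old value being
    deleted is not mistaken for a new state. Display names come from admon, falling
    back to the ObjectDN when the GPO has not been enumerated yet.
    """
    findings = []
    for ev in events:
        if ev.get("EventCode") != "5136":
            continue
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        if ev.get("AttributeLDAPDisplayName") != "flags":
            continue
        if ev.get("OperationType") != OP_VALUE_ADDED:
            continue
        value = ev.get("AttributeValue", "")
        if value == "0":
            continue  # GPO enabled (or re-enabled): not a disable event
        findings.append({
            "user": ev.get("SubjectUserName"),
            "gpo": admon.get(ev["ObjectDN"], ev["ObjectDN"]),
            "status": gpo_status_label(value),
        })
    return findings


if __name__ == "__main__":
    for f in detect_gpo_disabled(SAMPLE_EVENTS, SAMPLE_ADMON):
        print(f"{f['user']} set '{f['gpo']}' to: {f['status']}")
```

Keeping the value-deleted events out of the match is what prevents a re-enable (old value 3 deleted, new value 0 added) from surfacing as a disable; the fallback to the ObjectDN ensures a freshly created GPO that admon has not yet enumerated is still reported rather than dropped by the join.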
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1562.001
  • T1484.001
Created: 2025-01-21