LoFP / general usage of group policy will trigger this detection, also please not gpos modified using tools such as sharpgpoabuse will not generate the ad audit events which enable this detection.

`wineventlog_security` EventCode=5136 ObjectClass=groupPolicyContainer AttributeLDAPDisplayName=gPCMachineExtensionNames 
| stats min(_time) as _time values(eval(if(OperationType=="%%14675",AttributeValue,null))) as old_value values(eval(if(OperationType=="%%14674",AttributeValue,null))) as new_value values(OperationType) as OperationType by ObjectClass ObjectDN OpCorrelationID src_user SubjectLogonId 
| rex field=old_value max_match=10000 "(?P<old_values>\{.*?\})" 
| rex field=new_value max_match=10000 "(?P<new_values>\{.*?\})" 
| rex field=ObjectDN max_match=10000 "CN=(?P<policy_guid>\{.*?\})" 
| mvexpand new_values 
| where NOT new_values IN (old_values,"{00000000-0000-0000-0000-000000000000}",policy_guid) AND match(new_values, "^\{[A-Z
|\d]+\-[A-Z
|\d]+\-[A-Z
|\d]+\-[A-Z
|\d]+\-[A-Z
|\d]+\}") 
| lookup msad_guid_lookup guid as new_values OUTPUTNEW displayName as policyType 
| eval newPolicy=if(policyType like "%",policyType,new_values) 
| join ObjectDN  [
| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update 
| stats latest(displayName) as displayName by distinguishedName 
| eval ObjectDN=upper(distinguishedName)] 
| stats values(OpCorrelationID) as OpCorrelationID values(src_user) as src_user values(SubjectLogonId) as SubjectLogonId values(newPolicy) as newPolicy values(displayName) as policyName by ObjectDN 
| `windows_ad_gpo_new_cse_addition_filter`