I understand that this thread is a bit old but I have searched for an answer everywhere and haven't found any. So, I was wondering if someone could actually help with this as I have a similar query. I am able to get which group policy changed and by whom, but I also need to know what exactly changed in a GPO. Can someone please tell me how can we do that? I am using Splunk app for Windows Infrastructure and it's set up correctly.