diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml index d7b122d2bd..ee6167057a 100644 --- a/detections/application/windows_ad_gpo_disabled.yml +++ b/detections/application/windows_ad_gpo_disabled.yml @@ -10,7 +10,7 @@ data_source: description: This detection identifies when an Active Directory Group Policy is disabled using the Group Policy Management Console. search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=flags OperationType="%%14674" AttributeValue!=0 | eval AttributeValueExp=case(AttributeValue==0,"Enabled",AttributeValue==1,"User configuration settings disabled",AttributeValue==2,"Computer configuration settings disabled",AttributeValue==3,"Disabled"), ObjectDN=upper(ObjectDN) - | join ObjectDN type=outer [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ] + | join ObjectDN type=inner [| search `admon` objectCategory="CN=Group-Policy-Container*" admonEventType=Update | eval ObjectDN=upper(distinguishedName) | stats latest(displayName) as displayName by ObjectDN ] | stats min(_time) as _time values(AttributeValue) as AttributeValue values(AttributeValueExp) as AttributeValueExp values(OpCorrelationID) as OpCorrelationID values(displayName) as policyName values(src_user) as src_user by ObjectDN SubjectLogonId | `windows_ad_gpo_disabled_filter`' how_to_implement: Ensure you are ingesting Active Directory audit logs - specifically event 5136, admon data is also used to display
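Review bot: switching the `admon` subsearch from `type=outer` to `type=inner` turns the GPC lookup into a hard requirement for the detection to fire, so any EventCode=5136 flags change whose ObjectDN has no matching `admonEventType=Update` record (admon not ingested, a GPO created before admon collection began, or the subsearch truncated by Splunk's join result limits) is now dropped rather than reported without a policyName. That is at odds with the unchanged `how_to_implement` text, which still says admon data "is also used to display", i.e. it describes admon as supplementary. Either keep `type=outer` and fill the missing name in the subsequent stats (for example `| fillnull value="unknown" displayName` before the `stats`), or, if the inner join is intended to suppress noise from stale or deleted GPC objects, say so in the description and update `how_to_implement` to state that admon data is required for the search to return results.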