4715 The audit policy (SACL) on an object was changed

Logged when the audit policy (SACL, the setting that determines what is audited) on an object is changed. Because disabling auditing is how traces get hidden, this is an important event and it is always logged.

Overview

The subcategory is Audit Policy Change. It is generated whenever the local audit policy security descriptor changes. This event is always logged regardless of the “Audit Policy Change” subcategory setting.

How it is triggered

  • When an object’s SACL (System Access Control List: the setting that defines what is audited on that object) is changed.

Security review points

  • An attacker may weaken or remove the SACL on an important object so that their activity is not recorded. Disabling auditing is a hallmark of defense evasion, and a SACL change can be a precursor to hiding traces.
  • Check which object’s audit setting was changed, by whom, and how. Together with the audit-policy-change event 4719, monitor changes to the auditing posture as a whole.

Notes for log review

  • Since it is always logged, there is little worry of a configuration gap. Distinguish legitimate configuration changes (audit design reviews) from unexpected weakening.
  • Alerting narrowed to SACL changes on important assets (sensitive folders, registry, AD objects) is effective.
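Triage logic for the two review points above, as an added example that is not part of the original page: it parses constructed 4715 records in Windows event XML form, flags any SACL change on a watched asset, and otherwise flags only changes made by an account outside the approved audit administrators. The watchlist, account names and the Subject*/Object* data field names are assumptions for the example, not values taken from a live log.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (what wevtutil / Get-WinEvent .ToXml() emit).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed watchlist of important assets, and accounts allowed to change auditing.
WATCHLIST = ("\\\\FS01\\Finance", "HKLM\\SYSTEM\\CurrentControlSet", "CN=Domain Admins")
APPROVED_CHANGERS = {"CORP\\audit-admin"}

def make_event(event_id: str, **data: str) -> str:
    """Build a minimal Windows-style event record (constructed sample input, not a real log)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

def parse_event(xml_text: str) -> dict:
    """Flatten the System/EventID and every EventData/Data element into one dict."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec

def triage(rec: dict):
    """Return an alert reason for a 4715 record, or None when the change looks routine."""
    if rec.get("EventID") != "4715":
        return None  # other audit-policy events (e.g. 4719) are handled elsewhere
    who = f"{rec.get('SubjectDomainName', '')}\\{rec.get('SubjectUserName', '')}"
    obj = rec.get("ObjectName", "")
    # A SACL change on a watched asset is always worth a look, whoever made it.
    if any(obj.startswith(w) for w in WATCHLIST):
        return f"SACL changed on watched object {obj} by {who}"
    # Elsewhere, only changes made outside the approved audit-admin accounts stand out.
    if who not in APPROVED_CHANGERS:
        return f"SACL changed on {obj} by unapproved account {who}"
    return None

def alerts(events: list) -> list:
    """Run triage over raw event XML strings and keep only the records worth review."""
    return [r for r in (triage(parse_event(e)) for e in events) if r]

# Constructed sample records; the Subject*/Object* field names are assumed, not copied from a live log.
SAMPLES = [
    make_event("4715", SubjectDomainName="CORP", SubjectUserName="audit-admin",
               ObjectType="File", ObjectName="\\\\FS01\\Finance\\Payroll"),
    make_event("4715", SubjectDomainName="CORP", SubjectUserName="jdoe",
               ObjectType="File", ObjectName="C:\\Temp\\scratch"),
    make_event("4715", SubjectDomainName="CORP", SubjectUserName="audit-admin",
               ObjectType="File", ObjectName="C:\\Temp\\scratch"),
    make_event("4719", SubjectDomainName="CORP", SubjectUserName="jdoe"),
]
```

Running `alerts(SAMPLES)` yields two findings: the change on the watched Finance share (even though an approved account made it) and the change made by the unapproved account; the routine change and the 4719 record are passed over.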

Key fields

Field                      | Meaning
Object Name / Object Type  | The target whose audit setting was changed
Subject\Account Name       | The account that made the change
