4719 System audit policy was changed
Written when the computer's audit policy is changed. It records auditing being switched on or off per subcategory, which makes it a top-tier event for catching an attacker who stops auditing to hide their traces.
Overview
The subcategory is Audit Policy Change. It is generated when the audit policy (which subcategories are recorded for success/failure) changes. This event is always logged regardless of the “Audit Policy Change” subcategory setting, so the very fact that someone tried to stop auditing tends to remain.
How it is triggered
- A change to the audit policy via auditpol, Group Policy, the audit policy APIs, and so on.
- It records which subcategory's auditing changed and how: success or failure auditing added or removed (the Changes field reads "Success added", "Success removed", "Failure added" or "Failure removed", and may list more than one).
Security review points
- An attacker may disable auditing so their activity is not recorded. Disabling important subcategories such as Process Creation (4688) or Logon (4624) is a strong sign of defense evasion.
- Audit policy is normally changed only deliberately by a limited set of administrators. Always investigate a change by an unexpected subject or at an unexpected time. Together with 4715 (the audit policy, i.e. SACL, on an object was changed), monitor changes to the auditing posture as a whole.
Notes for log review
- Since it is always logged, the 4719 itself tends to remain even if auditing is stopped. Alert at high priority on changes in the "removed" (disable auditing) direction, and at the highest priority when the subcategory is one you rely on, such as Process Creation, Logon or Audit Policy Change itself.
- Distinguish legitimate audit design changes (applying a baseline) from unexpected weakening. Record the changing subject, its Logon ID and the target subcategory. Group Policy refresh re-applies the configured policy and can produce 4719 events under NT AUTHORITY\SYSTEM (Logon ID 0x3E7); baseline that noise so that a change made by a human or service account stands out.
Key fields
| Field | Meaning |
|---|---|
| Category / Subcategory | The audit category and subcategory whose setting changed (e.g. Detailed Tracking / Process Creation) |
| Changes | The change to the audit setting: Success added, Success removed, Failure added or Failure removed; several may be listed |
| Subject\Account Name | The account that made the change; Subject\Logon ID ties it to the logon session in which the change was made |
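The triage described under "Security review points" and "Notes for log review", applied to the key fields above, as an added example (not code from the original page). It parses three constructed 4719 records in the XML shape that wevtutil or Get-WinEvent export, with the EventData values already rendered as text, and rates each change: anything in the "removed" direction is at least high, removal on a high-value subcategory is critical, and an unexpected subject is flagged even when it only adds auditing. The list of high-value subcategories, the set of expected subjects (CORP\svc-audit-baseline and the SYSTEM account that applies Group Policy), and all account names, logon IDs and record IDs are assumptions made for the example.

```python
"""Triage of Windows Event ID 4719 records (added example, not part of the original page).

Assumption about real exports: raw EventData carries CategoryId, SubcategoryId
and AuditPolicyChanges as resource-string IDs (e.g. %%8274) rather than readable
text; resolve them from the rendered message before feeding events to this logic.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subcategories an attacker most wants switched off (assumed list; extend to your baseline).
HIGH_VALUE_SUBCATEGORIES = {
    "Process Creation", "Logon", "Audit Policy Change", "Security System Extension",
}
# Subjects expected to change audit policy (assumed): the SYSTEM account applying
# Group Policy and a dedicated baseline-deployment account.
EXPECTED_SUBJECTS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc-audit-baseline"}
SEVERITY = ("info", "medium", "high", "critical")


def _sample(record_id, user, domain, logon, category, subcategory, changes):
    """Build one constructed 4719 export in the Windows event XML shape (demo data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID><EventRecordID>{record_id}</EventRecordID></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="SubjectLogonId">{logon}</Data><Data Name="CategoryId">{category}</Data>
    <Data Name="SubcategoryId">{subcategory}</Data><Data Name="AuditPolicyChanges">{changes}</Data>
  </EventData></Event>"""


SAMPLE_4719 = [
    # An interactive admin account silently turning off process auditing.
    _sample(1001, "jdoe", "CORP", "0x5a3e21", "Detailed Tracking", "Process Creation",
            "Success removed, Failure removed"),
    # Group Policy refresh tightening logon auditing: routine.
    _sample(1002, "SYSTEM", "NT AUTHORITY", "0x3e7", "Logon/Logoff", "Logon", "Failure added"),
    # Expected subject, but weakening a subcategory: still worth a look.
    _sample(1003, "SYSTEM", "NT AUTHORITY", "0x3e7", "Object Access",
            "Other Object Access Events", "Success removed"),
]


@dataclass(frozen=True)
class AuditPolicyChange:
    record_id: int
    subject: str       # DOMAIN\user
    logon_id: str
    category: str
    subcategory: str
    changes: tuple     # e.g. ("Success removed", "Failure removed")


def parse_4719(xml_text: str) -> AuditPolicyChange:
    """Extract the 4719 key fields from one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4719":
        raise ValueError("not a 4719 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    # Several changes can be listed in one event, comma separated.
    changes = tuple(c.strip() for c in data["AuditPolicyChanges"].split(",") if c.strip())
    return AuditPolicyChange(
        record_id=int(system.findtext("e:EventRecordID", namespaces=NS)),
        subject=f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        logon_id=data["SubjectLogonId"],
        category=data["CategoryId"],
        subcategory=data["SubcategoryId"],
        changes=changes,
    )


def triage(ev: AuditPolicyChange, expected_subjects=EXPECTED_SUBJECTS):
    """Return (severity, reasons) for one parsed 4719 event."""
    level, reasons = 0, []
    removed = [c for c in ev.changes if c.lower().endswith("removed")]
    if removed:  # auditing weakened: the direction the page says to alert on
        level = 3 if ev.subcategory in HIGH_VALUE_SUBCATEGORIES else 2
        reasons.append(f"{', '.join(removed)} for '{ev.subcategory}'")
    if ev.subject not in expected_subjects:
        level = max(level, 1)
        reasons.append(f"unexpected subject {ev.subject} (logon {ev.logon_id})")
    return SEVERITY[level], reasons


def triage_all(xml_events):
    """Parse and rate a batch of exported events; returns (record_id, severity, reasons)."""
    results = []
    for xml_text in xml_events:
        ev = parse_4719(xml_text)
        severity, reasons = triage(ev)
        results.append((ev.record_id, severity, reasons))
    return results


if __name__ == "__main__":
    for record_id, severity, reasons in triage_all(SAMPLE_4719):
        print(f"record {record_id}: {severity.upper():8} {'; '.join(reasons) or 'routine change'}")
```

Run as a script it rates record 1001 critical (high-value subcategory disabled by an unexpected account), 1002 info (the expected GPO refresh adding failure auditing) and 1003 high (an expected subject, but still a removal). In a SIEM the same two questions, "which direction?" and "who?", are what separate baseline noise from defense evasion; swap in your own subcategory list and expected subjects.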