4912 Per User Audit Policy was changed
Logged when a per-user audit policy is changed. It is an important audit-posture event because it records auditing being strengthened or weakened for one specific account.
Overview
The subcategory is Audit Policy Change. The event is generated when a per-user audit policy (a mechanism that assigns specific users audit settings different from the overall policy) is changed. Event 4902 (table creation) indicates “existence,” while 4912 indicates a “content change.”
How it is triggered
- When a specific account’s audit settings (which categories are recorded for success/failure) are changed individually.
Security review points
- If an attacker plants a setting that weakens auditing only for their own account, they can avoid having their activity recorded while leaving the overall policy intact (defense evasion). Watch for auditing being weakened for a specific account.
- Together with system audit-policy change 4719, monitor both overall and individual audit changes.
Notes for log review
- It is a rare change. Review changes that “weaken auditing for a specific user” at high priority.
- Record the target account, the change, and the acting subject. If your policy does not use per-user settings, the very appearance of 4912 is anomalous.
Key fields
| Field | Meaning |
|---|---|
| Target Account | The account whose audit settings were changed |
| Category / Subcategory | The changed audit category |
| Subject\Account Name | The subject that made the change |
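
The review points above, expressed as triage logic over already-parsed event records. This is an added example, not code from the original page. The dictionary keys, the change strings ("exclude added", "include removed") and the priority labels are assumptions for illustration; map them to what your collector actually emits.

```python
# Added example: triage of 4912 (and 4719) records already parsed into dicts.
# Keys, change strings and priority labels are assumptions, not a real schema.

# Assumed wording: a per-user "exclude" being added, or an "include" being
# removed, means less is recorded for that account.
WEAKENING = ("exclude added", "include removed")

def is_weakening(changes):
    text = changes.lower()
    return any(marker in text for marker in WEAKENING)

def triage(events, per_user_policy_in_use=False):
    """Return (priority, reason, event) tuples, highest priority first."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4719:
            # Page advice: watch overall policy changes alongside per-user ones.
            findings.append(("medium", "system audit policy changed", ev))
            continue
        if ev["event_id"] != 4912:
            continue
        if is_weakening(ev["changes"]):
            if ev["subject"].lower() == ev["target"].lower():
                findings.append(("critical", "account weakened its own auditing", ev))
            else:
                findings.append(("high", "auditing weakened for a specific account", ev))
        elif not per_user_policy_in_use:
            # If per-user settings are not used, any 4912 is anomalous.
            findings.append(("high", "4912 seen but per-user policy is not used", ev))
        else:
            findings.append(("low", "per-user auditing strengthened", ev))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample records (not real log data).
SAMPLE = [
    {"event_id": 4912, "subject": "CORP\\admin1", "target": "CORP\\svc_backup",
     "subcategory": "File System", "changes": "Success include added"},
    {"event_id": 4912, "subject": "CORP\\jdoe", "target": "CORP\\jdoe",
     "subcategory": "Logon", "changes": "Success exclude added, Failure exclude added"},
    {"event_id": 4719, "subject": "CORP\\admin1", "target": "",
     "subcategory": "Logon", "changes": "Failure removed"},
    {"event_id": 4624, "subject": "CORP\\jdoe", "target": "CORP\\jdoe",
     "subcategory": "", "changes": ""},
]

if __name__ == "__main__":
    for priority, reason, ev in triage(SAMPLE):
        print(priority, ev["event_id"], ev["target"], reason)
```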