Event ID 4719 — System audit policy was changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Audit Policy Change
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

System audit policy was changed.

Message #

System audit policy was changed.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Audit Policy Change:
	Category: %5
	Subcategory: %6
	Subcategory GUID: %7
	Changes: %8

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`CategoryId` UnicodeString	[Audit Policy Change] Category. Known values `%%8272` System `%%8273` Logon/Logoff `%%8274` Object Access `%%8275` Privilege Use `%%8276` Detailed Tracking `%%8277` Policy Change `%%8278` Account Management `%%8279` DS Access `%%8280` Account Logon
`SubcategoryId` UnicodeString	[Audit Policy Change] Subcategory. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service
`SubcategoryGuid` GUID	[Audit Policy Change] Subcategory GUID. Known values `%%12288` Security State Change `%%12289` Security System Extension `%%12290` System Integrity `%%12291` IPsec Driver `%%12292` Other System Events `%%12544` Logon `%%12545` Logoff `%%12546` Account Lockout `%%12547` IPsec Main Mode `%%12548` Special Logon `%%12549` IPsec Quick Mode `%%12550` IPsec Extended Mode `%%12551` Other Logon/Logoff Events `%%12552` Network Policy Server `%%12553` User / Device Claims `%%12554` Group Membership `%%12800` File System `%%12801` Registry `%%12802` Kernel Object `%%12803` SAM `%%12804` Other Object Access Events `%%12805` Certification Services `%%12806` Application Generated `%%12807` Handle Manipulation `%%12808` File Share `%%12809` Filtering Platform Packet Drop `%%12810` Filtering Platform Connection `%%12811` Detailed File Share `%%12812` Removable Storage `%%12813` Central Policy Staging `%%13056` Sensitive Privilege Use `%%13057` Non Sensitive Privilege Use `%%13058` Other Privilege Use Events `%%13312` Process Creation `%%13313` Process Termination `%%13314` DPAPI Activity `%%13315` RPC Events `%%13316` Plug and Play Events `%%13317` Token Right Adjusted Events `%%13568` Audit Policy Change `%%13569` Authentication Policy Change `%%13570` Authorization Policy Change `%%13571` MPSSVC Rule-Level Policy Change `%%13572` Filtering Platform Policy Change `%%13573` Other Policy Change Events `%%13824` User Account Management `%%13825` Computer Account Management `%%13826` Security Group Management `%%13827` Distribution Group Management `%%13828` Application Group Management `%%13829` Other Account Management Events `%%14080` Directory Service Access `%%14081` Directory Service Changes `%%14082` Directory Service Replication `%%14083` Detailed Directory Service Replication `%%14336` Credential Validation `%%14337` Kerberos Service Ticket Operations `%%14338` Other Account Logon Events `%%14339` Kerberos Authentication Service
`AuditPolicyChanges` UnicodeString	[Audit Policy Change] Changes. Known values `%%8448` Success removed `%%8449` Success Added `%%8450` Failure removed `%%8451` Failure added `%%8452` Success include removed `%%8453` Success include added `%%8454` Success exclude removed `%%8455` Success exclude added `%%8456` Failure include removed `%%8457` Failure include added `%%8458` Failure exclude removed `%%8459` Failure exclude added
`ClientProcessId` UInt32	—
`ClientProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4719,
    "version": 1,
    "level": 0,
    "task": 13568,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T23:49:58.098445+00:00",
    "event_record_id": 112372,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 8228
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "CategoryId": "%%8279",
    "SubcategoryId": "%%14080",
    "SubcategoryGuid": "0CCE923B-69AE-11D9-BED3-505054503030",
    "AuditPolicyChanges": "%%8449, %%8451",
    "ClientProcessId": 8540,
    "ClientProcessStartKey": 3659174697239635
  },
  "message": ""
}

Community Notes #

System audit policy changed. Attackers often disable auditing to reduce detection.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Event Auditing Disabled source low: Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Important Windows Event Auditing Disabled source high: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Elastic # view in reference

Sensitive Audit Policy Sub-Category Disabled source medium: Identifies attempts to disable auditing for some security sensitive audit policy sub-categories. This is often done by attackers in an attempt to evade detection and forensics on a system.

Splunk # view in reference

Windows AD Domain Controller Audit Policy Disabled source: The following analytic detects the disabling of audit policies on a domain controller. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.
Windows Important Audit Policy Disabled source: The following analytic detects the disabling of important audit policies. It leverages EventCode 4719 from Windows Security Event Logs to identify changes where success or failure auditing is removed. This activity is significant as it suggests an attacker may have gained access to the domain controller and is attempting to evade detection by tampering with audit policies. If confirmed malicious, this could lead to severe consequences, including data theft, privilege escalation, and full network compromise. Immediate investigation is required to determine the source and intent of the change.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4719 — System audit policy was changed.

Description

Message #

Fields #

Example Event #

Community Notes #

Detection Rules #

Sigma # view in reference

Elastic # view in reference

Splunk # view in reference

Related Events #

References #