
Audit Policy Change

Some detection rules depend on audit policy change events to spot an attacker disabling or weakening auditing, or an administrator misconfiguring it. Enabling this subcategory gives visibility into every change to the system audit policy, which supports both compliance and security monitoring.

To enable Audit Audit Policy Change across a group of servers, configure it through Active Directory Group Policy under Advanced Audit Policy Configuration at the following path:

 Computer Configuration > Windows Settings > Security Settings > Advanced Security Audit Policy Settings > Audit Policies > Policy Change > Audit Audit Policy Change (Success,Failure) 

To enable this policy on a single machine, run the following command in an elevated command prompt (the subcategory name must match exactly, including quotes):

 auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable 

Note that subcategory settings only take effect when the legacy category-level policy is not overriding them. If the setting does not stick, confirm that the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is enabled, and check the result with auditpol.exe /get /subcategory:"Audit Policy Change". Running the /set command itself generates a 4719 event, which is a quick way to confirm logging is working.

When this audit policy is enabled, the following event IDs may be generated:

  • 4715: The audit policy (SACL) on an object was changed.
  • 4719: System audit policy was changed.
  • 4817: Auditing settings on object were changed (Global Object Access Auditing policy).
  • 4902: The Per-user audit policy table was created.
  • 4904: An attempt was made to register a security event source.
  • 4905: An attempt was made to unregister a security event source.
  • 4906: The CrashOnAuditFail value has changed.
  • 4907: Auditing settings on object were changed (an individual object's SACL).
  • 4908: Special Groups Logon table modified.
  • 4912: Per User Audit Policy was changed.
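The following PowerShell script is an added example, not part of the original page, that ties the local procedure above together: it reads the current state of the subcategory, enables Success and Failure auditing only if needed, verifies the result, and then pulls the event IDs listed above from the Security log. It assumes an elevated session on a machine where auditpol.exe and Get-WinEvent are available; the 24-hour lookback window is an arbitrary choice.

```powershell
# Added example (not from the original page): verify and, if needed, enable the
# "Audit Policy Change" subcategory locally, then read back the events it generates.
# Run from an elevated PowerShell session.

function Get-AuditPolicyChangeSetting {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting), which ConvertFrom-Csv parses.
    auditpol.exe /get /subcategory:"Audit Policy Change" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
}

# 1. Read the current setting. Expected values are "No Auditing", "Success",
#    "Failure" or "Success and Failure".
$current = Get-AuditPolicyChangeSetting
$current | Select-Object Subcategory, 'Inclusion Setting'

# 2. Enable Success and Failure auditing only if it is not already fully enabled.
if ($current.'Inclusion Setting' -ne 'Success and Failure') {
    auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
}

# 3. Confirm the change took effect. A mismatch here usually means the legacy
#    category-level audit policy is overriding subcategory settings.
$after = Get-AuditPolicyChangeSetting
if ($after.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning "Subcategory is '$($after.'Inclusion Setting')', not 'Success and Failure'"
}

# 4. Collect the event IDs this subcategory produces from the last 24 hours
#    (lookback window is an arbitrary choice for this example). The /set call in
#    step 2 itself generates a 4719, so at least one hit is expected after a change.
$ids = 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The auditpol read-back in step 3 is the check worth keeping: Group Policy and the legacy category settings can silently reverse a local /set, and a 4719 event confirms the policy change was actually recorded rather than merely requested.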

Use the following GitHub search to identify rules that use the events listed:

Elastic Detection Rules GitHub Repo Search