Event ID: 4719System audit policy was changed
System audit policy was changed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Audit Policy Change: Category: %5 Subcategory: %6 Subcategory GUID: %7 Changes: %8
This event generates when the computer's audit policy changes.
This event is always logged regardless of the "Audit Policy Change" sub-category setting.
This event should always be monitored, since changes to the local audit policy, especially the disabling of one or more options, could allow attackers to perform destructive actions on a system without a trace.
Low, since audit policy changes usually do not happen on a regular basis.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Audit Policy Change"
LEFT/RIGHT arrow keys for navigationBack to List