Audit Policy Changed
Enabled by default
Service: Microsoft Windows Security Auditing
Log type: Security
A change to the audit policy can mean that an unauthorized party is trying to gain access to a location they shouldn't reach or to escalate their privileges. Attackers also turn auditing off to cover their tracks, so a 4719 that removes Success or Failure auditing from a subcategory deserves particular scrutiny. This event is recommended for HIPAA compliance, required for PCI DSS compliance, and recommended by the NSA Event Forwarding Guidance.
View the most recent 4719 event: Get-WinEvent -FilterHashTable @{LogName='Security';ID='4719'} -MaxEvents 1 | Format-List
Check whether the subcategory that produces 4719 is audited: auditpol /get /subcategory:"audit policy change"
Disable it (testing only; 4719 itself is written by this subcategory, so disabling it hides later policy changes): auditpol /set /subcategory:"audit policy change" /Success:Disable /Failure:Disable
Re-enable it: auditpol /set /subcategory:"audit policy change" /Success:Enable /Failure:Enable
Note that a setting applied with auditpol on a domain-joined host is overwritten at the next Group Policy refresh if a GPO defines the advanced audit policy; make the change in the GPO if it is meant to persist.
Compliance
HIPAA
Level: Recommended
PCI DSS
Level: Required
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599
NSA Event Forwarding
Level: Recommended
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
Changes to the audit policy are logged by default on Windows 10 Professional. To view them in Event Viewer, open Windows Logs > Security and filter (or sort) on Event ID 4719.
To view this event from the command line with Get-WinEvent, open PowerShell as an administrator and enter: Get-WinEvent -FilterHashTable @{LogName='Security';ID='4719'} -MaxEvents 1 | Format-List
To view it with wevtutil, open PowerShell or Command Prompt as an administrator and enter: wevtutil qe Security "/q:*[System [(EventID=4719)]]" (add /c:1 to limit the output to one event and /f:text for a readable rendering instead of XML).
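The commands above return raw events. What an analyst actually wants from 4719 is who changed which subcategory and whether the change removed auditing. The following PowerShell script is an added example, not code from the original page: it pulls recent 4719 events, decodes the EventData fields from the event XML, resolves the SubcategoryGuid to a name using auditpol, and flags changes that remove Success or Failure auditing. It assumes an elevated session; the $MaxEvents parameter, the output columns and the regex used on auditpol's listing are this example's own choices. The %%8448 to %%8451 codes are the documented AuditPolicyChanges values for 4719.

```powershell
# Added example (not from the original page): triage Event ID 4719.
# Assumes an elevated PowerShell session on a host whose Security log holds 4719 events.
param(
    [int]$MaxEvents = 50   # example's own default: how many recent 4719 events to inspect
)

# Documented AuditPolicyChanges codes carried in the raw 4719 XML.
$ChangeNames = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}
$RemovalCodes = '%%8448', '%%8450'

# Resolve subcategory GUIDs to names; "auditpol /list /subcategory:* /v" prints one
# "<name> {GUID}" line per subcategory. The regex below is this example's assumption
# about that layout.
$GuidToName = @{}
auditpol /list /subcategory:* /v 2>$null | ForEach-Object {
    if ($_ -match '^\s*(?<name>.+?)\s+\{(?<guid>[0-9A-Fa-f-]{36})\}\s*$') {
        $GuidToName[$Matches.guid.ToUpper()] = $Matches.name.Trim()
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No 4719 events found. Verify auditpol /get /subcategory:"audit policy change" and the Security log retention.'
    return
}

$results = foreach ($e in $events) {
    # EventData/Data elements are keyed by their Name attribute; build a lookup.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # AuditPolicyChanges may hold several comma-separated codes, e.g. "%%8448, %%8450".
    $codes = @($d['AuditPolicyChanges'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $decoded = $codes | ForEach-Object { if ($ChangeNames.ContainsKey($_)) { $ChangeNames[$_] } else { $_ } }
    $removes = [bool]($codes | Where-Object { $_ -in $RemovalCodes })

    $guid = ($d['SubcategoryGuid'] -replace '[{}]', '').ToUpper()
    $subcategory = if ($GuidToName.ContainsKey($guid)) { $GuidToName[$guid] } else { $d['SubcategoryGuid'] }

    [pscustomobject]@{
        TimeCreated     = $e.TimeCreated
        Subject         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId         = $d['SubjectLogonId']
        Subcategory     = $subcategory
        Changes         = ($decoded -join '; ')
        RemovesAuditing = $removes
    }
}

# Removals first: a RemovesAuditing=True row from an account that is not your
# policy-management identity (or a LogonId you cannot tie to a change window)
# is the one to investigate.
$results | Sort-Object RemovesAuditing, TimeCreated -Descending | Format-Table -AutoSize
```

Because the script reads the raw XML rather than the rendered Message, it sees the %% codes directly and is not affected by the language of the message resource. Join the LogonId against 4624 in the same log to find the logon session (and source address, for network logons) behind a suspicious change.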