System audit policy was changed
System audit policy was changed on the machine. Documents enabling or disabling of specific audit categories.
Event ID 4719 logs modifications to the local or domain-enforced system audit policy (`auditpol.exe`). It details the specific Audit Category and Subcategory modified, along with whether Success, Failure, or No Auditing (`Changes: Audit disabled`) was configured. Attackers frequently disable event logging right after initial compromise to blind security tools and analysts.
Failure Reason / Root Cause:
Group Policy audit policy updates, administrative re-configuration, or attacker defense evasion turning off auditing.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.888Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to System audit policy was changed -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1562.002 | Impair Defenses: Disable Windows Event Logging | Defense Evasion |
Recommended actions
- Alert immediately on any Event ID 4719 where critical subcategories (Logon/Logoff, Process Tracking, Account Management) have auditing disabled (`Audit disabled`).
- Verify that the `SubjectUserName` changing audit policies corresponds to automated Group Policy deployment engines or authorized security architects.
- Re-enforce canonical audit settings automatically via continuous Group Policy refresh (`gpupdate /force`).