4719

System audit policy was changed

System audit policy was changed on the machine. Documents enabling or disabling of specific audit categories.

Event ID 4719 logs modifications to the local or domain-enforced system audit policy (`auditpol.exe`). It details the specific Audit Category and Subcategory modified, along with whether Success, Failure, or No Auditing (`Changes: Audit disabled`) was configured. Attackers frequently disable event logging right after initial compromise to blind security tools and analysts.

Failure Reason / Root Cause:

Group Policy audit policy updates, administrative re-configuration, or attacker defense evasion turning off auditing.

CategoryPolicy Change
Audit typeSuccess Audit
SeverityCritical
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordsaudit policy changed, audit disabled, auditpol, defense evasion, policy change, logging disabled
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4719</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.888Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to System audit policy was changed -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1562.002Impair Defenses: Disable Windows Event LoggingDefense Evasion

Recommended actions

Related events