Windows Event 4719 — System Audit Policy Changed

Tags: Windows Events, Windows Security, Defense Evasion / Audit Tampering

What This Means

Windows Event 4719 is generated whenever the system audit policy is modified. Monitoring it detects defense evasion in which attackers disable logging to cover their tracks in your environment.

Example Log

System audit policy was changed.

Subject:
  Security ID:    S-1-5-18
  Account Name:   SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID:       0x3E7

Audit Policy Change:
  Category:       Logon/Logoff
  Subcategory:    Logon
  Subcategory GUID: {0cce9215-69ae-11d9-bed3-505054503030}
  Changes:        Success removed, Failure removed

How to Investigate

  1. Identify who or what changed the audit policy (Subject field)
  2. Determine which audit subcategories were modified and in what direction
  3. Check if the change was part of a legitimate Group Policy update
  4. Correlate timing with other suspicious events on the same system
  5. Verify the current effective audit policy using auditpol /get /category:*
  6. Review Group Policy Object (GPO) version history for unauthorized changes
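The steps above as detection logic, written in Python over constructed 4719 message bodies (an added example, not part of the original page): it parses the Subject and Audit Policy Change fields from the message layout shown in the example log, flags changes that remove auditing (step 2), and reports an actor that strips several subcategories within one window, which is how a bulk disable looks next to a routine Group Policy refresh that touches one subcategory (steps 3 and 4). The field regex, the 60-second window, the threshold of three and the sample timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(  # field lines of a 4719 message body, laid out as in the example log
    r"^\s*(Security ID|Account Name|Subcategory|Subcategory GUID|Changes):\s*(.+?)\s*$", re.M)

def parse_4719(message):
    """Extract the Subject and Audit Policy Change fields from a 4719 message body."""
    f = dict(FIELD_RE.findall(message))
    changes = [c.strip() for c in f.get("Changes", "").split(",") if c.strip()]
    return {
        "sid": f.get("Security ID"), "account": f.get("Account Name"),
        "subcategory": f.get("Subcategory"),  # localized name; correlate on the GUID instead
        "guid": f.get("Subcategory GUID", "").strip("{}").lower(),
        # "Success removed, Failure removed" -> removed == ["Success", "Failure"], added == []
        "removed": [c.split()[0] for c in changes if c.endswith("removed")],
        "added": [c.split()[0] for c in changes if c.endswith("added")],
    }

def weakens_auditing(ev):
    """Any removal of Success or Failure auditing shrinks the evidence trail."""
    return bool(ev["removed"])

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return (sid, start, subcategories) for each actor that removes auditing from
    >= threshold subcategories within one window, the shape of a bulk disable."""
    per_actor, hits = {}, []
    for ts, msg in sorted(events, key=lambda e: e[0]):
        if weakens_auditing(ev := parse_4719(msg)):
            per_actor.setdefault(ev["sid"], []).append((ts, ev["subcategory"]))
    for sid, items in per_actor.items():
        for i, (start, _) in enumerate(items):
            in_window = sorted({s for t, s in items[i:] if t - start <= window})
            if len(in_window) >= threshold:
                hits.append((sid, start, in_window))
                break
    return hits

def _msg(subcat, changes, sid="S-1-5-18", name="SYSTEM"):  # constructed, abbreviated body
    return (f"System audit policy was changed.\nSubject:\n  Security ID:    {sid}\n"
            f"  Account Name:   {name}\nAudit Policy Change:\n"
            f"  Subcategory:    {subcat}\n  Changes:        {changes}\n")

T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # one routine tightening, then three removals two seconds apart
    (T0, _msg("Logon", "Failure added")),
    (T0 + timedelta(hours=2), _msg("Logon", "Success removed, Failure removed")),
    (T0 + timedelta(hours=2, seconds=1), _msg("Process Creation", "Success removed")),
    (T0 + timedelta(hours=2, seconds=2), _msg("Audit Policy Change", "Success removed")),
]
```

A hit from find_bursts names the actor SID and the subcategories stripped, which is the starting point for steps 1 and 5; confirming whether the change came from a GPO (step 3) still needs the GPO history, which a single 4719 does not carry.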

Frequently Asked Questions

What does Event 4719 mean?
Event 4719 is logged when the system audit policy is changed, such as when auditing for logon events or process creation is enabled or disabled. Attackers may weaken audit policies to reduce the evidence trail.
How can attackers change audit policies?
With admin or SYSTEM privileges, attackers can use auditpol.exe, modify local Group Policy, or use PowerShell to disable specific audit subcategories, effectively blinding your security monitoring.
What should I do if audit policies are unexpectedly weakened?
Treat it as a P1 security incident. Immediately restore the audit policy from your known-good GPO, investigate the account that made the change, and review other events around the same timeframe for compromise indicators.