{
  "id": "4719",
  "source": "windows_security",
  "category": "AuditPolicy",
  "name": "System audit policy was changed",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4719 records a system audit policy change and can reveal attempts to reduce logging before malicious activity.",
  "trigger_scenarios": "Windows logs the event when one or more audit subcategories are enabled or disabled through policy or local configuration.",
  "key_fields": [
    {
      "field": "Audit Policy Changes",
      "explanation": "The subcategories and success or failure settings that changed. Disabling process, logon, or policy auditing is especially significant."
    },
    {
      "field": "Subject",
      "explanation": "The account that changed policy. Confirm that the action matches approved administration."
    },
    {
      "field": "Computer",
      "explanation": "The affected system. Changes on domain controllers and management servers have broad investigative impact."
    }
  ],
  "false_positives": [
    "Hardening projects and Group Policy deployments can legitimately change audit settings.",
    "Operating-system upgrades or baseline changes may modify multiple subcategories at once."
  ],
  "related_event_ids": [
    "1102",
    "4902",
    "4688"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1562.002",
      "technique_name": "Impair Defenses: Disable Windows Event Logging"
    }
  ],
  "detection_notes": "T1562.002 occurs when Audit Policy Changes removes Success or Failure for Audit Process Creation, Logon, or other security-critical audit subcategories. Disabling both Success and Failure is materially different from enabling a category because it removes future visibility. Use a local correlation window=60 minutes to connect the same Subject Logon ID to 4688 policy-change tooling and any following 1102 log clear.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4719\n| project TimeGenerated, Computer, Account, AuditPolicyChanges\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4719\n| table _time, host, SubjectUserName, AuditPolicyChanges",
  "sample_log": "Subject: Account Name: CORP\\admin.ops\nAudit Policy Changes: Audit Process Creation: Success removed\nComputer: DC01",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719",
  "route": "/windows-events/4719/",
  "canonical_url": "https://soceventlookup.com/windows-events/4719/",
  "json_url": "/api/events/windows-security/4719.json"
}
