SOC Event Lookup
Event ID 4719AuditPolicyP1

Windows Event ID 4719: System audit policy was changed

Windows Security Event ID 4719 records a system audit policy change and can reveal attempts to reduce logging before malicious activity.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

Windows logs the event when one or more audit subcategories are enabled or disabled through policy or local configuration.

Key Fields

Audit Policy Changes

The subcategories and success or failure settings that changed. Disabling process, logon, or policy auditing is especially significant.

Subject

The account that changed policy. Confirm that the action matches approved administration.

Computer

The affected system. Changes on domain controllers and management servers have broad investigative impact.

Common False Positives

  • Hardening projects and Group Policy deployments can legitimately change audit settings.
  • Operating-system upgrades or baseline changes may modify multiple subcategories at once.

Related Events

MITRE ATT&CK Mapping

  • T1562.002Impair Defenses: Disable Windows Event Logging

Detection Notes

T1562.002 occurs when Audit Policy Changes removes Success or Failure for Audit Process Creation, Logon, or other security-critical audit subcategories. Disabling both Success and Failure is materially different from enabling a category because it removes future visibility. Use a local correlation window=60 minutes to connect the same Subject Logon ID to 4688 policy-change tooling and any following 1102 log clear.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4719
| project TimeGenerated, Computer, Account, AuditPolicyChanges
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4719
| table _time, host, SubjectUserName, AuditPolicyChanges
Sample Log
Subject: Account Name: CORP\admin.ops
Audit Policy Changes: Audit Process Creation: Success removed
Computer: DC01

Source