
Summary
This analytic identifies execution of `auditpol.exe` with the `/restore` command-line argument, which replaces the audit policy of a Windows endpoint with the settings read from a file (`auditpol /restore /file:<path>`, the counterpart of `auditpol /backup`). It uses process execution telemetry from Endpoint Detection and Response (EDR) agents, matching on the process name and the command line. The activity matters because it is a defense evasion technique: an adversary or Red Team can restore a policy file that disables or narrows auditing, reducing the events available to detections and audits. Once a weakened policy is in place, later activity such as lateral movement or full compromise of the host may go unlogged. Implementation requires ingesting logs that carry process execution and command-line details through the appropriate Splunk Technology Add-ons, with the data normalized to the Splunk Common Information Model (CIM). False positives can arise from legitimate administrative activity, such as hardening or baseline scripts that restore a known policy; filter these by the parent process, the user and the `/file:` path rather than by the presence of `/restore` alone.
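The matching logic the summary describes, as an added worked example that is not part of this analytic's own search (which is written in SPL): it flags process events whose image is `auditpol.exe` and whose command line carries `/restore`, pulls out the `/file:` path so an analyst can see which policy was restored, and drops runs that match a vetted (parent process, file path prefix) allowlist. Field names follow CIM `Endpoint.Processes` (`process_name`, `process`, `parent_process_name`, `user`, `dest`); the sample events, the `ALLOWLIST` and the `Hit` record are constructed for this example and are not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

# /restore must stand alone as a switch: the lookbehind rejects "x/restore"
# and "//restore", the \b rejects "/restored". Matching is case-insensitive
# because the switch can be typed in any case.
RESTORE_RE = re.compile(r"(?<![\w/])/restore\b", re.IGNORECASE)
# auditpol /restore reads its policy from /file:<path>; the path may be quoted.
FILE_RE = re.compile(r'/file:(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Hit:
    """One flagged execution (constructed record shape for this example)."""
    dest: str
    user: str
    parent_process_name: str
    policy_file: Optional[str]
    process: str


def is_auditpol_restore(event: dict) -> bool:
    """True when the process image is auditpol.exe and the command line
    carries the /restore switch (both compared case-insensitively)."""
    name = (event.get("process_name") or "").lower()
    cmd = event.get("process") or ""
    return name == "auditpol.exe" and RESTORE_RE.search(cmd) is not None


def policy_file(cmd: str) -> Optional[str]:
    """Extract the /file: argument so the analyst can inspect what was restored."""
    m = FILE_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def detect(events: Iterable[dict],
           allowlist: Sequence[Tuple[str, str]] = ()) -> List[Hit]:
    """Return one Hit per auditpol /restore execution, minus runs whose
    (parent process, policy file prefix) pair is on the vetted allowlist."""
    hits: List[Hit] = []
    for ev in events:
        if not is_auditpol_restore(ev):
            continue
        parent = (ev.get("parent_process_name") or "").lower()
        path = policy_file(ev.get("process") or "")
        benign = any(
            parent == p.lower() and path is not None
            and path.lower().startswith(prefix.lower())
            for p, prefix in allowlist
        )
        if benign:
            continue
        hits.append(Hit(ev.get("dest", ""), ev.get("user", ""), parent,
                        path, ev.get("process", "")))
    return hits


# Constructed sample events (not real EDR data).
SAMPLE_EVENTS = [
    # 1. Scheduled baseline job restoring a vetted policy file
    {"dest": "ws01", "user": r"NT AUTHORITY\SYSTEM", "parent_process_name": "cmd.exe",
     "process_name": "auditpol.exe",
     "process": r"auditpol.exe /restore /file:C:\Baseline\audit.csv"},
    # 2. Interactive user restoring a policy from a temp directory
    {"dest": "ws02", "user": r"CORP\jdoe", "parent_process_name": "powershell.exe",
     "process_name": "auditpol.exe",
     "process": r"auditpol.exe /restore /file:C:\Users\jdoe\AppData\Local\Temp\p.csv"},
    # 3. Querying the policy, not restoring it: must not match
    {"dest": "ws03", "user": r"CORP\admin", "parent_process_name": "cmd.exe",
     "process_name": "auditpol.exe",
     "process": "auditpol.exe /get /category:*"},
    # 4. A different binary with a /restore switch: must not match
    {"dest": "ws04", "user": r"CORP\admin", "parent_process_name": "cmd.exe",
     "process_name": "other.exe",
     "process": "other.exe /restore"},
    # 5. Upper-case switches and a quoted path: must still match
    {"dest": "ws05", "user": r"CORP\svc", "parent_process_name": "wscript.exe",
     "process_name": "AUDITPOL.EXE",
     "process": r'AUDITPOL.EXE /RESTORE /FILE:"C:\Temp\my policy.csv"'},
]
# Vetted (parent process, policy file prefix) pairs; an assumption for this example.
ALLOWLIST = [("cmd.exe", "C:\\Baseline\\")]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{hit.dest} {hit.user} parent={hit.parent_process_name} "
              f"file={hit.policy_file!r}")
```

The allowlist keys on the parent process and the restored file's location rather than on the user alone, because an attacker running under an administrative account would otherwise be filtered out together with the legitimate baseline job.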
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1562
- T1562.002
Created: 2025-01-27