
Summary
This rule identifies potential defense evasion tactics executed by adversaries or Red Teams in Windows environments, specifically through the use of the legacy command-line tool `auditpol.exe`. This tool modifies Windows auditing policies, and in particular can disable specific logging categories via the `/disable` command or category flags set to 'none'. The detection leverages logs collected from Endpoint Detection and Response (EDR) solutions to monitor process names and command-line arguments associated with this tool. If left unchecked, such behavior can result in significant evasion of security controls, enabling attackers to obscure their activities and potentially conduct further attacks with minimal risk of detection. Given the critical role of auditing and logging, any instance where the audit policy is disabled warrants immediate investigation and response to ensure system integrity remains intact.
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1562
- T1562.002
Created: 2025-01-27