
Summary
This rule detects when Windows event log auditing is disabled, which indicates a possible attempt to evade detection by suppressing local logging. It triggers on Event ID 4719 whenever the audit policy is changed, in particular when the change involves audit policy settings related to administrative tasks. Effective auditing is critical for security monitoring, compliance and the traceability of actions within a Windows environment; disabling it can mask malicious activity and therefore presents a security risk. The rule also notes that it is generally advisable to disable 'Local Group Policy Object Processing' via a Group Policy Object (GPO), so that only Active Directory GPOs are applied, which reduces the risk of local policy alterations that could open security gaps. Disabling local policy processing may affect specific GPOs, but managing them through Active Directory is preferred for overall security enforcement.
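As an added illustration of the detection logic (example code written for this page, not the rule's own query): a small Python triage routine over constructed Event ID 4719 records that flags changes removing success or failure auditing from watched subcategories. The `%%` change codes, the subcategory GUIDs and the field names are assumptions about how the Security log renders the event; verify them against your own environment before relying on them.

```python
"""Triage of Windows Security Event ID 4719 ("System audit policy was changed") records."""
from typing import Dict, Iterable, List

# Message IDs that appear in the AuditPolicyChanges field of 4719
# (assumed mapping; verify against your own Security log).
CHANGE_CODES = {
    "%%8448": "Success Removed",
    "%%8449": "Success Added",
    "%%8450": "Failure Removed",
    "%%8451": "Failure Added",
}
REMOVAL_CODES = {"%%8448", "%%8450"}

# Subcategory GUIDs worth alerting on (assumed values; confirm on a
# reference host with `auditpol /list /subcategory:* /v`).
WATCHED_SUBCATEGORIES = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE922B-69AE-11D9-BED3-505054503030}": "Process Creation",
    "{0CCE9235-69AE-11D9-BED3-505054503030}": "User Account Management",
}

def parse_changes(field: str) -> List[str]:
    """Split the comma-separated AuditPolicyChanges field into its %% codes."""
    return [c.strip() for c in field.split(",") if c.strip()]

def audit_removed(event: Dict) -> bool:
    """True when a 4719 record removes success or failure auditing."""
    if event.get("EventID") != 4719:
        return False
    return any(c in REMOVAL_CODES for c in parse_changes(event.get("AuditPolicyChanges", "")))

def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per 4719 record that disables auditing on a watched subcategory."""
    alerts = []
    for ev in events:
        if not audit_removed(ev):
            continue
        name = WATCHED_SUBCATEGORIES.get(ev.get("SubcategoryGuid", "").upper())
        if name is None:
            continue  # removal on an unwatched subcategory: record it, but do not alert
        removed = [CHANGE_CODES[c] for c in parse_changes(ev["AuditPolicyChanges"]) if c in REMOVAL_CODES]
        alerts.append({"subject": ev.get("SubjectUserName"), "subcategory": name, "removed": removed})
    return alerts

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4719, "SubjectUserName": "SYSTEM", "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8449, %%8451"},
    {"EventID": 4719, "SubjectUserName": "jdoe", "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8448, %%8450"},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
    {"EventID": 4719, "SubjectUserName": "svc_backup", "SubcategoryGuid": "{0CCE9235-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8449, %%8450"},
    {"EventID": 4719, "SubjectUserName": "jdoe", "SubcategoryGuid": "{0CCE9211-69AE-11D9-BED3-505054503030}", "AuditPolicyChanges": "%%8448"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The first record only adds auditing and the third is an unrelated logon, so only the second and fourth records produce alerts; the last one removes auditing on an unwatched subcategory and is deliberately not paged.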
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
Created: 2017-11-19