Sensitive Audit Policy Sub-Category Disabled

Elastic Detection Rules

Summary
This detection rule identifies attempts to disable security-sensitive audit policies on Windows systems. Attackers turn auditing off to evade detection and to deprive investigators of forensic evidence on hosts they have compromised. The rule is built on Windows Security event ID 4719 (System audit policy was changed), which is logged whenever success or failure auditing is added to or removed from an audit sub-category; it alerts only when auditing is removed from one of the sub-categories that matter most for security. Because administrators also change audit policy legitimately, every hit needs triage to separate routine configuration from anti-forensic activity: examine the process execution chain that made the change for suspicious executables, verify the identity and authorization of the account that made it, review recent logs on the host for other anti-forensic behavior, and, if the activity turns out to be malicious, contain and remediate the host.
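The following is an added example that reproduces the detection logic described above in plain Python so it can be exercised against sample records offline; it is not Elastic's rule or Elastic code. It assumes events flattened in a winlogbeat-style layout (`event.code`, `winlog.event_data.*`) with the field names taken from the raw 4719 event data (`SubcategoryGuid`, `AuditPolicyChanges`, `SubjectUserName`); the four sub-categories treated as "sensitive" are this example's choice, the GUIDs are Microsoft's well-known audit sub-category identifiers, and the sample events are constructed, not real logs.

```python
"""Flag Windows event 4719 records that remove success/failure auditing from a
security-sensitive sub-category. Added example, not Elastic's rule.
"""
import re

# Tokens Windows writes into the AuditPolicyChanges field of event 4719:
#   %%8448 Success removed   %%8449 Success added
#   %%8450 Failure removed   %%8451 Failure added
REMOVAL_TOKENS = {"%%8448": "Success removed", "%%8450": "Failure removed"}
TOKEN_RE = re.compile(r"%%\d+")

# Sub-categories an attacker disables to hide logons, process launches or the
# policy change itself. Which ones count as "sensitive" is this example's
# assumption; confirm the GUIDs on your own host with:
#   auditpol /list /subcategory:* /r
SENSITIVE_SUBCATEGORIES = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE922B-69AE-11D9-BED3-505054503030}": "Process Creation",
    "{0CCE922F-69AE-11D9-BED3-505054503030}": "Audit Policy Change",
    "{0CCE9211-69AE-11D9-BED3-505054503030}": "Security System Extension",
}


def evaluate(event):
    """Return an alert dict if the event removes auditing from a sensitive
    sub-category, otherwise None. `event` is a flattened winlog record."""
    if str(event.get("event.code")) != "4719":
        return None
    data = event.get("winlog.event_data", {})
    # Raw event data spells it SubcategoryGuid; some pipelines re-case it.
    guid = (data.get("SubcategoryGuid") or data.get("SubCategoryGuid") or "").upper()
    if guid not in SENSITIVE_SUBCATEGORIES:
        return None
    # The field can carry several tokens, e.g. "%%8448, %%8450".
    removed = [REMOVAL_TOKENS[t] for t in TOKEN_RE.findall(data.get("AuditPolicyChanges", ""))
               if t in REMOVAL_TOKENS]
    if not removed:  # only additions (%%8449/%%8451): auditing was enabled, not disabled
        return None
    return {
        "subcategory": SENSITIVE_SUBCATEGORIES[guid],
        "changes": removed,
        # The subject and logon session are the first things to validate in triage.
        "subject": f"{data.get('SubjectDomainName', '?')}\\{data.get('SubjectUserName', '?')}",
        "logon_id": data.get("SubjectLogonId"),
        "host": event.get("host.name"),
    }


def run(events):
    """Evaluate a sequence of records and return the alerts raised."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Success and failure auditing removed from Process Creation: alert.
    {"event.code": "4719", "host.name": "WS01",
     "winlog.event_data": {"SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
                           "AuditPolicyChanges": "%%8448, %%8450",
                           "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
                           "SubjectLogonId": "0x3e7a1"}},
    # Auditing enabled on Logon: no alert.
    {"event.code": "4719", "host.name": "WS01",
     "winlog.event_data": {"SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
                           "AuditPolicyChanges": "%%8449, %%8451",
                           "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
                           "SubjectLogonId": "0x3e7"}},
    # Removal on a sub-category outside the sensitive set (Process Termination): no alert.
    {"event.code": "4719", "host.name": "WS01",
     "winlog.event_data": {"SubcategoryGuid": "{0CCE922C-69AE-11D9-BED3-505054503030}",
                           "AuditPolicyChanges": "%%8448",
                           "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
                           "SubjectLogonId": "0x3e7a1"}},
    # Unrelated event ID: ignored.
    {"event.code": "4688", "host.name": "WS01", "winlog.event_data": {}},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample record produces an alert. Keying on the removal tokens rather than on the whole `AuditPolicyChanges` string matters in practice: an administrator who enables auditing generates the same event ID 4719, so matching every 4719 on a sensitive sub-category would bury the real hits in configuration noise.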
Categories
  • Windows
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
  • Process
ATT&CK Techniques
  • T1070
  • T1070.001
  • T1562
  • T1562.002
  • T1562.006
Created: 2025-01-14