Windows Event ID 4719 — System Audit Policy Changed
Logged when the system's audit policy is modified — which controls what events get recorded in the Security log.
MITRE ATT&CK
T1562.002 · Disable Windows Event Logging
Defense Evasion
Why It Matters
Attackers reduce audit policy coverage to blind defenders before carrying out their main actions: turning off auditing for logon events or process creation before an intrusion leaves no trail of those actions in the Security log. The policy change itself is still recorded. 4719 is logged regardless of the Audit Policy Change subcategory setting, so it is often the last useful event before the silence, and a burst of reductions followed by nothing is the pattern to look for.
Key Fields
- SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId: the account whose token made the change. SYSTEM (S-1-5-18, logon ID 0x3e7) is what Group Policy application or another system service looks like; a named user points at a direct change.
- CategoryId, SubcategoryId, SubcategoryGuid: which audit category and subcategory was changed. The GUID is stable across locales; auditpol /list /subcategory:* /v maps GUIDs to names.
- AuditPolicyChanges: what changed, as one or more codes: %%8448 Success removed, %%8449 Success added, %%8450 Failure removed, %%8451 Failure added. The removal codes are the ones that matter.
Investigation Tips
1. Any reduction in audit policy coverage (Success or Failure removed, i.e. AuditPolicyChanges %%8448 or %%8450) outside an authorized change window is suspicious, especially for the Logon, Process Creation, or Audit Policy Change subcategories.
2. Check whether the change came via Group Policy (expected; Subject is SYSTEM, typically on policy refresh) or was made directly, for example with auditpol.exe (potentially suspicious; Subject is a user account). 4719 does not record which tool made the change, so correlate with 4688 process creation events for auditpol.exe around the same time. A SYSTEM subject is not proof of Group Policy either: auditpol run from a SYSTEM shell looks identical, so verify the new setting against what the applicable GPO actually defines.
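The two checks above as one PowerShell triage pass, added here as an example and not EventPeeker's or Microsoft's code. It reads 4719 from the live Security log (needs administrator rights) or from an exported .evtx given as the assumed -Path parameter, decodes the AuditPolicyChanges codes, flags reductions, and separates SYSTEM subjects from named users. The subcategory GUID table is an assumed partial lookup covering only Process Creation and Logon; extend it from auditpol /list /subcategory:* /v.

```powershell
# Added example, not EventPeeker's or Microsoft's code. Triages Event ID 4719 from
# a live Security log or an exported .evtx and flags audit-coverage reductions.
function Get-AuditPolicyChange {
    param(
        # Assumption: optional path to an exported .evtx; omitted = live Security log (needs admin).
        [string]$Path
    )

    # Partial GUID-to-name lookup (assumed subset); extend with: auditpol /list /subcategory:* /v
    $subcategoryNames = @{
        '{0CCE922B-69AE-11D9-BED3-505054503030}' = 'Process Creation'
        '{0CCE9215-69AE-11D9-BED3-505054503030}' = 'Logon'
    }
    # Meaning of the AuditPolicyChanges codes carried in 4719.
    $changeCodes = @{
        '%%8448' = 'Success removed'
        '%%8449' = 'Success added'
        '%%8450' = 'Failure removed'
        '%%8451' = 'Failure added'
    }

    $filter = @{ Id = 4719 }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }

    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull the EventData fields by name from the event XML; this is locale-independent,
        # unlike the rendered Message text.
        [xml]$xml = $event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        $codes     = @(($data['AuditPolicyChanges'] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $changes   = $codes | ForEach-Object { if ($changeCodes.ContainsKey($_)) { $changeCodes[$_] } else { $_ } }
        $reduction = [bool]($codes | Where-Object { $_ -in @('%%8448', '%%8450') })

        $guid = $data['SubcategoryGuid']
        $subcategory = if ($guid -and $subcategoryNames.ContainsKey($guid)) { $subcategoryNames[$guid] } else { $guid }

        # SYSTEM (S-1-5-18, logon ID 0x3e7) is what Group Policy application looks like;
        # a named user points at a direct change such as auditpol.exe. 4719 does not
        # record the tool, so this is a hint to correlate with 4688, not proof.
        $isSystem = ($data['SubjectUserSid'] -eq 'S-1-5-18')
        $verdict  = if (-not $reduction) { 'coverage added' }
                    elseif ($isSystem)   { 'reduction by SYSTEM (Group Policy or a SYSTEM shell): verify against GPO' }
                    else                 { 'reduction by user: correlate with 4688 for auditpol.exe' }

        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId     = $data['SubjectLogonId']
            Subcategory = $subcategory
            Changes     = ($changes -join ', ')
            Reduction   = $reduction
            Verdict     = $verdict
        }
    }
}

# Usage: reductions only, newest first. Add -Path 'C:\cases\Security.evtx' for an export.
Get-AuditPolicyChange | Where-Object Reduction | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Parsing the XML rather than the Message property keeps the script working on non-English systems and avoids regexing localized strings. On a busy domain member, expect SYSTEM-subject 4719 events on every policy refresh; baseline those first, then treat any remaining reduction, and any reduction by a named user, as an incident lead.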
Go deeper: the full Credential Dumping guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.
Read the Credential Dumping guide →