tpancrazio (Member, joined Sep 19, 2024, 1 message), thread author, post #1
I am using Alienvault to log our SIEM Events from our Windows 2019 servers, and I am trying to find out how to debug what is causing this recurring Auditing Event in our Windows Event Logs.
I have found out that SentinelOne is scanning this file at the time, but is there a way to see what change caused this event to be raised? It seems to occur about every 5 minutes.
Here is a sample event being logged. (Please note I have removed any company information.)
AV - Alert - "1726685231" --> RID: "18113"; RL: "8"; RG: "windows,policy_changed,"; RC: "Windows Audit Policy changed."; USER: "<ComputerName>$ "; SRCIP: "None"; HOSTNAME: "() ComputerIPAddress->WinEvtLog"; LOCATION: "() ComputerIPAddress->WinEvtLog"; EVENT: "[INIT]2024 Sep 18 13:47:14 WinEvtLog: Security: AUDIT_SUCCESS(4719): Microsoft-Windows-Security-Auditing: (no user): no domain: .Company.local: System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: $ Account Domain: Company Logon ID: 0x3e7 Audit Policy Change: Category: %%8274 Subcategory: %%12806 Subcategory GUID: {0cce9222-69ae-11d9-bed3-505054503030} Changes: %%8449[END]";
Any help would be appreciated.
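One way to decode the alert line quoted in the post and to confirm the recurring interval, as an added example that is not part of the original thread. It assumes the alert keeps the OSSEC-style layout shown above; the labels for the %%-placeholders are an assumption taken from the Security-Auditing message table and should be checked against the resolved event text on your own server.

```python
import re

# Message-table placeholders seen in the post's 4719 event. The decoded labels are
# an assumption from the Security-Auditing string table; check them on your own
# host by opening the same event in Event Viewer, where they appear resolved.
CATEGORY = {"%%8274": "Object Access"}
SUBCATEGORY = {"%%12806": "Application Generated"}
CHANGES = {"%%8448": "Success removed", "%%8449": "Success added",
           "%%8450": "Failure removed", "%%8451": "Failure added"}

ALERT_RE = re.compile(
    r'AV - Alert - "(?P<epoch>\d+)".*?AUDIT_SUCCESS\((?P<eid>\d+)\).*?'
    r'Security ID: (?P<sid>S-[\d-]+).*?Category: (?P<cat>%%\d+) '
    r'Subcategory: (?P<sub>%%\d+) Subcategory GUID: (?P<guid>\{[0-9a-fA-F-]+\}) '
    r'Changes: (?P<chg>%%\d+)', re.DOTALL)

def parse_alert(line):
    """Decode one AlienVault/OSSEC alert line carrying event 4719 into fields."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return {"epoch": int(g["epoch"]), "event_id": int(g["eid"]),
            "subject_sid": g["sid"], "subcategory_guid": g["guid"].lower(),
            "category": CATEGORY.get(g["cat"], g["cat"]),
            "subcategory": SUBCATEGORY.get(g["sub"], g["sub"]),
            "changes": CHANGES.get(g["chg"], g["chg"])}

def gaps_seconds(alerts):
    """Seconds between consecutive alerts; a flat list near 300 confirms the 5-minute cadence."""
    times = sorted(a["epoch"] for a in alerts)
    return [b - a for a, b in zip(times, times[1:])]

def is_periodic(alerts, period=300, tolerance=30):
    """True when every gap sits within tolerance of period: a scheduled agent, not a human."""
    gaps = gaps_seconds(alerts)
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)

# Constructed sample alerts shaped like the post's line (hostname made up), 5 minutes apart.
TEMPLATE = ('AV - Alert - "EPOCH" --> RID: "18113"; RL: "8"; RG: "windows,policy_changed,"; '
            'RC: "Windows Audit Policy changed."; USER: "SRV01$ "; SRCIP: "None"; '
            'EVENT: "[INIT]2024 Sep 18 13:47:14 WinEvtLog: Security: AUDIT_SUCCESS(4719): '
            'Microsoft-Windows-Security-Auditing: (no user): no domain: .Company.local: '
            'System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: SRV01$ '
            'Account Domain: Company Logon ID: 0x3e7 Audit Policy Change: Category: %%8274 '
            'Subcategory: %%12806 Subcategory GUID: {0cce9222-69ae-11d9-bed3-505054503030} '
            'Changes: %%8449[END]";')
SAMPLE_ALERTS = [TEMPLATE.replace("EPOCH", str(e)) for e in (1726685231, 1726685531, 1726685831)]
```

A steady 300-second cadence under the SYSTEM account (S-1-5-18) points at a service or agent re-applying audit policy on a timer rather than an interactive change. The 4719 record itself does not name the calling process, so attributing it means correlating its timestamp with process-creation (4688) events or the agent's own logs on the server.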