It sounds like you are seeing recurring Event ID 4719 (System audit policy was changed) entries in the Security log, apparently coinciding with SentinelOne activity. These events can be awkward to attribute because 4719 records which account changed the policy but not which process did it. Below are a few strategies to help you identify the cause of the changes and investigate further.
### Steps to Investigate the Auditing Event:
1. Event Viewer Analysis:
- Open the Event Viewer (run `eventvwr.msc`).
- Navigate to Windows Logs > Security and review the entries around the times the events appear (every 5 minutes).
- Look specifically for Event ID 4719 (System audit policy was changed). Its Subject fields (Security ID, Account Name, Logon ID) tell you which account made the change, and the Audit Policy Change fields (Category, Subcategory, Subcategory GUID, Changes) tell you exactly which subcategory was set and whether success or failure auditing was added or removed. A Logon ID of 0x3E7 is the SYSTEM logon session, which is shared by every service running as Local System, so it alone will not single out one agent.
- Correlate the Subject Logon ID with a preceding Event ID 4624 (successful logon) whose New Logon > Logon ID (TargetLogonId in the event XML) matches; that shows how the session that changed the policy was established. Nearby Event ID 4625 (failed logon) entries are worth noting too, but they are context rather than a cause.
2. Reviewing SentinelOne Logs:
- Since you identified that SentinelOne is performing scans at the time of the events, check its logs or dashboard.
- Look for any actions taken by SentinelOne at those times: policy changes, scans returning suspicious results, remediation events, or alerts that imply a prior unauthorized change.
- The management console's activity or history view for the agent is the place to confirm whether the agent itself reports doing anything on a 5-minute cadence.
3. Audit Policy Configuration:
- Verify the audit policy configuration directly on the server:
- Open a Command Prompt as Administrator.
- Run `auditpol /get /category:*` to view the current audit policies (`auditpol /get /category:* /r` prints the same data as CSV, which is easier to save and compare).
- Capture the output twice, a few minutes apart, and compare it against the Changes field of the 4719 events. This tells you whether a setting is actually flipping back and forth or whether the same policy is simply being re-applied each time.
- Check whether any scheduled task, Group Policy, or local policy could be applying audit settings on that cadence.
4. Investigate Scheduled Tasks:
- Check for any scheduled tasks that may be altering audit policies:
- Open Task Scheduler (`taskschd.msc`).
- Look for tasks with a repeating trigger close to the 5-minute interval (including tasks under Microsoft\Windows and any vendor folders) and review the actions they perform.
5. Group Policy Changes:
- If your environment uses Group Policy, inspect recent changes to the GPOs that set audit policy (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, or the legacy Local Policies > Audit Policy).
- Use the Group Policy Management Console (GPMC) to review which GPOs apply to the server. Keep in mind that background Group Policy refresh on a member server runs every 90 minutes by default (plus a random offset of up to 30 minutes), so a strict 5-minute cadence points elsewhere unless the refresh interval has been changed.
6. System and Application Logs:
- Check the System and Application logs in the Event Viewer for any warnings or errors that coincide with the audit events.
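The investigation steps above can be scripted instead of clicked through. The following is an added example, not code from the original answer or from SentinelOne: it pulls every 4719 from the Security log, shows who changed what and the interval between changes, finds the 4624 that created the session named in a 4719, and lists process-creation (4688) events in a short window around each change. It assumes an elevated PowerShell session on the affected server, the built-in Security log, and that Audit Process Creation (ideally with command-line logging) is enabled; without 4688 events the last step simply returns nothing.

```powershell
# Added example (not from the original answer). Assumes: elevated session, default Security log,
# Audit Process Creation enabled for the 4688 correlation. Field names are the standard EventData
# names for events 4719, 4624 and 4688.

function Get-EventDataMap {
    # Flatten the <EventData><Data Name="..."> nodes of one event record into a hashtable.
    param($Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $map[$node.Name] = $node.'#text' }
    return $map
}

function Get-AuditPolicyChanges {
    # One object per 4719: who, which subcategory, what changed, and seconds since the previous 4719.
    param([int]$Hours = 2)
    $filter  = @{ LogName = 'Security'; Id = 4719; StartTime = (Get-Date).AddHours(-$Hours) }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated
    $previous = $null
    foreach ($r in $records) {
        $d   = Get-EventDataMap $r
        # The rendered message resolves the %%-placeholders in the raw XML into readable text;
        # fall back to the raw values if the message cannot be rendered.
        $msg = $r.Message
        $cat = if ($msg -match '(?m)^\s*Category:\s*(.+?)\s*$')    { $Matches[1] } else { $d.CategoryId }
        $sub = if ($msg -match '(?m)^\s*Subcategory:\s*(.+?)\s*$') { $Matches[1] } else { $d.SubcategoryId }
        $chg = if ($msg -match '(?m)^\s*Changes:\s*(.+?)\s*$')     { $Matches[1] } else { $d.AuditPolicyChanges }
        $gap = if ($previous) { [int](($r.TimeCreated - $previous).TotalSeconds) } else { $null }
        $previous = $r.TimeCreated
        [pscustomobject]@{
            Time             = $r.TimeCreated
            Subject          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId          = $d.SubjectLogonId
            Category         = $cat
            Subcategory      = $sub
            SubcategoryGuid  = $d.SubcategoryGuid
            Changes          = $chg
            SecondsSincePrev = $gap
        }
    }
}

function Get-LogonForSession {
    # Find the 4624 whose New Logon > Logon ID equals the Subject Logon ID taken from a 4719.
    param([string]$LogonId, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d.TargetLogonId -eq $LogonId) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $d.LogonType          # 3 = network, 5 = service, 2/10 = interactive/RDP
                Process   = $d.ProcessName
                Source    = $d.IpAddress
            }
        }
    }
}

function Find-NearbyProcessCreation {
    # For each 4719, list 4688 events within +/- $WindowSeconds whose image or command line
    # matches $Pattern. Use -Pattern '.' to see everything that started in the window.
    param(
        [Parameter(ValueFromPipeline)] $Change,
        [int]$WindowSeconds = 10,
        [string]$Pattern = 'auditpol'
    )
    process {
        $filter = @{
            LogName   = 'Security'; Id = 4688
            StartTime = $Change.Time.AddSeconds(-$WindowSeconds)
            EndTime   = $Change.Time.AddSeconds($WindowSeconds)
        }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $d = Get-EventDataMap $_
            if ("$($d.NewProcessName) $($d.CommandLine)" -match $Pattern) {
                [pscustomobject]@{
                    ChangeTime  = $Change.Time
                    ProcTime    = $_.TimeCreated
                    Process     = $d.NewProcessName
                    Parent      = $d.ParentProcessName
                    CommandLine = $d.CommandLine   # empty unless command-line logging is enabled
                    LogonId     = $d.SubjectLogonId
                }
            }
        }
    }
}

# Usage: the first table confirms the cadence and what flips; the second attributes the change.
$changes = Get-AuditPolicyChanges -Hours 2
$changes | Format-Table Time, Subject, LogonId, Subcategory, Changes, SecondsSincePrev -AutoSize
$changes | Select-Object -ExpandProperty LogonId -Unique | ForEach-Object { Get-LogonForSession -LogonId $_ } | Format-Table -AutoSize
$changes | Find-NearbyProcessCreation | Format-Table -AutoSize
```

If SecondsSincePrev sits steadily around 300 and the Changes column is identical every time, something is re-applying the same policy rather than a setting genuinely flapping. A Subject Logon ID of 0x3E7 (SYSTEM) will usually have no 4624 other than the one at boot, which is why the 4688 correlation matters; if the process list is empty even with -Pattern '.', the policy is being set through the LSA API from an already-running service rather than by spawning auditpol.exe, and ProcMon (next section) is the next step.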
### Further Troubleshooting:
- Enable process-creation auditing: 4719 does not name the process that changed the policy, so turn on Audit Process Creation (Event ID 4688) together with the "Include command line in process creation events" policy setting. Any `auditpol.exe /set ...` invocation, and the parent process that launched it, will then appear a moment before each 4719.
- Use Sysinternals Tools: Process Monitor (ProcMon) gives real-time file system, registry, and process/thread activity. The effective audit policy is stored under HKLM\SECURITY\Policy\PolAdtEv, so a filter on that registry path shows the write at the moment of each 4719. Expect the write itself to come from lsass.exe, because the policy is set through the LSA; use the process and network activity in the same few seconds to work out which process made the call.
- Network Activity Monitoring: if the Subject Logon ID correlates to a network logon (4624 with logon type 3 and a Source Network Address), the change is coming from a remote host. Capture traffic with Wireshark during the events to see what is connecting and from where.
- Exclusions: adding process exclusions in SentinelOne reduces your detection coverage and is unlikely to change how the agent itself configures audit policy, so it is not a fix for these events. If the agent is setting audit policy every 5 minutes, that is a question for its policy configuration or for SentinelOne support, not for exclusions.
By piecing this information together (the account in the 4719 Subject, what changed, the cadence, and whatever started or connected in the same window), you should be able to tie the auditing events to a specific process or policy source. If that turns out to be the SentinelOne agent, SentinelOne support can explain why it adjusts Windows audit policy and whether that behaviour is configurable.