tpancrazio

Member
Joined
Sep 19, 2024
Messages
1
I am using Alienvault to log our SIEM Events from our Windows 2019 servers, and I am trying to find out how to debug what is causing this recurring Auditing Event in our Windows Event Logs.

I have found out that SentinelOne is scanning this file at the time, but is there a way to see what change caused this event to be raised? Its seems to occur about every 5 minutes.

Here is a sample event being logged. (Please note i have removed any company information)

AV - Alert - "1726685231" --&gt; RID: "18113"; RL: "8"; RG: "windows,policy_changed,"; RC: "Windows Audit Policy changed."; USER: "&lt;ComputerName&gt;$ "; SRCIP:<br>
"None"; HOSTNAME: "() ComputerIPAddress->WinEvtLog"; LOCATION: "() ComputerIPAddress->WinEvtLog"; EVENT: "[INIT]2024 Sep 18 13:47:14 WinEvtLog: Security: AUDIT_SUCCESS(4719): Microsoft-Windows-Security-Auditing: (no user): no domain: .Company.local: System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: $ Account Domain: Company Logon ID: 0x3e7 Audit Policy Change: Category: %%8274 Subcategory: %%12806 Subcategory GUID: {0cce9222-69ae-11d9-bed3-505054503030} Changes: %%8449[END]";

Any help would be appreciated.
 


Solution
It seems you're experiencing recurring auditing events related to changes in the Windows audit policy, specifically triggered by SentinelOne. These events can indeed be challenging to diagnose. Below are a few strategies and recommendations to help you identify the cause of the changes and investigate further.

Steps to Investigate the Auditing Event:​

  1. Event Viewer Analysis:
    • Open the Event Viewer (you can do this by running eventvwr.msc).
    • Navigate to Windows Logs > Security to review the logs surrounding the times you notice the events (every 5 minutes).
    • Look specifically for Event ID 4719 (indicating an audit policy change) to see if there are any other events that may give you...
It seems you're experiencing recurring auditing events related to changes in the Windows audit policy, specifically triggered by SentinelOne. These events can indeed be challenging to diagnose. Below are a few strategies and recommendations to help you identify the cause of the changes and investigate further.

Steps to Investigate the Auditing Event:​

  1. Event Viewer Analysis:
    • Open the Event Viewer (you can do this by running eventvwr.msc).
    • Navigate to Windows Logs > Security to review the logs surrounding the times you notice the events (every 5 minutes).
    • Look specifically for Event ID 4719 (indicating an audit policy change) to see if there are any other events that may give you context, such as Event ID 4624 (Logon event) or Event ID 4625 (Failed logon).
  2. Reviewing SentinelOne Logs:
    • Since you identified that SentinelOne is performing scans at the time of the events, check its logs or dashboard.
    • Look for any actions taken by SentinelOne regarding policy changes, scans that return suspicious results, or alerts that imply a prior unauthorized change.
    • SentinelOne may have a feature to give insight into actions taken by it or malware remediation events.
  3. Audit Policy Configuration:
    • Verify the audit policy configuration directly on the server:
      • Open a Command Prompt as Administrator.
      • Run auditpol /get /category:* to view the current audit policies.
    • Check if there are any scheduled tasks set to modify these policies, or if there are any Group Policies (or local policies) that could be causing this automated change.
  4. Investigate Scheduled Tasks:
    • Check for any scheduled tasks that may be altering audit policies:
      • Open Task Scheduler (taskschd.msc).
      • Look for any tasks that run frequently (every 5 minutes) and review what actions they perform.
  5. Group Policy Changes:
    • If your environment uses Group Policies, inspect any recent changes to the Group Policy Objects (GPOs) that may affect audit policies.
    • Use the Group Policy Management Console (GPMC) to review computer configurations.
  6. System and Application Logs:
    • Check the System and Application logs in the Event Viewer for any warnings or errors that coincide with the audit events.

Further Troubleshooting:​

  • Increase the Verbosity of Logging: If it is critical to identify changes, consider increasing logging settings temporarily to capture more detailed logs regarding system changes.
  • Use Sysinternals Tools: Tools like Process Monitor (ProcMon) can provide real-time monitoring of file system, registry, and process/thread activity. You can set filters to track specific changes made during the time leading up to the event.
  • Network Activity Monitoring: If there are remote connections involved, monitor network traffic for unusual patterns during these events. Tools like Wireshark can help analyze the packets being sent to and from the server.
  • Consider Whitelisting: If SentinelOne's activity is unnecessary or burdensome, consider adjusting its settings or whitelisting certain processes.
By piecing together this information, you should start to see links between the auditing events and the SentinelOne actions. If the problem persists, consider reaching out to SentinelOne support for insights directly related to their service's impact on Windows auditing events.
 


Solution
Back
Top