Windows Security Log Event ID 4715
4715: The audit policy (SACL) on an object was changed
On this page
The description is poorly worded but this event is logged whenever you set the security descriptor used to delegate access to the audit policy. You can delegate authority to the system's audit policy using "auditpol /sd:".
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Audit Policy Change
Setup PowerShell Audit Log Forwarding in 4 Minutes
The audit policy (SACL) on an object was changed.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x4bfd71
Audit Policy Change:
Original Security Descriptor: D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)
New Security Descriptor: D:(A;;DCSWRPDTRC;;;BA(A;;DCSWRPDTRC;;;SY)S:NO_ACCESS_CONTROL
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection