What is the event ID that identifies when auditing has been disabled?
You are looking for 4719: System audit policy was changed:
This event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
4719: System audit policy was changed
This computer's system level audit policy was modified - either via Local Security Policy, Group Policy in Active Directory or the auditpol command.
According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.
If group policy was used to configure audit policy unfortunately the Subject fields don't identify who actually changed the policy. In such cases this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.
If auditpol was used to configure audit policy, the event will properly reflect the user in Subject:.
Subject:
The ID and logon session of the user that changed the policy - always the local system - see note above.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
See the source link below for a complete list of the event's categories and subcategories.
Source: 4719: System audit policy was changed
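A triage sketch for the Subject caveat described in the answer above, added here as an example and not taken from the answer or its source: it reads 4719 events exported as XML and separates changes where Subject is the computer itself (Group Policy, real actor not recorded) from changes made by a user session. The `Data` field names and the `%%84xx` change codes are assumptions about the event's XML form, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed message-table codes for the AuditPolicyChanges field; confirm on your hosts.
CHANGES = {"%%8448": "Success removed", "%%8449": "Success added",
           "%%8450": "Failure removed", "%%8451": "Failure added"}

def triage_4719(event_xml):
    """Return a triage dict for one exported event, or None if it is not a 4719."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4719":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    changes = [CHANGES.get(c.strip(), c.strip())
               for c in data.get("AuditPolicyChanges", "").split(",") if c.strip()]
    name = data.get("SubjectUserName", "")
    # Group Policy is applied under the computer's own identity, so a machine
    # account or Local System SID in Subject means the real actor is not recorded.
    machine = data.get("SubjectUserSid") == "S-1-5-18" or name.endswith("$")
    return {
        "subject": f'{data.get("SubjectDomainName", "")}\\{name}',
        "logon_id": data.get("SubjectLogonId", ""),  # pivot to the 4624 logon event
        "changes": changes,
        "auditing_reduced": any(c.endswith("removed") for c in changes),
        "actor_known": not machine,
    }

def sample_event(event_id, sid, user, domain, logon_id, changes):
    """Build a constructed event in the assumed export format (not a real log)."""
    fields = {"SubjectUserSid": sid, "SubjectUserName": user,
              "SubjectDomainName": domain, "SubjectLogonId": logon_id,
              "AuditPolicyChanges": changes}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed samples: one change applied by Group Policy, one by a user session.
SAMPLE_GPO = sample_event(4719, "S-1-5-18", "WS01$", "CORP", "0x3e7", "%%8448, %%8450")
SAMPLE_USER = sample_event(4719, "S-1-5-21-1-2-3-1105", "jdoe", "CORP", "0x3e7a1", "%%8448")

if __name__ == "__main__":
    for xml_text in (SAMPLE_GPO, SAMPLE_USER):
        print(triage_4719(xml_text))
```

Events with `auditing_reduced` true and `actor_known` false need the actor traced through Group Policy change history rather than the Subject fields.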