Defense Evasion (TA0005)(external, opens in a new tab or window)
text code block:from logs-windows.forwarded*, logs-system.security* metadata _id, _version, _index | where host.os.type == "windows" and event.code == "4719" and winlog.event_data.AuditPolicyChangesDescription in ("Success removed", "Success Added") and winlog.event_data.SubCategory in ( "Logon", "Audit Policy Change", "Process Creation", "Other System Events", "Security Group Management", "User Account Management" ) | eval Esql.time_window = DATE_TRUNC(5m, @timestamp) // Aggregate policy changes within each 5m window per host and sub-category, // then keep only removals that were not re-enabled in the same window | inline stats Esql.winlog_AuditPolicyChangesDescription_values = VALUES(winlog.event_data.AuditPolicyChangesDescription) by host.id, winlog.event_data.SubCategory, Esql.time_window | where winlog.event_data.AuditPolicyChangesDescription == "Success removed" and not MV_CONTAINS(Esql.winlog_AuditPolicyChangesDescription_values, "Success Added") // Wait 5m for a potential "Success Added" to arrive before alerting | where @timestamp < NOW() - 5m | keep *
Install detection rules in Elastic Security
Detect Sensitive Audit Policy Sub-Category Disabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).