{
	"id": "1106d96e-a956-4e8e-a043-8b08ca492dc7",
	"created_at": "2026-04-06T00:14:04.396793Z",
	"updated_at": "2026-04-10T03:21:00.680221Z",
	"deleted_at": null,
	"sha1_hash": "64f5e4941e768294d1d30c433345dc3e23810b60",
	"title": "Advanced security audit policy settings - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76324,
	"plain_text": "Advanced security audit policy settings - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 22:49:05 UTC\r\nThis reference for IT professionals provides information about:\r\nThe advanced audit policy settings available in Windows\r\nThe audit events that these settings generate.\r\nThe security audit policy settings under Security Settings\\Advanced Audit Policy Configuration can help your\r\norganization audit compliance with important business-related and security-related rules by tracking precisely\r\ndefined activities, such as:\r\nA group administrator has modified settings or data on servers that contain finance information.\r\nAn employee within a defined group has accessed an important file.\r\nThe correct system access control list (SACL) - as a verifiable safeguard against undetected access - is\r\napplied to either of the following:\r\nevery file and folder\r\nregistry key on a computer\r\nfile share.\r\nYou can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local\r\ncomputer or by using Group Policy.\r\nThese advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can\r\nexclude audit results for the following types of behaviors:\r\nThat are of little or no concern to you\r\nThat create an excessive number of log entries.\r\nIn addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy\r\nsettings can be modified, tested, and deployed to selected users and groups with relative simplicity. Audit policy\r\nsettings under Security Settings\\Advanced Audit Policy Configuration are available in the following\r\ncategories:\r\nConfiguring policy settings in this category can help you document attempts to authenticate account data on a\r\ndomain controller or on a local Security Accounts Manager (SAM). 
Unlike Logon and Logoff policy settings and\r\nevents, Account Logon settings and events focus on the account database that is used. This category includes the\r\nfollowing subcategories:\r\nAudit Credential Validation\r\nAudit Kerberos Authentication Service\r\nAudit Kerberos Service Ticket Operations\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings\r\nPage 1 of 5\n\nAudit Other Account Logon Events\r\nThe security audit policy settings in this category can be used to monitor changes to user and computer accounts\r\nand groups. This category includes the following subcategories:\r\nAudit Application Group Management\r\nAudit Computer Account Management\r\nAudit Distribution Group Management\r\nAudit Other Account Management Events\r\nAudit Security Group Management\r\nAudit User Account Management\r\nDetailed Tracking security policy settings and audit events can be used for the following purposes:\r\nTo monitor the activities of individual applications and users on that computer\r\nTo understand how a computer is being used.\r\nThis category includes the following subcategories:\r\nAudit DPAPI Activity\r\nAudit PNP activity\r\nAudit Process Creation\r\nAudit Process Termination\r\nAudit RPC Events\r\nAudit Token Right Adjusted\r\nDS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in\r\nActive Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This\r\ncategory includes the following subcategories:\r\nAudit Detailed Directory Service Replication\r\nAudit Directory Service Access\r\nAudit Directory Service Changes\r\nAudit Directory Service Replication\r\nLogon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer\r\ninteractively or over a network. 
These events are particularly useful for tracking user activity and identifying\r\npotential attacks on network resources. This category includes the following subcategories:\r\nAudit Account Lockout\r\nAudit User/Device Claims\r\nAudit IPsec Extended Mode\r\nAudit Group Membership\r\nAudit IPsec Main Mode\r\nAudit IPsec Quick Mode\r\nAudit Logoff\r\nAudit Logon\r\nAudit Network Policy Server\r\nAudit Other Logon/Logoff Events\r\nAudit Special Logon\r\nObject Access policy settings and audit events allow you to track attempts to access specific objects or types of\r\nobjects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object,\r\nenable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File\r\nSystem subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to\r\naudit registry accesses.\r\nProving to an external auditor that these audit policies are in effect is more difficult. There is no easy way to verify\r\nthat the proper SACLs are set on all inherited objects. 
To address this issue, see Global Object Access Auditing.\r\nThis category includes the following subcategories:\r\nAudit Application Generated\r\nAudit Certification Services\r\nAudit Detailed File Share\r\nAudit File Share\r\nAudit File System\r\nAudit Filtering Platform Connection\r\nAudit Filtering Platform Packet Drop\r\nAudit Handle Manipulation\r\nAudit Kernel Object\r\nAudit Other Object Access Events\r\nAudit Registry\r\nAudit Removable Storage\r\nAudit SAM\r\nAudit Central Access Policy Staging\r\nPolicy Change audit events allow you to track changes to important security policies on a local system or network.\r\nBecause policies are typically established by administrators to help secure network resources, tracking changes (or\r\nattempted changes) to these policies is an important aspect of security management for a network. This category includes\r\nthe following subcategories:\r\nAudit Audit Policy Change\r\nAudit Authentication Policy Change\r\nAudit Authorization Policy Change\r\nAudit Filtering Platform Policy Change\r\nAudit MPSSVC Rule-Level Policy Change\r\nAudit Other Policy Change Events\r\nPermissions on a network are granted for users or computers to complete defined tasks. Privilege Use security\r\npolicy settings and audit events allow you to track the use of certain permissions on one or more systems. 
This\r\ncategory includes the following subcategories:\r\nAudit Non-Sensitive Privilege Use\r\nAudit Sensitive Privilege Use\r\nAudit Other Privilege Use Events\r\nSystem security policy settings and audit events allow you to track the following types of system-level changes to\r\na computer:\r\nChanges that are not included in other categories\r\nChanges that have potential security implications.\r\nThis category includes the following subcategories:\r\nAudit IPsec Driver\r\nAudit Other System Events\r\nAudit Security State Change\r\nAudit Security System Extension\r\nAudit System Integrity\r\nGlobal Object Access Auditing policy settings allow administrators to define computer system access control lists\r\n(SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied\r\nto every object of that type. Auditors can prove that every resource in the system is protected by an audit policy.\r\nThey can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example,\r\nif auditors see a policy setting called \"Track all changes made by group administrators,\" they know that this policy\r\nis in effect.\r\nResource SACLs are also useful for diagnostic scenarios. For example, administrators can quickly identify which\r\nobject in a system is denying a user access by:\r\nSetting the Global Object Access Auditing policy to log all the activities for a specific user\r\nEnabling the policy to track \"Access denied\" events for the file system or registry\r\nNote\r\nIf a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and\r\na Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from\r\ncombining the file or folder SACL and the Global Object Access Auditing policy. 
This means that an audit event is\r\ngenerated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.\r\nThis category includes the following subcategories:\r\nFile System (Global Object Access Auditing)\r\nRegistry (Global Object Access Auditing)\r\nBasic security audit policy settings\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings"
	],
	"report_names": [
		"advanced-security-audit-policy-settings"
	],
	"threat_actors": [],
	"ts_created_at": 1775434444,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64f5e4941e768294d1d30c433345dc3e23810b60.pdf",
		"text": "https://archive.orkl.eu/64f5e4941e768294d1d30c433345dc3e23810b60.txt",
		"img": "https://archive.orkl.eu/64f5e4941e768294d1d30c433345dc3e23810b60.jpg"
	}
}