4 Replies Latest reply on Aug 1, 2016 7:40 PM by ehumphrey

    System Audit Policy Changed - 22 alerts

    ehumphrey

Combed the LEM documentation, couldn't find a clue (it might be in documentation somewhere, I couldn't find it after an hour of digging)

       

      This morning I got 22 TriGeo alerts in this pattern:

       

      system audit policy changed: logon/logoff (network policy server) at 2016-07-29 04:52:40.0
      system audit policy changed: logon/logoff (account lockout) at 2016-07-29 04:52:40.0
      system audit policy changed: logon/logoff (ipsec extended mode) at 2016-07-29 04:52:40.0
      system audit policy changed: logon/logoff (ipsec quick mode) at 2016-07-29 04:52:40.0

      ... and so on.

       

      A sampling of the nDepth view of this is attached. (Host name mostly obscured, but I left a little bit visible so we can see that it's the same host).

      Capture.PNG

       

      To me it seems like something restarted, and the policies were just enumerated again, or something, but I want to know what is going on. I can't respond to my boss with unconfirmed theories.

       

      Can anyone tell me what this is, or direct me to documentation that explains this?

       

      Thanks

        • Re: System Audit Policy Changed - 22 alerts
          blsanner

          I don't think this is an instance of something just being enumerated again.  A couple of fields to look at in those events.  First, the ChangeDetails field shows that failure auditing was removed, meaning that it was enabled previously.  What that means is that you will no longer get failure events for those categories.  Assuming that success auditing is still enabled, you would still see successful events in those categories.  Second, the fact that the SourceAccount field shows the local machine account indicates that this change came from a GPO.

           

          Another alternative may be that someone turned on failure auditing for all of those categories and, when group policy refreshed, it overwrote it back to the standard GPO settings.  In this case, you should see events in LEM for failure auditing being enabled for these categories.

           

          I would start digging into my GPOs to see which one caused this change as well as looking for events in LEM for changes in group policy, assuming you are logging those.

            • Re: System Audit Policy Changed - 22 alerts
              ehumphrey

              Blsanner, yes, you're correct. Looking in the host machine's logs, I see an informational entry at the correct time stamp: Event 1704 "Security policy in the Group policy objects has been applied successfully." But there are a lot of entries for Event 1704; only this one triggered an alarm.

               

My default domain GPO is set to audit logon events - failure only. My default domain DC GPO audits several items, including policy change. This host in question is not a DC, so I wouldn't expect those other audit events to be enabled (unless I misunderstand).

               

Wolram, when you say it's logged as a change, do you mean that even though the other audit events are not enabled, logging will treat that as a "change" and list them out as disabled?

            • Re: System Audit Policy Changed - 22 alerts
              ehumphrey

This happened four more times over the weekend. Same host, same batch of 22 alerts. Something automated? Not at the same time each day, however.
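The triage blsanner describes (read the change details and the source account on each "system audit policy changed" event) and the Event 1704 correlation ehumphrey found can be done directly on the host. The script below is an added example, not code from the thread or from SolarWinds LEM/TriGeo. It pulls the Windows Security log events behind those alerts (Event ID 4719, "System audit policy was changed", which Windows raises once per subcategory touched, which is why a single policy apply shows up as a batch of alerts), flags the ones made by the computer account, lines them up with SceCli Event 1704 in the Application log, and finishes with the effective policy and the list of GPOs applied to the computer. The look-back window (`$Since`) and the 60-second correlation window are assumptions; adjust them to the timestamps in your alerts.

```powershell
# Added example; not code from the thread or from SolarWinds LEM. Assumes you can
# read the Security and Application logs on the host (elevated session, or add
# -ComputerName to the Get-WinEvent calls) and that a 60-second window is enough
# to tie the audit policy change events to the group policy apply that caused them.
param(
    [datetime]$Since = (Get-Date).AddDays(-3),   # assumed look-back window
    [int]$WindowSeconds = 60                      # assumed correlation window
)

# Pull one labelled field out of the rendered event message,
# e.g. the line "Subcategory:   Account Lockout".
function Get-MessageField {
    param([string]$Message, [string]$Name)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

# Security log, Event ID 4719 "System audit policy was changed": one event per subcategory touched.
$policyChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $account = Get-MessageField $_.Message 'Account Name'
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Category    = Get-MessageField $_.Message 'Category'       # e.g. "Logon/Logoff"
            Subcategory = Get-MessageField $_.Message 'Subcategory'    # e.g. "Account Lockout"
            Changes     = Get-MessageField $_.Message 'Changes'        # e.g. "Failure removed"
            Account     = $account
            # A trailing '$' means the computer account made the change, i.e. policy
            # application rather than someone editing auditpol/secpol by hand.
            ViaMachine  = $account -match '\$$'
        }
    }

# Application log, source SceCli, Event 1704:
# "Security policy in the Group policy objects has been applied successfully."
$gpoApplies = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704; StartTime = $Since } -ErrorAction SilentlyContinue

# For every GPO apply, count the 4719s that landed inside the window and summarise what they added/removed.
$report = foreach ($apply in $gpoApplies) {
    $nearby = $policyChanges | Where-Object { [math]::Abs(($_.Time - $apply.TimeCreated).TotalSeconds) -le $WindowSeconds }
    [pscustomobject]@{
        GpoApplied   = $apply.TimeCreated
        ChangeEvents = @($nearby).Count
        ViaMachine   = @($nearby | Where-Object ViaMachine).Count
        Summary      = ($nearby | Group-Object Changes | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; '
    }
}

# Only the 1704s that actually changed something matter; the others re-applied an identical policy.
$report | Where-Object ChangeEvents -gt 0 | Format-Table -AutoSize
$policyChanges | Sort-Object Time | Format-Table Time, Category, Subcategory, Changes, Account -AutoSize

# What the effective policy is now, and which GPOs applied to the computer,
# so the one carrying the audit settings can be identified.
auditpol /get /category:*
gpresult /scope computer /r
```

Two things to look at in the output: a 1704 with a non-zero ChangeEvents count whose Summary is all "Failure removed" and whose ViaMachine count equals ChangeEvents is the pattern blsanner describes (a GPO apply taking failure auditing away); a 1704 with "Failure added" (or a 4719 whose Account is a user rather than the computer account) shortly before it is the alternative he raises, where someone enabled auditing locally and the next refresh reverted it. The `gpresult` listing, read together with `auditpol`, tells you which GPO's audit settings are actually winning on this host.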