{
  "id": "4715",
  "source": "windows_security",
  "category": "Policy",
  "name": "The audit policy (SACL) on an object was changed",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 4715 records a change to the local audit policy security descriptor.",
  "trigger_scenarios": "This event is generated every time the local audit policy security descriptor changes and is logged regardless of the Audit Policy Change subcategory setting.",
  "key_fields": [
    {
      "field": "OldSd / NewSd",
      "explanation": "The original and new Security Descriptor Definition Language strings for the audit policy. Removing SACL entries such as AU with SA or FA can reduce success or failure auditing."
    },
    {
      "field": "SubjectUserName / SubjectLogonId",
      "explanation": "Identifies the account and hexadecimal logon session that changed the audit policy security descriptor."
    },
    {
      "field": "SDDL rights and flags",
      "explanation": "Microsoft documents SDDL elements including S: for SACL, SA for successful access audit, FA for failed access audit, WD for Modify Permissions, WO for Modify Owner, and hex rights such as 0xf0007."
    }
  ],
  "false_positives": [
    "Approved audit delegation changes can legitimately change OldSd and NewSd.",
    "Security baseline deployment tools may reset the descriptor during controlled hardening windows."
  ],
  "related_event_ids": [
    "4719",
    "4907",
    "4624"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1562.002",
      "technique_name": "Impair Defenses: Disable Windows Event Logging"
    }
  ],
  "detection_notes": "Use threshold=1 unplanned 4715 on high-value systems: Microsoft documents that this event is always logged when the local audit policy security descriptor changes. Compare OldSd and NewSd for removal of S: SACL entries, SA/FA audit flags, or rights such as WD/WO/0xf0007 assigned to unexpected trustees; removing those values impairs evidence collection and maps to T1562.002 Disable Windows Event Logging. Correlate SubjectLogonId with 4624 and any 4719 audit policy change before suppressing.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4715\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=4715 | table _time, host",
  "sample_log": "EventID: 4715\nSubjectUserName: dadmin\nSubjectLogonId: 0x11ae30\nOldSd: D:(A;;DCSWRPDTRC;;;BA)S:(AU;SAFA;DCLCRPCRSDWDWO;;;WD)\nNewSd: D:(A;;DCSWRPDTRC;;;BA)S:NO_ACCESS_CONTROL",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4715",
  "route": "/windows-events/4715/",
  "canonical_url": "https://soceventlookup.com/windows-events/4715/",
  "json_url": "/api/events/windows-security/4715.json"
}
