Audit Policies

Enumerate

auditpol /get /category:*

Current audit policy settings for all categories.

auditpol /get /user:UserName /category:*

Current audit policy settings for user, all audit categories.

auditpol /List /User /V

Lists every user for whom a per-user audit policy is defined; /v adds the user's SID to the listing.

auditusr

Checks audit policies on Windows XP/Server 2003, where auditusr is used instead of auditpol /get /category:*.

Get-AuditPolicy

Gets the audit policy for one or more audit subcategories. This cmdlet is not built into Windows; it comes from a separately installed PowerShell module, so check that the module is present before relying on it.

wevtutil gp Microsoft-Windows-Security-Auditing /ge:true

Dumps the metadata of the Microsoft-Windows-Security-Auditing publisher, including the definitions of the events it can write (/ge:true). This shows which event IDs the Security log can carry, not which subcategories are currently enabled.

secedit /export /cfg C:\auditpolicy.txt

Exports the local security settings to a text file; the [Event Audit] section holds the legacy top-level audit categories, while the advanced per-subcategory settings are only shown by auditpol.

Get-GPOReport -All -ReportType Xml -Path C:\GPOAuditReport.xml

Generates a report of all Group Policy Objects, including audit policy settings, in XML.

gpresult /H C:\GPOReport.html /SCOPE COMPUTER

Generates an HTML report that includes the results of Group Policy application, which covers audit policies for the computer.

Shows the logging settings for the current firewall profile, which can indirectly relate to auditing network activities:

netsh advfirewall show currentprofile logging

Filters the Security event log for events with ID 4719, which indicate changes to audit policy settings.

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 }

Retrieves the 50 most recent Security events with Event ID 4719, indicating changes to audit policies (Get-EventLog exists in Windows PowerShell only, not in PowerShell 7).

Get-EventLog -LogName Security -InstanceId 4719 -Newest 50
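Event 4719 only tells you that the policy changed; the useful detail (who changed which subcategory, and whether auditing was added or removed) sits in the event's XML data. The following script is an added example, not part of the original page: it queries 4719 events with a server-side filter, resolves the subcategory GUID to a name using auditpol's own listing, and decodes the change codes Microsoft documents for this event, so that removals of auditing are easy to spot. The 30-day window and the function names are choices made for the example.

```powershell
# Added example (not from the original page): summarize recent 4719 events.
# Must run elevated to read the Security log.

# Build a GUID -> name map from auditpol's verbose listing. Both categories
# and subcategories are listed with their GUIDs, one per line.
function Get-AuditSubcategoryMap {
    $map = @{}
    foreach ($line in (auditpol /list /subcategory:* /v)) {
        if ($line -match '^\s*(.+?)\s+(\{[0-9A-Fa-f-]+\})\s*$') {
            $map[$Matches[2].ToUpperInvariant()] = $Matches[1]
        }
    }
    return $map
}

# Codes written to the AuditPolicyChanges field of event 4719
# (from Microsoft's documentation of that event).
$ChangeCodes = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}

function Get-AuditPolicyChanges {
    param([int]$Days = 7)

    $guidMap = Get-AuditSubcategoryMap
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4719
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $guid = "$($data['SubcategoryGuid'])".ToUpperInvariant()
        $name = if ($guidMap.ContainsKey($guid)) { $guidMap[$guid] } else { $guid }

        # The field may list several codes separated by commas.
        $changes = @("$($data['AuditPolicyChanges'])" -split ',\s*' | ForEach-Object {
            if ($ChangeCodes.ContainsKey($_)) { $ChangeCodes[$_] } else { $_ }
        })

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Actor       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Subcategory = $name
            Changes     = ($changes -join ', ')
            # Any removal shrinks visibility and deserves a closer look.
            Weakened    = [bool]($changes -match 'removed')
        }
    }
}

# Weakening changes first, newest on top.
Get-AuditPolicyChanges -Days 30 |
    Sort-Object Weakened, Time -Descending |
    Format-Table -AutoSize
```

Because Get-WinEvent is given a hashtable filter, the event log service does the filtering instead of PowerShell sifting through every Security event. Feeding the Weakened column into an alert is the simplest way to catch an audit policy being quietly turned down before other logs go dark.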

Modify

Disables success and failure auditing for all subcategories under Account Logon:

auditpol /set /category:"Account Logon" /success:disable /failure:disable

Enables both success and failure auditing for the Credential Validation subcategory (under Account Logon):

auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

Clears the system audit policy for all subcategories, leaving every subcategory set to No Auditing (/y suppresses the confirmation prompt). Take a backup first (see below) so the previous settings can be restored.

auditpol /clear /y

Uses PowerShell to enable success auditing and disable failure auditing for the Account Logon category:

Set-AuditPolicy -Category "Account Logon" -Success Enable -Failure Disable

Sets success and failure auditing for the Credential Validation subcategory using PowerShell:

Set-AuditPolicy -SubCategory "Credential Validation" -Success Enable -Failure Enable

Enables auditing for all subcategories for both success and failure events using PowerShell:

Set-AuditPolicy -All -Success:enable -Failure:enable

Backs up the current audit policy settings to a file.

auditpol /backup /file:C:\auditpol_backup.txt

Restores audit policy settings from a backup file.

auditpol /restore /file:C:\auditpol_backup.txt
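Setting subcategories one at a time is error-prone; in practice you define the policy you want, compare it with what is actually in effect, and remediate the differences. The following script is an added example, not part of the original page: it parses the CSV that auditpol /get /category:* /r produces, compares the "Inclusion Setting" column with a desired baseline, and prints the auditpol /set command that would fix each drifted subcategory without running it. The baseline hashtable is a constructed illustration, and the backup path under $env:TEMP is an assumption for the example.

```powershell
# Added example (not from the original page): detect drift between the live
# audit policy and a desired baseline. Run elevated.

# Constructed baseline for illustration only; subcategory names must match
# auditpol's names exactly.
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Logon'                     = 'Success and Failure'
    'Special Logon'             = 'Success'
    'Sensitive Privilege Use'   = 'Success and Failure'
}

# /r makes auditpol emit CSV with "Subcategory" and "Inclusion Setting"
# columns; the blank line it prints first is dropped before parsing.
function Get-EffectiveAuditPolicy {
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
            }
        }
}

# Translate a desired setting into auditpol's /success and /failure flags.
function ConvertTo-AuditpolFlags {
    param([string]$Setting)
    $s = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    return "/success:$s /failure:$f"
}

function Compare-AuditPolicy {
    param([hashtable]$Desired)

    $current = @{}
    foreach ($row in Get-EffectiveAuditPolicy) { $current[$row.Subcategory] = $row.Setting }

    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $have = if ($current.ContainsKey($name)) { $current[$name] } else { '<not present on this OS>' }
        if ($have -ne $Desired[$name]) {
            $flags = ConvertTo-AuditpolFlags -Setting $Desired[$name]
            [pscustomobject]@{
                Subcategory = $name
                Current     = $have
                Desired     = $Desired[$name]
                Remediation = "auditpol /set /subcategory:`"$name`" $flags"
            }
        }
    }
}

# Back up the current policy first so any later change can be reversed with
# auditpol /restore, then report drift without applying anything.
$backup = Join-Path $env:TEMP 'auditpol_backup.csv'
auditpol /backup /file:"$backup" | Out-Null
Compare-AuditPolicy -Desired $Baseline | Format-Table -Wrap -AutoSize
```

Subcategories missing from the machine are reported as not present rather than treated as drift, which matters when the same baseline is applied across Windows versions that expose different subcategories. Piping the Remediation column into Invoke-Expression is deliberately left to the operator, after the output has been reviewed.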

Audit Policy Categories and Sub-Categories

The audit categories and subcategories in Windows are part of the Advanced Audit Policy Configuration, which allows administrators to get more granular with their audit policies.

Here is a summary of the main categories and some of their subcategories:

Account Logon
    Credential Validation
    Kerberos Service Ticket Operations
    Kerberos Authentication Service
    Other Account Logon Events

Account Management
    Computer Account Management
    Security Group Management
    Distribution Group Management
    Application Group Management
    Other Account Management Events
    User Account Management

Detailed Tracking
    DPAPI Activity
    Process Creation
    Process Termination
    RPC Events

DS Access
    Directory Service Access
    Directory Service Changes
    Directory Service Replication
    Detailed Directory Service Replication

Logon/Logoff
    Account Lockout
    IPsec Main Mode
    IPsec Quick Mode
    IPsec Extended Mode
    Special Logon
    Logoff
    Logon
    Network Policy Server
    Other Logon/Logoff Events
    User / Device Claims

Object Access
    Application Generated
    Certification Services
    Detailed File Share
    File Share
    File System
    Filtering Platform Connection
    Filtering Platform Packet Drop
    Handle Manipulation
    Kernel Object
    Other Object Access Events
    Registry
    SAM

Policy Change
    Audit Policy Change
    Authentication Policy Change
    Authorization Policy Change
    MPSSVC Rule-Level Policy Change
    Filtering Platform Policy Change
    Other Policy Change Events

Privilege Use
    Non-Sensitive Privilege Use
    Other Privilege Use Events
    Sensitive Privilege Use

System
    IPsec Driver
    Other System Events
    Security State Change
    Security System Extension
    System Integrity

Global Object Access Auditing
    File System
    Registry

Each category and subcategory provides specific events that can be audited to give administrators insight into the security and operations of a Windows environment.

The availability of certain categories and subcategories can depend on the version of Windows you are using.
