Defender for Identity - Automatic Windows auditing configuration
MDI Automatic Windows Auditing Configuration
Query
DeviceEvents
| where ActionType == "AuditPolicyModification"
| extend polmod = parse_json(AdditionalFields)
| extend AuditPolicyChange = polmod.AuditPolicyChanges
| extend CategoryId = trim(@"[^\w]+",tostring(polmod.CategoryId))
| extend SubcategoryGuid = toupper(polmod.SubcategoryGuid)
| extend SubcategoryId = trim(@"[^\w]+",tostring(polmod.SubcategoryId))
| mv-expand split(AuditPolicyChange,",")
| extend AuditPolicyChange = trim(@"[^\w]+",tostring(AuditPolicyChange))
| extend AuditPolicyChangesName = case(
AuditPolicyChange == "8448","Success Removed",
AuditPolicyChange == "8450","Failure Removed",
AuditPolicyChange == "8449","Success Added",
AuditPolicyChange == "8451","Failure Added","undefined")
| extend CategoryName = case (
CategoryId == "8280","Account Logon",
CategoryId == "8278","Account Management",
CategoryId == "8276","Detrailed Tracking",
CategoryId == "8279","DS Access",
CategoryId == "8273","Logon/Logoff",
CategoryId == "8274","Object Access",
CategoryId == "8277","Policy Change",
CategoryId == "8275","Privilege Use",
CategoryId == "8272","System",
"undefined")
| extend SubcategoryName = case(
// Accont Logon
SubcategoryGuid == "0CCE923F-69AE-11D9-BED3-505054503030", "Credential Validation",
SubcategoryGuid == "0CCE9242-69AE-11D9-BED3-505054503030", "Kerberos Authentication Service ",
SubcategoryGuid == "0CCE9240-69AE-11D9-BED3-505054503030", "Kerberos Service Ticket Operations",
SubcategoryGuid == "0CCE9241-69AE-11D9-BED3-505054503030", "Other Account Logon Events",
// Account Managent
SubcategoryGuid == "0CCE9239-69AE-11D9-BED3-505054503030", "Application Group Management",
SubcategoryGuid == "0CCE9236-69AE-11D9-BED3-505054503030", "Computer Account Management",
SubcategoryGuid == "0CCE9238-69AE-11D9-BED3-505054503030", "Distribution Group Management",
SubcategoryGuid == "0CCE923A-69AE-11D9-BED3-505054503030", "Other Account Management Events",
SubcategoryGuid == "0CCE9237-69AE-11D9-BED3-505054503030", "Security Group Management",
SubcategoryGuid == "0CCE9235-69AE-11D9-BED3-505054503030", "User Account Management",
// Detailed Tracking
SubcategoryGuid == "0CCE922D-69AE-11D9-BED3-505054503030", "DPAPI Activity",
SubcategoryGuid == "0CCE9248-69AE-11D9-BED3-505054503030", "PNP Activity",
SubcategoryGuid == "0CCE922B-69AE-11D9-BED3-505054503030", "Process Creation",
SubcategoryGuid == "0CCE922C-69AE-11D9-BED3-505054503030", "Process Termination",
SubcategoryGuid == "0CCE922E-69AE-11D9-BED3-505054503030", "RPC Events",
SubcategoryGuid == "0CCE924A-69AE-11D9-BED3-505054503030", "Audit Token Right Adjusted",
// DS Access
SubcategoryGuid == "0CCE923E-69AE-11D9-BED3-505054503030", "Detailed Directory Service Replication",
SubcategoryGuid == "0CCE923B-69AE-11D9-BED3-505054503030", "Directory Service Access",
SubcategoryGuid == "0CCE923C-69AE-11D9-BED3-505054503030", "Directory Service Changes",
SubcategoryGuid == "0CCE923D-69AE-11D9-BED3-505054503030", "Directory Service Replication",
// Logon - Logoff
SubcategoryGuid == "0CCE9217-69AE-11D9-BED3-505054503030", "Account Lockout",
SubcategoryGuid == "0CCE9247-69AE-11d9-BED3-505054503030", "User/Device Claims",
SubcategoryGuid == "0CCE9249-69AE-11d9-BED3-505054503030", "Group Membership",
SubcategoryGuid == "0CCE921A-69AE-11D9-BED3-505054503030", "IPsec Extended Mode",
SubcategoryGuid == "0CCE9218-69AE-11D9-BED3-505054503030", "IPsec Main Mode",
SubcategoryGuid == "0CCE9219-69AE-11D9-BED3-505054503030", "IPsec Quick Mode",
SubcategoryGuid == "0CCE9216-69AE-11D9-BED3-505054503030", "Logoff",
SubcategoryGuid == "0CCE9215-69AE-11D9-BED3-505054503030", "Logon",
SubcategoryGuid == "0CCE9243-69AE-11D9-BED3-505054503030", "Network Policy Server",
SubcategoryGuid == "0CCE921C-69AE-11D9-BED3-505054503030", "Other Logon/Logoff Events",
SubcategoryGuid == "0CCE921B-69AE-11D9-BED3-505054503030", "Special Logon",
// Object Access
SubcategoryGuid == "0CCE9222-69AE-11D9-BED3-505054503030", "Application Generated",
SubcategoryGuid == "0CCE9221-69AE-11D9-BED3-505054503030", "Certification Services",
SubcategoryGuid == "0CCE9244-69AE-11D9-BED3-505054503030", "Detailed File Share",
SubcategoryGuid == "0CCE9224-69AE-11D9-BED3-505054503030", "File Share",
SubcategoryGuid == "0CCE921D-69AE-11D9-BED3-505054503030", "File System",
SubcategoryGuid == "0CCE9226-69AE-11D9-BED3-505054503030", "Filtering Platform Connection",
SubcategoryGuid == "0CCE9225-69AE-11D9-BED3-505054503030", "Filtering Platform Packet Drop",
SubcategoryGuid == "0CCE9223-69AE-11D9-BED3-505054503030", "Handle Manipulation",
SubcategoryGuid == "0CCE921F-69AE-11D9-BED3-505054503030", "Kernel Object",
SubcategoryGuid == "0CCE9227-69AE-11D9-BED3-505054503030", "Other Object Access",
SubcategoryGuid == "0CCE9227-69AE-11D9-BED3-505054503030", "Other Object Access",
SubcategoryGuid == "0CCE921E-69AE-11D9-BED3-505054503030", "Registry",
SubcategoryGuid == "0CCE9245-69AE-11D9-BED3-505054503030", "Removable Storage",
SubcategoryGuid == "0CCE9220-69AE-11D9-BED3-505054503030", "SAM",
SubcategoryGuid == "0CCE9246-69AE-11D9-BED3-505054503030", "Central Access Policy Staging",
// Policy Change
SubcategoryGuid == "0CCE922F-69AE-11D9-BED3-505054503030", "Audit Policy Change",
SubcategoryGuid == "0CCE9230-69AE-11D9-BED3-505054503030", "Authentication Policy Change",
SubcategoryGuid == "0CCE9231-69AE-11D9-BED3-505054503030", "Authorization Policy Change",
SubcategoryGuid == "0CCE9233-69AE-11D9-BED3-505054503030", "Filtering Platform Policy Change",
SubcategoryGuid == "0CCE9232-69AE-11D9-BED3-505054503030", "MPSSVC Rule-Level Policy Change",
SubcategoryGuid == "0CCE9234-69AE-11D9-BED3-505054503030", "Other Policy Change Events",
// Privilege Use
SubcategoryGuid == "0CCE9229-69AE-11D9-BED3-505054503030", "Non Sensitive Privilege Use",
SubcategoryGuid == "0CCE922A-69AE-11D9-BED3-505054503030", "Other Privilege Use Events",
SubcategoryGuid == "0CCE9228-69AE-11D9-BED3-505054503030", "Sensitive Privilege Use",
// System
SubcategoryGuid == "0CCE9213-69AE-11D9-BED3-505054503030", "IPsec Driver",
SubcategoryGuid == "0CCE9214-69AE-11D9-BED3-505054503030", "Other System Events",
SubcategoryGuid == "0CCE9210-69AE-11D9-BED3-505054503030", "Security State Change",
SubcategoryGuid == "0CCE9211-69AE-11D9-BED3-505054503030", "Security System Extension",
SubcategoryGuid == "0CCE9212-69AE-11D9-BED3-505054503030", "the System Integrity",
"undefined")
| project Timestamp, DeviceName, AuditPolicyChange, AuditPolicyChangesName, CategoryName, SubcategoryGuid, SubcategoryName, CategoryId,SubcategoryId, InitiatingProcessFileName
| sort by Timestamp
| extend Status = case(
AuditPolicyChangesName endswith "Added", "🟢",
AuditPolicyChangesName endswith "Removed", "🔴",
""
)
| extend EventIds = case(
// ACCOUNT LOGON
SubcategoryName == "Credential Validation", "4776",
// ACCOUNT MANAGEMENT
SubcategoryName == "Computer Account Management", "4741, 4743",
SubcategoryName == "Distribution Group Management", "4753, 4763",
SubcategoryName == "Security Group Management", "4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758",
SubcategoryName == "User Account Management", "4726",
// DS ACCESS
SubcategoryName == "Directory Service Changes", "5136",
SubcategoryName == "Directory Service Access", "4662",
// SYSTEM
SubcategoryName == "Security System Extension", "7045",
// DEFAULT
"Unknown"
)
//| where InitiatingProcessFileName == @"senseidentity.exe"
//| distinct CategoryName, SubcategoryName, StatusAbout this query
Explanation
This KQL (Kusto Query Language) query is designed to analyze events related to automatic Windows event-auditing configuration changes in Microsoft Defender for Identity. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by looking at
DeviceEvents, which contains various events logged by devices. -
Filter: The query filters events to only include those where the
ActionTypeis "AuditPolicyModification", indicating changes to audit policies. -
Data Parsing and Transformation:
- It extracts and parses additional fields related to audit policy changes.
- It identifies the specific changes made to audit policies (e.g., "Success Added", "Failure Removed") and assigns human-readable names to these changes.
- It categorizes the events into broader categories like "Account Logon", "Account Management", etc., based on
CategoryId. - It further breaks down these categories into subcategories (e.g., "Credential Validation", "Kerberos Authentication Service") using
SubcategoryGuid.
-
Data Presentation:
- The query projects (selects) relevant fields such as
Timestamp,DeviceName,AuditPolicyChange, and others for display. - It sorts the results by
Timestampto show the events in chronological order. - It adds a visual status indicator (🟢 for added policies, 🔴 for removed policies) to quickly identify the nature of the change.
- The query projects (selects) relevant fields such as
-
Event Mapping:
- It maps specific subcategories to corresponding Windows Event IDs, providing additional context about the type of events being audited.
-
Commented Out Sections:
- There are sections of the query that are commented out, such as filtering by
InitiatingProcessFileNameand distinct selection of categories and statuses, which can be used for more specific analysis if needed.
- There are sections of the query that are commented out, such as filtering by
Overall, this query helps administrators monitor and understand changes to Windows event-auditing settings across devices, ensuring consistent policy enforcement and simplifying the deployment process in Microsoft Defender for Identity.
Details

Alex Verboon
Released: December 9, 2025
Tables
Keywords
Operators