From 3231ccf3f55fa10e6732f86c4af21ec8ccf12e25 Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Mon, 9 Jan 2023 14:48:56 -0500
Subject: [PATCH] add volume to audit

---
 .../client-management/mdm/policy-csp-audit.md | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)

diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index c039ded0e0..b2e381fcca 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -42,6 +42,7 @@ This policy setting allows you to audit events generated by validation tests on
 
 <!-- AccountLogon_AuditCredentialValidation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on domain controllers.
 <!-- AccountLogon_AuditCredentialValidation-Editable-End -->
 
 <!-- AccountLogon_AuditCredentialValidation-DFProperties-Begin -->
@@ -102,6 +103,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat
 
 <!-- AccountLogon_AuditKerberosAuthenticationService-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on Kerberos Key Distribution Center servers.
 <!-- AccountLogon_AuditKerberosAuthenticationService-Editable-End -->
 
 <!-- AccountLogon_AuditKerberosAuthenticationService-DFProperties-Begin -->
@@ -162,6 +164,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat
 
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-Editable-End -->
 
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-DFProperties-Begin -->
@@ -282,6 +285,7 @@ This policy setting allows you to audit events generated by a failed attempt to
 
 <!-- AccountLogonLogoff_AuditAccountLockout-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountLogonLogoff_AuditAccountLockout-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditAccountLockout-DFProperties-Begin -->
@@ -342,6 +346,7 @@ This policy allows you to audit the group memberhsip information in the user's l
 
 <!-- AccountLogonLogoff_AuditGroupMembership-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditGroupMembership-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditGroupMembership-DFProperties-Begin -->
@@ -402,6 +407,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-DFProperties-Begin -->
@@ -462,6 +468,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 
 <!-- AccountLogonLogoff_AuditIPsecMainMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecMainMode-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditIPsecMainMode-DFProperties-Begin -->
@@ -522,6 +529,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-DFProperties-Begin -->
@@ -582,6 +590,7 @@ This policy setting allows you to audit events generated by the closing of a log
 
 <!-- AccountLogonLogoff_AuditLogoff-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountLogonLogoff_AuditLogoff-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditLogoff-DFProperties-Begin -->
@@ -642,6 +651,7 @@ This policy setting allows you to audit events generated by user account logon a
 
 <!-- AccountLogonLogoff_AuditLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditLogon-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditLogon-DFProperties-Begin -->
@@ -702,6 +712,7 @@ This policy setting allows you to audit events generated by RADIUS (IAS) and Net
 
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Medium or High on NPS and IAS server. No volume on other computers.
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-DFProperties-Begin -->
@@ -762,6 +773,7 @@ This policy setting allows you to audit other logon/logoff-related events that a
 
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-DFProperties-Begin -->
@@ -822,6 +834,7 @@ This policy setting allows you to audit events generated by special logons such
 
 <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditSpecialLogon-DFProperties-Begin -->
@@ -882,6 +895,7 @@ This policy allows you to audit user and device claims information in the user's
 
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-Editable-End -->
 
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-DFProperties-Begin -->
@@ -942,6 +956,7 @@ This policy setting allows you to audit events generated by changes to applicati
 
 <!-- AccountManagement_AuditApplicationGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditApplicationGroupManagement-Editable-End -->
 
 <!-- AccountManagement_AuditApplicationGroupManagement-DFProperties-Begin -->
@@ -1002,6 +1017,7 @@ This policy setting allows you to audit events generated by changes to computer
 
 <!-- AccountManagement_AuditComputerAccountManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditComputerAccountManagement-Editable-End -->
 
 <!-- AccountManagement_AuditComputerAccountManagement-DFProperties-Begin -->
@@ -1064,6 +1080,7 @@ This policy setting allows you to audit events generated by changes to distribut
 
 <!-- AccountManagement_AuditDistributionGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditDistributionGroupManagement-Editable-End -->
 
 <!-- AccountManagement_AuditDistributionGroupManagement-DFProperties-Begin -->
@@ -1124,6 +1141,7 @@ This policy setting allows you to audit events generated by other user account c
 
 <!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-End -->
 
 <!-- AccountManagement_AuditOtherAccountManagementEvents-DFProperties-Begin -->
@@ -1184,6 +1202,7 @@ This policy setting allows you to audit events generated by changes to security
 
 <!-- AccountManagement_AuditSecurityGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditSecurityGroupManagement-Editable-End -->
 
 <!-- AccountManagement_AuditSecurityGroupManagement-DFProperties-Begin -->
@@ -1244,6 +1263,7 @@ This policy setting allows you to audit changes to user accounts. Events include
 
 <!-- AccountManagement_AuditUserAccountManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- AccountManagement_AuditUserAccountManagement-Editable-End -->
 
 <!-- AccountManagement_AuditUserAccountManagement-DFProperties-Begin -->
@@ -1304,6 +1324,7 @@ This policy setting allows you to audit events generated when encryption or decr
 
 <!-- DetailedTracking_AuditDPAPIActivity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- DetailedTracking_AuditDPAPIActivity-Editable-End -->
 
 <!-- DetailedTracking_AuditDPAPIActivity-DFProperties-Begin -->
@@ -1364,6 +1385,7 @@ This policy setting allows you to audit when plug and play detects an external d
 
 <!-- DetailedTracking_AuditPNPActivity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- DetailedTracking_AuditPNPActivity-Editable-End -->
 
 <!-- DetailedTracking_AuditPNPActivity-DFProperties-Begin -->
@@ -1424,6 +1446,7 @@ This policy setting allows you to audit events generated when a process is creat
 
 <!-- DetailedTracking_AuditProcessCreation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on how the computer is used.
 <!-- DetailedTracking_AuditProcessCreation-Editable-End -->
 
 <!-- DetailedTracking_AuditProcessCreation-DFProperties-Begin -->
@@ -1484,6 +1507,7 @@ This policy setting allows you to audit events generated when a process ends. If
 
 <!-- DetailedTracking_AuditProcessTermination-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on how the computer is used.
 <!-- DetailedTracking_AuditProcessTermination-Editable-End -->
 
 <!-- DetailedTracking_AuditProcessTermination-DFProperties-Begin -->
@@ -1544,6 +1568,7 @@ This policy setting allows you to audit inbound remote procedure call (RPC) conn
 
 <!-- DetailedTracking_AuditRPCEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on RPC servers.
 <!-- DetailedTracking_AuditRPCEvents-Editable-End -->
 
 <!-- DetailedTracking_AuditRPCEvents-DFProperties-Begin -->
@@ -1604,6 +1629,7 @@ This policy setting allows you to audit events generated by adjusting the privil
 
 <!-- DetailedTracking_AuditTokenRightAdjusted-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- DetailedTracking_AuditTokenRightAdjusted-Editable-End -->
 
 <!-- DetailedTracking_AuditTokenRightAdjusted-DFProperties-Begin -->
@@ -1664,6 +1690,7 @@ This policy setting allows you to audit events generated by detailed Active Dire
 
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-Editable-End -->
 
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-DFProperties-Begin -->
@@ -1724,6 +1751,7 @@ This policy setting allows you to audit events generated when an Active Director
 
 <!-- DSAccess_AuditDirectoryServiceAccess-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on domain controllers. None on client computers.
 <!-- DSAccess_AuditDirectoryServiceAccess-Editable-End -->
 
 <!-- DSAccess_AuditDirectoryServiceAccess-DFProperties-Begin -->
@@ -1786,6 +1814,7 @@ This policy setting allows you to audit events generated by changes to objects i
 
 <!-- DSAccess_AuditDirectoryServiceChanges-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on domain controllers only.
 <!-- DSAccess_AuditDirectoryServiceChanges-Editable-End -->
 
 <!-- DSAccess_AuditDirectoryServiceChanges-DFProperties-Begin -->
@@ -1846,6 +1875,7 @@ This policy setting allows you to audit replication between two Active Directory
 
 <!-- DSAccess_AuditDirectoryServiceReplication-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Medium on domain controllers. None on client computers.
 <!-- DSAccess_AuditDirectoryServiceReplication-Editable-End -->
 
 <!-- DSAccess_AuditDirectoryServiceReplication-DFProperties-Begin -->
@@ -1906,6 +1936,7 @@ This policy setting allows you to audit applications that generate events using
 
 <!-- ObjectAccess_AuditApplicationGenerated-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on the applications that are generating them.
 <!-- ObjectAccess_AuditApplicationGenerated-Editable-End -->
 
 <!-- ObjectAccess_AuditApplicationGenerated-DFProperties-Begin -->
@@ -1966,6 +1997,7 @@ This policy setting allows you to audit access requests where the permission gra
 
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy.
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-Editable-End -->
 
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-DFProperties-Begin -->
@@ -2026,6 +2058,7 @@ This policy setting allows you to audit Active Directory Certificate Services (A
 
 <!-- ObjectAccess_AuditCertificationServices-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Medium or Low on computers running Active Directory Certificate Services.
 <!-- ObjectAccess_AuditCertificationServices-Editable-End -->
 
 <!-- ObjectAccess_AuditCertificationServices-DFProperties-Begin -->
@@ -2088,6 +2121,7 @@ This policy setting allows you to audit attempts to access files and folders on
 
 <!-- ObjectAccess_AuditDetailedFileShare-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
 <!-- ObjectAccess_AuditDetailedFileShare-Editable-End -->
 
 <!-- ObjectAccess_AuditDetailedFileShare-DFProperties-Begin -->
@@ -2150,6 +2184,7 @@ This policy setting allows you to audit attempts to access a shared folder. If y
 
 <!-- ObjectAccess_AuditFileShare-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
 <!-- ObjectAccess_AuditFileShare-Editable-End -->
 
 <!-- ObjectAccess_AuditFileShare-DFProperties-Begin -->
@@ -2212,6 +2247,7 @@ This policy setting allows you to audit user attempts to access file system obje
 
 <!-- ObjectAccess_AuditFileSystem-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on how the file system SACLs are configured.
 <!-- ObjectAccess_AuditFileSystem-Editable-End -->
 
 <!-- ObjectAccess_AuditFileSystem-DFProperties-Begin -->
@@ -2272,6 +2308,7 @@ This policy setting allows you to audit connections that are allowed or blocked
 
 <!-- ObjectAccess_AuditFilteringPlatformConnection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- ObjectAccess_AuditFilteringPlatformConnection-Editable-End -->
 
 <!-- ObjectAccess_AuditFilteringPlatformConnection-DFProperties-Begin -->
@@ -2332,6 +2369,7 @@ This policy setting allows you to audit packets that are dropped by Windows Filt
 
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-Editable-End -->
 
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-DFProperties-Begin -->
@@ -2394,6 +2432,7 @@ This policy setting allows you to audit events generated when a handle to an obj
 
 <!-- ObjectAccess_AuditHandleManipulation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on how SACLs are configured.
 <!-- ObjectAccess_AuditHandleManipulation-Editable-End -->
 
 <!-- ObjectAccess_AuditHandleManipulation-DFProperties-Begin -->
@@ -2456,6 +2495,7 @@ This policy setting allows you to audit attempts to access the kernel, which inc
 
 <!-- ObjectAccess_AuditKernelObject-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High if auditing access of global system objects is enabled.
 <!-- ObjectAccess_AuditKernelObject-Editable-End -->
 
 <!-- ObjectAccess_AuditKernelObject-DFProperties-Begin -->
@@ -2516,6 +2556,7 @@ This policy setting allows you to audit events generated by the management of ta
 
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-Editable-End -->
 
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-DFProperties-Begin -->
@@ -2578,6 +2619,7 @@ This policy setting allows you to audit attempts to access registry objects. A s
 
 <!-- ObjectAccess_AuditRegistry-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Depends on how registry SACLs are configured.
 <!-- ObjectAccess_AuditRegistry-Editable-End -->
 
 <!-- ObjectAccess_AuditRegistry-DFProperties-Begin -->
@@ -2700,6 +2742,7 @@ This policy setting allows you to audit events generated by attempts to access t
 
 <!-- ObjectAccess_AuditSAM-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects).
 <!-- ObjectAccess_AuditSAM-Editable-End -->
 
 <!-- ObjectAccess_AuditSAM-DFProperties-Begin -->
@@ -2762,6 +2805,7 @@ This policy setting allows you to audit events generated by changes to the authe
 
 <!-- PolicyChange_AuditAuthenticationPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditAuthenticationPolicyChange-Editable-End -->
 
 <!-- PolicyChange_AuditAuthenticationPolicyChange-DFProperties-Begin -->
@@ -2822,6 +2866,7 @@ This policy setting allows you to audit events generated by changes to the autho
 
 <!-- PolicyChange_AuditAuthorizationPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditAuthorizationPolicyChange-Editable-End -->
 
 <!-- PolicyChange_AuditAuthorizationPolicyChange-DFProperties-Begin -->
@@ -2882,6 +2927,7 @@ This policy setting allows you to audit events generated by changes to the Windo
 
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Editable-End -->
 
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-DFProperties-Begin -->
@@ -2942,6 +2988,7 @@ This policy setting allows you to audit events generated by changes in policy ru
 
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Editable-End -->
 
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-DFProperties-Begin -->
@@ -3002,6 +3049,7 @@ This policy setting allows you to audit events generated by other security polic
 
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-Editable-End -->
 
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-DFProperties-Begin -->
@@ -3064,6 +3112,7 @@ This policy setting allows you to audit changes in the security audit policy set
 
 <!-- PolicyChange_AuditPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- PolicyChange_AuditPolicyChange-Editable-End -->
 
 <!-- PolicyChange_AuditPolicyChange-DFProperties-Begin -->
@@ -3124,6 +3173,7 @@ This policy setting allows you to audit events generated by the use of non-sensi
 
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Very High.
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Editable-End -->
 
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-DFProperties-Begin -->
@@ -3244,6 +3294,7 @@ This policy setting allows you to audit events generated when sensitive privileg
 
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: High.
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Editable-End -->
 
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-DFProperties-Begin -->
@@ -3304,6 +3355,7 @@ This policy setting allows you to audit events generated by the IPsec filter dri
 
 <!-- System_AuditIPsecDriver-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- System_AuditIPsecDriver-Editable-End -->
 
 <!-- System_AuditIPsecDriver-DFProperties-Begin -->
@@ -3364,6 +3416,7 @@ This policy setting allows you to audit any of the following events: Startup and
 
 <!-- System_AuditOtherSystemEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- System_AuditOtherSystemEvents-Editable-End -->
 
 <!-- System_AuditOtherSystemEvents-DFProperties-Begin -->
@@ -3424,6 +3477,7 @@ This policy setting allows you to audit events generated by changes in the secur
 
 <!-- System_AuditSecurityStateChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- System_AuditSecurityStateChange-Editable-End -->
 
 <!-- System_AuditSecurityStateChange-DFProperties-Begin -->
@@ -3484,6 +3538,7 @@ This policy setting allows you to audit events related to security system extens
 
 <!-- System_AuditSecuritySystemExtension-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers.
 <!-- System_AuditSecuritySystemExtension-Editable-End -->
 
 <!-- System_AuditSecuritySystemExtension-DFProperties-Begin -->
@@ -3544,6 +3599,7 @@ This policy setting allows you to audit events that violate the integrity of the
 
 <!-- System_AuditSystemIntegrity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Volume: Low.
 <!-- System_AuditSystemIntegrity-Editable-End -->
 
 <!-- System_AuditSystemIntegrity-DFProperties-Begin -->