add volume to audit

2025-05-12 13:27:23 +00:00 · 2023-01-09 14:48:56 -05:00 · 2023-01-09 14:48:56 -05:00 · 3231ccf3f5
commit 3231ccf3f5
parent c2b331c811
1 changed files with 56 additions and 0 deletions
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@ -42,6 +42,7 @@ This policy setting allows you to audit events generated by validation tests on
 <!-- AccountLogon_AuditCredentialValidation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on domain controllers.
 <!-- AccountLogon_AuditCredentialValidation-Editable-End -->
 <!-- AccountLogon_AuditCredentialValidation-DFProperties-Begin -->
@ -102,6 +103,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat
 <!-- AccountLogon_AuditKerberosAuthenticationService-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on Kerberos Key Distribution Center servers.
 <!-- AccountLogon_AuditKerberosAuthenticationService-Editable-End -->
 <!-- AccountLogon_AuditKerberosAuthenticationService-DFProperties-Begin -->
@ -162,6 +164,7 @@ This policy setting allows you to audit events generated by Kerberos authenticat
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-Editable-End -->
 <!-- AccountLogon_AuditKerberosServiceTicketOperations-DFProperties-Begin -->
@ -282,6 +285,7 @@ This policy setting allows you to audit events generated by a failed attempt to
 <!-- AccountLogonLogoff_AuditAccountLockout-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountLogonLogoff_AuditAccountLockout-Editable-End -->
 <!-- AccountLogonLogoff_AuditAccountLockout-DFProperties-Begin -->
@ -342,6 +346,7 @@ This policy allows you to audit the group memberhsip information in the user's l
 <!-- AccountLogonLogoff_AuditGroupMembership-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditGroupMembership-Editable-End -->
 <!-- AccountLogonLogoff_AuditGroupMembership-DFProperties-Begin -->
@ -402,6 +407,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-Editable-End -->
 <!-- AccountLogonLogoff_AuditIPsecExtendedMode-DFProperties-Begin -->
@ -462,6 +468,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 <!-- AccountLogonLogoff_AuditIPsecMainMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecMainMode-Editable-End -->
 <!-- AccountLogonLogoff_AuditIPsecMainMode-DFProperties-Begin -->
@ -522,6 +529,7 @@ This policy setting allows you to audit events generated by Internet Key Exchang
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-Editable-End -->
 <!-- AccountLogonLogoff_AuditIPsecQuickMode-DFProperties-Begin -->
@ -582,6 +590,7 @@ This policy setting allows you to audit events generated by the closing of a log
 <!-- AccountLogonLogoff_AuditLogoff-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountLogonLogoff_AuditLogoff-Editable-End -->
 <!-- AccountLogonLogoff_AuditLogoff-DFProperties-Begin -->
@ -642,6 +651,7 @@ This policy setting allows you to audit events generated by user account logon a
 <!-- AccountLogonLogoff_AuditLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditLogon-Editable-End -->
 <!-- AccountLogonLogoff_AuditLogon-DFProperties-Begin -->
@ -702,6 +712,7 @@ This policy setting allows you to audit events generated by RADIUS (IAS) and Net
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Medium or High on NPS and IAS server. No volume on other computers.
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-Editable-End -->
 <!-- AccountLogonLogoff_AuditNetworkPolicyServer-DFProperties-Begin -->
@ -762,6 +773,7 @@ This policy setting allows you to audit other logon/logoff-related events that a
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-Editable-End -->
 <!-- AccountLogonLogoff_AuditOtherLogonLogoffEvents-DFProperties-Begin -->
@ -822,6 +834,7 @@ This policy setting allows you to audit events generated by special logons such
 <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountLogonLogoff_AuditSpecialLogon-Editable-End -->
 <!-- AccountLogonLogoff_AuditSpecialLogon-DFProperties-Begin -->
@ -882,6 +895,7 @@ This policy allows you to audit user and device claims information in the user's
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low on a client computer. Medium on a domain controller or a network server.
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-Editable-End -->
 <!-- AccountLogonLogoff_AuditUserDeviceClaims-DFProperties-Begin -->
@ -942,6 +956,7 @@ This policy setting allows you to audit events generated by changes to applicati
 <!-- AccountManagement_AuditApplicationGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditApplicationGroupManagement-Editable-End -->
 <!-- AccountManagement_AuditApplicationGroupManagement-DFProperties-Begin -->
@ -1002,6 +1017,7 @@ This policy setting allows you to audit events generated by changes to computer
 <!-- AccountManagement_AuditComputerAccountManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditComputerAccountManagement-Editable-End -->
 <!-- AccountManagement_AuditComputerAccountManagement-DFProperties-Begin -->
@ -1064,6 +1080,7 @@ This policy setting allows you to audit events generated by changes to distribut
 <!-- AccountManagement_AuditDistributionGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditDistributionGroupManagement-Editable-End -->
 <!-- AccountManagement_AuditDistributionGroupManagement-DFProperties-Begin -->
@ -1124,6 +1141,7 @@ This policy setting allows you to audit events generated by other user account c
 <!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditOtherAccountManagementEvents-Editable-End -->
 <!-- AccountManagement_AuditOtherAccountManagementEvents-DFProperties-Begin -->
@ -1184,6 +1202,7 @@ This policy setting allows you to audit events generated by changes to security
 <!-- AccountManagement_AuditSecurityGroupManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditSecurityGroupManagement-Editable-End -->
 <!-- AccountManagement_AuditSecurityGroupManagement-DFProperties-Begin -->
@ -1244,6 +1263,7 @@ This policy setting allows you to audit changes to user accounts. Events include
 <!-- AccountManagement_AuditUserAccountManagement-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- AccountManagement_AuditUserAccountManagement-Editable-End -->
 <!-- AccountManagement_AuditUserAccountManagement-DFProperties-Begin -->
@ -1304,6 +1324,7 @@ This policy setting allows you to audit events generated when encryption or decr
 <!-- DetailedTracking_AuditDPAPIActivity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- DetailedTracking_AuditDPAPIActivity-Editable-End -->
 <!-- DetailedTracking_AuditDPAPIActivity-DFProperties-Begin -->
@ -1364,6 +1385,7 @@ This policy setting allows you to audit when plug and play detects an external d
 <!-- DetailedTracking_AuditPNPActivity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- DetailedTracking_AuditPNPActivity-Editable-End -->
 <!-- DetailedTracking_AuditPNPActivity-DFProperties-Begin -->
@ -1424,6 +1446,7 @@ This policy setting allows you to audit events generated when a process is creat
 <!-- DetailedTracking_AuditProcessCreation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on how the computer is used.
 <!-- DetailedTracking_AuditProcessCreation-Editable-End -->
 <!-- DetailedTracking_AuditProcessCreation-DFProperties-Begin -->
@ -1484,6 +1507,7 @@ This policy setting allows you to audit events generated when a process ends. If
 <!-- DetailedTracking_AuditProcessTermination-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on how the computer is used.
 <!-- DetailedTracking_AuditProcessTermination-Editable-End -->
 <!-- DetailedTracking_AuditProcessTermination-DFProperties-Begin -->
@ -1544,6 +1568,7 @@ This policy setting allows you to audit inbound remote procedure call (RPC) conn
 <!-- DetailedTracking_AuditRPCEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on RPC servers.
 <!-- DetailedTracking_AuditRPCEvents-Editable-End -->
 <!-- DetailedTracking_AuditRPCEvents-DFProperties-Begin -->
@ -1604,6 +1629,7 @@ This policy setting allows you to audit events generated by adjusting the privil
 <!-- DetailedTracking_AuditTokenRightAdjusted-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- DetailedTracking_AuditTokenRightAdjusted-Editable-End -->
 <!-- DetailedTracking_AuditTokenRightAdjusted-DFProperties-Begin -->
@ -1664,6 +1690,7 @@ This policy setting allows you to audit events generated by detailed Active Dire
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-Editable-End -->
 <!-- DSAccess_AuditDetailedDirectoryServiceReplication-DFProperties-Begin -->
@ -1724,6 +1751,7 @@ This policy setting allows you to audit events generated when an Active Director
 <!-- DSAccess_AuditDirectoryServiceAccess-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on domain controllers. None on client computers.
 <!-- DSAccess_AuditDirectoryServiceAccess-Editable-End -->
 <!-- DSAccess_AuditDirectoryServiceAccess-DFProperties-Begin -->
@ -1786,6 +1814,7 @@ This policy setting allows you to audit events generated by changes to objects i
 <!-- DSAccess_AuditDirectoryServiceChanges-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on domain controllers only.
 <!-- DSAccess_AuditDirectoryServiceChanges-Editable-End -->
 <!-- DSAccess_AuditDirectoryServiceChanges-DFProperties-Begin -->
@ -1846,6 +1875,7 @@ This policy setting allows you to audit replication between two Active Directory
 <!-- DSAccess_AuditDirectoryServiceReplication-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Medium on domain controllers. None on client computers.
 <!-- DSAccess_AuditDirectoryServiceReplication-Editable-End -->
 <!-- DSAccess_AuditDirectoryServiceReplication-DFProperties-Begin -->
@ -1906,6 +1936,7 @@ This policy setting allows you to audit applications that generate events using
 <!-- ObjectAccess_AuditApplicationGenerated-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on the applications that are generating them.
 <!-- ObjectAccess_AuditApplicationGenerated-Editable-End -->
 <!-- ObjectAccess_AuditApplicationGenerated-DFProperties-Begin -->
@ -1966,6 +1997,7 @@ This policy setting allows you to audit access requests where the permission gra
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy.
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-Editable-End -->
 <!-- ObjectAccess_AuditCentralAccessPolicyStaging-DFProperties-Begin -->
@ -2026,6 +2058,7 @@ This policy setting allows you to audit Active Directory Certificate Services (A
 <!-- ObjectAccess_AuditCertificationServices-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Medium or Low on computers running Active Directory Certificate Services.
 <!-- ObjectAccess_AuditCertificationServices-Editable-End -->
 <!-- ObjectAccess_AuditCertificationServices-DFProperties-Begin -->
@ -2088,6 +2121,7 @@ This policy setting allows you to audit attempts to access files and folders on
 <!-- ObjectAccess_AuditDetailedFileShare-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
 <!-- ObjectAccess_AuditDetailedFileShare-Editable-End -->
 <!-- ObjectAccess_AuditDetailedFileShare-DFProperties-Begin -->
@ -2150,6 +2184,7 @@ This policy setting allows you to audit attempts to access a shared folder. If y
 <!-- ObjectAccess_AuditFileShare-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
 <!-- ObjectAccess_AuditFileShare-Editable-End -->
 <!-- ObjectAccess_AuditFileShare-DFProperties-Begin -->
@ -2212,6 +2247,7 @@ This policy setting allows you to audit user attempts to access file system obje
 <!-- ObjectAccess_AuditFileSystem-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on how the file system SACLs are configured.
 <!-- ObjectAccess_AuditFileSystem-Editable-End -->
 <!-- ObjectAccess_AuditFileSystem-DFProperties-Begin -->
@ -2272,6 +2308,7 @@ This policy setting allows you to audit connections that are allowed or blocked
 <!-- ObjectAccess_AuditFilteringPlatformConnection-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- ObjectAccess_AuditFilteringPlatformConnection-Editable-End -->
 <!-- ObjectAccess_AuditFilteringPlatformConnection-DFProperties-Begin -->
@ -2332,6 +2369,7 @@ This policy setting allows you to audit packets that are dropped by Windows Filt
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-Editable-End -->
 <!-- ObjectAccess_AuditFilteringPlatformPacketDrop-DFProperties-Begin -->
@ -2394,6 +2432,7 @@ This policy setting allows you to audit events generated when a handle to an obj
 <!-- ObjectAccess_AuditHandleManipulation-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on how SACLs are configured.
 <!-- ObjectAccess_AuditHandleManipulation-Editable-End -->
 <!-- ObjectAccess_AuditHandleManipulation-DFProperties-Begin -->
@ -2456,6 +2495,7 @@ This policy setting allows you to audit attempts to access the kernel, which inc
 <!-- ObjectAccess_AuditKernelObject-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High if auditing access of global system objects is enabled.
 <!-- ObjectAccess_AuditKernelObject-Editable-End -->
 <!-- ObjectAccess_AuditKernelObject-DFProperties-Begin -->
@ -2516,6 +2556,7 @@ This policy setting allows you to audit events generated by the management of ta
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-Editable-End -->
 <!-- ObjectAccess_AuditOtherObjectAccessEvents-DFProperties-Begin -->
@ -2578,6 +2619,7 @@ This policy setting allows you to audit attempts to access registry objects. A s
 <!-- ObjectAccess_AuditRegistry-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Depends on how registry SACLs are configured.
 <!-- ObjectAccess_AuditRegistry-Editable-End -->
 <!-- ObjectAccess_AuditRegistry-DFProperties-Begin -->
@ -2700,6 +2742,7 @@ This policy setting allows you to audit events generated by attempts to access t
 <!-- ObjectAccess_AuditSAM-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High on domain controllers. For more information about reducing the number of events generated by auditing the access of global system objects, see [Audit the access of global system objects](/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects).
 <!-- ObjectAccess_AuditSAM-Editable-End -->
 <!-- ObjectAccess_AuditSAM-DFProperties-Begin -->
@ -2762,6 +2805,7 @@ This policy setting allows you to audit events generated by changes to the authe
 <!-- PolicyChange_AuditAuthenticationPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditAuthenticationPolicyChange-Editable-End -->
 <!-- PolicyChange_AuditAuthenticationPolicyChange-DFProperties-Begin -->
@ -2822,6 +2866,7 @@ This policy setting allows you to audit events generated by changes to the autho
 <!-- PolicyChange_AuditAuthorizationPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditAuthorizationPolicyChange-Editable-End -->
 <!-- PolicyChange_AuditAuthorizationPolicyChange-DFProperties-Begin -->
@ -2882,6 +2927,7 @@ This policy setting allows you to audit events generated by changes to the Windo
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-Editable-End -->
 <!-- PolicyChange_AuditFilteringPlatformPolicyChange-DFProperties-Begin -->
@ -2942,6 +2988,7 @@ This policy setting allows you to audit events generated by changes in policy ru
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-Editable-End -->
 <!-- PolicyChange_AuditMPSSVCRuleLevelPolicyChange-DFProperties-Begin -->
@ -3002,6 +3049,7 @@ This policy setting allows you to audit events generated by other security polic
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-Editable-End -->
 <!-- PolicyChange_AuditOtherPolicyChangeEvents-DFProperties-Begin -->
@ -3064,6 +3112,7 @@ This policy setting allows you to audit changes in the security audit policy set
 <!-- PolicyChange_AuditPolicyChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- PolicyChange_AuditPolicyChange-Editable-End -->
 <!-- PolicyChange_AuditPolicyChange-DFProperties-Begin -->
@ -3124,6 +3173,7 @@ This policy setting allows you to audit events generated by the use of non-sensi
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Very High.
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-Editable-End -->
 <!-- PrivilegeUse_AuditNonSensitivePrivilegeUse-DFProperties-Begin -->
@ -3244,6 +3294,7 @@ This policy setting allows you to audit events generated when sensitive privileg
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: High.
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-Editable-End -->
 <!-- PrivilegeUse_AuditSensitivePrivilegeUse-DFProperties-Begin -->
@ -3304,6 +3355,7 @@ This policy setting allows you to audit events generated by the IPsec filter dri
 <!-- System_AuditIPsecDriver-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- System_AuditIPsecDriver-Editable-End -->
 <!-- System_AuditIPsecDriver-DFProperties-Begin -->
@ -3364,6 +3416,7 @@ This policy setting allows you to audit any of the following events: Startup and
 <!-- System_AuditOtherSystemEvents-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- System_AuditOtherSystemEvents-Editable-End -->
 <!-- System_AuditOtherSystemEvents-DFProperties-Begin -->
@ -3424,6 +3477,7 @@ This policy setting allows you to audit events generated by changes in the secur
 <!-- System_AuditSecurityStateChange-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- System_AuditSecurityStateChange-Editable-End -->
 <!-- System_AuditSecurityStateChange-DFProperties-Begin -->
@ -3484,6 +3538,7 @@ This policy setting allows you to audit events related to security system extens
 <!-- System_AuditSecuritySystemExtension-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers.
 <!-- System_AuditSecuritySystemExtension-Editable-End -->
 <!-- System_AuditSecuritySystemExtension-DFProperties-Begin -->
@ -3544,6 +3599,7 @@ This policy setting allows you to audit events that violate the integrity of the
 <!-- System_AuditSystemIntegrity-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 Volume: Low.
 <!-- System_AuditSystemIntegrity-Editable-End -->
 <!-- System_AuditSystemIntegrity-DFProperties-Begin -->