From e10771652b1b8a28489b6ad7274540e6f554f7fa Mon Sep 17 00:00:00 2001
From: Vasiliy Burov
Date: Fri, 9 Oct 2020 18:27:04 +0300
Subject: [PATCH] Update win_disable_event_logging.yml
---
 rules/windows/builtin/win_disable_event_logging.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index 52ef34e3f..e1ea29ef1 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -16,7 +16,9 @@ logsource:
 detection:
 selection:
 EventID: 4719
- AuditPolicyChanges: 'removed'
+ AuditPolicyChanges|contains:
- '%%8448' # This is "Success removed"
- '%%8450' # This is "Failure removed"
 condition: selection
 falsepositives:
 - Unknown
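Review bot: The inline comments on the two new `AuditPolicyChanges|contains` values read as if `%%8448` were the text "Success removed", but the raw 4719 event carries only the `%%NNNN` resolver code in that field and the readable text is substituted at render time — which is presumably why the old literal `'removed'` never matched; spell that out so the next editor does not revert to the literal, e.g. `- '%%8448'  # resolver code, rendered as "Success removed"` and `- '%%8450'  # resolver code, rendered as "Failure removed"`. Those comments also sit one space after the value, while yamllint's default expects at least two spaces before an inline `#`. Because the list is OR'd, removing success or failure auditing from any single subcategory fires the rule, so the `falsepositives:` entry a few lines down could name that rather than `- Unknown`, e.g. `- Legitimate audit policy changes by administrators`.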