Open n0dec opened 5 years ago
Something like in the attached PolAdtEv.zip
Awesome! Seems like it should work fine. @redplait Can you open a PR to add it as a new table?
+1. We need to know about these policies, especially on Windows servers not included in a domain.
Feature request
What new feature do you want?
It would be great to have a table for Windows Audit policy settings. At the moment it can only be retrieved via the registry table, but the data is in hex format. So the idea of this request is to create a new table that will be able to parse the data following the schema described in this paper:
https://www.kazamiya.net/files/PolAdtEv_Structure_en_rev2.pdf
Also take a look at the last part of this blog for reference: https://countuponsecurity.com/tag/auditpol-exe/
How is this new feature useful?
The query will return the current audit policy configuration like the auditpol.exe tool does. Very helpful for system administration and forensic investigations.