Combed the LEM documentation, couldn't find a clue (it might be ind documentation somewhere, I couldn't find it after an hour of digging)
This morning I got 22 TriGeo alerts in this pattern:
system audit policy changed: logon/logoff (network policy server) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (account lockout) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (ipsec extended mode) at 2016-07-29 04:52:40.0
system audit policy changed: logon/logoff (ipsec quick mode) at 2016-07-29 04:52:40.0
... and so on.
A sampling of the nDepth view of this is attached. (Host name mostly obscured, but I left a little bit visible so we can see that it's the same host).
To me it seems like something restarted, and the policies were just enumerated again, or something, but I want to know what is going on. I can't respond to my boss with unconfirmed theories.
Can anyone tell me what this is, or direct me to documentation that explains this?
Thanks