When we look at the XML representation of an AuditPolicyChange event, we see some values like%%8278 or %%13827 or %%8448 in Category, SubCategory, and Changes fields respectively (See the screenshot#1.) However, looking at the same event inGeneral tab of the EventViewer gives me "Account Management", "Distribution Group Management", and"Success removed" for the respective fields (See the screenshot #2).
I've been trying to find the possible values (PlatformSDK, Bing, Google, ...) for those fields with no success. Can anyone from the team shed some light regarding how to decode these values? (Note: I've found the SubCategoryGUIDs to SubCategoryNames but not sure if these values are subject to change)
SCREENSHOT#1
SCREENSHOT#2