Hi, sorry for the late response. Rule 20053 gives a generic alert, `Windows Audit Policy changed`, because it is triggered by different events: 612, 643, 4719, 4907, 4912. A way to obtain more information about the events is to create custom rules for every Windows event. For example:
If I want to highlight the alerts for Windows Event 4719, "System audit policy was changed", I can write the rule:
```xml
<rule id="100000" level="8">
  <if_sid>20053</if_sid>
  <field name="EventChannel.System.EventID">^4719$</field>
  <description>System audit policy was changed.</description>
  <options>no_full_log</options>
  <group>policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,</group>
</rule>
```
That way the rule will tell you specifically what part of the audit configuration has been modified. I use the `<if_sid>` label because I can keep rule 20053 for the events that I don't need to highlight, and I will avoid duplicate alerts.
If you have any doubts or I can help you with anything else, it will be a pleasure.
Regards, Pablo.
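
The following is an added example, not part of the original reply: a small Python check that reads a custom rules file and reports which of the events behind rule 20053 have their own child rule and which still fall through to the generic alert. The sample rules text, rule ID 100001, the group name and the function name `audit_child_rules` are constructed for illustration, and only literal event-ID patterns with optional `^`/`$` anchors and `|` alternation are handled.

```python
import re
import xml.etree.ElementTree as ET

PARENT_SID = "20053"
# Event IDs the post lists as triggering rule 20053
PARENT_EVENTS = ["612", "643", "4719", "4907", "4912"]
EVENT_FIELD = "EventChannel.System.EventID"  # field name used in the post

# Constructed sample rules file (rule 100001 and the group name are made up)
SAMPLE_RULES = """
<group name="windows,local,">
  <rule id="100000" level="8">
    <if_sid>20053</if_sid>
    <field name="EventChannel.System.EventID">^4719$</field>
    <description>System audit policy was changed.</description>
  </rule>
  <rule id="100001" level="8">
    <if_sid>20053</if_sid>
    <field name="EventChannel.System.EventID">4907</field>
    <description>Auditing settings on object were changed.</description>
  </rule>
</group>
"""

def audit_child_rules(rules_text):
    """Return (covered, uncovered, warnings) for child rules of 20053."""
    # A rules file may hold several top-level <group> elements, so add a root.
    root = ET.fromstring("<root>" + rules_text + "</root>")
    covered, warnings = {}, []
    for rule in root.iter("rule"):
        sids = re.split(r"[,\s]+", (rule.findtext("if_sid") or "").strip())
        if PARENT_SID not in sids:
            continue
        for field in rule.findall("field"):
            if field.get("name") != EVENT_FIELD:
                continue
            pattern = (field.text or "").strip()
            # Without ^...$ the pattern can match a longer ID containing it.
            if not (pattern.startswith("^") and pattern.endswith("$")):
                warnings.append("rule %s: unanchored pattern %r" % (rule.get("id"), pattern))
            for alt in pattern.split("|"):
                event_id = alt.strip("^$")
                if event_id in PARENT_EVENTS:
                    covered.setdefault(event_id, rule.get("id"))
    uncovered = [e for e in PARENT_EVENTS if e not in covered]
    return covered, uncovered, warnings

if __name__ == "__main__":
    print(audit_child_rules(SAMPLE_RULES))
```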