Hello,
Thank you so much for posting here.
We could kindly have a check whether something here could be helpful.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281
We mainly focus on on-premises AD. As per my understanding, this issue is more related to system integrity issue. Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Once we audit this, there will be event logs recorded such as 6281.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.