4735 A security-enabled local group was changed
Written when the attributes of a security-enabled local group (such as name or description) are changed. It captures changes to the group’s own settings (member changes are separate events).
Overview
The subcategory is Audit Security Group Management. The event is generated when a local group’s properties are changed. Member additions and removals are recorded separately as 4732/4733; 4735 indicates a change to the group’s own attributes.
How it is triggered
- A change to attributes such as the group name or comment (description).
Security review points
- A group name change can be an attempt to masquerade as a legitimate group, or an alteration aimed at causing operational confusion. Confirm changes involving privileged groups in particular.
- On its own, its security significance is often limited. Read it as part of a sequence of group-related operations, together with member changes (4732/4733) and group creation (4731).
Notes for log review
- It also occurs during legitimate operational changes. Compare against the normal patterns for the changed group, attribute, and subject.
- Check what changed (name, description) and note confusing changes such as renaming a privileged group.
Key fields
| Field | Meaning |
|---|---|
| Group\Group Name | The changed group |
| Subject\Account Name | The subject that made the change |
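
An added example, not part of the original page: a Python triage pass that applies the review points above to 4735 records and pulls in nearby 4731/4732/4733 events on the same group. The records are constructed, the `sid` key stands for the event's Group\Security ID field, and the watchlist, the English default group names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Well-known SIDs of built-in privileged local groups, with English default names.
# The watchlist and the 30-minute window are assumptions; adjust per environment.
PRIVILEGED = {"S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators",
              "S-1-5-32-555": "Remote Desktop Users"}
RELATED = {4731: "group created", 4732: "member added", 4733: "member removed"}
WINDOW = timedelta(minutes=30)

# Constructed sample records. "group" and "subject" are the key fields above;
# "sid" is the event's Group\Security ID, which stays the same across renames.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4735, "group": "Admins-Legacy",
     "sid": "S-1-5-32-544", "subject": "svc_deploy"},
    {"time": "2024-05-01T09:02:00", "id": 4735, "group": "Administrators",
     "sid": "S-1-5-21-1-2-3-1005", "subject": "svc_deploy"},
    {"time": "2024-05-01T09:03:00", "id": 4732, "group": "Administrators",
     "sid": "S-1-5-21-1-2-3-1005", "subject": "svc_deploy"},
    {"time": "2024-05-02T14:00:00", "id": 4735, "group": "Print Room Staff",
     "sid": "S-1-5-21-1-2-3-1010", "subject": "jsmith"},
]

def triage_4735(events, window=WINDOW):
    """Return one finding per 4735 event: review reasons plus nearby group operations."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    default_names = {name.casefold() for name in PRIVILEGED.values()}
    findings = []
    for ev in (e for e in parsed if e["id"] == 4735):
        reasons = []
        default = PRIVILEGED.get(ev["sid"])
        if default:
            reasons.append("privileged group attributes changed")
            if ev["group"].casefold() != default.casefold():
                reasons.append("privileged group no longer has its default name")
        elif ev["group"].strip().casefold() in default_names:
            reasons.append("non-privileged SID carries a privileged group name")
        # Sequence context: 4731/4732/4733 on the same group SID inside the window.
        context = [RELATED[o["id"]] for o in parsed
                   if o["id"] in RELATED and o["sid"] == ev["sid"]
                   and abs(o["ts"] - ev["ts"]) <= window]
        if context:
            reasons.append("part of a sequence: " + ", ".join(context))
        findings.append({"time": ev["time"], "group": ev["group"],
                         "subject": ev["subject"], "reasons": reasons, "review": bool(reasons)})
    return findings

if __name__ == "__main__":
    for f in triage_4735(EVENTS):
        print(f)
```

Keying the watchlist on the SID rather than the name keeps a renamed privileged group on the list, and a finding with no reasons matches the case where 4735 alone carries little security meaning.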