4817 Auditing settings on object were changed (Global Object Access)
Logged when the Global Object Access Auditing policy is changed. It records a change to the auditing posture; a weakening change can hide traces of activity.
Overview
The subcategory is Audit Policy Change. The event is generated when the Global Object Access Auditing policy is changed. This policy is a mechanism that applies auditing (a SACL) across the whole file system or registry at once. Unlike event 4715, which records a SACL change on an individual object, it affects the system-wide audit scope.
How it is triggered
- A change to the Global Object Access Auditing policy (file/registry).
Security review points
- Weakening or removing the global audit policy disables broad access auditing in one stroke and can hide traces (defense evasion). Investigate unexpected changes.
- Monitor changes to the auditing posture as a whole by reviewing this event together with audit policy change 4719 and individual SACL change 4715.
Notes for log review
- This change is rare. Verify unplanned weakening changes as a high priority.
- Record the subject that made the change, the target (file/registry), and what was changed, and compare them against the audit design intent.
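
The review steps above, as an added example (not part of the original page or of any vendor tooling): it classifies exported 4817 records by comparing the audit ACEs in the old and new security descriptors and checks the result against a baseline. The field names (`EventID`, `SubjectUserName`, `ObjectName`, `OldSd`, `NewSd`), the baseline and the sample records are assumptions constructed for illustration.

```python
import re

# SDDL audit ACE: (type;flags;rights;object_guid;inherit_guid;trustee); flags SA/FA.
AUDIT_ACE = re.compile(r"\((AU|OU|XU);([^;]*);([^;]*);[^;]*;[^;]*;([^;)]*)")

# Assumed audit design intent per global SACL target (constructed values).
BASELINE = {
    "File": {("SAFA", "0x1f01ff", "WD")},
    "Key": {("SAFA", "KA", "WD")},
}

def audit_aces(sddl):
    """Return {(flags, rights, trustee)} for each audit ACE in an SDDL string."""
    return {m.group(2, 3, 4) for m in AUDIT_ACE.finditer(sddl or "")}

def triage_4817(event):
    """Classify one 4817 record (dict with assumed field names) against BASELINE."""
    old, new = audit_aces(event["OldSd"]), audit_aces(event["NewSd"])
    removed, added = old - new, new - old
    if removed and not new:
        change = "cleared"
    elif removed and added:
        change = "modified"
    elif removed:
        change = "reduced"
    else:
        change = "expanded" if added else "unchanged"
    missing = BASELINE.get(event["ObjectName"], set()) - new
    return {
        "subject": event["SubjectUserName"],
        "target": event["ObjectName"],
        "change": change,
        "removed": sorted(removed),
        "missing_from_baseline": sorted(missing),
        "priority": "high" if removed or missing else "normal",
    }

def review(events):
    return [triage_4817(e) for e in events if e.get("EventID") == 4817]

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4817, "SubjectUserName": "svc-gpo", "ObjectName": "File",
     "OldSd": "-", "NewSd": "S:(AU;SAFA;0x1f01ff;;;WD)"},
    {"EventID": 4817, "SubjectUserName": "jdoe", "ObjectName": "File",
     "OldSd": "S:(AU;SAFA;0x1f01ff;;;WD)", "NewSd": "-"},
    {"EventID": 4817, "SubjectUserName": "jdoe", "ObjectName": "Key",
     "OldSd": "S:(AU;SAFA;KA;;;WD)", "NewSd": "S:(AU;FA;KA;;;WD)"},
]
```

Calling `review(SAMPLE_EVENTS)` marks the second and third records as high priority: one clears the file-system global SACL, the other drops success auditing on the registry target.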
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that changed the policy |
| Change details | The details of the global audit policy change |