4819 Central Access Policies on the machine have been changed
Written when the Central Access Policies (CAP) applied to a machine are changed. It captures changes to organization-wide access-control rules.
Overview
The subcategory is Audit Other Policy Change Events. It is generated when a Central Access Policy (CAP) (an access-control rule applied across the organization via Dynamic Access Control) is changed on that machine.
How it is triggered
- Addition, change, or removal of a CAP applied to the machine (via Group Policy, and so on).
Security review points
- A CAP change governs access decisions for target resources in bulk. An attacker may change a CAP to loosen restrictions or let their own access through, so investigate unexpected changes.
- Together with 4818 (proposed CAP does not grant the same access as the current CAP), track the path from staged (proposed) policy to live policy and the actual effect once the change is live.
Notes for log review
- It is only meaningful in environments that use Dynamic Access Control.
- It is a rare change. Check the changing subject and the change, and note changes that weaken access control.
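The review points above (every 4819 is worth a look, pair it with a preceding 4818, and flag changes that weaken control) as an added example, not part of the original page: a small Python reviewer over a constructed event-log export. The XML shape follows the Windows event schema, but the data field names (SubjectUserName, AddedCAPs, DeletedCAPs) and the sample values are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample export: a staged 4818, the 4819 that applies the new
# policy a few minutes later, and a later out-of-hours 4819 that only removes
# a CAP. Field names are assumptions, not copied from a live log.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4818</EventID><TimeCreated SystemTime="2024-05-01T09:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">svc-gpo</Data><Data Name="ObjectName">\\FS01\Finance</Data></EventData></Event>
<Event><System><EventID>4819</EventID><TimeCreated SystemTime="2024-05-01T09:05:00Z"/></System>
<EventData><Data Name="SubjectUserName">svc-gpo</Data><Data Name="AddedCAPs">Finance-CAP-v2</Data><Data Name="DeletedCAPs">Finance-CAP-v1</Data></EventData></Event>
<Event><System><EventID>4819</EventID><TimeCreated SystemTime="2024-05-02T23:40:00Z"/></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="AddedCAPs"></Data><Data Name="DeletedCAPs">Finance-CAP-v2</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Return a list of {id, time, data} dicts in log order."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        event_id = int(system.find(NS + "EventID").text)
        stamp = system.find(NS + "TimeCreated").get("SystemTime")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        data = {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}
        events.append({"id": event_id, "time": when, "data": data})
    return events

def review_cap_changes(events, window=timedelta(hours=24)):
    """Report every 4819 and whether a 4818 staged the change within `window`."""
    findings = []
    for ev in events:
        if ev["id"] != 4819:
            continue
        staged = [e for e in events if e["id"] == 4818
                  and ev["time"] - window <= e["time"] <= ev["time"]]
        added = ev["data"].get("AddedCAPs", "")
        removed = ev["data"].get("DeletedCAPs", "")
        findings.append({
            "time": ev["time"].isoformat(),
            "subject": ev["data"].get("SubjectUserName", "?"),
            "added": added, "removed": removed,
            "staged_first": bool(staged),
            # A CAP removed with nothing added is a net loss of control: review first.
            "weakens_control": bool(removed) and not added,
        })
    return findings

if __name__ == "__main__":
    for finding in review_cap_changes(parse_events(SAMPLE_XML)):
        print(finding)
```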
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that made the change |
| Changed CAP | The policy in question |