4865 A trusted forest information entry was added
Logged when a trusted forest information entry is added. It records a change to the definition of which namespaces and domains a forest trust accepts.
Overview
The audit subcategory is Audit Authentication Policy Change. The event is generated when a new information entry (a domain within the trusted forest, a UPN suffix, a SID namespace, and so on) is added as a component of a forest trust. It is related to trust creation (4706) and defines in finer detail the scope that a trust accepts.
How it is triggered
- When an accepted namespace entry is added in a forest-trust configuration.
Security review points
- Confirm that the added namespace does not include a domain an attacker controls or a scope that should not be accepted. Expanding the trust scope widens the path for accepting external authentication.
- Track forest-trust configuration changes by reviewing this event together with removal (4866), modification (4867), and namespace collision (4864).
Notes for log review
- This event is only meaningful in environments with forest trusts. The change is rare, and an unplanned occurrence should be investigated.
- Record the added entry (domain/namespace) and the acting subject, and reconcile them against change management.
Key fields
| Field | Meaning |
|---|---|
| Added namespace/domain | The scope added as accepted |
| Subject\Account Name | The subject that made the change |
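
The reconciliation step from "Notes for log review", as an added example that is not part of the original page: it parses exported event XML, extracts the added namespace and acting subject from each 4865 event, and reports entries missing from an approved-change list. The sample events are constructed, the `APPROVED` structure is hypothetical, and the `Data` names (`ForestRoot`, `TopLevelName`, `DnsName`, `SubjectUserName`) are assumptions to confirm against a real 4865 event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real log data), shaped like exported Security-log XML.
# Data names are assumptions; confirm them against a 4865 event from your own DCs.
def _event(event_id, forest, top_level, dns, user):
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="ForestRoot">{forest}</Data>'
        f'<Data Name="TopLevelName">{top_level}</Data>'
        f'<Data Name="DnsName">{dns}</Data>'
        "</EventData></Event>"
    )

SAMPLE_EVENTS = [
    _event(4865, "partner.example", "partner.example", "-", "adm-alice"),
    _event(4865, "partner.example", "-", "lab.unplanned.example", "svc-sync"),
    _event(4706, "partner.example", "-", "-", "adm-alice"),  # trust creation, ignored here
]

# Hypothetical change-management record: namespaces approved per trusted forest.
APPROVED = {"partner.example": {"partner.example", "emea.partner.example"}}

def parse_event(xml_text):
    """Return the EventID and EventData fields of one event as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def unapproved_additions(events, approved):
    """List (forest, added namespace, subject) for 4865 entries not in the approved set."""
    findings = []
    for ev in map(parse_event, events):
        if ev["EventID"] != 4865:
            continue
        # Either field may carry the added scope; "-" means not populated.
        names = {ev.get(k, "-").lower() for k in ("TopLevelName", "DnsName")} - {"-", ""}
        allowed = approved.get(ev.get("ForestRoot", "").lower(), set())
        for name in sorted(names - allowed):
            findings.append((ev["ForestRoot"], name, ev.get("SubjectUserName", "")))
    return findings

if __name__ == "__main__":
    for finding in unapproved_additions(SAMPLE_EVENTS, APPROVED):
        print("UNPLANNED 4865:", finding)
```

A forest with no entry in `APPROVED` has an empty allowed set, so every namespace added to it is reported.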