4867 A trusted forest information entry was modified
Logged when a trusted forest information entry is modified. Together with 4865 (entry added) and 4866 (entry removed), it records a change to the scope that a forest trust accepts.
Overview
The subcategory is Audit Authentication Policy Change. It is generated when an existing forest-trust information entry (the acceptance setting for a namespace/domain) is modified.
How it is triggered
- A change to the attributes of a forest-trust namespace entry (such as toggling acceptance on/off).
Security review points
- Confirm that a modification does not expand scope, such as making a previously excluded namespace accepted. Be alert to an attacker altering trust settings to widen the authentication path.
- Review this event together with 4865 (addition), 4866 (removal), and 4864 (namespace collision) to track changes to the whole trust configuration.
Notes for log review
- The event is only meaningful in environments with forest trusts. Such a change is rare, and an unplanned one is a target for investigation.
- Check the acceptance setting before and after, and the acting subject.
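
The before/after check can be automated by replaying 4865, 4866 and 4867 per entry. The following is an added example, not part of the original page: the record layout (`id`, `time`, `entry`, `accepted`, `subject`) is an assumed normalized form rather than the raw event schema, `review_trust_changes` is a hypothetical name, and the sample records are constructed.

```python
# Added example: replay forest-trust entry events and flag scope expansion.
# The record layout (id, time, entry, accepted, subject) is an assumed
# normalized form, not the raw event schema.

# Constructed sample records.
SAMPLE_EVENTS = [
    {"id": 4865, "time": "2024-03-01T09:00:00Z", "entry": "*.partner.example",
     "accepted": True, "subject": "CORP\\trust-admin"},
    {"id": 4867, "time": "2024-03-02T10:15:00Z", "entry": "*.partner.example",
     "accepted": False, "subject": "CORP\\trust-admin"},
    {"id": 4867, "time": "2024-03-09T02:41:00Z", "entry": "*.partner.example",
     "accepted": True, "subject": "CORP\\svc-backup"},
    {"id": 4867, "time": "2024-03-09T02:43:00Z", "entry": "*.legacy.example",
     "accepted": True, "subject": "CORP\\svc-backup"},
    {"id": 4866, "time": "2024-03-10T08:00:00Z", "entry": "*.partner.example",
     "accepted": None, "subject": "CORP\\trust-admin"},
]

def review_trust_changes(events):
    """Return findings for 4867 events, using 4865/4866 to track prior state."""
    state = {}      # entry -> last known acceptance setting
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        entry = ev["entry"].lower()
        if ev["id"] == 4865:                      # entry added
            state[entry] = ev["accepted"]
        elif ev["id"] == 4866:                    # entry removed
            state.pop(entry, None)
        elif ev["id"] == 4867:                    # entry modified
            before, after = state.get(entry), ev["accepted"]
            if before is None:
                verdict = "no-baseline"           # earlier events missing
            elif not before and after:
                verdict = "scope-expansion"       # excluded -> accepted
            elif before and not after:
                verdict = "scope-reduction"
            else:
                verdict = "no-acceptance-change"
            findings.append({"time": ev["time"], "entry": entry,
                             "before": before, "after": after,
                             "subject": ev["subject"], "verdict": verdict})
            state[entry] = after
    return findings

if __name__ == "__main__":
    for f in review_trust_changes(SAMPLE_EVENTS):
        print(f["time"], f["verdict"], f["entry"], "by", f["subject"])
```

A `no-baseline` verdict means the earlier 4865 or 4867 for that entry is outside the log window, so the prior setting has to be confirmed from the trust configuration itself.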
Key fields
| Field | Meaning |
|---|---|
| Modified namespace/domain | The entry whose setting changed |
| Subject\Account Name | The subject that made the change |