4904 An attempt was made to register a security event source
Written when a new security event source is registered. It captures the addition of a publisher able to write events to the Security log.
Overview
The subcategory is Audit Policy Change. It is generated when a new security event source (a publisher permitted to write events to the Security log) is registered.
How it is triggered
- When an application or component is registered as a security event source.
- Registration requires a privilege (SeAuditPrivilege).
Security review points
- A source that can write to the Security log can be used to inject fake events that confuse an investigation, or to pollute the log. For an unexpected source registration, check which component was registered and which subject registered it.
- Track changes to event sources by pairing this event with its unregistration counterpart, 4905. Distinguish registrations made by a legitimate monitoring or security product from those that are not.
Notes for log review
- This event occurs legitimately during product deployment and similar activity. Compare the registered source name and the subject against their normal patterns.
- Note the registration of an unfamiliar source, or a registration by an unexpected account holding SeAuditPrivilege.
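The review points and log-review notes above, applied to a small batch of constructed 4904/4905 records (an added example, not part of the original page): unknown sources, known sources registered by an unexpected account, and 4905 unregistrations that follow a 4904 in the same window are flagged. The EventData field names used here (SubjectUserName, AuditSourceName, ProcessName) and the baseline of known sources are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample records in the Windows Event XML layout (not a real export).
# The EventData names SubjectUserName, AuditSourceName and ProcessName are
# assumed; check them against your own 4904/4905 exports before use.
SAMPLE_XML = r"""<Events>
<Event><System><EventID>4904</EventID><TimeCreated SystemTime="2024-01-10T08:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">svc_edr</Data><Data Name="AuditSourceName">EDRAgent</Data>
<Data Name="ProcessName">C:\Program Files\EDR\agent.exe</Data></EventData></Event>
<Event><System><EventID>4904</EventID><TimeCreated SystemTime="2024-01-10T09:15:00Z"/></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="AuditSourceName">LogHelper</Data>
<Data Name="ProcessName">C:\Users\jdoe\tool.exe</Data></EventData></Event>
<Event><System><EventID>4905</EventID><TimeCreated SystemTime="2024-01-10T09:20:00Z"/></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="AuditSourceName">LogHelper</Data>
<Data Name="ProcessName">C:\Users\jdoe\tool.exe</Data></EventData></Event>
<Event><System><EventID>4904</EventID><TimeCreated SystemTime="2024-01-11T10:00:00Z"/></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="AuditSourceName">EDRAgent</Data>
<Data Name="ProcessName">C:\Users\jdoe\tool.exe</Data></EventData></Event>
</Events>"""

# Assumed baseline: known source names and the accounts expected to register them.
KNOWN_SOURCES = {"EDRAgent": {"svc_edr"}}

def parse_events(xml_text):
    """Flatten each <Event> into a dict: EventID, Time and every EventData field."""
    records = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID")),
               "Time": ev.find("System/TimeCreated").get("SystemTime")}
        for d in ev.findall("EventData/Data"):
            rec[d.get("Name")] = d.text
        records.append(rec)
    return records

def review_source_changes(records, known=KNOWN_SOURCES):
    """Flag unknown sources, unexpected registering accounts, and 4905 unregistrations."""
    findings, registered = [], set()
    for rec in records:
        src, who = rec.get("AuditSourceName"), rec.get("SubjectUserName")
        base = {"time": rec["Time"], "source": src, "account": who, "process": rec.get("ProcessName")}
        if rec["EventID"] == 4904:
            registered.add(src)
            if src not in known:
                findings.append({**base, "reason": "unknown-source"})
            elif who not in known[src]:
                findings.append({**base, "reason": "unexpected-account"})
        elif rec["EventID"] == 4905:
            # A 4905 shortly after a 4904 for the same source is worth a closer look.
            findings.append({**base, "reason": "unregistered-after-registration" if src in registered else "unregistered"})
    return findings
```

Running `review_source_changes(parse_events(SAMPLE_XML))` on the sample yields three findings: the unknown LogHelper source, its prompt unregistration, and EDRAgent being re-registered by jdoe.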
Key fields
| Field | Meaning |
|---|---|
| Event Source | The registered event source name |
| Subject\Account Name | The subject that performed the registration |