
4905 An attempt was made to unregister a security event source

Written when a security event source is unregistered. Paired with registration 4904, it tracks changes to log publishers.

Overview

The subcategory is Audit Policy Change. It is generated when an existing security event source (a publisher permitted to write to the Security log) is unregistered.

How it is triggered

  • When an application or component unregisters a security event source.

Security review points

  • Unregistering a legitimate monitoring or security product’s event source means that source’s log supply stops, which can reduce visibility (defense evasion). Investigate unexpected unregistrations.
  • Review it together with registration event 4904 to understand how the monitoring configuration changes as event sources are added and removed.

Notes for log review

  • It occurs legitimately during product uninstalls and similar operations. Compare the unregistered source and the subject against normal patterns.
  • Pay particular attention to unregistration of sources that are important to monitoring.
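
One way to apply the review points above, as an added example that is not part of the original page: it replays 4904/4905 events in time order, flags unregistrations that touch a monitoring-critical source or fall outside a known baseline, and reports sources still unregistered at the end of the window. It assumes events exported as XML under a root `<Events>` element, with the Event Source and Subject\Account Name fields carried as `AuditSourceName` and `SubjectUserName`; the source names, accounts, baseline and critical list are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed baseline: (source, account) pairs seen during normal uninstalls/upgrades.
BASELINE = {("ExampleBackupAgent", "SYSTEM")}
# Constructed list of sources whose loss would reduce monitoring visibility.
CRITICAL = {"ExampleEDR"}

def _ev(eid, when, account, source):
    """Build one constructed event in the assumed XML shape (sample data only)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{account}</Data>'
            f'<Data Name="AuditSourceName">{source}</Data></EventData></Event>')

# Constructed sample events, not real logs.
SAMPLE = "<Events>" + "".join(_ev(*r) for r in [
    (4904, "2024-01-10T09:00:00Z", "SYSTEM", "ExampleEDR"),
    (4905, "2024-01-10T10:00:00Z", "SYSTEM", "ExampleBackupAgent"),
    (4905, "2024-01-10T11:00:00Z", "jdoe", "ExampleEDR"),
    (4904, "2024-01-10T12:00:00Z", "SYSTEM", "ExampleBackupAgent"),
]) + "</Events>"

def parse(xml_text):
    """Yield (event_id, time, source, account) for 4904/4905 events only."""
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (4904, 4905):
            continue
        data = {d.get("Name"): d.text for d in ev.iterfind("e:EventData/e:Data", NS)}
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield eid, when, data.get("AuditSourceName"), data.get("SubjectUserName")

def review(xml_text):
    """Return (findings, sources still unregistered at the end of the window)."""
    findings, removed = [], {}
    for eid, when, source, account in sorted(parse(xml_text), key=lambda r: r[1]):
        if eid == 4904:
            removed.pop(source, None)  # re-registered, e.g. a product upgrade
            continue
        reasons = []
        if source in CRITICAL:
            reasons.append("critical source")
        if (source, account) not in BASELINE:
            reasons.append("not in baseline")
        if reasons:
            findings.append((when, source, account, reasons))
        removed[source] = when
    return findings, removed
```
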

Key fields

Field | Meaning
Event Source | The unregistered event source
Subject\Account Name | The subject that performed the unregistration
