4907 Auditing settings on object were changed
Written when the SACL (audit setting) of an object (file, registry key, etc.) is changed. It captures weakening of auditing on a specific object, that is, an attempt to hide traces.
Overview
The subcategory is Audit Policy Change. It is generated when the SACL (System Access Control List: the setting that defines what is audited on an object) of a file, registry key, and so on is changed. It is similar to 4715 (SACL change of audit policy), but 4907 broadly captures audit-setting changes on individual objects.
How it is triggered
- When the SACL (which defines whose access, and which access, is audited) of an audited object is changed.
Security review points
- A change that weakens or removes the SACL on an important object can aim to stop recording access to that object (defense evasion). Investigate unexpected SACL changes.
- Together with permission change 4670 and audit-policy change 4719, track configuration changes on both the protection and auditing sides.
Notes for log review
- It also occurs during legitimate configuration changes (audit design reviews). Compare each event against the normal patterns for the target object and the subject making the change.
- Alerting narrowed to weakening of auditing on sensitive folders and registry keys is effective.
Key fields
| Field | Meaning |
|---|---|
| Object Name / Object Type | The target whose audit setting was changed |
| Subject\Account Name | The subject that made the change |
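
One way to implement the narrowed alerting described under "Notes for log review", as an added example that is not part of the original page: it compares the SACL before and after the change and alerts only when audit coverage was dropped on a watched object. It assumes events are already exported as dictionaries keyed by the event's XML field names (OldSd and NewSd are the event's original and new security descriptor fields, which the table above does not list); the watchlist, function names and sample events are constructed for illustration.

```python
import re

# Constructed watchlist of sensitive objects (assumption: adjust per environment).
SENSITIVE_PREFIXES = (r"c:\finance", r"\registry\machine\sam")
AUDIT_ACE_TYPES = {"AU", "OU", "XU"}  # SDDL audit ACE types

def audit_entries(sddl):
    """Return {(trustee, rights, 'SA'|'FA')} from the SACL part of an SDDL string.

    Simplification: conditional ACEs with nested parentheses are not parsed.
    """
    m = re.search(r"S:[A-Z]*((?:\([^()]*\))*)$", sddl or "")
    entries = set()
    if not m:
        return entries
    for ace in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = ace.split(";")  # type;flags;rights;obj_guid;inherit_guid;trustee
        if len(fields) < 6 or fields[0] not in AUDIT_ACE_TYPES:
            continue
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        for cond in flags & {"SA", "FA"}:  # success audit / failure audit
            entries.add((fields[5], fields[2], cond))
    return entries

def review_4907(event):
    """Return an alert dict when audit coverage was dropped on a watched object."""
    removed = audit_entries(event["OldSd"]) - audit_entries(event["NewSd"])
    if removed and event["ObjectName"].lower().startswith(SENSITIVE_PREFIXES):
        return {"object": event["ObjectName"],
                "subject": event["SubjectUserName"],
                "removed": sorted(removed)}
    return None

FULL = "S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)"  # audits success and failure for Everyone
# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ObjectName": r"C:\Finance\ledger.xlsx", "SubjectUserName": "svc-backup",
     "OldSd": FULL, "NewSd": "S:AI(AU;FA;DCLCRPCRSDWDWO;;;WD)"},  # success audit dropped
    {"ObjectName": r"C:\Finance\ledger.xlsx", "SubjectUserName": "jdoe",
     "OldSd": FULL, "NewSd": "S:"},                               # SACL emptied
    {"ObjectName": r"C:\Temp\scratch.txt", "SubjectUserName": "jdoe",
     "OldSd": FULL, "NewSd": "S:"},                               # not on the watchlist
    {"ObjectName": r"C:\Finance\ledger.xlsx", "SubjectUserName": "admin",
     "OldSd": "S:", "NewSd": FULL},                               # auditing added
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(review_4907(ev))
```

Because rights strings are compared literally, a change to the audited access rights also appears as a removed entry and should be reviewed alongside the new descriptor.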