4911 Resource attributes of the object were changed
Written when a file system object’s resource attributes are changed. It captures changes to the attributes (such as a sensitivity classification) used by Dynamic Access Control for access decisions.
Overview
The subcategory is Audit Authorization Policy Change. It is generated when resource attributes (classification tags assigned to files/folders, e.g. sensitivity = high) are changed. A Central Access Policy (CAP) decides access by matching these attributes against a user’s claims, so an attribute change affects access control.
How it is triggered
- A change to a file/folder’s resource attributes (sensitivity classification, department tag, and so on).
Security review points
- A change that lowers an attribute such as a sensitivity classification can make a file accessible to someone who should not access it. Be alert to an attacker lowering the classification of a sensitive file to bypass exfiltration restrictions.
- Together with Central Access Policy change 4913, track changes on both the attribute and policy sides.
Notes for log review
- It only carries meaning in environments running Dynamic Access Control.
- Note attribute changes that lower sensitivity, and the target file and acting subject.
Key fields
| Field | Meaning |
|---|---|
Object Name | The object whose attributes were changed |
Resource Attributes | The changed resource attributes |
Subject\Account Name | The subject that made the change |