4913 Central Access Policy on the object was changed
Written when the Central Access Policy (CAP) applied to an object is changed. It captures changes to access-control rules for individual resources.
Overview
The subcategory is Audit Authorization Policy Change. The event is generated when the Central Access Policy (CAP) (a claims- and attribute-based access-control rule) assigned to an object such as a file or folder is changed. Whereas 4819 records a change to the CAPs applied to the machine as a whole, 4913 records a change to the CAP assigned to an individual object.
How it is triggered
- A change to the CAP applied to a file/folder (changing or removing the assignment, and so on).
Security review points
- A change that loosens or removes the CAP on a sensitive resource can allow unexpected access. Watch for an attacker changing a target object's CAP to bypass access restrictions.
- Together with resource attribute change 4911, track changes on both the attribute and policy sides.
Notes for log review
- It only carries meaning in environments running Dynamic Access Control.
- Note CAP changes on sensitive objects (especially loosening), and the target and acting subject.
Key fields
| Field | Meaning |
|---|---|
| Object Name | The object whose CAP was changed |
| Central Access Policy | The applied/changed policy |
| Subject\Account Name | The subject that made the change |
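The following PowerShell is an added example, not part of the original page: it pulls recent 4913 events, flattens their EventData, and flags CAP removals or replacements on sensitive paths from a constructed allow-list. It assumes the EventData elements are named ObjectName, SubjectUserName, SubjectDomainName, OldSd and NewSd, and that the CAP appears as an SP (scope policy) ACE whose SID is the S-1-17-... CAP identifier; confirm these names against one live event's XML view before relying on it.

```powershell
# Added example (not the page's own code). Field names and the CAP SID below are
# assumptions/placeholders; check them against one real 4913 event's XML.

# Constructed allow-list: sensitive path prefixes and the CAP SID expected on them.
$ExpectedCap = @{
    'D:\Finance\' = 'S-1-17-0000000000-0000000000-0000000000-0000000000'   # placeholder CAP ID
}

function Get-CapId {
    # Returns the CAP SID(s) from the SP ACEs of an SDDL string; nothing if no CAP is set.
    param([string]$Sddl)
    [regex]::Matches($Sddl, '\(SP;[^;)]*;[^;)]*;[^;)]*;[^;)]*;(S-1-17-[0-9-]+)\)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CapChange {
    # Classifies one 4913 event. Returns $null when the object is not on the
    # sensitive list, otherwise a finding describing the CAP change.
    param([hashtable]$Data)
    $path = $Data['ObjectName']
    $key  = $ExpectedCap.Keys | Where-Object { $path -like "$_*" } | Select-Object -First 1
    if (-not $key) { return $null }
    $old = @(Get-CapId $Data['OldSd'])
    $new = @(Get-CapId $Data['NewSd'])
    if ($new.Count -eq 0) { $verdict = 'CAP REMOVED' }
    elseif ($new -notcontains $ExpectedCap[$key]) { $verdict = 'CAP REPLACED (unexpected policy)' }
    else { $verdict = 'expected CAP applied' }
    [pscustomobject]@{
        Object  = $path
        Subject = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
        OldCap  = ($old -join ',')
        NewCap  = ($new -join ',')
        Verdict = $verdict
    }
}

# Read the last 7 days of 4913 from the local Security log and flatten EventData
# into a Name -> value hashtable so the fields can be addressed by name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4913; StartTime = (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
        $finding = Test-CapChange $data
        if ($finding) { $finding | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
    } | Format-Table -AutoSize
```

Findings marked "CAP REMOVED" or "CAP REPLACED" on a sensitive object are the cases the review points above call out; pair them with 4911 on the same object to see whether resource attributes changed in the same window.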