6422 A device was enabled
Logged when a device is enabled. Paired with the enable request event 6421, it records that the device enable completed.
Overview
The subcategory is Audit PNP Activity. It is generated when a device is actually enabled.
How it is triggered
- When a device-enable request 6421 is processed and the device becomes enabled.
Security review points
- Enabling a restricted device can lead to evading device control. Check the target device and subject.
- Track the device’s state changes by reading this event together with 6424 (a forbidden device being allowed) and 6420 (a disable that is later re-enabled).
Notes for log review
- It also occurs during legitimate operations. Match the target device and subject against normal patterns.
- Confirm enabling of restricted devices at high priority.
Key fields
| Field | Meaning |
|---|---|
| Device ID | The enabled device |
| Subject\Account Name | The subject that performed the operation |
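
The review points above, as an added example (not part of the original page or of any Windows tooling): it walks constructed event records in time order and flags each 6422 by restricted device, by departure from a baseline of normal device/subject pairs, and by the 6420, 6421 and 6424 events that preceded it. The record keys, the restricted-prefix list and the baseline set are assumptions made for the illustration.

```python
# Constructed sample records; key names are assumptions standing in for the
# Device ID and Subject\Account Name fields of an exported Security log.
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 6421, "device_id": r"PCI\VEN_0000&DEV_0001\1", "account": "SYSTEM"},
    {"time": 2, "event_id": 6422, "device_id": r"PCI\VEN_0000&DEV_0001\1", "account": "SYSTEM"},
    {"time": 3, "event_id": 6420, "device_id": r"USBSTOR\DISK&VEN_TEST\0001", "account": "jdoe"},
    {"time": 4, "event_id": 6421, "device_id": r"USBSTOR\DISK&VEN_TEST\0001", "account": "jdoe"},
    {"time": 5, "event_id": 6422, "device_id": r"USBSTOR\DISK&VEN_TEST\0001", "account": "jdoe"},
    {"time": 6, "event_id": 6424, "device_id": r"USB\VID_0000&PID_0002\2", "account": "jdoe"},
    {"time": 7, "event_id": 6422, "device_id": r"USB\VID_0000&PID_0002\2", "account": "jdoe"},
]
RESTRICTED_PREFIXES = ("USBSTOR\\",)                  # hypothetical device-control policy
BASELINE = {(r"PCI\VEN_0000&DEV_0001\1", "SYSTEM")}  # hypothetical normal device/subject pairs


def review_enables(events, restricted_prefixes, baseline):
    """Return findings for 6422 events, using per-device 6420/6421/6424 history."""
    history = {}   # device_id -> event IDs seen since that device's last 6422
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        dev, eid, who = ev["device_id"], ev["event_id"], ev["account"]
        seen = history.setdefault(dev, set())
        if eid != 6422:
            seen.add(eid)
            continue
        reasons = []
        restricted = dev.upper().startswith(restricted_prefixes)
        if restricted:
            reasons.append("restricted device enabled")
        if (dev, who) not in baseline:
            reasons.append("device/subject outside normal pattern")
        if 6420 in seen:
            reasons.append("re-enabled after disable (6420)")
        if 6424 in seen:
            reasons.append("enabled after forbidden device was allowed (6424)")
        if 6421 not in seen:
            reasons.append("no matching enable request (6421) in this data")
        if reasons:
            findings.append({"device_id": dev, "account": who,
                             "priority": "high" if restricted else "normal",
                             "reasons": reasons})
        seen.clear()   # the state sequence restarts once the enable completes
    return findings


if __name__ == "__main__":
    for finding in review_enables(SAMPLE_EVENTS, RESTRICTED_PREFIXES, BASELINE):
        print(finding)
```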