Event ID 4817 — Auditing settings on object were changed.
Description
Auditing settings on object were changed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Security_ID | SID | [Subject] Security ID. |
| Account_Name | UnicodeString | [Subject] Account Name. |
| Account_Domain | UnicodeString | [Subject] Account Domain. |
| Logon_ID | HexInt64 | [Subject] Logon ID. |
| Object_Server | UnicodeString | [Object] Object Server. |
| Object_Type | UnicodeString | [Object] Object Type. |
| Object_Name | UnicodeString | [Object] Object Name. |
| Original_Security_Descriptor | UnicodeString | [Auditing Settings] Original Security Descriptor. |
| New_Security_Descriptor | UnicodeString | [Auditing Settings] New Security Descriptor. |
| SubjectUserSid | SID | [Subject] Security ID |
| SubjectUserName | UnicodeString | [Subject] Account Name |
| SubjectDomainName | UnicodeString | [Subject] Account Domain |
| SubjectLogonId | HexInt64 | [Subject] Logon ID |
| ObjectServer | UnicodeString | [Object] Object Server |
| ObjectType | UnicodeString | [Object] Object Type |
| ObjectName | UnicodeString | [Object] Object Name |
| OldSd | UnicodeString | [Auditing Settings] Original Security Descriptor |
| NewSd | UnicodeString | [Auditing Settings] New Security Descriptor |
Community Notes
Attackers that wish to suppress object-access logging can clear/replace the global SACL.
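A detection-side sketch for the note above, added here as an example and not taken from the referenced sources: it compares the audit ACEs in `OldSd` and `NewSd` and flags a 4817 event that removes them or empties the SACL. It assumes both fields carry SDDL strings; the sample event, the account name and the function names are constructed for illustration, and conditional ACEs with nested parentheses are not handled.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_ACE_TYPES = {"AU", "OU", "XU"}  # SDDL audit ACE types (audit, object audit, callback audit)

# Constructed sample: a 4817 record in which the global File SACL is emptied.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4817</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">admin01</Data>
    <Data Name="ObjectServer">LSA</Data>
    <Data Name="ObjectType">Global SACL</Data>
    <Data Name="ObjectName">File</Data>
    <Data Name="OldSd">S:(AU;SAFA;RC;;;WD)(AU;SA;WD;;;WD)</Data>
    <Data Name="NewSd">S:</Data>
  </EventData>
</Event>"""

def audit_aces(sddl):
    """Return the set of audit ACE strings found in the SACL part of an SDDL string."""
    # "S:" marks the SACL; optional flag letters (e.g. AI) precede the ACE list.
    m = re.search(r"S:[A-Z]*((?:\([^()]*\))*)", sddl or "")
    if not m:
        return set()
    aces = re.findall(r"\(([^()]*)\)", m.group(1))
    return {a for a in aces if a.split(";")[0] in AUDIT_ACE_TYPES}

def review_4817(event_xml):
    """Summarise one 4817 event; return None for any other event ID."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4817":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    old, new = audit_aces(data.get("OldSd")), audit_aces(data.get("NewSd"))
    removed = sorted(old - new)
    return {
        "user": data.get("SubjectUserName"),
        "object": f'{data.get("ObjectType")}/{data.get("ObjectName")}',
        "removed": removed,                    # audit ACEs that no longer apply
        "added": sorted(new - old),
        "sacl_cleared": bool(old) and not new,  # every audit ACE is gone
        "suspicious": bool(removed),
    }

if __name__ == "__main__":
    print(review_4817(SAMPLE_EVENT))
```
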
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4817