Event Details
User Activity->Policy Changes->Windows 2008->EventID 4907 - Auditing settings on object were changed.
EventID 4907 - Auditing settings on object were changed.
 Sample: 
        Auditing settings on object were changed.

        Subject:
        Security ID:		%1
        Account Name:		%2
        Account Domain:		%3
        Logon ID:		%4

        Object:
        Object Server:	%5
        Object Type:	%6
        Object Name:	%7
        Handle ID:	%8

        Process Information:
        Process ID:	%11
        Process Name:	%12

        Auditing Settings:
        Original Security Descriptor:	%9
        New Security Descriptor:		%10
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Policy Change
Source Microsoft-Windows-Security-Auditing
TaskCategory Audit Policy Change
EventId 4907
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. Subject: Account Name
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Object Auditing settings change" Object Auditing settings change
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "High" High
WhoDomain Subject: Account Domain
WhereDomain -
Policy Name The name of the affected policy. "Object-level" Object-level
Object Type Object Type Object: Object Type
Object Name Object Name Object: Object Name
Old Settings Old Settings Auditing Settings: Original Security Descriptor
New Settings New Settings Auditing Settings: New Security Descriptor
Comments
You must be logged in to comment