Details of the event with ID 4874 of the source Microsoft-Windows-Security-Auditing

Event Source:	Microsoft Windows Security Auditing
Event ID:	4874 (0x130A)
Event log:	Security
Event type:	Information
Event text (English):	One or more certificate request attributes changed. Request ID: %1 Attributes: %2
Event text (German):	At least one certificate request attribute has been changed. Request ID: %1 Attributes: %2

Parameter

The parameters contained in the event text are filled with the following fields:

• %1: RequestId (win:UnicodeString)
• %2: Attributes (win:UnicodeString)
• %3: SubjectUserSid (win:SID)
• %4: SubjectUserName (win:UnicodeString)
• %5: SubjectDomainName (win:UnicodeString)
• %6: SubjectLogonId (win:HexInt64)

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Example events

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

 One or more certificate request attributes changed.
 	
 Request ID: 166141
 Attributes: CN:www.adcslabor.de
 O=ADCS Laboratory 

Description

No description has been written for this yet.

Safety assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".

The reasoning behind this is:

If this functionality is not used by the CA, it may indicate tampering with a request

Related links:

• Overview of audit events generated by the Certification Authority
• Overview of the audit events generated by the online responder (OCSP)

External sources

• Securing Public Key Infrastructure (PKI) (Microsoft)