Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.1 - Built-in Reports Reference Guide

Introduction Built-in reports
AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

Introduction

Change Auditor provides predefined reports which allow you to quickly retrieve valuable configuration change information from various perspectives.

* 
NOTE: The terms ‘searches’ and ‘reports’ are used in conjunction to acquire the wanted output. You run a ‘search’ and the results returned are referred to as a ‘report’.
To run a built-in search:
1
Click the Searches tab or select View | Searches to open the Searches page.
2
Expand and select the appropriate folder in the explorer view to display the list of search definitions stored in the selected folder.
3
In the right pane, locate the search to run and use one of the following methods to run the selected search:
Double-click a search definition
Right-click a search definition and select Run
Select the search definition and click Run
4
A new Search Results page displays populated with the audited events that met the search criteria defined in the selected search definition.

This guide contains a list of the all the built-in reports provided with Change Auditor. They are listed according to the folder structure under the Shared folder on the Searches page.

* 
NOTE: Many of the built-in reports are only available when the appropriate Change Auditor license is applied For example, to capture Exchange events, Quest® Change Auditor for Exchange must be licensed. Some built-in reports also require auditing templates to define the auditing scope. For example, to capture File System events, you must first define a template to specify the files and folders and events to audit.

Change Auditor does not prevent you from running any of the built-in reports; however, associate events are not captured unless the proper license and auditing template is applied. See the individual Change Auditor user guides for more information about auditing key environments.

Built-in reports

The following criteria defines the contents of the default ‘My Favorite’ report that is displayed on the Overview page:

Change Auditor Real-Time
Who = All Users
What = All Event Classes
Where = All sources
When = Last 20 minutes
Origin = All workstations/servers
 

The other built-in reports provided with Change Auditor are available under the following folders:
AD Query
All Events
Authentication Services
Azure Active Directory
Defender
Office 365
Logon Activity
Skype for Business
Recommended Best Practices
Regulatory Compliance
Security
SharePoint
SQL Data Level
VMware

AD Query

* 
NOTE: By default, the AD Query reports include the following information on the Search Results page: Origin, LDAP Attributes, LDAP Scope, LDAP Filter, LDAP Type, LDAP Occurrences, LDAP Elapsed, LDAP Since, and LDAP Results. These additional columns are defined using the Layout tab.
All AD Queries grouped by AD search filter
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout tab - Order By: Time Detected (Not Grouped); LDAP Filter (Grouped)
All AD Queries grouped by AD starting point
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); Object Canonical (Grouped)
All AD Queries grouped by number of results
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); LDAP Results (Grouped)
All AD Queries grouped by originating hostname\IP address
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); Origin (Grouped)
All AD Queries grouped by time elapsed (query run time)
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); LDAP Elapsed (Grouped)
All AD Queries in the last 1 week
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All AD Queries in last 30 days
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 30 days
Origin = All workstations/servers

All Events

All Account Lockout events
Who = All Users
What = Local User Account Locked; Local User Account Unlocked; User Account Locked; User Account Unlocked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Active Directory events
Who = All Users
What = Active Directory subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Active Directory events including ActiveRoles/GPOADmin initiator

(Returns all Active Directory events, displaying the Initiator UserName and EventSource in the Search Results)

Who = All Users
What = Active Directory subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Selected Columns: Initiator UserName and EventSource are added to default list
All AD Query events
Who = All Users
What = AD Query facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All ADAM (AD LDS) events
Who = All Users
What = ADAM (AD LDS) subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Change Auditor Internal Auditing events
Who = All Users
What = Change Auditor Internal Auditing facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Computer events
Who = All Users
What = Custom Computer Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Connection Object events
Who = All Users
What = Connection Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All DNS events
Who = All Users
What = DNS Service facility; DNS Zone facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Domain Controller events
Who = All Users
What = Configuration Monitoring facility
Where = Domain Controller
When = Last 7 days
Origin = All domain controllers
All Domain events
Who = All Users
What = Domain Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Dynamic Access Control events
Who = All Users
What = Dynamic Access Control facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All EMC events
Who = All Users
What = EMC facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Who = All Users
What = All Event Classes
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All events in the past 24 hours
Who = All Users
What = All Event Classes
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Exchange events
Who = All Users
What = Exchange subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Fault Tolerance events
Who = All Users
What = Fault Tolerance facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All File System events
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All FluidFS events
Who = All Users
What = FLuidFS facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Forest Configuration events
Who = All Users
What = Forest Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All FRS events
Who = All Users
What = FRS Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Group events
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group; Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group
Custom Group Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Group Policy events
Who = All Users
What = Group Policy Link Added to OU; Group Policy Link Removed from OU; Group Policy Link Setting Modified; Group Policy Link Added to Site; Group Policy Link Removed from Site
Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Group Policy events including GPOADmin initiator

Returns all Group Policy events, displaying the Initiator UserName and EventSource in the Search Results

Who = All Users
What = Group Policy subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Selected Columns: Initiator UserName and EventSource are added to default list
All IP Security events
Who = All Users
What = IP Security facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All NetApp events
Who = All Users
What = NetApp facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All NETLOGON events
Who = All Users
What = NETLOGON Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All NTDS events
Who = All Users
What = NTDS Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Object Restore events
Who = All Users
What = Computer Added; Domain Added; Exchange Group Added (Exchange 2003); Group Object Added; Group Policy Object Added; Subordinate OU Added; User Object Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All OU events
Who = All Users
What = OU facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Registry events
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Replication events
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Schema Configuration events
Who = All Users
What = Schema Configuration facility
Schema FSMO Role Owner Moved; Schema Modifications Allowed Flag Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Services events
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Site events
Who = All Users
What = Site Added; Site Removed; Site Renamed; Site Link Added; Site Link Removed; Site Link Bridge Added; Site Link Bridge Removed
Site Configuration facility; Site Link Bridge Configuration facility; Site Link Configuration facility; Subnets facility; Connection Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All System events
Who = All Users
What = System Events facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All SYSVOL events
Who = All Users
What = SYSVOL facility
SYSVOL Location Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All User events
Who = All Users
What = Custom User Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Ferramentas de autoatendimento
Base de conhecimento
Notificações e alertas
Suporte a produtos
Downloads de software
Documentação técnica
Fóruns de usuário
Tutorial em vídeo
Feed RSS
Fale conosco
Obtenha assistência de licenciamento
Suporte técnico
Visualizar tudo
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação