Chat now with support
Chat with Support

Change Auditor 7.1 - Release Notes

Quest® Change Auditor 7.1

Quest® Change Auditor 7.1
These release notes provide information about the Quest Change Auditor release.
About Quest Change Auditor 7.1
New features
Important information
Resolved issues
Known issues
System requirements
Product licensing
Getting started with Change Auditor 7.1
About us

About Quest Change Auditor 7.1

Change Auditor provides total auditing and security coverage for your enterprise network. To protect your data and your business, Change Auditor Threat Detection uses advanced machine learning, user and entity behavioral analytics (UEBA), and SMART correlation technology to spot anomalous activity and identify the highest risk users in your environment. The users with the highest risk scores are then highlighted in the Threat Detection dashboard, enabling you to prioritize your response and adjust policies to strengthen your organization’s security and regulatory enforcement.

Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management — and reduce the risks associated with day-to-day modifications.
Audit all critical changes across your enterprise including Active Directory, Azure Active Directory, Office 365 Exchange Online\SharePoint Online\OneDrive For Business, Exchange, Windows File Servers, NetApp, EMC, SQL Server, VMware vCenter, SharePoint, Microsoft Skype for Business and Fluid File Systems.
Collect user login and log out activity for regulatory compliance and user activity tracking.
Automate ongoing compliance with tracking and reporting for compliance initiatives including SOX, PCI-DSS, HIPAA, FISMA, GLBA, and more.
Speed troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports, and powerful searches.
Proactively protect (lock down) critical Active Directory objects, Exchange mailboxes, and Windows files and folders from harmful changes that could open security holes or cause resources to become unavailable.
Modular approach allows separate product deployment and management for key environments including Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Queries, SharePoint, Logon Activity, and Skype for Business.
Integrate with other Quest products to track, audit, report, and alert on critical changes made using Quest Authentication Services and Quest Defender.
Integrate with On Demand Audit to gain access to rich visualizations of on-premises and cloud events, responsive search across tenants, and long-term storage of audit data.

Change Auditor 7.1 is a major release, with enhanced features and functionality. See New features.

New features
Azure Active Directory and Office 365 updates
Change Auditor has implemented the updated Microsoft graph API which has resulted in the following additional built-in reports for risky events:
All Azure Active Directory sign-in from anonymous IP address events in the past 7 days
All Azure Active Directory sign-in from confirmed compromised user events in the past 7 days
All Azure Active Directory sign-in from IP address with malicious activity events in the past 7 days
All Azure Active Directory sign-in from IP address with suspicious activity events in the past 7 days
All Azure Active Directory sign-in from malware-infected device events in the past 7 days
All Azure Active Directory sign-in with impossible travel events in the past 7 days
All Azure Active Directory sign-in with valid credentials from blocked IP address events in the past 7 days
All Azure Active Directory sign-in with unfamiliar location or properties events in the past 7 days
All Azure Active Directory suspicious manipulation or rules in user's inbox events in the past 7 days
All Azure Active Directory user activity with known sign-in attack pattern events in the past 7 days
All Azure Active Directory user activity with known attack pattern events in the past 7 days
All Azure Active Directory unlikely travel between sign-in source locations events in the past 7 days
All Azure Active Directory users sign-in with leaked credentials events in the past 7 days
Increased performance of Azure Active Directory auditing allowing for more events to be processed.
Office 365 auditing page now displays whether SharePoint Online and OneDrive for Business events are being monitored.
Office 365 event details Item tab added that displays Id, rights, SID, Upn, name and path details for Exchange Online permission additions, removals, or modifications.
Additional Info tab added for Azure Active Directory risky events that displays information such as user agent, related event time in UTC, related user agent, device information, related location, request ID, correlation ID.
Ability to set whether or not mailbox auditing settings specified in the auditing template overwrite the existing mailbox auditing settings specified in the Office 365 tenant.
Ability to create a custom Azure Active Directory search based on location.
Active Directory updates
Ability to audit changes to Active Directory temporary groups where the members have a specified time to live. The time to live for each member is also reported in the event.
Ability to allow Managed Service Accounts to access protected Active Directory objects.
Foreign forest support
The following is supported in environments where a coordinator does not exist in the foreign forest where agents are deployed:
Ability to harvest the foreign forest topology.
Ability to deploy agents through the Change Auditor client.
Ability to audit logon activity with an agent in the foreign forest.
Ability to audit and protect Windows File System with an agent in the foreign forest.
Ability to audit and protect Active Directory objects with an agent in the foreign forest.
Ability to audit Active Directory attributes with an agent in the foreign forest.
Ability to select objects from the foreign forest in object pickers for search queries.
Ability to include and exclude objects from the foreign forest in AD queries.
On Demand Audit integration updates
Ability to send the Change Auditor version and list of coordinators to On Demand Audit after an upgrade so that On Demand Audit can display the most current Change Auditor information.
New events generated when event forwarding to On Demand Audit is suspended due to an error and then resumed:
On Demand Audit subscription has suspended
On Demand Audit subscription has resumed
New events generated when an On Demand administrator makes changes to the Change Auditor event forwarding settings within On Demand Audit:
Event sending to On Demand Audit has paused
Event sending to On Demand Audit has resumed
On Demand Audit configuration removed
New event generated when Change Auditor connects to On Demand Audit:
On Demand Audit configuration added
Authentication and Logon activity updates
Additional events:
User performed a successful NTLM V1 logon is created when a user successfully logged into server through NTLM V1.
User performed a successful NTLM V2 logon is created when a user successfully logged into server through NTLM V2.
User authenticated through NTLM (or User failed to authenticate through NTLM) is created when a user successfully authenticates (or fails to authenticate) to a domain controller using NTLM authentication.
Additional built-in searches:
All Kerberos Authentication Activity in the past 24 hours
All NTLM Authentication Activity in the past 24 hours
All NTLM version 1 logons in the last 7 days
Ability to search logon events by the failure reason or status code.
Ability to set Kerberos ticket lifetime in agent configuration and detect possible golden ticket use. When a Kerberos ticket lifetime that exceeds the value specified in the agent configuration is detected, the “Kerberos user ticket that exceeds the maximum lifetime detected” domain controller authentication event is generated. A valid Change Auditor Logon Acitvity User license is required.
Additional platform support
The following support has been added:
Windows Server Core 1909 (Active Directory, Windows File System, Registry, Services, and Local User and Group auditing only)
Microsoft Exchange Server 2016 CU15
Microsoft Exchange Server 2019 CU4
Microsoft SQL Server 2019 CU2 (coordinator database, SQL and SQL DLA auditing)
.NET Framework 4.6.2 for the agent
NetApp 9.7
Defender 5.9.6
GPOADmin 5.14
Active Roles Server 7.4.2
Fluid File System 6.0.3
The following support has been removed:
Microsoft Exchange Server 2010 is no longer supported for auditing or protection.
Windows Server 2008 R2 is no longer supported for agent installations.
Windows server 2008 SP2 is no longer supported for legacy agent installations.
Miscellaneous features and enhancements
Ability to manually specify a service name in the Services Auditing Template wizard.
Performance improvements when auditing a high volume of AD Query events.
Performance improvements have been made to the "Discard duplicate queries occurring within" event consolidation to reduce the amount of required memory. Note: Although improved, the agent will still consume considerably more memory when auditing high volume Active Directory Query events over longer periods of time compared to baseline agent memory usage.
SMTP Alert Failed event created when an SMTP alert notification fails enabling you to identify and fix SMTP server configuration issues.
Defender and Authentication Services auditing no longer requires a Change Auditor for Defender or a Change Auditor for Authentication Services license. Auditing for these applications is now enabled and disabled on a configuration basis from through the configuration setup. (After an agent upgrade from version 7.0.4 or earlier, you will need to update your configuration setup to enable Defender or Authentication Services auditing where required.)
Ability to use autofill software with the Change Auditor web client log on.
The "Refresh Status" button on the Deployment tab will now use the credentials defined in "Set credentials" dialog.

Important information
With Change Auditor database structure, you have access to larger volumes of data online without the need to archive data regularly. Here are a few pointers on auditing and accessing “big data”:
When building custom searches, keep in mind that the new schema organizes its event indexes in “hourly blocks”. The smaller the window of time in the when criteria, the better performance in the client for returning a result set.
While Change Auditor provides efficient event auditing with our agents, it is highly recommended that you maintain “focused” auditing. This ensures high performance when accessing large amounts of data in the Change Auditor client.
If excessive audits are received within the same hour, performance may decrease dramatically depending on the criteria selected.
General Exchange concepts:
Outlook “Show New Mail Desktop Alert” triggers the “Message Read by Owner” event: When this option is enabled, new email that arrives flashes a semi-transparent “alert” near the desktop system tray. Change Auditor captures a Message Read by Owner event when this occurs. The new email alert window opens each new email message as it arrives to build the alert. NOTE: The “Message Read by Owner” event is disabled by default in Audit Event configuration.
Microsoft Outlook/Exchange add-Ins: Change Auditor may be incompatible with Microsoft Outlook or Exchange “add-ins” (commercial or custom) that interact with Exchange Servers. While Quest makes every effort to ensure proper functionality and performance, we are unable to validate against the many add-ins available for Microsoft Outlook or Exchange Server.
“By Owner” auditing feature: Selecting ‘By Owner’ auditing for many mailboxes can produce many events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a few critical mailboxes.
Auditing mailboxes with many delegates. Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes need to be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.
SMTP alert notifications on owner mailbox “event storm”: It is highly recommended that mailboxes configured to receive SMTP alerts are excluded from auditing “by Owner” events. An “event storm” could occur when a new SMTP alert is received on an audited mailbox by owner, generating a never-ending cycle of “Inbox opened by owner” and “Message read by owner” events.
Upgrading agents on high volume Exchange Servers: It is critical that agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent upgrades should not be attempted on an active Exchange Server cluster node in any case.
Attempting to upgrade the agent on a busy Exchange Server may result in:
Exchange 2013 mailbox role: failed agent upgrade, unwanted RpcClientAccess service restart, or unscheduled Exchange cluster node failover.
Exchange 2013 client access role: unwanted IIS Exchange application pool restarts.
Exchange 2016 or 2019 mailbox role: failed agent upgrade, unwanted RpcClientAccess or IIS application pool restarts, or unscheduled Exchange cluster node failover.
To eliminate the possibility of unscheduled Exchange Server downtime, perform agent upgrades to Exchange Servers during periods of low or no mailbox activity.
General EMC concepts:
Control Stations: The Control Station is a dedicated management computer that monitors and controls cabinet components and allows access to the full functionality of the Celerra or VNX Network Server software. It contains utilities for installing and configuring the Celerra or VNX Network Server, maintaining the system, and monitoring system performance. The Control Station runs a set of programs that are collectively referred to as the Control Station software. The Control Station itself uses an EMC-customized version of Linux as its operating system.
Data Movers: Data Movers are the Celerra or VNX components that transfer data between the storage system and the network client. Data Movers are managed by using a Control Station. By default, Data Movers are named server_n, where n is the slot number of the Data Mover. For example, server_2 is the Data Mover in slot 2.
Troubleshooting EMC events: If EMC events are not being audited by the Change Auditor agent, first check to see if the EMC CAVA agent service is running on your Windows Server where the EMC events are being collected. Second, check to see if the CEPP service on the EMC Data Mover is running or if the state is offline, by using the command:
server_cepp {mover_name} -p -i
Resulting output of this command should be similar to the following:
IP = {mover IP}, state = ONLINE... etc
If the CEPP service is OFFLINE, you can fix this by first restarting the EMC CAVA service on the Windows Server. If that does not work, restart the EMC CEPP services on the Data Mover by using the following command:
server_cepp {mover_name} -service -start
Change Auditor agent requires File and Printer Sharing on Windows Server 2012: By default, File and Printer sharing are not enabled on Windows Server 2012 installations. To remotely install agents to Windows Server 2012 (Full UI and Server Core), enable the File and Printer Sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
The File and Printer Sharing for Microsoft Networks service on the network adapter is also required to be enabled for remote deployment.
File System auditing for NAS and mapped network drives: Change Auditor does not support File System auditing on NAS devices or mapped network drives other than EMC Celerra/VNX/Isilon or NetApp Data ONTAP filers.
Microsoft Office files: Since the Change Auditor for Windows File Servers, NetApp, and EMC drivers capture events related to file activity, it is possible that a folder containing files being opened and edited by Microsoft Office products (Word, Excel, PowerPoint, and so on) will generate unexpected results. Understanding how MS Office products interact with the file system might help explain some of the audit events captured. See http://support.microsoft.com/kb/211632 for more details.
File System Auditing for SAN: Support and engineering will attempt to troubleshoot and resolve issues to the best of their ability when the SAN is attached to a Windows-based file server such that it appears as a local drive on that host. In this configuration, the SAN generally behaves as an extra disk drive on the server which can be audited by a Change Auditor agent on that server. Success in this configuration depends on many factors and is not guaranteed.
File System auditing: Change Auditor does not audit files with a size of zero (0) bytes.
Recompiling the Change Auditor MOF file: Change Auditor no longer ships with a MOF file as part of the coordinator installer. Should the CA WMI namespace become corrupt, or should there be an installation failure, the file can be recompiled using the following command line:
ChangeAuditor.Service.exe --install
Blackberry Enterprise Server (or similar) services: To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by Blackberry Enterprise Server (BES) or similar service accounts. These accounts have both ‘Receive All’ and ‘Administer Information Setup’ rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts are also excluded from mailbox auditing, which may not be wanted. If necessary, this automated exclusion can be disabled on a server-by-server basis.
Changes to domain administration level security objects may generate subsequent DACL changes reported with Changed By information as “NT AUTHORITY\ANONYMOUS LOGON” up to an hour after the original change. According to Microsoft, an Active Directory domain controller that holds the primary domain controller (PDC) operations master role runs a thread every hour to check the access control lists of members of several built-in administrative groups. If a user account is a member of one of these administrative groups, even if only because of its membership with a distribution group, the user account's ACL is checked when the thread is run and may be reset to the ACL of the CN=AdminSDHolder,CN=System,DC=<domain> object.
Exclude Change Auditor components and monitored processes from antivirus software: Quest recommends excluding the following Change Auditor components and monitored processes from any antivirus software that uses technology similar to “Buffer Overrun Protection” or “On Access Scanner”:
DSAMain.exe
Lsass.EXE
Microsoft.Exchange.RpcClientAccess.Service.exe (Exchange 2013 only)
NPSRVhost.exe
Services.exe
‘Server’ service
Change Auditor coordinator service running under a service account (instead of Local System):
If the coordinator service is running under a service account (instead of Local System):
The user must re-save existing Forest or GC profiles using the Change Auditor client's connection wizard. This updates the SPN with the correct information.
The user must enter the coordinator’s IP address instead of its DNS name in the connection settings in:
The web.config for the Change Auditor web client
The manual option in the Change Auditor client's connection wizard
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating