Chat now with support
Chat mit Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

You can run built-in searches to retrieve user logon activity captured by deployed Change Auditor server and workstation agents. In addition, you can create custom queries to search for specific user logon activities that need to be tracked in your environment.

 

Built-in logon activity searches

Previous Next

Built-in logon activity searches

To see a complete list of built-in reports, see the Change Auditor Built-in Reports Reference Guide.

To run the All Logons in Past 24 hours search:

Running the All Logons in the Past 24 hours search will retrieve the all user logon activities for monitored servers and workstations.

1
Open the Searches page.
2
Expand and select the Shared | Built-in | Logon Activity folder to display the built-in searches available.
3
In the right-hand pane, locate the All Logons in the Past 24 hours search and use one of the following methods to run the selected search:
Double-click a search definition
Right-click a search definition and click the Run menu command
Select the search definition and click the Run tool bar button at the top of the Searches page
4
A new Search Results page appears populated with the events that met the search criteria.

Create custom user logon activity searches

Previous Next

Create custom user logon activity searches

The following procedures explain how to user the What tab to create custom user logon activity event queries.
 
* 
NOTE: If you wanted to, you can use the other search properties tabs to define additional criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range
Origin - allows you to search for events that originated from a specific workstation or server
To search for all network logon events captured this week:

This search captures both successful and failed logon attempts from a remote computer on the network.

* 
NOTE: The network logon events are disabled by default and must first be enabled in the client before they will be captured. Use the Audit Events page on the Administration Tasks tab to enable these events.
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.

3
Click New.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | Logons.
6
On the Add Logons dialog, select Network, click Add to add it to the selection list, and click OK.
7
Click Run to save and run the newly created search.

A new Search Results page is populated with the results of your search.

To search for a specific logon event by failure reason or status code:

This search captures logon events that contain the specified failure reason or status code.

1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.

3
Click New.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | Logons.
* 
NOTE: Alternatively, you can use Add with Events | Subsystem | Logons to select an entry that already has an event in the database.
6
On the Add Logons dialog, select the logon type.
7
Click to enable the Logon Failure Reason filter, select the comparison operator to use (Like or Not Like) and enter the description. You can also use the wildcard character * for a partial search.

- or -

Click to enable the Logon Status Code filter, select the comparison operator to use (Equals or Does not equal) and enter the code.

8
Click Add to add the filter, Remove to remove a filter, or Update to apply a change to the filter, then click OK.
9
Click Run to save and run the newly created search.

A new Search Results page is populated with the results of your search.

To search a specific user’s logon activity over a specific time period:

This scenario uses the Runtime Prompt options to create a generic search definition where you can then specify the user and time interval each time you run the search.

1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Select the Private folder to create a search that only you can run and view. Select the Shared folder to create a search which can be run and viewed by all Change Auditor users.

3
Click New.
4
Open the Info tab, enter a name and description for the search.
5
Open the Who tab and select Runtime Prompt to specify the user to be audited each time you run this search.
6
Open the What tab, expand Add and select Subsystem | Logons.
7
On the Add Logons dialog, select each logon type and click Add. (You will need to add each logon type individually). Click OK to save your selections and close the dialog.
8
Open the When tab and select Runtime Prompt to specify the time interval each time you run this search.
9
Select Run to save and run the search.
10
Since you selected the Runtime Prompt options on both the Who tab and When tab, you will be prompted to specify the user who’s logon activity you want to audit and the time interval to be searched:
On the Select Active Directory Objects dialog, use the Browse or Search pages to locate one or more users. Click Add to add the selected user to the list at the bottom of the page. Click Select to save your selection and close the dialog.
On the When dialog enter the date range and/or time of day to be searched. Click OK to save your selection and close the dialog.

A new Search Results page will be displayed populated with the results of your search.

Search Results

Previous Next

Search Results

The user logon activity event information can be viewed on the Search Results page in the Change Auditor client. The user logon activity details appear on the following Change Auditor components:
Search Results Grid
Event Details Pane
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen