Chat now with support
Chat mit Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Creating custom Microsoft Entra searches

Previous Next

Creating custom Microsoft Entra searches

To create a custom search for all Microsoft Entra events:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and click Subsystem | Microsoft Entra.
* 
NOTE: You can use Add with Events | Subsystem | Microsoft Entra to select an existing event from the database and use its properties as a filter for a new search.
6
Select All Events.
7
Select the Layout tab and choose the Microsoft Entra information to include.
8
Click OK to save your selection and close the dialog.

After you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To create a custom search for Microsoft Entra events based on facility or event:
1
Open the Searches page.
2
In the explorer view, expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add. Select Event Class.
6
Group by the Facility column.
To add all events within a facility, select the required Microsoft Entra facility, click Add | Add All Events in Facility, and click OK.

OR

To add a specific event, select the required event class, click Add | Add This Event, and click OK.
7
Select the Layout tab and choose the Microsoft Entra ID information to include.
8
After you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To create a custom search for Microsoft Entra events based on specific filter options:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and click Subsystem | Microsoft Entra.
* 
NOTE: You can use Add with Events | Subsystem | Microsoft Entra to select an existing event from the database and use its properties as a filter for a new search.
6
Select Selected Events to configure the search.
Select the Category filter to specify the event category to include in the search. Select a comparison operator (Like or Not like) and enter a category name. For example, if you are interested only in activities related to self-service password resets, you would choose the “Self-service Password Management” category.
Select the Activity Type filter to specify the activity to include in the search. Select a comparison operator (Like or Not like) and enter an activity type. For example, to only show user related activities you would select “User” as the activity type.
Select the Activity Name filter to specify the activity to include in the search. (For sign-in risk events, this will show the detected activity that occurred on the risk event.) Select a comparison operator (Like or Not like) and enter an activity name (character string and the * wildcard character). For example: Like *delete* will search for events where Activity contains ‘delete’.
Select the Activity Details filter to include activity details in the search. (For sign-in risk events use the status of the risk event, such as Resolved). Select a comparison operator (Like or Not like) and enter a full or partial string (character string and the * wildcard character). For example, the 'Self-serve password reset flow activity progress' activity provides several different details including: User started the mobile SMS verification option, User started the e-mail verification option, or User successfully reset password. You can leave this filter blank to return events for all activities or narrow the search based on the activity details.
Select the Target filter to specify the target (primary and secondary targets) to include in the search. (For sign-in risk events, the field searches for the risk event type such as Sign-in from anonymous IP address). Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character). The Target filter searches across the following properties: Object Name (Cloud Target Name), Target Display Name, On-Premises Target, Subject Name, Subject Display Name, and On-Premises Subject.
* 
NOTE: When Microsoft Entra events include multiple targets, Change Auditor identifies these as Target (primary target) and Subject (secondary target).
Select the Location filter to specify the country, state, or city to include in the search. Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character).
Select the Activity Origin filter to specify the activity origin to include in the search. You can choose between Cloud (event activity was performed directly in the cloud) or AD (event activity was originally performed on-premises and was synchronized to the cloud).
Select the Sync Type filter to specify the target (primary and secondary targets) synchronization type to include in the search. You can choose between In Cloud (target object exists only in the cloud) and Synced from AD (target object was synchronized from Active Directory).
* 
NOTE: When Microsoft Entra events include multiple targets, Change Auditor identifies these as Target (primary target) and Subject (secondary target).
7
Click Add to add the expression to the selection list.
8
Repeat this process to add any additional expressions to the search query.
* 
NOTE: When multiple entries are added to the selection list at the bottom of the page, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed.
9
Select the Layout tab and choose the Microsoft Entra ID information to include.
10
After you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

Displaying additional Microsoft Entra information

Previous Next

Displaying additional Microsoft Entra information

When auditing Microsoft Entra ID, you can add columns to display extra information through the search Layout tab:

Table 6. Available columns

Layout Tab

Search Column Name

Description

Microsoft Entra - Activity Type

Activity Type

The activity resource type.

Microsoft Entra - Activity Name/Operation

Activity Name/Operation

The activity that was performed as part of the event.

Microsoft Entra - Activity Details

Activity Details

Additional information about audited activity. For example, for ‘Self-serve password reset flow activity progress’ it shows what step the user is performing.

For sign-in risk events, this shows the status of the risk event, such as "Closed (resolved)".

Microsoft Entra - Category

Category

The activity category, such as Terms of use, Core Directory, Application Proxy, Account Provisioning, Invited Users, etc.

Microsoft Entra - Sign-in City

City

The city from which the user signed in or attempted to sign in to an application.

Microsoft Entra - Sign-in State

State

The state from which the user signed in or attempted to sign in to an application.

Microsoft Entra - Sign-in Country

Country

The country from which the user signed in or attempted to sign in to an application.

* 
NOTE: The sign-in columns are only applicable to Microsoft Entra sign in and sign in risk events.
* 
NOTE: For Microsoft Entra sign in events the time detected in the search results references the sign in time.

 

Additional information for synchronized environments

Previous Next

Additional information for synchronized environments

When auditing Microsoft 365 and Microsoft Entra ID in a synchronized environment, you can add columns to display extra mapping information through the search Layout tab:

Table 7. Available columns

Layout Tab

Search Column Name

Description

Microsoft Entra - Activity Origin

Activity Origin

‘Cloud’ indicates that the event activity was performed directly in the cloud.

‘AD’ indicates that the event activity was originally performed on-premises and was synchronized to the cloud.

Microsoft Entra - On-premises User

On-premises User

Domain and sAMAccountName of the on-premises user that corresponds to the cloud user that initiated the event.

Microsoft Entra - On-premises Target

On-premises Target

Domain and sAMAccountName of the on-premises object that corresponds to the cloud object that was the target of the event.

Microsoft Entra - Target Sync Type

Target Sync Type

‘In Cloud’ indicates that the target object exists only in the cloud

‘Synced from AD’ indicates that the target object was synchronized from Active Directory.

Microsoft Entra - Target Display Name

Target Display Name

Display the on-premises object display name for synchronized environments or the cloud object display name only for cloud-only objects.

Microsoft Entra - Tenant Initial Domain

Tenant Initial Domain

Default Microsoft Entra domain name.

Microsoft Entra - Tenant Display Name

Tenant Display Name

Tenant display name.

Microsoft Entra - Subject Sync Type

Subject Sync Type

‘SyncedFromAD’ indicates that the subject object was synchronized from Active Directory.

‘In Cloud’ indicates that the subject object exists only in the cloud.

Microsoft Entra - Subject Display Name

Subject Display Name

Displays the Active Directory on-premises name if a hybrid object and the Microsoft Entra name if a cloud object.

Microsoft Entra - On-premises Subject

On-premises Subject

Domain and sAMAccountName of the on-premises object that corresponds to the cloud object that was the subject of the event.

Subject Name

Subject Name

Microsoft Entra object name regardless of whether a cloud or hybrid object.

In addition to the search columns, the ‘Who’ field shows the mapping information in the event details pane. In cloud only deployments, this field displays the cloud user that initiated the event. If it is a synchronized deployment, the associated on-premises user is displayed after the cloud user in square brackets.

Working with generic Microsoft 365 and Microsoft Entra events

Previous Next

Working with generic Microsoft 365 and Microsoft Entra events

The Microsoft Entra ID audit reports and the Microsoft 365 audit logs are continuously evolving. To ensure that Change Auditor is synchronized with these updates, generic events have been introduced. Each Microsoft Entra and Microsoft 365 facility in Change Auditor has one generic event defined.

The generic event is generated each time an activity occurs that does not have a corresponding event defined in Change Auditor. For example, “Microsoft Entra- User event” is generated when activities such as “Reset password (self-service)” or “Unlock user account” are performed in Microsoft Entra ID. Activity information is populated in additional columns and the description for the event (What statement) is dynamically constructed based upon the activity and target object name.

When working with these events, you can add additional columns to the search layout to view information about the activity.

Table 8. Available columns

Layout Tab

Search Column Name

Description

Microsoft Entra - Activity Name/Operation

Activity Name/Operation

Represents the activity that was performed as part of the event.

For sign-in risk events, this shows the risk event type.

Microsoft Entra - Activity Details

Activity Details

Provides additional information about audited activity.

For example:

For ‘Self-serve password reset flow activity progress’, it shows what step the user is performing.
For sign-in events it shows why the sign-in failed.
For sign-in risk events, this shows the risk event status.

For a complete list of the activities available see Microsoft documentation on “Audit activity reports” and “Search the audit log in the Microsoft 365 Security & Compliance Center”.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen