Chat now with support
Chat mit Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Run the All Active Directory Events report

Previous Next

Run the All Active Directory Events report

Running this report retrieves changes (all actions and results) to all Active Directory objects being audited.

1
From the Searches tab, expand the Shared | Built-in | All Events folder.
2
Locate and double-click All Active Directory Events in the right pane.

This displays a new Search Results page displaying the Active Directory events captured over the last seven days.

Run the All Group Policy Events report

Previous Next

Run the All Group Policy Events report

Running this report retrieves changes (all actions and results) to all Group Policy objects.

1
From the Searches tab, expand the Shared | Built-in | All Events folder.
2
Locate and double-click All Group Policy Events in the right pane.

This displays a new Search Results page displaying the Group Policy events captured over the last seven days.

Create custom searches

Previous Next

Create custom searches

The following scenarios explain how to use the What tab to create custom searches.

 
* 
NOTE: You can use the other search properties tabs to define additional criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range
Origin - allows you to search for events that originated from a specific workstation or server
To search for changes to a specific Active Directory container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Active Directory.
* 
NOTE: You can use Add with Events | Subsystem | Active Directory (instead of Add | Subsystem | Active Directory) to search for an entity that already has an event associated with it in the database.
6
On the Add Active Directory Container dialog, select one of the following options to define the scope of coverage:
All Active Directory Objects - select to include all objects. (Default when the Add tool bar button is used).
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.
7
By default, All Actions is selected meaning that all the activity associated with the object generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
8
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used are included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)
Port - select to identify a specific port used for communication
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
9
When a scope other than All Active Directory Objects is selected, the directory object picker is enabled allowing you to select the objects to include in the search definition.

Use either the Browse or Search page to search your environment to locate and select the Active Directory objects to include. Use the Options page to view or modify the search options to be used to retrieve directory objects.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected with the column names or specified values.

* 
NOTE: Column names and values must be separated with a comma.
* 
NOTE: If an optional column name is not specified, then the default All is used for the value for each object. The default All is also used if the optional column is specified, but the value is empty. Mandatory Name values cannot be empty.
Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

NOTE: The first column must be Name.
NOTE: Wildcard characters are only supported for the Name values.

Examples:

Column: Name

Values:

test.domain.ca/OU1/User1
test.domain.ca/*/Group1
test.domain.ca/OU1/*User*

Actions (Optional)

Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute
test.domain.ca/OU1/Group*,
Transports (Optional)

Possible values include SSL/TLS, Kerberos or Simple Bind.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions,Transports

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute,Kerberos
test.domain.ca/OU1/Group1,,Kerberos |SSL/TLS
Port (Optional)

The number of the required port.

Examples:

Columns: Name,Actions,Transports,Port

Values:

test.domain.ca/OU1/*,Move Object|Modify Attribute,Kerberos,389
test.domain.ca/OU1/Group1,Add Attribue,Kerberos,
NOTE: When importing a file in the web client, the default value (All Ports) will be applied if port values are specified.

 

* 
NOTE: Select the Exclude the Above Selection(s) check box to search for changes to all directory objects except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a directory object every time the search is run.
10
Once you have added all the Active Directory objects to be included in the search, click OK to save your selection and close the dialog.
11
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the Active Directory objects specified on the What tab.

To construct an Active Directory object search using a wildcard expression:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Active Directory.
6
On the Add Active Directory Container dialog, select the This Object scope.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
By default, All Actions and All Transports are included. To change any of these settings, clear the corresponding check box and select the individual options.
8
Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Active Directory objects (Object Name column in Search Results grid).
Select the comparison operator to be used: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.

Use the * wildcard character to match any string of zero or more characters. For example: LIKE *admin* will find Active Directory objects that contain ‘admin’ anywhere in their name.
Use Add to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To search for changes to a specific Group Policy container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Group Policy.
* 
NOTE: You can use Add with Events | Subsystem | Group Policy (instead of Add | Subsystem | Group Policy) to search for an entity that already has an event associated with it in the database.
6
On the Add Group Policy Container dialog, select one of the following options to define the scope of coverage:
All Objects - select to include all objects (Default)
This Object - select to include the selected object only
7
When the This Object scope option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy objects to include in the search.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

8
Use the Options page to view or modify the search options to be used to retrieve directory objects.
* 
NOTE: On the Add Group Policy Container, the Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Canonical Name field. Simply click the Search button on this page to locate the Group Policy containers in your environment.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected.

Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

Examples:

Column: Name

Values:

test.domain.ca/System/Policies/{D72618D2-1413-4352-8EC9-FA4A33CBE99C}
test.domain.ca/System/Policies/*

 

* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Group Policy Objects except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a Group Policy Object every time the search is run.
9
Once you have added all the Group Policy Objects to be included in the search, click OK to save your selection and close the dialog.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the Group Policy Objects specified on the What tab.

To construct a Group Policy object search using a wildcard expression:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | Group Policy.
6
On the Add Group Policy Container dialog, select the This Object scope.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
By default, All Results will be included. To change this setting, clear the All Results check box and select the individual results to be included.
8
Use the wildcard expression fields in the middle of the dialog to specify the expression to be used to search for Group Policy objects (Object and Canonical Name columns in Search Results grid).
Select the comparison operator to be used: Like or Not Like.
In the field to the right, enter the pattern (character string and * wildcard character) to be used to search for a match.

Use the * wildcard character to match any string of zero or more characters. For example: LIKE Default* will find Group Policy objects whose name begins with the word ‘Default’.
Use the Add button to add the wildcard expression to the Selected Objects list box at the bottom of the dialog.
9
After entering the wildcard expression to be used, click OK to close the dialog and add the wildcard expression to the ‘what’ list.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
To search for changes to a specific object class (classSchema object):
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Object Class.
* 
NOTE: You can use Add with Events | Object Class (instead of Add | Object Class) to search for an entity that already has an event associated with it in the database.
6
On the Add Object Class dialog select an object class and click Add to add it to the list box located across the bottom of the dialog. Repeat this step to add additional object classes.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all object classes except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an object class every time the search is run.
7
Once you have made your selections, click OK to save your selection and close the dialog.
8
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the object classes specified on the What tab.

To search for changes to a specific ADAM (AD LDS) container:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
On the What tab, expand Add and select Subsystem | ADAM (AD LDS).
* 
NOTE: You can use Add with Events | Subsystem | ADAM (AD LDS) (instead of Add | Subsystem | ADAM (AD LDS)) to search for an entity that already has an event associated with it in the database.
6
On the Select the agent that hosts the ADAM/AD LDS instance dialog, use the Browse or Search page to locate and select the agent that hosts the ADAM (AD LDS) instance to be searched.
* 
NOTE: The Explorer View is displayed by default; however, this display will not include member servers. Therefore, if you have installed ADAM (AD LDS) on a workgroup server, select the Grid View option at the top of the dialog to select from a list of workgroup servers.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forest credentials which can be entered on the Credentials Required dialog.

If credentials are required, a Credentials Required dialog is displayed allowing you to enter the credentials to be used to access the selected instance.

7
On the Add ADAM (AD LDS) Container dialog, select one of the following options to define the scope of coverage:
All ADAM (AD LDS) Objects - select to include all objects. (Default when the Add tool bar button is used.)
This Object - select to include the selected objects only. (Default when the Add With Events tool bar button is used).
This Object and Child Objects Only - select to include the selected objects and its direct child objects.
This Object and All Child Objects - select to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.
8
By default, All Actions is selected meaning that all of the activity associated with the object will generate an audited event. However, you can clear the All Actions option and select individual options. The options available are:
All Actions - select to include when any of the following actions occur (Default)
Add Attribute - select to include when an attribute is added
Delete Attribute - select to include when an attribute is deleted
Modify Attribute - select to include when an attribute is modified
Rename Object - select to include when an object is renamed
Add Object - select to include when an object is added
Delete Object - select to include when an object is deleted
Move Object - select to include when an object is moved
Other - select to include other types of activity against the selected object
9
By default, All Transports is selected indicating that all Active Directory events regardless of the transport protocol used will be included in the search. However, you can clear the All Transports option and select individual options. The transport options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
Port - select to identify a specific port used for communication
10
When a scope other than All ADAM (AD LDS) Objects is selected, the directory object picker is activated allowing you to select the ADAM (AD LDS) containers to be included in the search definition.

Use either the Browse or Search page to search your environment to locate and select the ADAM (AD LDS) containers to be included.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Use the Options page to view or modify the search options or ADAM instance to be used to retrieve directory objects.

Once you select a container to be included, click Add to add it to the list at the bottom of the dialog.

* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all ADAM (AD LDS) containers except those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an ADAM (AD LDS) container every time the search is run.
11
Once you have added all the ADAM (AD LDS) containers to be included in the search, click OK to save your selection and close the dialog.
12
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

When this search is run, Change Auditor searches for changes to the ADAM containers specified on the What tab.

Custom Active Directory Object Auditing

Previous Next

Custom Active Directory Object Auditing
Introduction
Active Directory Auditing page
Custom Active Directory object auditing
Active Directory event logging
Active Directory Auditing wizard
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen