Chat now with support
Chat mit Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Filter data

Previous Next

Filter data

Traditional search capabilities provide the first phase of details, but locating individual events typically requires more granular search capabilities and additional steps. Change Auditor provides advanced filtering options to modify the results of a search without changing the original search. With this capability, filtering can be performed on one or more columns of a result, ultimately reducing the need to build the same search multiple times with minor customizations.

To filter data:

Throughout the client, you will see a row of data filtering cells under the headings row in each of the data grids. These cells provide data filtering options which allow you to filter and sort the data displayed.

1
Place your cursor in one of these cells, and click Click here to filter data.
2
In the selected cell, enter the word or string to use to filter the data displayed. Filtering will take place as you type your entry.
3
By default, Change Auditor will use either the ‘starts with’ or ‘contains’ expression to filter the data. However, if you click the search criteria button, you can select a different expression.
4
To remove the filtering and return to the original data grid, click the Remove Filter button to the far left of the cells.
5
To remove the filtering of an individual cell, click the Remove Filter button to the right of that cell.
To create a custom filter:

When you place your cursor in a data filtering cell, a drop-down arrow displays to the right of this cell. This drop-down displays all the items available for selection, including (Custom), (Blanks), and (NonBlanks). Selecting an item from this list displays entries based on the item selected.

1
To create a custom filter, place your cursor in the cell beneath the column to filter. Click the arrow control and select (Custom). The Custom Filter dialog opens.
2
Select the appropriate option in the Filter based on <All | Any> of the following conditions.
Select All if all the criteria entered has to be met in order to be included.
Select Any if only one of the criteria entered has to be met in order to be included.
3
In the field to the right of the column heading, click the arrow control to select the comparison operation to be used (for example, Like, Equals, Contains, and so forth).
4
In the field to the right of the comparison operator, enter the pattern (character string or value) to be used to search for a match.

Use the * wildcard character to match any string of zero or more characters. For example, entering LIKE *change* in the Event column, will find events that contain the string ‘change’, such as changed, Change Auditor, etc.

5
To add additional criteria, click Add. This allows you to add a row to the custom filter to specify additional criteria for the selected column.
6
After you have created the custom filter, click OK to close the dialog and filter the data based on the criteria entered.

Using custom filters

Previous Next

Using custom filters

The following procedures walk you through a few scenarios using custom filters.

To find events generated when a member is added to a group:
1
Run the All Events search.
2
On the Search Results page, place your cursor in the data filtering cell of the Event column, click the arrow control and select (Custom).
3
Select All.
4
Specify the following criteria:
Contains | group
Contains | added
Does not contain | group policy
5
Click OK.
To find delete object operations related to a forest container:
1
Run the All Events search.
2
On the Search Results page, place your cursor in the data filtering cell of the Action column, click the arrow control and select (Custom).
3
Select All.
4
Specify the following criteria:
Contains | delete
Contains | object
5
Click OK.
6
On the Search Results page, place your cursor in the data filtering cell of the Facility column and enter: forest.

Directory object picker

Previous Next

Directory object picker

Throughout the client, the directory object picker is used to locate and select Active Directory objects from the environment. This object picker is displayed in either a stand-alone dialog (such as the Select Active Directory Objects dialog) or as a page in a wizard. The client needs to be able to connect to a Global Catalog (GC) to display the object picker and query objects. The client contacts the coordinator to get the Global Catalog that should be used. The coordinator attempts to choose a GC in its local domain and site. If none is found, it chooses one in its domain, then in the local site, and lastly the entire forest. It is recommended to have the coordinator and the client reside in the same site and/or domain so that the directory object picker performs more efficiently.

The object picker consists of the following pages:
Browse - use the Browse page to select a directory object from a hierarchical view of your environment
* 
NOTE: If Active Directory integrated DNS is deployed, you can access the ForestDNSZones or DomainDNSZones partitions by right-clicking on the top-level domain object.
Search - use the Search page to search your environment to locate and select a directory object
* 
NOTE: Disabled objects on these two pages are represented by a red X icon.
Options - use the Options page to view or modify search options used to retrieve directory objects

Browsing for a directory object

To browse for a directory object:
1
Open the Browse page.
2
In the Forest field, select the forest that contains the required directory objects.
* 
NOTE: The Forest field is available in directory object picker in the following areas:
Group membership expansion, Email Alerts Configuration, and shared folder configuration
Purge and archive jobs
Active Directory, AD Query, ADAM (AD LDS), Exchange, Group Policy, Local accounts, Registry, Service, and SQL Server searches
Report and alert email configuration
Windows File System and AD Query auditing wizard
Active Directory auditing and protection wizard
File System protection wizard
3
In the Find field, either enter or use the drop-down menu to select the type of directory object.

You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in an entry, you must use the Enter key or the Apply Filter button to display the objects.

 
* 
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. Thus, when this field is grayed out, this is a read-only field which cannot be changed.
4
In the explorer view (left pane), single-click on the expansion state box to the left of a container or double-click a container to expand the view to display subordinate objects.

Select a container in this pane to populate the object list (right pane) with the objects that belong to the selected container.

* 
NOTE: Right-clicking the root domain in the explorer view displays a drop-down menu listing any peer domains. To view a different domain’s objects, select the desired domain from those listed.

Use the F5 button to force a refresh of the contents of this pane.

5
In the object list, click the object to select it and use the Add button to add it to the Selected Objects list at the bottom of the dialog.
 
* 
NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the objects selected from either of these pages.
6
Once you have added objects to this list, use the Select button to save your selection and close the dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and continue.

Searching for a directory object

To search your environment for a directory object:
1
Open the Search page and use the controls at the top of the page to search your environment to locate the desired objects.
2
In the Find field, either enter or use the drop-down menu to select the type of directory object to be located.

You can enter multiple classes, separated by either a comma or semi-colon. Note that when you type in an entry, either click the Enter key or use the Search button to display the objects.

3
In the Name field, specify a search expression to be used to search Active Directory to locate a particular object. In most cases, this field will contain an asterisk (*) indicating to search for all objects of the type specified in the Find field.
* 
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. Thus, when this field is grayed out, this is a read-only field which cannot be changed.

Select the ANR check box to use Ambiguous Name Resolution (ANR) as the search algorithm, which allows you to enter limited input (partial data) to find multiple objects in your network.

When the ANR check box is checked, use one of the following methods to enter your search expression:
Enter a partial string to return exact matches or a list of possible matches. For example, entering ‘Admin’ will return objects that contain the names ‘Admin’, ‘Admins’, ‘Administrator’, Administrators’, etc.
Enter a string preceded by the equal sign (=Admins) to return only exact matches. For example, entering ‘=Admin’ will return only those objects containing the name ‘Admin’.

By default, ANR will search the following attribute fields in Active Directory:
First Name (GivenName)
Last Name (Surname)
Display Name (displayName)
LegacyExchangeDN
msExchMailNickname
Relative Discontinued Name of the object (RDN)
Office (physicalDeliveryOfficeName)
Email address (proxyAddress)
Security Account Manager account (sAMAccountName)

When the ANR check box is not checked, the search expression entered will be used to search only the Display Name of directory objects to locate a particular object.

To use this search mechanism, enter a string of characters and the wildcard (*) character as described below.
n* will return objects that start with the letter ‘n’
*n will return objects that end in the letter ‘n’
*n* will return objects that contain the letter ‘n’ within their Display Name.
4
After entering a search expression, use the Search button to initiate the search and return the results of the search.
5
The object list displays the objects found as a result of your search. To select an object, click on the object to highlight it and use the Add button to add it to the Selected Objects list.
 
* 
NOTE: The Selected Objects list is used for both the Browse and Search pages and will contain the objects selected from either of these pages.
6
Once you have added objects to this list, use the Select button to save your selection and close the dialog. Or if the directory object picker is part of a wizard, click Next to save your selection and continue.
To view or modify the search options to use to retrieve directory objects:
1
Open the Options page and modify the options as required.
* 
NOTE: The settings on the Options page only apply to the current user and do not impact other users using a Change Auditor client.
2
The Search Limit field specifies the maximum number of records to return for an Active Directory object search. The default is 2000 records.

To change this limit, enter a value between 100 and 9999.

Or to allow an unlimited number of records to be returned, select the No Search Limit check box.

3
The Page Size field displays the maximum number of records to return per LDAP polling cycle.
* 
TIP: Care should be taken when modifying this value, because it could impact the performance of your searches.
4
Once you have made changes on the Options page, use the Select button to save your selection and close the dialog. If the directory object picker is part of a wizard, click Next to save your selection and continue.

Overview Page

Previous Next

Overview Page
Overview
My Favorite Search
Define a favorite search
Overview panes
Event Details pane
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen