Chat now with support
Chat mit Support

Change Auditor 7.2 - Web Client User Guide

Install Change Auditor Web Client Web Client Overview Overview Page Shared Overviews Administration Page Searches Page Search Results Page Administration Tasks Page Configuration Tasks (Administration Tasks Page) Auditing Tasks (Administration Tasks Page) Protection Tasks (Administration Tasks Page) Change Auditor Client Comparison

What tab

Use the What tab to define 'what' entities are to be included (or excluded) in the search. More specifically, using this tab you can create a search for events based on:

When criteria is specified on the What tab, Change Auditor will retrieve only those events that match the criteria listed on the What tab. When multiple ‘what’ criteria is specified on this tab, Change Auditor uses the ‘AND’ operator to evaluate an event and returns only those events that meet all the specified criteria. However, when multiple subsystems (for example, Active Directory, ADAM and Exchange) are specified, Change Auditor uses the ‘OR’ operator to evaluate these entities, returning events that meet any of the specified subsystem criteria. This also applies when multiple event classes are specified. That is, when multiple event classes are specified, Change Auditor uses the ‘OR’ operator and returns any of the specified events.

By default, all events will be included in a new search definition and therefore the list box on the What tab will be empty. Once criteria is added, the list box contains an expandable view displaying the criteria defined for the search definition.

To add an entity to the What list, expand the Add command and select the appropriate option. On the dialog that appears, specify the ‘what’ criteria for your search. The following table provides a list of the Add command options available with a brief description, the dialog that is displayed and the criteria that can be specified on each of these dialogs.

NOTE: The different Change Auditor auditing modules must be licensed in order to capture and retrieve their associated events. See the License Required column in the table below to see the Change Auditor license required.

Event Class

Any

Select to search for events based on the event class or facility to which they belong.

Add Facilities or Event Classes dialog:

2
Click Add and select one of the following options:
4
Click OK to save selection and close dialog.
NOTE: Use Add With Events to limit the list to events that already have an event in the database.

Object Class

Change Auditor for Active Directory

Select to search for changes to specific object classes (classSchema objects).

Add Object Classes dialog:

2
Click Add.
3
Click OK to save selection and close dialog.
NOTE: Use Add With Events to limit the list to object classes that already have an event in the database.

Severity

Any

Select to search for events based on the severity assigned.

Add Severities dialog:

2
Click Add.
3
Click OK to save selection and close dialog.
NOTE: Use Add With Events to limit the list to severities that already have an event associated with it in the database.

Result

Any

Select to search for events based on the results of the operation mentioned in the event.

Add Results dialog:

2
Click Add.
3
Click OK to save selection and close dialog.
NOTE: Use Add With Events to select from a list of results that already have an event associated with it in the database.

Active Directory

Change Auditor for Active Directory

Select to search for changes to objects in selected Active Directory containers.

Add Active Directory Container dialog:

You can also select Import Objects to import a .csv file of a list of directory objects. Using this list, you can search for an exact object name or use a wildcard.
2
Click Add to add to selection list.
3
Click in Scope cell to change the scope of the search.
4
Click in Actions cell to change setting. All Actions is selected by default, meaning all activity associated with the object will generate an event.
5
Click in Transports cell to change setting. All Transports is selected by default, meaning all AD query operations regardless of the transport protocol used will be included in the search.
6
Click OK to save selections and close dialog.
NOTE: Use Add Wildcard to specify a wildcard expression to search for Active Directory objects.
NOTE: Use Add With Events to select from a list of Active Directory containers that already have an event associated with it in the database.
NOTE: Use Add Enterprise to add the enterprise to the selection list. When this option is selected, all other containers in the selection list are ignored (appear in red). Also, the scope setting cannot be changed.

AD Query

Change Auditor for Active Directory Queries

ChangeAuditor for LDAP (v 5.x)

Select to search for a specific Active Directory query that was performed against a specified Active Directory object.

Add Active Directory Container dialog:

2
Click Add to add to selection list.
3
Click in Scope cell to change the scope of the search.
4
Click in Filter cell to search for an LDAP filter string used in an Active Directory query.
5
Click in Attributes cell to search for attributes that are being queried.
6
Click in Results cell to search for queries that return a specific number of results.
7
Click in Elapsed cell to search for queries that take a specific amount of time to complete.
8
Click in Transports cell to change setting. All Transports is selected by default, meaning all Active Directory queries regardless of the transport protocol used will be included in the search.
9
Click OK to save selections and close dialog.
NOTE: Use Add With Events to select from a list of objects that already have an event in the database.
NOTE: Use Add Enterprise to search the entire enterprise. When this option is selected, all other objects in the selection list are ignored (appear in red). Also, the scope, filter, attributes, results and elapsed settings cannot be changed.

ADAM (AD LDS)

Change Auditor for Active Directory

Select to search for changes to objects in selected ADAM (AD LDS) containers.

Add ADAM (AD LDS) Container dialog:

1
Select CHOOSE COMPUTER link.
3
Click OK to browse the selected instance. If prompted, enter the credentials to be used to access the selected ADAM (AD LDS) instance.
5
Click Add to add to selection list.
6
Click in Scope cell to change the scope of the search.
7
Click in Actions cell to change setting. All Actions is selected by default, meaning that all activity associated with the object will generate an event.
8
Click in Transports cell to change setting. All Transports is selected by default, meaning that all AD query operations regardless of the transport protocol used will be included in the search.
9
Click OK to save selection and close dialog.
NOTE: Use Add With Events to select from a list of ADAM (AD LDS) containers that already have an event associated with it in the database.
NOTE: Use Add Enterprise to search the entire enterprise. When this option is selected, all other containers in the selection list are ignored (appear in red). Also, the scope setting cannot be changed.

Azure Active Directory

Change Auditor for Active Directory

Select to search for changes in Azure Active Directory.

Add Azure Active Directory dialog:

1
Select the Category filter to specify the event category to include in the search. Select a comparison operator (Like or Not like) and enter a category name. For example, for activities related to self-service password resets, choose the “Self-service Password Management” category.
2
Select the Activity Type filter to specify the activity to include in the search. Select a comparison operator (Like or Not like) and enter an activity type. For example, for user related activities, select “User” as the activity type.
3
Select the Activity Name filter to specify the activity to include in the search. (For sign-in risk events, this shows the detected activity that occurred on the risk event.) Select a comparison operator (Like or Not like) and enter an activity name (character string and the * wildcard character). For example: Like *delete* searches for events where Activity contains ‘delete’. For a list of all available activities, see the Microsoft article “Audit activity reports in the Azure Active Directory portal”.
4
Select the Activity Details filter to include activity details in the search. (For sign-in risk events use the status of the risk event, such as Resolved). Select a comparison operator (Like or Not like) and enter a full or partial string (character string and the * wildcard character). For example, the 'Self-serve password reset flow activity progress' activity provides several different details including: User started the mobile SMS verification option, User started the e-mail verification option, or User successfully reset password. Leave this filter blank to return events for all activities or narrow the search based on the activity details.

 

 

5
Select the Target filter to specify the target (primary and secondary targets) to include in the search. (For sign-in risk events, the field searches for the risk event type such as Sign-in from anonymous IP address). Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character). The Target filter searches across the following properties: Object Name (Cloud Target Name), Target Display Name, On-Premises Target, Subject Name, Subject Display Name, and On-Premises Subject.
8
Click Add to add the expression to the selection list.
NOTE: Use Add Wildcard to specify a wildcard expression to search for Azure Active Directory changes.
NOTE: Use Add With Events to select from a list of Azure Active Directory changes that already have an event associated with it in the database.
NOTE: Use Add all events to add all Azure Active Directory events.

Exchange

Change Auditor for Exchange

Select to search for changes to objects in selected Exchange containers.

Add Exchange Container dialog:

You can also select Import Objects to import a .csv file of a list of directory objects. Using this list, you can search for an exact object name or use a wildcard.
2
Click Add to add to selection list.
3
Click in Scope cell to change the scope of the search.
4
Click in Actions cell to change setting. All Actions is selected by default, meaning all activities associated with the object will generate an event.
5
Click in Transports cell to change setting. All Transports is selected by default, meaning that all AD query operations regardless of the transport protocol used will be included in the search.
6
Click OK to save selection and close dialog.
NOTE: Use Add Wildcard to specify a wildcard expression to search for Exchange containers.
NOTE: Use Add With Events to select from a list of Exchange containers that already have an event associated with it in the database.
NOTE: Use Add Enterprise to search the entire enterprise. When this option is selected, all other containers in the selection list are ignored (appear in red). Also, the scope setting cannot be changed.

Office 365 Exchange Online

NOTE: Use Add With Events to select from a list of Exchange Online mailboxes that already have an event associated with them in the database.
NOTE: Expand Add All and select one of the following to search for ‘all’ Office 365 Exchange Online events: All Office 365 Exchange Online Events, All Office 365 Exchange Online Mailbox Events, or All Office 365 Exchange Online Administration Events. When one of these options is selected, all other entries in the selection list are ignored (appear in red).

Change Auditor for Exchange

Select to search for changes to a specific Exchange Online mailbox.

Office 365 Exchange Online dialog:

2
If Mailbox Event is selected:
Select Mailbox Name and/or Folder Name, select the comparison operator to be used: Contains or Does not contain. Enter the name (or partial name) of a mailbox/folder to be used to search for a match. (Case sensitivity is based on your SQL setting). Click Add to add criteria to selection list.
If both the Mailbox Name and Folder Name are specified, both expressions must be met.
Select On-Premises User Name, select the comparison operator to be used: Like or Not like and enter the name (or partial name) to be used to search for a match. (Case sensitivity is based on your SQL setting.) Click Add to add the criteria to the selection list.
Select On-Premises Target Name or Target Display Name, select the comparison operator to be used: Like or Not like and enter the name (or partial name) to be used to search for a match. Case sensitivity is based on your SQL setting. Click Add to add the expression to the selection list.
Select Target Sync Type, select In cloud to include mailbox accounts created in the cloud or Synced from AD to include mailbox accounts that have been synchronized from your on-premises Active Directory directories. Click Add to add the expression to the selection list.

 

 

If Administration Cmdlet Event is selected:

Select Cmdlet and/or Cmdlet Object check box.
Click Add to add criteria to selection list.
Click OK to save the selection and close the dialog.

File System

One of the following:

Change Auditor for Windows File Systems

Change Auditor for NetApp

Change Auditor for EMC

Select to search for specific file system events.

Add File System Path dialog:

2
Click Add to add to selection list.
3
Click in Scope cell to change the scope of the search.
4
Click in Actions cell to change setting. All Actions is selected by default, meaning that all activity associated with the file system will be included in the search.
5
Click in Types cell to change setting. All Types is selected by default, meaning all file system path types will be searched.
6
Click OK to save selections and close dialog.
NOTE: Use Add With Events to select from a list of file system paths that already have an event associated with it in the database.
NOTE: Use Add All File System Paths to search all file system paths. When this option is selected, all other file system paths in the selection list are ignored (appear in red). Also, the Scope and Types settings cannot be changed.

Group Policy

Change Auditor for Active Directory

Select to search for changes to objects in selected Group Policy containers.

Add Group Policy Container dialog:

You can also select Import Objects to import a .csv file of a list of directory objects. Using this list, you can search for an exact object name or use a wildcard.
2
Click Add.
3
Click OK to save selections and close dialog.
NOTE: Use Add Wildcard to specify a wildcard expression to search for Group Policy containers.
NOTE: Use Add With Events to select from a list of Group Policy containers that already have an event associated with it in the database.
NOTE: Use Add All Group Policies to search all group policies in the enterprise. When this option is selected, all other containers in the selection list are ignored (appear in red).

Local Account

Any

Select to search for changes to users or groups that reside in local SAM databases of a member server.

Add Local Account dialog:

2
Click Add.
3
Click OK to save selections and close dialog.
NOTE: Use Add All Local Accounts to search all local accounts in the enterprise. When this option is selected, all other accounts in the selection list are ignored (appear in red).

Logon Activity

Change Auditor for Logon Activity User for server agents

Change Auditor for Logon Activity Workstation for workstation agents

Select to search for a specific type of logon event.

Add Logons dialog:

2
Click Add.
3
Click OK to save selections and close dialog.
NOTE: Use Add With Events to select from a list of logon types that already have an event in the database.

Registry

Any

Select to search for changes to system registry keys that already have an event associated with it in the Change Auditor database.

Add Registry Key dialog:

2
Click Add.
3
Click in Scope cell to change the scope of the search.
4
Click in Actions cell to change setting. All Actions is selected by default, meaning all registry key actions will be included in the search.
5
Click OK to save selections and close dialog.
NOTE: Use Add All Registry Keys to search all registry keys in the enterprise. When this option is selected, all other registry keys in the selection list are ignored (appear in red). In addition, the Scope cannot be changed.

Service

Any

Select to search for changes to services which already have an event associated with it in the Change Auditor database.

Add Service dialog:

2
Click Add.
3
Click OK to save selections and close dialog.

SharePoint

Change Auditor for SharePoint

Select to search for changes to specific SharePoint components.

Add SharePoint Path dialog:

2
Click Add.
You can also use Add Wildcard to specify wildcard expressions.
4
Click OK to save selections and close dialog.
NOTE: Use Add With Events to limit this list to SharePoint paths that already have an event associated with it in the database.
NOTE: Use Add All SharePoint Paths to search all SharePoint paths in the enterprise. When this option is selected, all other paths in the selection list are ignored (appear in red).

SQL

Change Auditor for SQL Server

Select to search for changes to specific SQL instances.

Add SQL Instance dialog:

4
Click Add to add criteria to selection list.
5
Click OK to save selections and close dialog.
NOTE: Use Add With Events to select from a list of SQL instances that already have an event associated with it in the database.
NOTE: Use Add All SQL Instances to search all SQL instances in the enterprise. When this option is selected, all other instances in the selection list are ignored (appear in red).

SQL Data Level

Change Auditor for SQL Server

On the Add SQL Data Level Object, select one of the following and enter the search term:

1
Once you have specified the search term, click Add to add it to the Selection list at the bottom of the dialog.
2
Click OK to save your selection and close the dialog.

Where tab

The Where tab allows you to specify which agents to include (or exclude) in the search definition. You can select individual agents, all agents in a specific domain, or a given site. When multiple ‘where’ criteria is added to this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events captured by any of the specified agents, domains, or sites.

The Where tab contains the following information and controls:

Select this check box to prompt for the ‘where’ criteria when this search is executed. That is, when you select Run, the Select one or more Directory Objects dialog appears allowing you to locate and select the agents, domains, or sites to include in the search definition.
NOTE: When this check box is checked, the Add tool bar button will be deactivated.

Clicking the Add tool bar button displays the Add Agents, Domains, Sites dialog allowing you to specify the agent, domain or site to include in a custom search. Use the tabbed pages on this dialog as described below.

Select Object

2
Click Add to add criteria to the selection list.
4
Click OK to save your selections and close the dialog.

Add Agent

2
Click Add to add criteria to the selection list.
4
Click OK to save your selections and close the dialog.

Add Server Type

2
Click Add to add criteria to the selection list.
3
Click OK to close the dialog and add the server type to the ‘Where’ list.

Add Wildcard

4
Click Add to add the expression to the selection list.
5
Click OK to save your selection and close the dialog.

Add With Events

2
Click Add to add criteria to the selection list.
3
Click OK to save your selections and close the dialog.

When tab

Use the When tab to define a date and/or time range in order to limit your search to include only those events that occur during the selected ranges.

The When tab contains the following information/controls:

Select this check box to prompt for the date and/or time interval each time this search is run. That is, when you select Run, the When dialog appears allowing you to specify the date/time interval to use in your search.
NOTE: When this check box is checked, the Date Interval/Time Interval settings will be deactivated.
From/To: Select this check box and specify the starting and ending date for your date range. Click the calendar icon to select a date from the calendar control.
Last: Select this check box and the appropriate relative date and value (number of minutes, hours, days, weeks, months, quarters or years).
This: Select this option and click the arrow control to select the appropriate time interval (Day, Week or Month).
Select the Time Interval check box to specify a time range to further limit your search.
From: Enter the starting time for your time range or click the clock icon to select a time from the list. Only events that occurred at or after this time will be included in the search.
To: Enter the ending time for your time range or click the clock icon to select a time from the list. Only events that occurred before or at this time will be included in the search.

Origin tab

Use the Origin tab to search for events based on the NetBIOS name or IP address of the workstation or server from which the event originated. When multiple ‘origin’ criteria is specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that originated from any of the specified workstations or servers.

The Origin tab contains the following information/controls:

Select this check box to prompt for the originating workstation or server when this search is executed. That is, when you select Run, the Add Origin dialog appears allowing you to enter the wildcard expression to locate a specific workstation or server.
NOTE: When this check box is checked, the Add tool bar button will be deactivated.

Clicking Add displays the Add Origin dialog allowing you to specify an originating workstation or server. Use the tabbed pages on this dialog as described below.

Add Wildcard

3
Click Add to add criteria to the selection list.
4
Click OK to save your selection and close the dialog.

Add With Events

2
Click Add to add criteria to the selection list.
3
Click OK to save your selection and close the dialog.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen