Chat now with support
Chat mit Support

Change Auditor 7.3 - PowerShell User Guide

Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by system provided auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. You can include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

Managing Windows file system auditing is available through the following PowerShell commands:

Use this command to define a folder or file paths to audit.

NOTE:  

-IncludePath

Specifies the folder or file to audit.

-IncludePathType

Specifies the type of path to audit based on one of the following values:

-IncludeScope

 

Specifies the scope to monitor for the Includepath based on one of the following values:

-AuditEvents

The events to audit.

Use Get-CAWindowsFSEventClassInfo to get the list of event classes.

-IncludeMask (Optional)

Specifies what to include in the selected folder or file path to audit. Entering * will audit all files and folders in the selected folder.

-ExcludeFilePaths (Optional)

Specifies the names and paths of any files to exclude from auditing.

The default is set to None.

-ExcludeFolderPaths (Optional)

Specifies the names and paths of any subfolders to exclude from auditing. The default is set to None.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the selected path or folder. The default is set to false.

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*"
–ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" –ExcludeFilePaths "*.tmp"

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

Use this command to create a Windows file system auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-AuditObjects

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Specifies whether the template is enabled or disabled. Default is set to false.

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

Use this command to delete a Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to remove. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

 

Use this command to edit an existing Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to edit. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-TemplateName (Optional)

The template name.

-AuditObjects (Optional)

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Set to true or false to enable or disable the template.

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Use this command to see all the Windows File System auditing templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSAuditTemplates -Connection $connection

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq TemplateName

Use this command to get a list of all available Windows File System auditing event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSEventClassInfo -Connection $connection

Managing SQL Extended Events Auditing (Preview)

SQL Server Extended Events allow users to gather information on the performance of their SQL database. These commands allow you to create and manage SQL Extended Events auditing templates for auditing SQL Extended Events.

NOTE:  

Use this command to retrieve the list of event names and filters available from the SQL server to use when configuring the SQL Extended Events template. Change Auditor audits event information from the Admin, Operational, and Analytic channels.

-Connection

A connection obtained by using the Connect-CAClient command.

-SQLServerName

The instance name of the SQL server.

-SQLServerLoginCredential

The SQL server credentials used to retrieve the list of available events and filters from the SQL server.

Get-CASQLExtendedEventsInfo –Connection $connection -SQLServerName $sqlservername -SQLServerLoginCredential $dbcredential

Use this command to specify a filter for the SQL Extended Events to audit when creating templates.

-EventsInfo

The available event and filter information obtained using the Get-CASQLExtendedEventsInfo command.

-FieldName

The field on which to filter.

-Operator

The operator to be used for comparison. See the output obtained from the Get-CASQLExtendedEventsInfo command for available operators for the specified filter field.

-Value

The value to be used for comparison.

-FilterType

The type of filter AND or OR.

New-CASQLExtendedEventsFilter -EventsInfo $eventsInfo -FieldName database_name -Operator Equals -Value testdb1 -FilterType 'AND'

Use this command to specify the SQL Extended Events to audit.

-EventsInfo

The available event and filter information obtained using thee Get-CASQLExtendedEventsInfo command.

-EventNames

A string array of event names to be included.

-EventPackages

A string array of event packages to be applied for the specified array of event names when the object is created.

The array values for parameters -EventNames and -EventPackages must be the same length as each index element of each array is paired with one another.

You can specify an empty value for the default package.

New-CASQLExtendedEventsObject -EventsInfo $sqlExtendedEventClasses -EventNames "login_event","database_stopped","error_reported" -EventPackages "sqlserver","sqlserver","xesvlpkg"

Use this command to create SQL Extended Events auditing templates.

-Connection

A connection obtained by using the Connect-CAClient command.

-SQLServerName

The name of the SQL server.

-SQLServerLogonCredential

The SQL server logon credential.

NOTE:  

-Name

A unique name for the template.

-ExtendedEvents

The list of events to audit using New-CASQLExtendedEventsObject.

- Filters (Optional)

A list of event filters using New-CASQLExtendedEventsFilter.

-MaxMemorySize (Optional)

SQL Extended Events maximum memory size in megabytes.

Minimum is 250 MB (default if parameter not specified).

-Disabled (Optional)

Set to determine if the template is enabled or disabled. By

default this is set to False.

-AgentInfo (Optional)

An agent object obtained using the Get-CAAgents command. If not specified, it will expect an agent installed on the SQL server to be audited. The agent is used for SQL Extended Events session management and event auditing.

New-CASQLExtendedEventsTemplate -Connection $connection -AgentInfo $Agent -SQLServerName $sqlServerName -SQLServerLoginCredential $sqlCredential -Name 'testXEventTemplate' -ExtendedEvents $events -Filters $filters

Use this command to see all the SQL Extended Events templates that have been created.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CASqlExtendedEventsTemplates -Connection $connection

Get-CASqlExtendedEventsTemplates -Connection $connection | Filter.Where(_$.name = "MyTemplate")

Use this command to delete a specified SQL Extended Events template.

-Connection

A connection obtained by using Connect-CAClient.

-Template

The template object obtained using Get-CASQLExtendedEventsTemplates.

Remove-CASQLExtendedEventsTemplate -Connection $connection -Template $template

 

 

 

 

Managing Fluid File System auditing

Change Auditor for Fluid File System tracks, audits, reports, and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by system provided auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. Change Auditor also allows you to include or exclude certain files or folders from the audit scope to ensure a fast and efficient audit process.

Change Auditor captures events and provides detailed information relating to the following activities:

The following commands are available to manage Fluid File System auditing:

Use this command to see a list of all Fluid File Service clusters available to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSClusters -Connection $connection

Use this command to see if encryption has been set. Encryption protects the data as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the FluidFS cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

Get-CAFluidFSEncryptionStatus -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

Use this command to get a list of all available FluidFS event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSEventClassInfo -Connection $connection

Use this command to see all the Fluid File System templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all FluidFS templates

Get-CAFluidFSTemplates -Connection $connection

Use this command to get a list of all volumes on a specified cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster from which to retrieve volume names.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

Example: See a list of all available volumes on a cluster

Get-CAFluidFSVolumes -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

Use this command to define which volumes to audit.

 

-Volume

The name of the volume to audit.

-IncludePaths

The folders\files to include.

-EventClasses

The events to audit.

-ExcludeFilePaths (Optional)

The name and path of files to exclude from auditing.

-ExcludeFolderPaths (Optional)

The name and path of subfolders to exclude from auditing.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the volume. The disable feature allows you to temporarily stop auditing the specified volume without having to remove the auditing template or individual volume from a template.

$auditVolume = New-CAFluidFSAuditVolume -Volume $volumes[0] -IncludePaths $includePaths -EventClasses $fluidFSEventClasses -ExcludeFilePaths $excludeFilePaths -ExcludeFolderPaths $excludeFolderPaths -Disabled $False

To enable FluidFS auditing in Change Auditor, you must first create an auditing template for each file server to audit. Each auditing template defines the location of the file server, the auditing scope, and the Change Auditor agents that are to receive the events.

Use this command to create a Fluid File System auditing template.

Returns: A FluidFS template object.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-Agents

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems

The volumes and their list of exclusions and inclusions.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Disabled (Optional)

Specifies whether the template is enabled or disabled.

New-CAFluidFSTemplate -Connection $connection -ClusterName $clustername -Agents $agents -AuditItems $auditItems -ClusterConfigurationCredential $credential
-Disabled $False

Use this command to delete a FluidFS to delete a template when a connection cannot be made with the FluidFS cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to delete.

Clear-FluidFSTemplate -Connection $connection -Template $template

Use this command to edit an existing Fluid File System template.

NOTE: You can also use the Enable-CAAgentTemplate and Disable-CAAgentTemplate to enable or disable the template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to edit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Agents (Optional)

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems (Optional)

The volumes and their list of exclusions and inclusions.

-Enable (Optional)

Set to true or false to enable and disable the template.

Set-CAFluidFSTemplate -Connection $connection -Template $template -ClusterConfigurationCredential $credential -Enable True -Agents $agents -AuditItems $auditItems

Use this command to enable or disable encryption for auditing on the Fluid File System cluster. Encryption allows you to protect the event traffic as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

-EncryptionCredential

The service account credentials for the cluster to use when encrypting events.

Set-CAFluidFSEncryptionCredential -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential -EncryptionCredential $EncryptionCredential

Managing Azure Active Directory auditing

Change Auditor audits activity in the Azure portal that corresponds to the events in the Azure Active Directory auditing logs and sign-in activity. Managing Azure Active Directory auditing is available through the following PowerShell commands:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

The following sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts:

 

Use this command to create a template for auditing Azure Active Directory.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent is used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

$connection = Connect-CAClient –InstallationName ‘Default'

$agent = Get-CAAgents –Connection $connection | where{$_.agentfqdn -like "CAAGENT.DOMAIN.COM"} *Keep in Uppercase

New-CAAzureADTemplate -Connection $connection -CreateWebApp -Tenant $tenant
-AgentInfo $agent –HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Alternatively, use these parameters if you are using a pre-created Azure web application that Change Auditor will use for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Office 365 Management APIs

Application Permissions:

 

Microsoft Graph

Application Permissions:

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -AgentInfo $agent -WebAppKey $webAppKey -WebAppId $webAppId -Tenant $tenant –HistoricalEventCollectionDays 30
-SignIns $True -AuditLogs $True

Use this command to edit the web application key and ID, and the agent in an existing Azure Active Directory template. This also allows you to replace an expired or revoked web application.

NOTE:  

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by the Get-CAAzureADTemplates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId

Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True
-AuditLogs $True

Use this command to see all the Azure Active Directory templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAAzureADTemplates -Connection $connection

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen