Chatee ahora con Soporte
Chat con el soporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Eligible Change Auditor Agents dialog

Previous Next

Eligible Change Auditor Agents dialog

The Eligible Change Auditor Agents dialog displays a list of Change Auditor agents that are eligible for selection. This dialog is used throughout the Change Auditor client and the agent list displayed is based on where the dialog was launched.

NetApp Auditing wizard

When accessed from the NetApp Auditing wizard (Add button on the agent selection screen), this dialog displays a list of Change Auditor agents. It also shows whether an agent is assigned to a NetApp Auditing template to capture NetApp events (NetApp cell contains ‘None’ if it is not assigned to a template, or ‘Auditing’ if it is assigned to a template). From this list, select the Change Auditor agent to be used to connect to the specified NetApp filer to receive NetApp events.

EMC Auditing wizard

When accessed from the EMC Auditing wizard (Add button on the agent selection screen), this dialog displays a list of Change Auditor agents that have EMC installed. t also shows whether an agent is assigned to an EMC Auditing template to capture EMC events (EMC cell contains ‘None’ if it is not assigned to a template, or ‘Auditing’ if it is assigned to a template). From this list, select the Change Auditor agent to be used to connect to the EMC file server (CIFS) to receive EMC events.

SharePoint Auditing wizard

When accessed from the SharePoint Auditing wizard (Find a SharePoint Farm drop-down menu option on first screen or Browse button on agent selection screen), this dialog displays a list of the Change Auditor agents that have SharePoint installed. It also shows whether an agent is assigned to a SharePoint Auditing template to capture SharePoint events (SharePoint cell contains ‘None’ if it is not assigned to a template, or ‘Auditing’ if it is assigned to a template). From this list, select the Change Auditor agent that is to be used to connect to the specified SharePoint farm to receive SharePoint events.

Microsoft 365 Auditing wizard

When accessed from the Microsoft 365 Auditing wizard (Select agents button), this dialog displays a list of available server agents. It also shows whether an agent is assigned to an Microsoft 365 auditing template. Microsoft 365 cell contains ‘None’ if it is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the Change Auditor agent that is to be used to capture the Microsoft 365 Exchange Online, SharePoint Online, and OneDrive for Business events.

* 
NOTE: Multiple Microsoft 365 Exchange Online organizations can be audited; however, each organization must be monitored by a separate auditing template and different Change Auditor agent.

Event Logging dialog

Previous Next

Event Logging dialog

The Event Logging dialog appears when the Event Logging tool bar button is clicked on the Agent Configuration page (Administration Tasks tab). From this dialog you can enable or disable event logging for the following:
Active Directory
ADAM (AD LDS)
AD Query
Microsoft Entra ID
Change Auditor
EMC
Exchange
File System
Local Account
NetApp
Service
SharePoint
SQL
Registry
* 
NOTE: If an option is disabled, this indicates that you do not have the corresponding component licensed. For example, if the SQL check box is disabled, you do not have a Change Auditor for SQL Server license.

Event logging for each of the above is disabled by default. Enabling event logging writes Change Auditor events locally to a Windows event log.

 

Export/Import dialog

Previous Next

Export/Import dialog

Appears when the Action | Export or Action | Import menu command is selected from the Administration Tasks tab. From this dialog you can select the configuration settings, and auditing and protection settings/templates that are to be exported from/imported into your existing environment. Using the Export feature, Change Auditor saves the selected settings in an XML file which can then be imported.

Configuration

This section corresponds to the tasks in the Configuration task list on the Administration Tasks tab.

Agent

Select to save the agent configurations and settings currently defined using the Agent Configuration page.

* 
NOTE: When selected, the auditing and protection templates that require agent assignments are selected by default and cannot be cleared.

Coordinator

Select to save the coordinator configurations (such as email notifications and group membership expansion) currently defined using the Coordinator Configuration page.

Application User Interface

* 
NOTE: This setting is not selected by default.

Select to save the current application user interface settings that define who is authorized to use the various Change Auditor features.

 
* 
NOTE: This setting is not selected by default.

Report Layouts

Select to save the report layout templates currently defined.

Purge Jobs

Select to save the purge jobs currently defined.

Auditing

This section corresponds to the tasks in the Auditing task list on the Administration Tasks tab.

Audit Events

Select to save the current settings for the events, including enabled/disabled, severity level and description.

Excluded Accounts

Select to save the current Excluded Accounts Auditing templates that define individual accounts that are to be excluded from Change Auditor auditing.

Active Directory

* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Select to save the Active Directory object class auditing currently defined.

Active Directory | Attributes

Select to save the custom Active Directory attribute auditing currently defined.

Active Directory | Member of Group

Select to save the current Member of Group auditing list.

Active Directory | AD Query

Select to save the current Active Directory containers lists that are being included and excluded from AD Query auditing.

ADAM (AD LDS)

Select to save the custom ADAM (AD LDS) object auditing currently defined.

ADAM (AD LDS) | Attributes

Select to save the custom ADAM (AD LDS) attribute auditing currently defined.

Microsoft 365 Online

Select to save the Microsoft 365 Exchange Online Auditing templates currently defined.

Exchange Mailbox

Select to save the current Exchange Mailbox auditing list.

SQL

Select to save the SQL Auditing templates currently defined.

 
* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

SharePoint

Select to save the SharePoint Auditing templates currently defined to audit SharePoint farms.

File System

Select to save the File System Auditing templates currently defined to audit Windows File Systems.

 
* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Registry

Select to save the Registry Auditing templates currently defined to audit registry keys.

 
* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Services

Select to save the Services Auditing templates currently defined to audit system services.

 
* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

EMC

Select to save the EMC auditing templates currently defined.

NetApp

Select to save the NetApp auditing templates currently defined.

Protection

This section corresponds to the tasks in the Protection task list of the Administration Tasks tab.

Active Directory

Select to save the global protection templates defined to protect critical Active Directory objects.

ADAM (AD LDS)

Select to save the global protection templates defined to protect critical ADAM (AD LDS) objects.

Group Policy

Select to save the global protection templates defined to protect critical Group Policy objects.

Exchange Mailbox

Select to save the global protection templates defined to protect critical Exchange mailboxes.

File System

Select to save the server-level protection templates defined to protect critical files and folders.

 
* 
NOTE: When the Agent option is selected in the Configuration section of this dialog, this option is also selected and cannot be cleared. This is because this type of template must be assigned to an agent configuration in order to work properly.

Install or Upgrade/Uninstall/Update Foreign Agent Credentials

Previous Next

Install or Upgrade/Uninstall/Update Foreign Agent Credentials

On this dialog, you can select the options to schedule a deployment or credential update task.

Select one of the following options to schedule the task:
Now - This option is selected by default and will initiate the task immediately.
When - Select this option to schedule the task for a later date and/or time.

When this option is selected, the date/time field will be enabled allowing you to enter the date and time when the task is to occur. To specify a different date, you can either enter the date in the text box or use the arrow control to select a day from the calendar grid. To change the time, you must enter the time in the text box.

* 
NOTE: Based on client’s current local date and time. The format used is determined by the local computer’s regional and language setting.

If the agent server is from a foreign forest, enter the Active Directory credential information to allow the agent to connect to the coordinator in the remote forest, and click OK.
Coordinator Forest Root (example.com): Enter the coordinator forest root domain to be used by the agent to connect to the coordinator.
Account Name (domain\user): Enter the name of the account that can find and connect to a coordinator in the Active Directory forest.
Account Password: Enter the password associated with the specified account.
Account Type: Select the account type of the specified account.

If you are using a group Account:
The account must end with '$' and the password must be blank.
The domain should be entered in the Fully Qualified Domain Name format.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
The Windows client must be run as the administrator. (Right-click and select Run as administrator.)
The agent host must be correctly configured to successfully retrieve the managed password for the specified group Managed Service Account.
The Coordinator Credential Configurator must be run as the administrator. (Right-click and select Run as administrator.)
For manual installations, the agent installer must be run as the administrator. (Right-click and select Run as administrator.)
For foreign domain agent deployments, the account name for the agent to connect to the coordinator should be specified with the Fully Qualified Domain Name (For example: domain.com\user.)
For foreign domain agent deployments, a trust relationship with the foreign domain and the coordinator's domain is required.
(Install or upgrade only) Add this user to the “ChangeAuditor Agents - <InstallationName>” domain local security group: This is selected by default indicating that the specified user account will be added to the ChangeAuditor Agents security group in the supplied Active Directory domain. User accounts must be added to this security group to properly authenticate.

You may need to pre-stage\create the "ChangeAuditor Agents – <InstallationName>" domain local security group and manually add the configured user account to the security group in additional domains within the forest where coordinators reside. If using a group Managed Service Account this step is required and must be performed manually.

You can add the domain user account to the ChangeAuditor Agents – <InstallationName> security group, if appropriate LDAP and network protocol access is available.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación