Change Auditor 7.5 - User Guide
Copy-CASearch

Use this command to copy a search in the installation.

Table 36. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-IsPublic (Optional)

An optional switch that specifies if the search is public. The default is private.

-UserSid

An optional parameter that is used (when -IsPublic is not used) to specify the SID of the user that owns the directory where the copy of the search is placed.

-Path

A parameter that specifies a path where the copy is to be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Name (Optional)

An optional parameter that specifies a new name for the copy of the search.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

Example: Copying a search named "New Search for Employee" to a user's private folder Searches\New and giving it a new name "All My Events"

$connection = Connect-CAClient -InstallationName 'DEFAULT'
$search = Get-CASearches $connection | ? {$_.Name -eq "New Search for Employee"}
Copy-CASearch -Connection $connection -Search $search -UserSid S-1-5-21-3623811015-3361044348-30300820-1013 -Path Private\Searches\New -Name "All My Events" -PassThru

Add-CASearch

Use this command to create a search in the installation.

Table 37. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-XmlSearchDefinition

An XML string or object that represents a search definition.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the new search.

-Path

A parameter that specifies a path where the new search will be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Name

A parameter that specifies a new name for the search.

-PassThru (Optional)

A switch that specifies to return the new search after the command runs.

Example: Adding a public search to the installation

$connection = Connect-CAClient -InstallationName 'DEFAULT'
$searchDefinition = Get-Content C:\Users\Admin\Documents\MySearchDefinition.xml
Add-CASearch -Connection $connection -XmlSearchDefinition $searchDefinition -IsPublic -Path Shared\AllSearches\New -Name "All events in the past 23 hours" -PassThru

Move-CASearch

Use this command to move a search from one folder path to another in the installation.

Table 38. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the search being moved.

-Path

A parameter that specifies the path where the search will be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Search

The search info object obtained from the Get-CASearches command.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

Example: Moving the search named "All AD Queries in the last 30 days" to the private folder "Shared\SharePoint\" of the user with the SID "S-1-5-21-3623811015-3361044348-30300820-1013"

$connection = Connect-CAClient -InstallationName 'DEFAULT'
$search = Get-CASearches $connection | ? {$_.Name -eq "All AD Queries in the last 30 days"}
Move-CASearch $connection -Search $search -UserSid S-1-5-21-3623811015-3361044348-30300820-1013 -Path "Shared\SharePoint"

Remove-CASearch

Use this command to remove a public or private search from the installation.

Table 39. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-Force (Optional)

A parameter that removes the prompt before a search is removed.

Example 1: Removing any search with the name "All Exchange Admin Events" from the installation

$connection = Connect-CAClient -InstallationName 'DEFAULT'
$search = Get-CASearches $connection | ? {$_.Name -eq "All Exchange Admin Events"}
Remove-CASearch $connection -Search $search

Example 2: Removing the search with the name "All Search Events", owned by the user with the SID "S-1-5-21-3623811015-3361044348-30300820-1013", which exists in that user's folder "Security\Internal\Searches", from the installation

$connection = Connect-CAClient -InstallationName 'DEFAULT'
$search = Get-CASearches $connection | ? {$_.OwnerSid -eq "S-1-5-21-3623811015-3361044348-30300820-1013"} | ? {$_.FolderPath -eq "Security\Internal\Searches"} | ? {$_.Name -eq "All Search Events"}
Remove-CASearch $connection -Search $search

Add-CASearchFolder

Use this command to create a search folder in the installation.

Table 40. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the new folder.

-Path

A parameter that specifies the path to create. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

Example: Adding the public folder Searches\New to the installation

$connection = Connect-CAClient –InstallationName ‘DEFAULT’

Add-CASearchFolder –Connection $connection –IsPublic –Path Shared\Searches\New

Remove-CASearchFolder

Use this command to remove a public or private folder from the installation.

Table 41. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies the folder being removed is public.

-UserSid

A parameter that is used if -IsPublic is not specified to specify the SID of the user that owns the private folder being removed.

-Path

A parameter that specifies the path to the folder to remove. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Force (Optional)

An optional parameter that removes the prompt before the folder is removed.

Example: Removing the public folder Miscellaneous\OldSearches from the installation

$connection = Connect-CAClient -InstallationName 'DEFAULT'
Remove-CASearchFolder $connection -IsPublic -Path Shared\Miscellaneous\OldSearches
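As an added example that is not part of the Quest guide, the following script uses the search cmdlets above to publish a user's private searches into a shared public folder without creating duplicates. The owner SID, folder paths and the "Shared\" prefix for public paths are constructed placeholders; the OwnerSid, FolderPath and Name properties are the ones the guide's own Remove-CASearch example filters on.

```powershell
# Added example (not from the guide): publish one user's private searches to a public folder.
$connection = Connect-CAClient -InstallationName 'DEFAULT'

$ownerSid     = 'S-1-5-21-0000000000-0000000000-0000000000-1001'  # constructed placeholder SID
$sourceFolder = 'Security\Internal\Searches'                      # private folder to publish from
$publicFolder = 'Shared\SecurityTeam\Published'                   # public destination (assumes 'Shared\' prefix as in the guide)

# Create the destination folder; if it already exists, report the error and carry on.
try {
    Add-CASearchFolder -Connection $connection -IsPublic -Path $publicFolder
} catch {
    Write-Warning "Could not create '$publicFolder' (it may already exist): $($_.Exception.Message)"
}

# Select the owner's private searches that live in the source folder.
$toPublish = Get-CASearches $connection |
    Where-Object { $_.OwnerSid -eq $ownerSid -and $_.FolderPath -eq $sourceFolder }

if (-not $toPublish) {
    Write-Warning "No searches found for $ownerSid under '$sourceFolder'."
    return
}

# Names already present in the public folder, so a re-run does not create a second copy.
# Assumes public searches report their FolderPath with the same 'Shared\' prefix used in -Path.
$existing = Get-CASearches $connection |
    Where-Object { $_.FolderPath -eq $publicFolder } |
    ForEach-Object { $_.Name }

foreach ($search in $toPublish) {
    if ($existing -contains $search.Name) {
        Write-Host "Skipping '$($search.Name)': already published."
        continue
    }
    # -PassThru returns the new copy so its final name and location can be logged.
    $copy = Copy-CASearch -Connection $connection -Search $search -IsPublic -Path $publicFolder -PassThru
    Write-Host "Published '$($copy.Name)' to '$publicFolder'."
}
```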

Managing Active Directory Database auditing

Change Auditor allows you to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts.

Extraction of this file could lead to the parsing of usernames and passwords, resulting in a security breach. The ability to audit changes to this file reduces the risk of user account information being accessed and tampered with by unwanted processes or users.

Managing Active Directory database auditing is available through the following PowerShell commands:

New-CAADDatabaseTemplate

Use this command to create an Active Directory Database auditing template.

Table 42. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from auditing. The default is none.

Example: Create a new Active Directory Database auditing template

New-CAADDatabaseTemplate -Connection $connection -TemplateName $template -ExcludeProcess $excludeProcess -Disabled $false

Get-CAADDatabaseTemplates

Use this command to see all the Active Directory Database auditing templates available within your installation.

Table 43. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Id (Optional)

The template GUID.

Example: Get a list of all Active Directory Database templates

Get-CAADDatabaseTemplates -Connection $connection

Remove-CAADDatabaseTemplate

Use this command to delete an Active Directory Database auditing template.

Table 44. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAADDatabaseTemplate object to remove. Obtain the template objects using the Get-CAADDatabaseTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Example: Remove an Active Directory Database auditing template

Remove-CAADDatabaseTemplate -Connection $connection -Template $removeTemplate

Set-CAADDatabaseTemplate

Use this command to modify an Active Directory Database auditing template.

Table 45. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The new name that you want to use for the template.

-Template

The PSCAProtectionTemplate object to update.

Obtain the template objects using the Get-CAADDatabaseTemplates command and filter to select the object to update.

-Disabled (Optional)

Set to $true or $false to disable or enable the template respectively.

-ExcludedProcesses (Optional)

The list of processes to exclude from auditing. The default is none.

Example: Modify an Active Directory Database auditing template

Set-CAADDatabaseTemplate -Connection $connection -Template $template -TemplateName "Name" -ExcludeProcess $excludeProcess -Disabled $false

Working with Active Directory Database protection templates

Change Auditor allows you to protect the Active Directory database (NTDS.dit) file against possible unauthorized access attempts.

The following commands are available to manage Active Directory Database protection:

New-CAADDProtectionTemplate

Use this command to create an Active Directory Database protection template.

Table 46. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from protection. The default is none.

Example: Create an Active Directory Database protection template

New-CAADDProtectionTemplate -Connection $connection -TemplateName TemplateSample

Set-CAADDProtectionTemplate

Use this command to modify an Active Directory Database protection template.

Table 47. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAADDProtectionTemplate object to edit. Obtain the template objects using the Get-CAADDProtectionTemplates command and filter to select the object to update.

-TemplateName (Optional)

The template name.

-Disabled (Optional)

Set to true or false to enable or disable the template.

-ExcludedProcesses (Optional)

The list of processes to exclude from protection. The default is none.

Example: Modify an Active Directory Database protection template

Set-CAADDProtectionTemplate -Connection $connection -Template $template -TemplateName "TemplateSample"

Get-CAADDProtectionTemplates

Use this command to see all the Active Directory Database protection templates that have been created.

Table 48. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-ID (Optional)

GUID for a specific template.

Example: Get a list of all Active Directory Database Protection templates

Get-CAADDProtectionTemplates -Connection $connection

Remove-CAADDProtectionTemplate

Use this command to remove an Active Directory Database protection template.

Table 49. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAADDProtectionTemplates command and filter to select the object to remove.

-Force (Optional)

Removes the template without providing confirmation.

Example: Remove an Active Directory Database protection template

Remove-CAADDProtectionTemplate -Connection $connection -Template $template
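As an added example that is not from the Quest guide, this script ties together the Active Directory Database auditing and protection cmdlets from the two sections above: it creates an NTDS.dit auditing template and a protection template only if they do not already exist, excluding a backup agent that legitimately reads the file, and then lists both sets for review. Template names and the excluded process path are constructed placeholders, and it assumes the returned template objects expose TemplateName and Disabled properties (the guide shows TemplateName only for file system templates).

```powershell
# Added example (not from the guide): idempotent NTDS.dit auditing and protection setup.
$connection = Connect-CAClient -InstallationName 'DEFAULT'

$auditName   = 'NTDS.dit Auditing'     # constructed template names
$protectName = 'NTDS.dit Protection'
# Processes that legitimately touch NTDS.dit (e.g. a backup agent); constructed placeholder path.
$excluded = @('C:\Program Files\BackupVendor\backupagent.exe')

# Auditing template: create it only when no template of that name exists yet.
# Assumes a TemplateName property on the objects returned by Get-CAADDatabaseTemplates.
$audit = Get-CAADDatabaseTemplates -Connection $connection | Where-Object TemplateName -eq $auditName
if (-not $audit) {
    # The guide's parameter table names this parameter -ExcludedProcesses while its examples use
    # -ExcludeProcess; the table's spelling is used here. -Disabled takes a PowerShell boolean.
    New-CAADDatabaseTemplate -Connection $connection -TemplateName $auditName `
        -ExcludedProcesses $excluded -Disabled $false
    Write-Host "Created auditing template '$auditName'."
} else {
    Write-Host "Auditing template '$auditName' already exists; leaving it unchanged."
}

# Protection template: same pattern, with the same processes excluded from protection.
$protect = Get-CAADDProtectionTemplates -Connection $connection | Where-Object TemplateName -eq $protectName
if (-not $protect) {
    New-CAADDProtectionTemplate -Connection $connection -TemplateName $protectName `
        -ExcludedProcesses $excluded -Disabled $false
    Write-Host "Created protection template '$protectName'."
} else {
    Write-Host "Protection template '$protectName' already exists; leaving it unchanged."
}

# Review step: show every auditing and protection template with its enabled state
# (assumes a Disabled property on the template objects).
Get-CAADDatabaseTemplates   -Connection $connection | Format-Table TemplateName, Disabled
Get-CAADDProtectionTemplates -Connection $connection | Format-Table TemplateName, Disabled
```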


Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by system-provided auditing. The auditing scope can be set on an individual file or folder, or on an entire file system, recursively or non-recursively. You can include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

Managing Windows file system auditing is available through the following PowerShell commands:

New-CAWindowsFSAuditObject

Use this command to define a folder or file paths to audit.

Table 50. Parameter description

Parameter

Description

-IncludePath

Specifies the folder or file to audit.

-IncludePathType

Specifies the type of path to audit based on one of the following values:

-IncludeScope

Specifies the scope to monitor for the IncludePath based on one of the following values:

-AuditEvents

The events to audit.

Use Get-CAWindowsFSEventClassInfo to get the list of event classes.

-IncludeMask (Optional)

Specifies what to include in the selected folder or file path to audit. Entering * will audit all files and folders in the selected folder.

-ExcludeFilePaths (Optional)

Specifies the names and paths of any files to exclude from auditing.

The default is set to None.

-ExcludeFolderPaths (Optional)

Specifies the names and paths of any subfolders to exclude from auditing. The default is set to None.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the selected path or folder. The default is set to false.

Example: Monitoring a directory for all file types and all subfolders but excluding one subfolder

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

Example: Monitoring a directory one level deep for all file types except .tmp files

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFilePaths "*.tmp"

New-CAWindowsFSAuditTemplate

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

Use this command to create a Windows file system auditing template.

Table 51. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-AuditObjects

The folder or file path objects created using New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Specifies whether the template is enabled or disabled. Default is set to false.

Example: Create a Windows File System template

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

Remove-CAWindowsFSAuditTemplate

Use this command to delete a Windows File System auditing template.

Table 52. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to remove. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Example: Remove a Windows File System template

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

Set-CAWindowsFSAuditTemplate

Use this command to edit an existing Windows File System auditing template.

Table 53. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to edit. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to update.

-TemplateName (Optional)

The template name.

-AuditObjects (Optional)

The folder or file path objects created using New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Set to true or false to enable or disable the template.

Example: Excluding a process and changing the template name

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Get-CAWindowsFSAuditTemplates

Use this command to see all the Windows File System auditing templates available within your installation.

Table 54. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all Windows File Server templates

Get-CAWindowsFSAuditTemplates -Connection $connection

Example: Get a template based on name

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq 'TemplateName'

Get-CAWindowsFSEventClassInfo

Use this command to get a list of all available Windows File System auditing event classes.

Table 55. Parameter description

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all Windows File Server event classes

Get-CAWindowsFSEventClassInfo -Connection $connection
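As an added example that is not from the Quest guide, this script walks the whole Windows File System auditing procedure above: it obtains the event class list that the guide's examples leave in an undefined $auditEvents variable, builds a recursive audit object for a share with a scratch folder and temporary files excluded, and creates the template or, if a template of that name already exists, updates its audit objects in place. The share path, template name and excluded process are constructed placeholders.

```powershell
# Added example (not from the guide): audit a file share end to end with the cmdlets above.
$connection = Connect-CAClient -InstallationName 'DEFAULT'

# The guide says to obtain the event classes from Get-CAWindowsFSEventClassInfo;
# passing the complete list audits every event class the installation supports.
$auditEvents = Get-CAWindowsFSEventClassInfo -Connection $connection

# Recursive scope over the share (constructed path), ignoring a scratch folder and .tmp files
# so that transient editor/office files do not flood the audit.
$shareAudit = New-CAWindowsFSAuditObject -IncludePath 'D:\Shares\Finance' -IncludePathType SystemFolder `
    -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask '*' `
    -ExcludeFolderPaths 'D:\Shares\Finance\Scratch' -ExcludeFilePaths '*.tmp'

$templateName = 'Finance Share Audit'   # constructed template name

# Look the template up by name, as the guide's Get-CAWindowsFSAuditTemplates example does.
$template = Get-CAWindowsFSAuditTemplates -Connection $connection | Where-Object TemplateName -eq $templateName

if ($template) {
    # Re-running the script replaces the audit objects instead of creating a duplicate template.
    Set-CAWindowsFSAuditTemplate -Connection $connection -Template $template -AuditObjects @($shareAudit)
    Write-Host "Updated audit objects on existing template '$templateName'."
} else {
    # Discard Explorer tooltip and browsing noise, and exclude the backup agent (constructed name)
    # whose reads are expected and would otherwise dominate the event stream.
    New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName $templateName `
        -AuditObjects @($shareAudit) -ExcludeProcess @('backupagent.exe') `
        -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false
    Write-Host "Created template '$templateName'."
}

# Review step: confirm the template is present and enabled.
Get-CAWindowsFSAuditTemplates -Connection $connection | Where-Object TemplateName -eq $templateName
```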
