Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Quest Change Auditor dialog

Previous Next

Quest Change Auditor dialog

Use the Help | About command to start the Quest Change Auditor dialog which displays general release information, including the version, copyright, patent, and licensing information. To close this dialog, click Done.

The Quest Change Auditor dialog contains the following tabbed pages and information:

About page

The About page displays the following information about the currently installed version:
Version and build number
Patent information
Trademark information
Copyright statement

Licenses page

The Licenses page lists the Change Auditor auditing modules that have valid licenses. This list includes the following information for each license:
License — name of the Change Auditor auditing module that is licensed.
Type — type of license currently applied. ‘Ongoing’ indicates a production license.
Expires — the date a trial license is set to expire. ‘No Expiration’ indicates a production license that does not expire.
License Metric - the metric used for the license.
Managed Mailbox represents the number of Exchange managed mailboxes.
Managed Workstation represents the number of Logon Workstation licenses.
Enterprise License represents all Enterprise licenses.
Managed Person represents the number of managed persons in a Managed Person licenses. The Seats Licensed displays the count of managed persons; Seats Used displays as N/A since this type of license does not count seats.
Enabled User Account represents the user count for the associated license.
Seats Licensed — the number of seats licensed.
Seats Used — the number of seats actually being used.

Update License

Click Select License to apply a new Change Auditor license. The Select License File dialog is displayed allowing you to locate and select the Change Auditor license file to be applied.

Legal Notices page

The Legal Notices page displays the acknowledgments for third-party components that are used in Change Auditor.

Contact page

The Contact page provides the following contact information:
Technical Support — a hypertext link that takes you directly to the company’s support portal where you can access new product releases and service packs, product documentation, and our extensive support knowledge base.
Contacting Quest- the phone number for sales and other inquiries.

Add Administrator

Previous Next

Add Administrator

The Add Administrator dialog opens when you select Add | Administrator in the Who search properties tab. This dialog allows you to select whether to include or exclude events generated by administrators in your search results.
Select Yes to include results where the user has the administrator right; and select No to exclude users with the administrator right.
Select to Add your selection and OK to apply the changes.

Add Agents, Domains, Sites dialog

Previous Next

Add Agents, Domains, Sites dialog

The Add Agents, Domains, Sites dialog is displayed when Add With Events is clicked in the Where search properties tab. This dialog contains a list of all the agents, domains, and sites that have an event associated with it in the Change Auditor database.

To include an agent, domain, or site in your search query, select one or more items from the data grid at the top of the dialog and click Add to add the items to the selection list. After you have selected all the items to include in your search, click OK to save your selections and close the dialog.

This dialog contains the following information and controls:

Data grid

The data grid displays a list of all the agents, domains, and sites that have an event associated with it in the Change Auditor database. For each object listed, the following information is displayed:
Name — displays the name of the item that has an event associated with it in the database.
Type — displays the type of object: Server, Domain Controller, Workstation, Domain, or Site.

Selection list

The list box at the bottom of this dialog displays the agents, domains, and sites selected for inclusion in the search definition. That is, only the objects listed are searched for changes. Use the buttons located above this list box to add or remove an object:
Add — Select an item from the data grid and click Add to add it to the selection list box.
Remove — Select the object to remove from the selection list and click Remove.

Add Wildcard Expression

Click this button to display the Add Where dialog where you can enter a wildcard expression to use to search for an agent (NetBIOS name), domain, or site.

On the Add Where dialog:

1
Select the comparison operator to use: Like or Not Like.
2
In the field to the right of the operator, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

By default, the wildcard expression is used to search for an agent. To search for a domain or site, select the Domain or Site option.

Add Container dialog

Previous Next

Add Container dialog

An Add Container dialog is displayed when one of the following buttons are used on the What search properties tab (Searches page or the Purge Options page in the Purge Jobs wizard):
Add | Subsystem | Active Directory displays the Add Active Directory Container dialog
Add With Events | Subsystem | Active Directory displays the Add Active Directory Container dialog
Add | Subsystem | Exchange displays the Add Exchange Container dialog
Add With Events | Subsystem | Exchange displays the Add Exchange Container dialog
Add | Subsystem | ADAM (AD LDS) displays the Select the agent that hosts the ADAM/ AD LDS instance dialog
Add With Events | Subsystem | ADAM (D LDS) displays the Add ADAM (AD LDS) Container dialog

From this dialog, select the Active Directory, Exchange, or ADAM (AD LDS) objects to include in the search.

A similar dialog, Choose the Agents, Domains, or Sites to Include dialog is displayed when the Add button is used on the Where tab. When accessed from the Where tab, use this dialog to locate and select an individual agent, domain or site to include in the search.

The following information and controls are included on this dialog:

Scope

* 
NOTE: The scope options do not apply to the Choose the Agents, Domains, or Site to Include dialog or the Select the agent that hosts the ADAM/AD LDS instance dialog.

To define the scope of coverage, select one of the following options:
All Active Directory Objects (All Exchange Objects or All ADAM (AD LDS) Objects) — select this option to include all objects (Default when Add is used)
This Object — select this option to include the selected object only (Default when Add With Events is used)
This Object and Child Objects Only - select this option to include the selected objects and its direct child objects.
This Object and All Child Objects - select this option to include the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.

Actions

The Actions check boxes allow you to define what types of actions to include in the search definition.

By default, All Actions is selected meaning that all the activity associated with the object is included. However, you can clear the All Actions option and select individual options to include specific actions in your search definition. The options available are:
All Actions — select this option to include when any of the following actions occur (Default)
Add Attribute — select this option to include when an attribute is added
Delete Attribute — select this option to include when an attribute is deleted
Modify Attribute — select this option to include when an attribute is modified
Rename Object — select this option to include when an object is renamed
Add Object — select this option to include when an object is added
Delete Object — select this option to include when an object is deleted
Move Object — select this option to include when an object is moved
Other — select to include other types of activities against the selected object

The Transport check boxes allow you to specify the type of transport protocol used to secure Active Directory changes that are initiated through an AD query.

By default, All Transports is selected. However, you can clear the All Transports option and select the individual options to include specific transports. The options available are:
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)
Port - select to identify a specific port used for communication
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols are included in the search results.
* 
NOTE: The Actions section does not apply to the Choose the Agents, Domains, or Sites to Include dialog or the Select the agent that hosts the ADAM/AD LDS instance dialog.

Directory Object Picker

If you have selected a scope other than the All Active Directory Objects, the directory object picker is enabled allowing you to select the objects to include in the search definition. Use either the Browse or Search page to search your environment to locate and select the directory objects to include.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Use the Options page to view or modify the search options used to retrieve directory objects.

See Directory object picker for more information about using the Browse, Search, or Options page of the Directory Object Picker.

 
* 
NOTE: The directory object picker is only displayed when this dialog is accessed using one of the Add options on the What tab.
* 
NOTE: The directory object picker is displayed when the Explorer View option is selected at the top of the Choose the Agents, Domains, or Sites to Include dialog and the Select the agent that hosts the ADAM/AD LDS instance dialog.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names and optional values for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected with the column names or specified values.

* 
NOTE: Column names and values must be separated with a comma.
* 
NOTE: If an optional column name is not specified, then the default All is used for the value for each object. The default All is also used if the optional column is specified, but the value is empty. Mandatory Name values cannot be empty.
Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

NOTE: The first column must be Name.
NOTE: Wildcard characters are only supported for the Name values.

Examples:

Column: Name

Values:

test.domain.ca/OU1/User1
test.domain.ca/*/Group1
test.domain.ca/OU1/*User*

Actions (Optional)

Possible values include: Add Attribute, Delete Attribute, Modify Attribute, Rename Object, Add Object, Delete Object, Move Object or Other.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute
test.domain.ca/OU1/Group*,

Transports (Optional)

Possible values include SSL/TLS, Kerberos or Simple Bind.

When specifying multiple values they must be separated by the Pipe character '|'.

Examples:

Columns: Name,Actions,Transports

Values:

test.domain.ca/OU1/User1,Move Object|Modify Attribute,Kerberos
test.domain.ca/OU1/Group1,,Kerberos |SSL/TLS

Port (Optional)

The number of the required port.

Examples:

Columns: Name,Actions,Transports,Port

Values:

test.domain.ca/OU1/*,Move Object|Modify Attribute,Kerberos,389
test.domain.ca/OU1/Group1,Add Attribue,Kerberos,
NOTE: When importing a file in the web client, the default value (All Ports) will be applied if port values are specified.

Data Grid

The data grid replaces the directory object picker when the Add With Events option is selected. This grid displays a list of all the objects that have an audited event associated with it in the Change Auditor database.

 
* 
NOTE: The data grid is displayed when Grid View is selected at the top of the Choose the Agents, Domains, or Sites to Include dialog and the Select the agent that hosts the ADAM/AD LDS instance dialog. This data grid displays a list of the agents located within your environment.

Wildcard expression fields

When the This Object scope option is selected, the wildcard expression fields are enabled. Use the wildcard expression fields to specify the expression to use to search for Active Directory (or Exchange) objects (Object Name column in Search Results grid).

1
Select the comparison operator to use: Like or Not Like.
2
In the field to the right of the operator, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

For example, LIKE *admin* finds all Active Directory (or Exchange) objects that contain 'admin' anywhere in their name.

3
Click Add to add the wildcard expression to the Selected Objects list at the bottom of the dialog.
* 
NOTE: The Wildcard Expression fields do not apply to the Choose the Agents, Domains, or Sites to Include dialog, the Select the agent that hosts the ADAM/AD LDS instance dialog or the Add ADAM (AD LDS) Container dialog.

Selected objects list

The list box at the bottom of this dialog displays the objects selected for the search definition. That is, only the objects listed are included in the search (or excluded from the search if the Exclude the Above Selection(s) is selected). Use the buttons located above this list box to add, remove, or update an object:
Add - Click the Add button to add the selected object to the search definition.
Remove - From the Selected objects list, select the object to remove, and click Remove.
Update Scope, Action(s) - Select an object in the list, modify the scope or actions as required, then click Update Scope, Action(s to apply the changes made.
* 
NOTE: The Update Scope, Action(s) button does not display on the Choose the Agents, Domains, or Sites to Include dialog. These buttons are not displayed on the Select the agent that hosts the ADAM/AD LDS instance dialog; click OK to save your selection.

Exclude the Above Selection(s)

Select this option to exclude the selected directory objects from the search. When this check box is selected, Change Auditor returns events generated in all directory objects except those listed in the Selected Objects list.Runtime Prompt

* 
NOTE: This option is not available on the Select the agent that hosts the ADAM/AD LDS instance dialog.
* 
NOTE: This option is available on the Where tab instead of the Choose the Agents, Domains, or Sites to Include dialog.

Select the Runtime Prompt check box to prompt for the Active Directory/Exchange/ADAM(AD LDS) objects to include whenever the search is run. That is, when Run is selected, the appropriate Add Container dialog is displayed allowing you to select the containers to search.

* 
NOTE: When Runtime Prompt is selected, the Active Directory, Exchange, or ADAM (AD LDS) option is disabled on the Add tool bar buttons on the What tab.
* 
NOTE: This option is not available on the Select the agent that hosts the ADAM/AD LDS instance dialog or when this dialog is started from the Purge Job wizard.
* 
NOTE: This option is available on the Where tab instead of the Choose the Agents, Domains, or Sites to Include dialog.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione