Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Audit Events page

Previous Next

Audit Events page

The Audit Events page is displayed when Audit Events is selected from the Auditing task list in the navigation pane of the Administration Tasks tab, and lists all of the events available for auditing. It also displays the facility and subsystem to which the event belongs, the severity assigned to each event, if the event is enabled or disabled and the type of license that is required.

* 
NOTE: Changes made on this page are global and will apply to all Change Auditor agents.

The Audit Events page contains an alphabetical list of all the Change Auditor events, including the following information:

 

Table 1. Audit Events page: Field descriptions

Column

Description

Severity

Indicates the severity level assigned to each event:
Low
Medium
High

When your cursor is placed in this cell, a drop-down arrow is added allowing you to change an event’s severity setting.

Facility Name

Displays the name of the facility to which each event belongs.

Event Class

Displays a descriptive title for each event.

Status

Indicates whether the event is enabled or disabled.

When your cursor is placed in this cell, a drop-down arrow is added allowing you to either enable or disable the event.

License Type

Displays the type of Change Auditor license required for each event:
Any License
Active Directory
AD Query
EMC
Exchange
File System
Logon Activity
NetApp
SharePoint
SQL

Results

Displays the result criteria used to capture change events. That is, you can use the options in this column to specify if an event is to be captured based on the results of the operation mentioned in the event.

All Results (default)
Success Only
Success and Failed Only
Success and Protected Only

For example, if you only want to capture successful events where the operation occurred as stated in the event, you would set this to Success Only. Then, if the change was prevented from occurring as stated in the event (because the object was protected by Change Auditor or the operation was prevented due to a factor/setting outside of Change Auditor’s control) the associated event would not be captured.

Subsystem

Displays the name of the subsystem to which each event belongs.

Enable/disable event auditing

Previous Next

Enable/disable event auditing

You can enable or disable events to best suit your organization. To view or modify the current event auditing settings, use the Audit Events page, which is accessible through the Administration Tasks tab.

* 
NOTE: If event logging is enabled, enabling or disabling events in Change Auditor does not impact this setting and events will continue to be sent to the appropriate Windows event log.
To disable/enable individual events:
1
Open the Administration Tasks tab and click Auditing.
2
Select Audit Events (under the Configuration heading in the Auditing task list) to display the Audit Events page.
3
To disable an event, select one or more enabled events and click Disable. (Use the Shift or Ctrl keys to select multiple events.)
4
To enable an event,select one or more disabled events and click Enable. (Use the Shift or Ctrl keys to select multiple events.)
* 
NOTE: You can also disable or enable an event using the Disable/Enable tool bar button at the top of the Event Details pane on a Search Results page.

Modify event's severity level or event class description

Previous Next

Modify event’s severity level or event class description

Each event has been assigned a severity level and a description, which can also be changed based on your organization’s operation. To view or modify the current event auditing settings, use the Audit Events page, which is accessible through the Administration Tasks tab.

To modify an event’s severity level:
1
Open the Audit Events page.
2
Select one or more events and click the appropriate Severity (High, Medium or Low) tool bar button. Use the Shift or Ctrl keys to select multiple events.
3
To reset an event’s severity to the factory default, select one or more events and click Default.
To modify an event class description:
1
Open the Audit Events page.
2
Select the event from the list and click Edit.

This displays the Rename dialog listing the existing description and allowing you to enter a new description for the selected event.

3
In the New field, enter the new description for the selected event and click OK.

Define events to be captured based on results

Previous Next

Define events to be captured based on results

The Results column on the Audit Events page allows you to specify if an individual event is to be captured by Change Auditor based on the results of the operation performed in the event. That is, you can specify to capture an individual event based on the following results:
All Results - capture event regardless of the result returned.
Success Only - capture event only if the operation occurred as stated in the event.
Success and Failed Only - capture event if the operation occurred as stated in the event or if it was prevented due to a factor/setting outside of Change Auditor’s control.
Success and Protected Only - capture event if the operation occurred as stated in the event or if it was prevented because the object was protected using Change Auditor’s protection feature.
To change the results criteria for capturing an event:
1
Open the Audit Events page.
2
Locate the event to modify.
3
Place your cursor in the Results cell for that event, click the arrow control and select one of the following options:
All Results (default)
Success Only
Success and Failed Only
Success and Protected Only
4
Change Auditor will now only capture and return the event if the operation mentioned if the event meets the results criteria selected.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione