Chatta subito con l'assistenza
Chat con il supporto

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Configure AD Query Auditing

Previous Next

Configure AD Query Auditing
Introduction
AD Query Auditing page
AD Query Auditing wizard
AD Query settings

Introduction

Previous Next

Introduction

Because the overhead of recording each Active Directory query read operation is likely to be high, you can optimize the process by summarizing similar operations from the same client, and only record the summary periodically. Quest highly recommends that you perform the following steps to optimize the Active Directory query auditing/reporting process to reduce the number of events being generated:
Use the AD Query Auditing page to specify the containers to include and exclude from Active Directory query auditing.
Use the AD Query settings to optimize the auditing process and define the interval to be used for recording Active Directory query operations.

 

AD Query Auditing page

Previous Next

AD Query Auditing page

The AD Query Auditing page displays when you select AD Query from the Auditing task list in the navigation pane of the Administration Tasks tab. From this page you can specify the Active Directory containers to include and exclude in Active Directory query auditing.

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
* 
NOTE:  
By default, all containers are included
Due to the high volume of Active Directory queries performed against the Schema, RootDSE, and the Configurations containers, Quest recommends that you add these to the exclusion list.

Inclusion and exclusion rules

Only objects that are included (and not excluded) are monitored. For example:

When an object is included and excluded at the same time, it will not be monitored.
When an object is included and some of its child objects are excluded, only child objects that are not excluded will be monitored.
When an object is excluded and some of its child objects are included, none of the child objects will be monitored.

AD Query Auditing page

The AD Query Auditing page contains an expandable view of Active Directory containers included and excluded from Active Directory query auditing.

Added containers display the following information:

Type

Displays the type of container.

Status

Indicates whether the container is temporarily included\excluded (enabled) or not included\excluded (disabled) from Active Directory query auditing.

Scope

Displays the scope of coverage:
Object - excludes this object only
Subtree - excludes this object and all child objects
Included Container

Displays the name of the container selected for inclusion.

Excluded Container

Displays the name of the container selected for exclusion.

To include a container to the AD Query audit list:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select AD Query (under the Forest heading in the Auditing task list) to open the AD Query Auditing page.
4
Click Add to open the AD Query Auditing wizard.
5
Select the scope:
RootDSE - select this to include the RootDSE object.
This Object and All Child Objects - select this to specify the containers to include. (Selecting a container will also include any child objects.)
6
If the This Object and All Child Objects option is selected, use the Browse and Search pages to locate and select a directory object. Click Add to add the selected directory object to the inclusion list.

Repeat this step to add additional directory objects.

7
Click Finish to close the wizard and return to the AD Query Auditing page, where your selections will now be listed.
 
To exclude a container to the AD Query audit list:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select AD Query (under the Forest heading in the Auditing task list) to open the AD Query Auditing page.
4
Click Add to open the AD Query Auditing wizard.
5
Select the scope:
RootDSE - select this option to exclude the RootDSE object. (Selecting this container will not exclude child objects.)
This Object and All Child Objects - select this option to specify the containers to exclude. (Selecting a container will also exclude any child objects.)
6
If the This Object and All Child Objects option is selected, use the Browse and Search pages to locate and select a directory object. Click Add to add the selected directory object to the exclusion list.

Repeat this step to add additional directory objects.

7
Click Finish to close the wizard and return to the AD Query Auditing page, where your selections will now be listed.
To disable the inclusion or exclusion of a container:

The disable feature allows you to temporarily stop including or excluding an individual container from Active Directory query auditing without having to remove it from the AD Query Auditing list.

1
On the AD Query Auditing page, use one of the following methods to disable the exclusion of a container:
Place your cursor in the Status cell for the container to be disabled, click the arrow control and select Disabled.
Right-click the container to be disabled and select Disable.

The entry in the Status column for the container will change to ‘Disabled’.

2
To re-enable the exclusion or inclusion of the selected container, use the Enable option in either the Status cell or right-click menu.
To delete a container from the inclusion or exclusion list:
1
On the AD Query Auditing page, select the container to be deleted and click Delete.
2
Click Yes to confirm to deletion.

AD Query Auditing wizard

Previous Next

AD Query Auditing wizard

The AD Query Auditing wizard is displayed when you click Add on the AD Query Auditing page. This wizard enables you to locate and select Active Directory containers to include and exclude from Active Directory query auditing.

Only objects that are included and not excluded are monitored. For example:

When an object is included and excluded at the same time, it will not be monitored.
When an object is included and some of its child objects are excluded, only child objects that are not excluded will be monitored.
When an object is excluded and some of its child objects are included, none of the child objects will be monitored.

The following table provides a description of the fields and controls in the AD Query Auditing wizard.

 

Table 2. AD Query Auditing wizard

Add Objects to include from AD Queries page

RootDSE

Select this option to include the RootDSE container.

This Object and All Child Objects

Select this option to specify the containers to include. When this option is selected, use the Browse and Search page to locate and select a container.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the required containers. Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the required containers. Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Included Containers List

The containers selected for inclusion for Active Directory query auditing are displayed in the list box located across the bottom of this page. Use the buttons located above this list box to add and remove containers.
Add - Select a container in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry in the list and then click Remove to remove it.

Add Objects to exclude from AD Queries page

RootDSE

Select this option to exclude the RootDSE container.

NOTE: Selecting this option will NOT exclude any child objects.

This Object and All Child Objects

Select this option to specify the containers to exclude. When this option is selected, use the Browse and Search pages to locate and select a container.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the containers to exclude from Active Directory query auditing.

Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the containers to exclude from Active Directory query auditing.

Once you have selected a container, click Add to move the entry to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Excluded Containers List

The containers selected for exclusion from Active Directory query auditing are displayed in the list box located across the bottom of this page. Use the buttons located above this list box to add and remove containers.
Add - Select a container in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry in the list and then click e Remove to remove it.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione