What are the new features and what has been resolved in Change Auditor 7.2?
Resolution:
New Features:
Certificate authentication for Office 365:
Because Microsoft has deprecated basic authentication for Office 365 Exchange Online, certificate authentication is now required for Office 365 auditing. Newly created auditing templates and the associated web application will have the required permissions and certificate. However, if you are using an existing web application, you will need to provide a certificate and ensure that it has the required permissions. See the Azure Active Directory and Office 365 Auditing User Guide for details. The following events have also been added:
Azure Active Directory web application certificate created
Office 365 auditing web application certificate changed
Cyber security enhancements:
Additional Active Directory events and built-in searches have been added that can be used as indicators of possible cyber security attacks:
Changes to the SIDHistory attribute for user and group objects.
Changes to the AdminCount attribute for user, group, and computer objects.
Changes to the ServicePrincipalName for users.
Irregular domain controller registration activity that could identify a possible DCShadow threat. DCShadow is a command within Mimikatz that simulates the behavior of a domain controller to push changes to an Active Directory domain through replication, bypassing most of the common security controls.
Ability to create an Active Directory protection template and select a root domain object to prevent users from linking GPOs.
Active Directory Federation Services auditing enhancements:
Additional events and associated built-in searches to audit:
Active Directory Federation Services - Endpoints events
Active Directory Federation Services - Server Farm events
Active Directory Federation Services - Claims Provider Trust events
Additional columns added that allow you to display extra search information.
Additional foreign forest support:
The following is supported in environments where a coordinator does not exist in the foreign forest where agents are deployed:
Ability to select objects in a foreign forest in the Exchange protection wizard.
Ability to select objects in a foreign forest in the Group Policy protection wizard.
Users are notified in the client when a “Force Refresh” cannot contact the foreign forest.
Support for foreign forest objects in the Add-CASearch and Set-CASearchProperties commands.
Additional events:
Events to audit when a change is made to the coordinators selected for purge, archive or report jobs:
Coordinator added to scheduled task processing
Coordinator removed from scheduled task processing
Scheduled task processing assignment changed
Scheduled task processing setting changed
Events to audit failed client logons:
Change Auditor unknown client logon failed
Change Auditor Windows client logon failed
Change Auditor web client logon failed
Change Auditor PowerShell client logon failed
Events to audit changes to the “Inheritance” option on the security tab for Active Directory objects:
Inheritance setting changed on computer object
Inheritance setting changed on group object
Inheritance setting changed on user object
Inheritance setting changed on AdminSDHolder object
Inheritance setting changed on OU object
Inheritance setting changed on group policy object
Internal events are now generated when changes are made to file system templates through PowerShell commands. Previously these events were only generated when changes were made through the Windows client.
Additional platform support:
The following support has been added:
Microsoft Exchange Server 2016 CU19, CU20, CU21, and CU22
Microsoft Exchange Server 2019 CU8, CU9, CU10, and CU11
Windows Server 2022 for Active Directory, Registry, Group Policy, Service, Local Account, AD Query, Logon Activity, and ADFS auditing
Windows 11 for client installations
CEE 8.7.8.2 for EMC auditing
One Identity Defender 5.11
Active Roles 7.4 and 7.5
Authentication Services 5.0 and 5.0.1
NetApp 9.8
GPOADmin 5.16
The following support has been removed:
NetApp auditing on 7-Mode servers
NetApp cluster mode auditing on servers older than 8.1
Windows Server Core 1809, 1903, 1909
Auditing of SharePoint 2010
Auditing of VMware. Note that auditing will still be supported with 7.1.1 (and older) agents.
Miscellaneous features and enhancements:
Update to the label on the SIEM and On Demand Audit event subscription pages to indicate that “Last event time” is shown in UTC.
Performance improvements in sending events to Splunk.
Added the email address and the “managed by” property of a user as new columns available for searches. Additional associated email tags are also available: %AD_USERMAIL% and %AD_MANAGEDBY%.
Performance improvements made to the process of retrieving the site information when doing a topology scan in environments that have a large number of subnets.
Resolved Issues:
Actions caused by the Search-Mailbox command are not audited by Change Auditor - 6893
"Appointment created in shared mailbox” event is not recorded when the appointment is autocreated - 20245
No event is recorded and an exception is logged when adding appointment to shared calendar through OWA - 20246
Invalid license is recorded when the agent connects to the coordinator after a restart - 279044
Error in the web client when exporting search results that contain the Description column - 214779
Add ability to disable the Active Directory dynamic object hook - 235440
Event sending to a Syslog subscription is stopped due to an error encountered when sending GPO permission change events - 240118
The coordinator stops unexpectedly during group expansion of Active Directory groups - 244649
SNMP alerts display the TimeZoneTimeDetected value for the TimeZoneTimeReceived field - 246827
Azure Active Directory sign-in event collection fails and generates the following error: "The operation has timed out" - 246877
Invalid object name - key not found error is generated when selecting 'Add with Events' on Who tab and on What tab for some subsystems - 208501
Upgrade fails if the Change Auditor database is part of a SQL high availability group - 245141
Unable to create VMware auditing template - 252258
Azure events are not collected when there is a failed request and Change Auditor retries using an expired token - 256044
Administration tasks tab slow to open and Audit Events page does not populate data - 261659
Unable to log on to Change Auditor if the ISAdmin check fails to complete - 236083
Domain controller becomes unresponsive when CAADHook encounters a timeout sending to the Agent process and attempts to write a dump file - 252612
Continuous 429 error responses recorded in the Cloudplugin log when collecting Azure Active Directory sign-in events - 259291
Deleting a criterion from the What tab does not update the search when the object is selected or is added from the wildcard expression field or import objects - 6880
Warning message should be displayed when attempting to use the same Azure web application for Azure Active Directory and Office 365 auditing templates - 274336
Agent consumes a lot of CPU when processing large DnsNode changes - 273671
Unable to create Azure Active Directory or Office 365 auditing templates due to changes made by Microsoft in the way the associated web application is created - 317817
"Irregular domain replication activity detected" event is not generated for Windows 2016, Windows 2012, and Windows 2012 R2 domain controllers after recent Windows updates - 318991
Update OpenSSL library to 1.0.2u - 86166
Documentation updated for the following known issue: Change Auditor for Windows File Server Agents may fail to provide Origin information if remote users are already connected when the agent is started. Quest suggests that the server be restarted after the agent is installed or upgraded - 224348
Webhook subscription events should be sent using the maximum batch size - 224726
Documentation updated to state that protection templates stored in Active Directory cannot be managed with PowerShell commands - 245339
dumper.exe to be removed from the Change Auditor agent installation - 229068