• United States (English)
• Brazil (Português)
• China (中文)
• France (Français)
• Germany (Deutsch)
• Italy (Italiano)
• Japan (日本語)
• Korea (한국어)
• Mexico (Español)

• サインイン
• サポートアカウントの作成

FREE TRIALS

• ポータルについて詳しく知る
• ダウンロード
• 印刷
• MY ダウンロード ()

• サポート
• 技術文書
• Change Auditor 7.5
• Change Auditor 7.5 - User Guide

Change Auditor 7.5 - User Guide

コンテンツのナビゲーション  

Welcome to Change Auditor Help Change Auditor Core Functionality

Change Auditor Core Functionality Change Auditor Overview

Available Change Auditor auditing modules

Agent Deployment

Deployment page Using group Managed Service Accounts (gMSA) Deploy agents Connect to a different foreign forest/update credentials Change the agent installation location and system tray option Enable auto deployment Refresh or clear Deployment page information

Change Auditor Client Overview

Starting the Change Auditor client Accessing Change Auditor news and updates Managing connection profiles

Connection wizard

Client components Customize table content

Sort data Resize or move columns Add or remove columns Group data

Filter data

Using custom filters

Directory object picker

Overview Page

Overview My Favorite Search Define a favorite search Overview panes

Top Agent Activity Recent Event Activity Count of Events By Agent Status Coordinator Status

Event Details pane

Searches

Introduction Searches page

Explorer view Searches list Search Properties tabs

View a list of available searches Run searches Run a quick search

Search Results and Event Details

Introduction Search Results page

Search Results grid Search Properties tabs Event Details pane

View search results

Display results in different formats

Preview search results Compare results side-by-side View event details or search properties Copy event details Email event details Add comments View user context and run related searches Protect critical objects, mailboxes, files and folders Add search properties to existing event queries

Custom Searches and Search Properties

Introduction Create a custom search Search Properties tabs

Info tab Who tab What tab Where tab When tab Origin tab Alert tab Report tab Layout tab SQL tab XML tab

Enable Alert Notifications

Introduction Alert tab (Search Properties tabs) Enable alerts Disable alerts Alert History page View alert history View event details or alert properties

Administration Tasks

Administration Tasks tab Administration Task lists Export/import Administration Task settings

Agent Configurations

Introduction Agent Configuration page Define agent configurations Assign agent configurations to server agents Enable event logging

Coordinator Configuration

Coordinator Configuration page Configure email alert notifications/reports Manually create a Microsoft Entra web application for sending Microsoft 365 mail Customize alert email content Shared Folder Configuration Group Membership Expansion Add groups to Group Membership Expansion list Agent Heartbeat Check Disconnect client after 30 minutes of inactivity Scheduled Task Handling

Purging and Archiving your Change Auditor Database

Introduction Planning your jobs Purge and Archive page Create and maintain jobs Purge and Archive wizard Purge selected records

Working with Private Alerts and Reports

Introduction Private Alerts and Reports page Disable private alerts and reports Move and delete private searches

Generate and Schedule Reports

Schedule reports for distribution

Create global report template Define report content and layout Enable and schedule reporting

Launch Report Designer Publish reports Print or save a page's contents

SQL Reporting Services Configuration

Introduction SQL Reporting Services Page SQL Reporting Services Templates SQL Reporting Services Wizard

Change Auditor User Interface Authorization

Introduction Application User Interface Authorization page Add task definition Add role definition Add application group Remove a task definition

Client Authentication

Introduction Client Authentication Page

Changing authentication methods

Certificate authentication for client coordinator communication

Introduction

Installation settings Deployment Coordinator configuration Windows client configuration

Integrating with On Demand Audit

Managing a Quest On Demand Audit integration

Creating an On Demand Audit configuration Working with an On Demand Audit configuration

Enable/Disable Event Auditing

Introduction Audit Events page Enable/disable event auditing Modify event's severity level or event class description Define events to be captured based on results View event information

Account Exclusion

Introduction Excluded Accounts Auditing page Excluded Accounts templates Excluded Accounts wizard

Registry Auditing

Introduction Registry Auditing page Registry Auditing templates Registry Auditing wizard

Service Auditing

Introduction Services Auditing page Service Auditing templates Service Auditing wizard

Agent Statistics and Logs

Introduction Agent Statistics page

Agent Statistics grid Resource Properties pane

Machine Info page Processors page Drives page Shares page Services page Exchange Mailboxes page

Agent system tray icon

Change Auditor Agent Status dialog

View agent status/statistics Manage Change Auditor agents Agent Log page View and save agent trace logs

Coordinator Statistics and Logs

Introduction Coordinator Statistics page Coordinator system tray icon

Change Auditor Coordinator Status dialog Coordinator Configuration tool

View coordinator status and statistics Manage Change Auditor coordinators Coordinator Log page View and save coordinator trace logs

Change Auditor Commands

Menu commands Tool bar buttons Right-click commands

Change Auditor Email Tags

Microsoft 365 and Microsoft Entra ID Auditing

Microsoft 365 and Microsoft Entra ID Auditing Overview

Introduction System overview Client components and features Deployment requirements

System requirements License requirements Auditing and agent considerations Auditing in synchronized environments Upgrading Change Auditor

Configuring Microsoft 365 and Microsoft Entra ID auditing

Managing Microsoft 365 templates

Microsoft 365 auditing page Create an Microsoft 365 auditing template Edit a Microsoft 365 auditing template Using an existing web application Disable a template Delete a template

Microsoft 365 Auditing Wizard Managing Microsoft Entra templates

Microsoft Entra auditing page Create a Microsoft Entra auditing template Edit a Microsoft Entra auditing template Disable a template Delete a template

Considerations

Microsoft Entra Auditing Wizard

Reports and Searches

Introduction to Microsoft 365 and Microsoft Entra ID reporting Microsoft 365 built-in reports Microsoft Entra built-in reports Custom searches

Creating custom Exchange Online searches Creating a custom SharePoint Online and OneDrive for Business search

Displaying additional SharePoint Online and OneDrive for Business information

Creating custom Microsoft Entra searches

Displaying additional Microsoft Entra information

Additional information for synchronized environments Working with generic Microsoft 365 and Microsoft Entra events Additional Microsoft 365 and Microsoft Entra event details

Change Auditor for Active Directory

Change Auditor for Active Directory Overview

Introduction Deployment Requirements Client Components and Features

Custom Active Directory Searches and Reports

Introduction Run the All Active Directory Events report Run the All Group Policy Events report Create custom searches

Custom Active Directory Object Auditing

Introduction Active Directory Auditing page Custom Active Directory object auditing Active Directory Auditing wizard Active Directory event logging

Custom Active Directory Attribute Auditing

Introduction Active Directory Attribute Auditing page Custom Active Directory attribute auditing

Member of Group Auditing

Introduction Member of Group Auditing page Member of Group auditing list Member of Group Auditing wizard

Active Directory Federation Services Auditing

Introduction Active Directory Federation Services Auditing page Active Directory Federation Services auditing templates Active Directory Federation Services Auditing Wizard

ADAM (AD LDS) Auditing

Introduction ADAM (AD LDS) Auditing page Enable ADAM (AD LDS) auditing ADAM (AD LDS) Auditing wizard ADAM (AD LDS) event logging

Active Directory Database Auditing

Introduction Active Directory Database Auditing page Active Directory Database auditing templates Active Directory Database Auditing Wizard

Active Roles Integration

Requirements Deploying Change Auditor for Active Directory/Active Roles integration scripts Client components added to Change Auditor for Active Directory Removing deployed Change Auditor for Active Directory/Active Roles integration scripts Troubleshooting Tips

Quest GPOADmin Integration

Requirements GPOADmin and Change Auditor integration process Client components added to Change Auditor for Active Directory Troubleshooting tips

Active Directory Protection

Introduction Active Directory object protection

Active Directory protection page Active Directory protection templates Active Directory Protection wizard

Group Policy Object protection

Group Policy protection page Group Policy protection templates Group Policy Protection wizard

ADAM (AD LDS) object protection

ADAM (AD LDS) protection page ADAM (AD LDS) protection templates ADAM Protection Wizard

Active Directory Database protection

Active Directory Database protection page Active Directory Database protection templates Active Directory Database Protection wizard

Setting extra security on protected objects

Event Details Pane About us

Change Auditor for Authentication Services

Quest Change Auditor for Authentication Services Overview

Introduction Change Auditor for Authentication deployment requirements

Getting Started

Deployment requirements Enable Authentication Services auditing Enable and disable events as required Make changes and run a report

Authentication Services Searches/Reports

Introduction Authentication Services built-in reports Create custom searches Search results

Change Auditor for Defender

Change Auditor for Defender Overview

Introduction Deployment requirements

Getting Started

Deployment requirements and notes Enable Defender auditing Make changes and run a report Troubleshooting

Defender Searches/Reports

Defender built-in searches Search results

Change Auditor for EMC

Change Auditor for EMC Overview

Introduction System overview Deployment requirements

Install EMC Event Enabler Framework Create EMC Auditing template

Client components and features

Getting Started

Introduction Verify auditing template is applied Make changes and run a report Troubleshooting steps

EMC Auditing

Introduction EMC Auditing page EMC auditing templates EMC Auditing wizard File System events settings EMC event logging

EMC Searches/Reports

Introduction Create custom EMC searches

Performance Considerations

Change Auditor agent performance Configuring audit scope

EMC Events File/Folder Inclusion and Exclusion Examples

Inclusions tab Exclusions tab

Folder exclusion examples Volume exclusion examples All volume exclusion examples

EMC Isilon Auditing EMC Unity Auditing

Change Auditor for Exchange

Change Auditor for Exchange Overview

Introduction Deployment requirements Client components and features

Exchange Searches and Reports

Introduction Run the All Exchange Events report Create custom Exchange searches

Exchange Mailbox Auditing

Introduction Exchange Mailbox Auditing page Exchange Mailbox Auditing list Exchange Auditing wizard

Exchange Settings and Event Logging (Agent Configuration Page)

Introduction Exchange Folder Open Event setting Exchange event logging

Exchange Mailbox Protection

Exchange mailbox protection introduction Exchange Mailbox Protection page Exchange Mailbox Protection templates Exchange Protection wizard

Managing Shared Mailboxes

Shared Mailbox events

Disabled Exchange Events

Change Auditor for Windows File Servers

Change Auditor for Windows File Servers Overview

Introduction Deployment requirements Client components/features

Getting Started

Introduction Getting started Create File System Auditing template Make File System changes and run a report Troubleshooting steps

File System Auditing

Introduction File System Auditing page File System Auditing templates File System Auditing wizard File System Event settings File System event logging

File System Searches/Reports

Introduction Create custom File System search

File System Protection

Introduction File System Protection page File System Protection templates File System Protection wizard

File System Events File/Folder Inclusion and Exclusion Examples

Inclusions tab Exclusions tab

Change Auditor for Active Directory Queries

Change Auditor for Active Directory Queries Overview

Introduction Deployment requirements Client components/features

Configure AD Query Auditing

Introduction AD Query Auditing page AD Query Auditing wizard AD Query settings

Active Directory Query Searches/Reports

Introduction Run AD Query reports Create custom AD Query search

AD Query Event Details

Change Auditor for Logon Activity

Change Auditor for Logon Activity Overview

Introduction Benefits and features System requirements Client components and features

Getting Started

Deployment requirements Run reports

User Logon Activity Searches/Reports

Introduction Built-in logon activity searches Create custom user logon activity searches Search Results

Search Results Grid Event Details Pane

Appendix: Workstation Agent Deployment

Recommendations/deployment requirements Manual workstation agent deployment

Appendix: Agent Comparison

Change Auditor for NetApp

Change Auditor for NetApp Overview

Introduction System overview Deployment requirements FPolicy limitation Client components and features

Getting Started

Introduction Verify auditing template is applied Make changes and run a report Troubleshooting steps

NetApp Filer Auditing

Introduction NetApp Auditing page NetApp Auditing templates NetApp Auditing wizard File System events settings NetApp event logging

NetApp Searches/Reports

Introduction Create custom NetApp searches

Performance Considerations

Change Auditor agent performance Configuring audit scope

NetApp Filer Events File and Folder Inclusion and Exclusion Examples

Inclusions tab Exclusions tab

Folder exclusion examples Volume exclusion examples All volume exclusion examples

Change Auditor for SharePoint

Change Auditor for SharePoint Overview

Introduction System overview Deployment requirements

Enable SharePoint settings Add and deploy Change Auditor SharePoint Solution Create SharePoint Auditing template

Client components and features

Getting Started

Introduction Verify deployment status of Change Auditor SharePoint Solution Verify auditing template is applied Make changes and run a report Troubleshooting steps

SharePoint Auditing

Introduction SharePoint Auditing page SharePoint Auditing templates SharePoint Auditing wizard SharePoint event logging

SharePoint Searches and Reports

Introduction Create custom SharePoint searches

Manually Add and Deploy the Change Auditor SharePoint Solution SharePoint Event Requirements Upgrade Change Auditor for SharePoint

Step 1: Upgrade Change Auditor components Step 2: Run SharePoint Solution Manager Step 3: Edit existing SharePoint Auditing templates

Change Auditor for SQL Server

Change Auditor for SQL Server Overview

Introduction Deployment requirements Client components/features

Getting Started

Introduction Apply SQL Server auditing template Make changes to the default SQL instance and run a report

SQL Server Auditing

Introduction SQL Auditing page SQL Auditing templates SQL Auditing wizard SQL Server event logging

SQL Data Level Auditing

Introduction SQL Data Level Auditing page SQL Data Level Auditing templates SQL Data Level Auditing wizard

SQL Extended Events Auditing (Preview)

Introduction SQL Extended Events Auditing templates

SQL Searches/Reports

Introduction Create custom SQL searches Create custom SQL Data Level searches Create custom SQL Extended Events searches (Preview)

Disabled SQL Events

Change Auditor SIEM Integration Guide

Webhooks in Change Auditor

Webhooks in Change Auditor

Integrating Change Auditor and SIEM Tools

Webhooks in Change Auditor Webhook terminology Subscription configuration process

Subscription failover support

Subscription Management

Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions

New-CAEventWebhookSubscription Get-CAEventWebhookSubscriptions Set-CAEventWebhookSubscription Remove-CAEventWebhookSubscription Get-CAEventExportSubsystems

Working with event subscriptions in the client Managing a Splunk integration

Working with Splunk subscriptions through the client New-CASplunkEventSubscription Get-CASplunkEventSubscriptions Set-CASplunkEventSubscription Remove-CASplunkEventSubscription

Splunk event subscription wizard Managing an IBM QRadar integration

Working with QRadar subscriptions through the client New-CAQRadarExtension New-CAQRadarEventSubscription Get-CAQRadarEventSubscriptions Set-CAQRadarEventSubscription Remove-CAQRadarEventSubscription

QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration

Working with Change Auditor data within ArcSight Working with ArcSight subscriptions through the client New-CAArcSightEventSubscription Get-CAArcSightEventSubscriptions Set-CAArcSightEventSubscription Remove-CAArcSightEventSubscription

ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview)

Working with a Quest IT Security Search subscriptions through the client New-CAITSSEventSubscription Get-CAITSSEventSubscriptions Set-CAITSSEventSubscription Remove-CAITSSEventSubscription IT Security Search event subscription wizard

Managing a Syslog integration

Working with Syslog subscriptions through the client New-CASyslogEventSubscription Get-CASyslogEventSubscriptions Set-CASyslogEventSubscription Remove-CASyslogEventSubscription

Syslog event subscription wizard Managing a Microsoft Sentinel integration

Working with Microsoft Sentinel subscriptions through the client New-CASentinelEventSubscription Get-CASentinelEventSubscriptions Set-CASentinelEventSubscription Remove-CASentinelEventSubscription

Microsoft Sentinel event subscription wizard

Webhook technical insights

Handling webhook responses

Change Auditor Threat Detection Deployment

Deploying Threat Detection

Introduction to Change Auditor Threat Detection

Who should have input on the deployment plan? Components and workflow

Requirements and prerequisites Events to configure Port Requirements Maintaining the Change Auditor database size Deploying a Threat Detection server on ESX Deploying a Threat Detection server on Hyper-V

Hyper-V resource control settings

Upgrading the Threat Detection server

Upgrade from Change Auditor version 7.0.2

Update-CAThreatDetectionServer

Upgrade from Change Auditor version 7.0 and 7.0.1

Upload the update package to the Threat Detection server Upgrade the Threat Detection server Join the Threat Detection server to the coordinator's domain Configure the service account

Creating a Threat Detection configuration Reviewing configuration status

Configured server deployment details

Removing a configuration Historical events and your baseline calculations

Threat Detection configuration commands

Adding the PowerShell module Viewing available commands and help Threat Detection sample scripts Connecting to Change Auditor

Connect-CAClient

Managing a Threat Detection configuration

New-CAThreatDetectionConfiguration Get-CAThreatDetectionConfiguration Set-CAThreatDetectionConfiguration Remove-CAThreatDetectionConfiguration

Appendix: System Architecture

Threat Detection system overview

Change Auditor Threat Detection Dashboard

Introduction to Change Auditor Threat Detection

Overview Which Change Auditor modules are monitored? Threat Detection server events Threat detection concepts

Baselines Threat indicators SMART alerts Risk scoring

Threat Detection process

Using the Threat Detection Dashboard

Deployment and installation Accessing the dashboard Overview tab

High Risk Users SMART Alerts All Users Alerts Status Alerts Severity

Users tab

Filters

Risk Navigator User severity calculation

Users Grid

Alerts Tab

Alert severity calculation Alert List Alert Filter How to perform an alert investigation

Common functions

Alert and indicator reference

Alert types Threat indicators

Change Auditor PowerShell Command Guide

PowerShell Commands

Adding the PowerShell module Viewing available commands and help Installing Change Auditor coordinators and web clients Setting the master time zone Finding Change Auditor installations and coordinators Connecting to and disconnecting from Change Auditor installations and coordinators Importing and exporting configuration settings Managing client authentication options Gathering Change Auditor system information Deploying Change Auditor agents Managing auditing templates Working with searches

Copy-CASearch

Managing Active Directory Database auditing Working with Active Directory Database protection templates Managing Windows File System auditing Managing SQL Extended Events Auditing (Preview) Managing Microsoft Entra ID auditing Managing Office 365 auditing Configuring a Quest On Demand Audit integration Working with Active Directory protection templates Working with GPO protection templates

Change Auditor Dialogs

Change Auditor dialogs

Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog

Exchange page Active Directory page

Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog

About Us

About us

• Viewing Topics 673 - 676 of 805

×

Threat Detection server events

---

Threat Detection server events

Threat Detection server activity is also monitored. Events are generated when:

•	A risky user is identified.

•	Risky user severity is increased or decreased.

•	An alert is generated.

•	An alert is marked as a risk.

•	An alert is marked as not a risk.

To view Threat Detection events in the Change Auditor client:

•	Open the Audit Events page on the Administration Tasks tab | Auditing

The events are listed under the Threat Detection - Risky User" facility and the "Threat Detection - Alert" facility.

The event details pane contains information to help gain a better understanding of the activities taking place on the Threat Detection server including:

▪	The number of alerts and their name, severity, score.

▪	User risk score, severity, old and new severity.

▪	When the Threat Detection server started processing the alert.

▪	Indicator s associated with the alert.

▪	Contribution to user score .

For more information on the details displayed for these events, see the Change Auditor Event Reference guide.

Threat detection concepts

---

Threat detection concepts

The following section describes the terms and concepts used within Change Auditor Threat Detection to help you understand how risk is assessed and alerts are determined.

•

Baselines

•	Threat indicators

•	SMART alerts

•	Risk scoring

Baselines

---

Baselines

Change Auditor Threat Detection applies machine learning to build behavioral features and a multi-dimensional baseline of typical behavior for each user in your environment. The baseline comprises a unique set of identifiers to ensure that only abnormal behaviors are flagged. For example, the baseline can include information about when a user typically logs on, which workstation they use, whether they tend to log on from remote locations, which files they typically access and so on.

As the baselines are refined over time, the Threat Detection server makes logical assumptions around what to expect, which minimizes the chances for any alarms around normal changes in activity. Change Auditor Threat Detection requires 30 days of audit history to establish the initial user behavior baselines.

Threat indicators

---

Threat indicators

Indicators define risky activity, such as suspicious user logons, brute-force password attacks, unusual Active Directory changes, and abnormal file access. However, threat indicators are not constrained to a specific raw event — they use machine learning to identify patterns of events that together could indicate a threat.

Specifically, as raw events stream in, the Threat Detection server analyzes human actors, accounts, locations and operations to identify behavior that deviates from established baselines.

Abnormal and risky behaviors are evaluated to produce threat indicators. These indicators are based on present and historical patterns, as well as specifically defined risky object attributes. An indicator consolidates all activities that are detected as abnormal.

Anomalous behavior that corresponds with a threat indicator is identified based on the event’s rarity and criticality. This strategy ensures that only behavioral changes that are important and potentially indicative of a suspicious activity are highlighted out of the raw events.

Threat indicators are the basis for the formation of alerts. Sorted by severity to reflect the security importance, alerts are managed by the analyst providing investigation and feedback.

•  前回
• Viewing Topics 673 - 676 of 805
• 次へ 

この文書を検索 この製品バージョンに対応するすべての文書を検索 この製品に対応するすべての文書を検索 すべての文書を検索

×

 サポートへようこそ

Quest *product*のオンラインサポートヘルプは、関連会社のサポートサイトで参照できます。「Continue（続行）」をクリックすると、*product*の適切なサポートコンテンツとアシスタンスへ移動します。

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択