
Change Auditor 7.4 - PowerShell User Guide

Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by system-provided auditing. The auditing scope can be set on an individual file or folder, or on an entire file system, either recursively or non-recursively. You can include or exclude specific files or folders from the audit scope to make auditing faster and more efficient.

Managing Windows file system auditing is available through the following PowerShell commands:

Use this command to define the folder or file paths to audit.

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFilePaths "*.tmp"

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

Use this command to create a Windows file system auditing template.

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

Use this command to delete a Windows File System auditing template.

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

Use this command to edit an existing Windows File System auditing template.

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Use this command to see all the Windows File System auditing templates available within your installation.

Get-CAWindowsFSAuditTemplates -Connection $connection

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq TemplateName

Use this command to get a list of all available Windows File System auditing event classes.

Get-CAWindowsFSEventClassInfo -Connection $connection
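The following script ties the commands above together into one procedure: connect, pick the event classes, define two audit objects, create a template that excludes noisy processes, and verify the result. It is an added example, not from the Quest guide. It assumes 'Default' as a placeholder installation name, constructed share paths and process names, that the objects returned by Get-CAWindowsFSEventClassInfo can be filtered on an EventClass property and passed to -AuditEvents, and that -AuditObjects accepts an array of audit objects.

```powershell
# Added example (not from the Quest guide): build a Windows File System auditing
# template for a sensitive share, exclude noise sources, and verify it exists.
# Assumptions: 'Default' is a placeholder installation name; the share paths and
# process names are constructed; Get-CAWindowsFSEventClassInfo is assumed to
# return objects with an EventClass property usable with -AuditEvents;
# -AuditObjects is assumed to accept an array of audit objects.

$connection = Connect-CAClient -InstallationName 'Default'

# Select the event classes to audit. Run Get-CAWindowsFSEventClassInfo on its own
# first and adjust the filter to the class names your installation reports.
$allEventClasses = Get-CAWindowsFSEventClassInfo -Connection $connection
$auditEvents = $allEventClasses | Where-Object { $_.EventClass -like '*File*' -or $_.EventClass -like '*Folder*' }
if (-not $auditEvents) { throw 'No matching event classes were returned; check the filter.' }

# Whole share tree, minus a scratch folder that nobody needs alerts on.
$financeShare = New-CAWindowsFSAuditObject -IncludePath 'D:\Shares\Finance' -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask '*' -ExcludeFolderPaths 'D:\Shares\Finance\Scratch'

# One level only for the drop folder, ignoring editor temp files.
$dropFolder = New-CAWindowsFSAuditObject -IncludePath 'D:\Shares\Drop' -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask '*' -ExcludeFilePaths '*.tmp'

# Backup and antivirus engines touch every file; excluding them keeps the
# template focused on interactive and application changes.
$excludedProcesses = 'backupagent.exe', 'avsoftware.exe'

$templateName = 'Finance-Share-Audit'
New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName $templateName -AuditObjects @($financeShare, $dropFolder) -ExcludeProcess $excludedProcesses -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

# Confirm the template was registered before relying on it for alerting.
$created = Get-CAWindowsFSAuditTemplates -Connection $connection | Where-Object TemplateName -eq $templateName
if (-not $created) { throw "Template '$templateName' was not created." }
$created | Format-List
```

Discarding tooltip and browsing events, and excluding the backup and antivirus processes, are the settings that keep a file-server template from drowning real changes in scanner noise; the final Get-CAWindowsFSAuditTemplates check catches a silent failure before the template is trusted for alerting.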

Managing SQL Extended Events Auditing (Preview)

SQL Server Extended Events allow users to gather information on the performance of their SQL database. These commands allow you to create and manage SQL Extended Events auditing templates for auditing SQL Extended Events.

Use this command to retrieve the list of event names and filters available from the SQL server to use when configuring the SQL Extended Events template. Change Auditor audits event information from the Admin, Operational, and Analytic channels.

Get-CASQLExtendedEventsInfo -Connection $connection -SQLServerName $sqlservername -SQLServerLoginCredential $dbcredential

Use this command to specify a filter for the SQL Extended Events to audit when creating templates.

New-CASQLExtendedEventsFilter -EventsInfo $eventsInfo -FieldName database_name -Operator Equals -Value testdb1 -FilterType 'AND'

Use this command to specify the SQL Extended Events to audit.

New-CASQLExtendedEventsObject -EventsInfo $sqlExtendedEventClasses -EventNames "login_event","database_stopped","error_reported" -EventPackages "sqlserver","sqlserver","xesvlpkg"

Use this command to create SQL Extended Events auditing templates.

-Connection

A connection obtained by using the Connect-CAClient command.

-SQLServerName

The name or IP address of the SQL Server, including the instance name if it is a named instance. For example, SQLTestServer\InstanceName.

-SQLServerLogonCredential

The SQL server logon credential.

-Name

A unique name for the template.

-ExtendedEvents

The list of events to audit using New-CASQLExtendedEventsObject.

-Filters (Optional)

A list of event filters using New-CASQLExtendedEventsFilter.

-MaxMemorySize (Optional)

SQL Extended Events maximum memory size in megabytes.

The minimum is 250 MB, which is also the default if the parameter is not specified.

-Disabled (Optional)

Set to determine if the template is enabled or disabled. By default this is set to False.

-AgentInfo (Optional)

An agent object obtained using the Get-CAAgents command. If not specified, it will expect an agent installed on the SQL server to be audited. The agent is used for SQL Extended Events session management and event auditing.

New-CASQLExtendedEventsTemplate -Connection $connection -AgentInfo $Agent -SQLServerName $sqlServerName -SQLServerLoginCredential $sqlCredential -Name 'testXEventTemplate' -ExtendedEvents $events -Filters $filters

Use this command to see all the SQL Extended Events templates that have been created.

Get-CASqlExtendedEventsTemplates -Connection $connection

Get-CASqlExtendedEventsTemplates -Connection $connection | Where-Object { $_.Name -eq "MyTemplate" }

Use this command to delete a specified SQL Extended Events template.

Remove-CASQLExtendedEventsTemplate -Connection $connection -Template $template
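The script below is an added example, not from the Quest guide, showing the SQL Extended Events commands as one procedure: retrieve the available events with a prompted credential, check that the wanted event names are offered by the server, build the event object and a database filter, create the template, and verify it. It assumes 'Default' as a placeholder installation name, a constructed server, database and agent name, and that the objects returned by Get-CASQLExtendedEventsInfo expose a Name property (an assumption) for the availability check.

```powershell
# Added example (not from the Quest guide): create a SQL Extended Events template
# that captures login and database-stopped events for one database.
# Assumptions: 'Default' is a placeholder installation name; the server, database
# and agent names are constructed; Get-CASQLExtendedEventsInfo is assumed to
# return objects with a Name property.

$connection   = Connect-CAClient -InstallationName 'Default'
$sqlServer    = 'SQLTESTSERVER\INST01'                                   # constructed
$dbCredential = Get-Credential -Message "SQL login for $sqlServer"       # prompt; never embed the password

$eventsInfo = Get-CASQLExtendedEventsInfo -Connection $connection -SQLServerName $sqlServer -SQLServerLoginCredential $dbCredential

# Events to capture, in the same event/package pairing the guide shows.
$wantedEvents   = 'login_event', 'database_stopped'
$wantedPackages = 'sqlserver', 'sqlserver'

# Fail early if this server version does not offer one of the events.
$available = @($eventsInfo | ForEach-Object { $_.Name })                 # Name property is an assumption
$missing   = $wantedEvents | Where-Object { $available -notcontains $_ }
if ($missing) { throw "Server does not expose: $($missing -join ', ')" }

$events = New-CASQLExtendedEventsObject -EventsInfo $eventsInfo -EventNames $wantedEvents -EventPackages $wantedPackages

# Restrict the session to one database so it does not capture the whole instance.
$filters = New-CASQLExtendedEventsFilter -EventsInfo $eventsInfo -FieldName database_name -Operator Equals -Value 'payroll' -FilterType 'AND'

# Agent that will manage the Extended Events session (FQDN in uppercase, as the guide notes).
$agent = Get-CAAgents -Connection $connection | Where-Object { $_.agentfqdn -like 'CAAGENT.DOMAIN.COM' }
if (-not $agent) { throw 'Agent not found.' }

$templateName = 'Payroll-XE-Audit'
New-CASQLExtendedEventsTemplate -Connection $connection -AgentInfo $agent -SQLServerName $sqlServer -SQLServerLoginCredential $dbCredential -Name $templateName -ExtendedEvents $events -Filters $filters -MaxMemorySize 250

# Verify the template exists.
$created = Get-CASqlExtendedEventsTemplates -Connection $connection | Where-Object { $_.Name -eq $templateName }
if (-not $created) { throw "Template '$templateName' was not created." }
$created | Format-List
```

The credential is requested with Get-Credential rather than written into the script, and the database_name filter limits what the session collects to the database that actually needs auditing.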

Managing Azure Active Directory auditing

Change Auditor audits activity in the Azure portal that corresponds to the events in the Azure Active Directory auditing logs and sign-in activity. Managing Azure Active Directory auditing is available through the following PowerShell commands:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

The following sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts:

Use this command to create a template for auditing Azure Active Directory.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent is used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

$connection = Connect-CAClient -InstallationName 'Default'

$agent = Get-CAAgents -Connection $connection | where{$_.agentfqdn -like "CAAGENT.DOMAIN.COM"}   # keep the agent FQDN in uppercase

New-CAAzureADTemplate -Connection $connection -CreateWebApp -Tenant $tenant -AgentInfo $agent -HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Alternatively, use these parameters if you are using a pre-created Azure web application that Change Auditor will use for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -AgentInfo $agent -WebAppKey $webAppKey -WebAppId $webAppId -Tenant $tenant -HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Use this command to edit the web application key and ID, and the agent in an existing Azure Active Directory template. This also allows you to replace an expired or revoked web application.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by the Get-CAAzureADTemplates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId

Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True -AuditLogs $True

Use this command to see all the Azure Active Directory templates available within your installation.

Get-CAAzureADTemplates -Connection $connection
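The script below is an added example, not from the Quest guide, of the key-rotation case the Set-CAAzureADTemplate section describes: locate the template for a tenant, supply a new web application key without writing it into the script, re-point the template at the agent, and make sure both activity types remain enabled. It assumes 'Default' as a placeholder installation name, placeholder tenant and application ID values, a constructed agent name, and that the objects returned by Get-CAAzureADTemplates expose a Tenant property (an assumption used to select the template).

```powershell
# Added example (not from the Quest guide): replace the web application key of an
# existing Azure Active Directory template after the old key expired or was revoked.
# Assumptions: 'Default' is a placeholder installation name; tenant and app ID are
# placeholders; template objects are assumed to have a Tenant property.

$connection = Connect-CAClient -InstallationName 'Default'
$tenant     = 'yourTenantName.onmicrosoft.com'               # placeholder
$webAppId   = '00000000-0000-0000-0000-000000000000'          # placeholder application ID

# Read the new key as a SecureString so it never sits in the script or shell history;
# it is converted to plain text only for the cmdlet call and cleared afterwards.
$secureKey = Read-Host -Prompt 'New web application key' -AsSecureString
$webAppKey = [System.Net.NetworkCredential]::new('', $secureKey).Password

# Find exactly one template for the tenant.
$template = @(Get-CAAzureADTemplates -Connection $connection | Where-Object { $_.Tenant -eq $tenant })   # Tenant property is an assumption
if ($template.Count -eq 0) { throw "No Azure AD template found for $tenant" }
if ($template.Count -gt 1) { throw "More than one template matches $tenant; refine the filter." }
$template = $template[0]

# Agent that performs the auditing (FQDN in uppercase, as the guide notes).
$agent = Get-CAAgents -Connection $connection | Where-Object { $_.agentfqdn -like 'CAAGENT.DOMAIN.COM' }
if (-not $agent) { throw 'Agent not found.' }

# Swap in the new key and application, and bind the template to the agent.
Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId -AgentInfo $agent

# The guide requires at least one activity type; keep both on after the edit.
Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True -AuditLogs $True

# Drop the plaintext copy of the key from the session.
Remove-Variable webAppKey
Remove-Variable secureKey
```

Reading the key interactively and removing the variables afterwards keeps the application secret out of saved scripts and transcripts, and the two-step count check prevents the edit from silently landing on the wrong template when a tenant has more than one.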

Managing Office 365 auditing

Change Auditor for Exchange and Change Auditor for SharePoint have been extended to include the auditing of activities taking place in Exchange Online, SharePoint Online, and OneDrive for Business. The following commands are available to manage Office 365 auditing:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

Use this command to create a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

-AgentInfo

An agent obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

-GenerateCertificate (Optional)

If specified, generates a new self-signed certificate.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

New-CAO365Template -Connection $connection -Tenant $tenant -AgentInfo $agent -CreateWebApp -GenerateCertificate -EnableExchangeOnline $true -AuditAdministration $true -AuditOrganization $true -HistoricalEventCollectionDays 7

When you create or edit an Office 365 auditing template and you select to use an existing web application, it must be configured to support certificate authentication. See the Azure Active Directory and Office 365 User Guide for the required steps.

For more details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

-AgentInfo

An agent object obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure AD tenant/Directory that you would like Change Auditor to audit (for example: yourTenantName.onmicrosoft.com).

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

New-CAO365Template -Connection $connection -Tenant $tenant -AgentInfo $agent -WebAppId $webAppID -WebAppKey $webAppKey1 -CertificateFile 'C:\Users\user.domain\Desktop\CertificateFile.pfx' -CertificateFilePassword $password -EnableExchangeOnline $true -AuditAdministration $true -AuditOrganization $true -HistoricalEventCollectionDays 7

Use this command to edit the account used to access Office 365 Exchange Online, the services and events to audit, and to select a new agent.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AgentInfo (Optional)

An agent object obtained by using the Get-CAAgents command.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by non-owners.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

-GenerateCertificate (Optional)

If specified, generates a new self-signed certificate.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

Set-CAO365Template -Connection $connection -Template $template -AuditOrganization $true

Set-CAO365Template -Connection $connection -Template $template -EnableSharePoint $true -EnableOneDrive $true

Set-CAO365Template -Connection $connection -Template $template -CreateWebApp -GenerateCertificate -AgentInfo $agent

Set-CAO365Template -Connection $connection -Template $template -WebAppId $webAppId -WebAppKey $webAppKey -CertificateThumbprint $certificateThumbprint -AgentInfo $agent

Set-CAO365Template -Connection $connection -Template $template -AgentInfo $agent

Use this command to see all the Office 365 templates available within your installation.

Get-CAO365Templates -Connection $connection

Use this command to remove a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

Remove-CAO365Template -Connection $connection -Tenant $tenant

Use this command to find specific mailboxes that can be added to an existing Office 365 Exchange Online template.

Get-CAO365ExchangeMailboxes -Connection $connection -Tenant $tenant -SearchText "a"

Use this command to audit specific mailboxes in your organization by adding them to an existing Office 365 Exchange Online template.

Add-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -Mailboxes $mailboxes -AuditOwnerEvents

Use this command to remove mailboxes from an existing Office 365 Exchange Online template.

Remove-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -All

Use this command to retrieve a list of mailboxes being audited by a particular Office 365 Exchange Online template.

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -DisplayNameFilter "Sam S" -AuditTypeFilter NonOwnerOnly
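The script below is an added example, not from the Quest guide, that combines the Office 365 commands into one procedure: choose a certificate from the user's personal store that still has its private key and has not expired (the condition the -CertificateThumbprint parameter requires), create a template that uses it, then scope Exchange Online mailbox auditing to a searched set of mailboxes and confirm the result. It assumes 'Default' as a placeholder installation name, placeholder tenant and application ID values, a constructed certificate subject, agent name and mailbox search text, that the web application is already configured for certificate authentication as the guide requires, and that the objects returned by Get-CAO365Templates expose a Tenant property (an assumption).

```powershell
# Added example (not from the Quest guide): create an Office 365 template that
# authenticates with a certificate from Cert:\CurrentUser\My, then audit only a
# selected set of Exchange Online mailboxes.
# Assumptions: 'Default' is a placeholder installation name; tenant, app ID,
# certificate subject, agent name and search text are placeholders or constructed;
# Get-CAO365Templates objects are assumed to have a Tenant property.

$connection = Connect-CAClient -InstallationName 'Default'
$tenant     = 'yourTenantName.onmicrosoft.com'               # placeholder
$webAppId   = '00000000-0000-0000-0000-000000000000'          # placeholder application ID
$webAppKey  = Read-Host -Prompt 'Web application key'         # prompt; never embed the key

# The guide requires a certificate in the user's personal store that has a private
# key; also skip anything already expired so the template does not fail later.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like 'CN=ChangeAuditorO365*' } |   # subject is constructed
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired certificate with a private key was found in Cert:\CurrentUser\My.' }

# Agent that performs the auditing (FQDN in uppercase, as the guide notes).
$agent = Get-CAAgents -Connection $connection | Where-Object { $_.agentfqdn -like 'CAAGENT.DOMAIN.COM' }
if (-not $agent) { throw 'Agent not found.' }

# Audit administration events, but leave organization-wide non-owner auditing off;
# specific mailboxes are added below instead.
New-CAO365Template -Connection $connection -Tenant $tenant -AgentInfo $agent -WebAppId $webAppId -WebAppKey $webAppKey -CertificateThumbprint $cert.Thumbprint -EnableExchangeOnline $true -AuditAdministration $true -AuditOrganization $false -HistoricalEventCollectionDays 7
Remove-Variable webAppKey

# Pick the template object back up for the mailbox commands.
$template = Get-CAO365Templates -Connection $connection | Where-Object { $_.Tenant -eq $tenant }   # Tenant property is an assumption
if (-not $template) { throw "No Office 365 template found for $tenant" }

# Find the mailboxes to audit (search text is constructed) and add them without
# -AuditOwnerEvents so only non-owner access is recorded for them.
$mailboxes = Get-CAO365ExchangeMailboxes -Connection $connection -Tenant $tenant -SearchText 'exec-'
if (-not $mailboxes) { throw 'No mailboxes matched the search text.' }
Add-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -Mailboxes $mailboxes

# Confirm the scope that was actually applied.
Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -AuditTypeFilter NonOwnerOnly | Format-Table
```

Selecting the certificate by HasPrivateKey and NotAfter, rather than pasting a thumbprint, avoids the two most common reasons a certificate-based template stops authenticating; the final Get-CAO365ExchangeTemplateMailboxes call shows exactly which mailboxes are under non-owner auditing.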
