지금 지원 담당자와 채팅
지원 담당자와 채팅

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

You can use predefined reports to retrieve valuable change information from a variety of perspectives.

* 
NOTE: The terms ‘searches’ and ‘reports’ are used in conjunction to acquire the desired output. You run a ‘search’ and the results returned are referred to as a ‘report’.

You can also create custom search definitions to search for the configuration changes that need to be tracked in your environment. You will use the search properties tabs across the bottom of the Searches page to define new custom searches.

 

Authentication Services built-in reports

Previous Next

Authentication Services built-in reports

To see a complete list of built-in reports, see the Change Auditor Built-in Reports Reference Guide.

To run a built-in search:
1
Click on the Searches tab or select View | Searches.
2
Expand and select the appropriate folder in the explorer view (left-hand pane) to display the list of search definitions stored in the selected folder. For example, selecting the Shared | Built-in | Authentication Services will display all the built-in searches available for One Identity Authentication Services.
3
In the right-hand pane, locate the search to be run and use one of the following methods to run the selected search:
Double-click a search definition
Right-click a search definition and select the Run menu command
Select the search definition and click the Run tool bar button at the top of the Searches page
4
A new Search Results Page will be displayed populated with the audited events that met the search criteria defined in the selected search definition.
* 
NOTE: To modify a built-in search or create a custom Authentication Services search, see the Change Auditor User Guide.

Create custom searches

Previous Next

Create custom searches

The following scenario explain how to use the What tab to create custom searches.

 
* 
NOTE: If you wanted to, you can use the other search properties tabs to define additional criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range
Origin - allows you to search for events that originated from a specific workstation or server
To search for a specific event class:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New at the top of the Searches page.

This will activate the Search Properties tabs across the bottom of the Searches page.

4
On the Info tab, enter a name and description for the search.
5
Open the What tab, click Add (or expand the Add tool bar button and select Event Class).
6
On the Add Facilities or Event Classes dialog, enter Authentication Services Monitoring in the data filter field under the Facility heading to display all of the Authentication Services events.
7
From this list, select one or more events and use the Add | Add This Event option to add the selected events to the list box at the bottom of the dialog. Click OK to save your selection and close the dialog.
8
Click Run to save and run the search. Click Save to save the search definition without running it.
9
When this search runs, Change Auditor searches for the Authentication Services events based on the search criteria specified on the What tab and display the results in a new search results page.

Search results

Previous Next

Search results

The event information (including key information like who, what, when, where, why, the event origin, and the file information) can be viewed on the Event Details pane.

Table 1. Event Details pane: Authentication Services events

ChangeAuditor

Description

Severity

Displays “Low”, “Medium”, or “High” depending on the event.

Who

Specifies the name of the user who initiated the change.

When

Specifies the date and time when the change occurred.

Where

Displays the name of the workstation where the change occurred.

Source

Displays ‘Change Auditor’ which is the application from which the event was retrieved.

Origin

Displays the NetBIOS name and IP address of the workstation from which the event was generated.

What

Displays a description of the activity that occurred.

NOTE: For lengthy descriptions, hover your cursor over the description field to view the entire event description.

Facility

Displays that it is Authentication Services Monitoring activity.

 

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택