지금 지원 담당자와 채팅
지원 담당자와 채팅

Change Auditor 7.4 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level SQL Extended Events Threat Detection

A summary report containing events from all of the following reports.

164.308 – Administrative Safeguards | Workforce Security

| Workforce Security
Authorization and Supervision
Authentication Services
Authentication Services computers added in last 30 days
Who = All Users
What = Authentication Services Computer object added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services computers deleted in last 30 days
Who = All Users
What = Authentication Services Computer object deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX home directory changed in last 30 days
Who = All Users
What = UNIX Home Directory Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX login shell changed in last 30 days
Who = All Users
What = UNIX Login Shell Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled groups deleted in last 30 days
Who = All Users
What = UNIX-Enabled Group Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled users deleted in last 30 days
Who = All Users
What = UNIX-Enabled User Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computer Activity
Computers added in the last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers disabled in the last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers enabled in the last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers moved in the last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers removed in the last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers renamed in the last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Exchange
All Exchange Administrative Group Events
Who = All Users
What = Exchange Administrative Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Distribution List (Group) Events
Who = All Users
What = Exchange Security Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Permission Tracking Events
Who = All Users
What = Exchange Permission Tracking facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Group Management
Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group permissions changed in last 30 days
Who = All Users
What = DACL Changed on Group Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group type changes in last 30 days
Who = All Users
What = Group Type Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
SQL
All SQL Add Roles, User, and Login Events in the last 24 hours
Who = All Users
What = Audit Add DB User; Audit Add Login; Audit Add Login to Server Role; Audit Add Member to DB Role; Audit Add Role
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
Audit Add Login
Who = All Users
What = Audit Add Login
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Login to Server Role
Who = All Users
What = Audit Add Login to Server Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Member to DB Role
Who = All Users
What = Audit Add Member to DB Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Role
Who = All Users
What = Audit Add Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database
Who = All Users
What = Audit Alter Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Object
Who = All Users
What = Audit Alter Database Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Principal
Who = All Users
What = Audit Alter Database Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Object Derived Permission
Who = All Users
What = Audit Alter Object Derived Permission
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Schema Object
Who = All Users
What = Audit Alter Schema Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Object
Who = All Users
What = Audit Alter Server Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Principal
Who = All Users
What = Audit Alter Server Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Trust Activity
Cross Forest level trust added in last 30 days
Who = All Users
What = Cross-forest Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Cross Forest level trust deleted in last 30 days
Who = All Users
What = Cross-forest Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Trusts added in last 30 days
Who = All Users
What = Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Trusts deleted in last 30 days
Who = All Users
What = Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
User Management
Changes to user profiles in last 30 days
Who = All Users
What = Home Folder Changed on User Object; Home Folder Mapped Drive Changed on User Object; Level of Control Changed for User Object; Primary Group ID Changed for User Object; Profile Path Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permissions on user accounts changed in last 30 days
Who = All Users
What = DACL Changed on User Object; Required User’s Permissions Changed for User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added in last 30 days
Who = All Users
What = User Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added to group in last 30 days
Who = All Users
What = User Member-of Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users deleted in last 30 days
Who = All Users
What = User Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users display name changed in last 30 days
Who = All Users
What = Display Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users enabled in last 30 days
Who = All Users
What = User Account Enabled; User Account Re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users first name changed in last 30 days
Who = All Users
What = First Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users last name changed in last 30 days
Who = All Users
What = Last Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users locked out in last 30 days
Who = All Users
What = User Account Locked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users logon hours changed in last 30 days
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users moved in last 30 days
Who = All Users
What = User Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users name(s) changed in last 30 days
Who = All Users
What = Display Name Changed on User Object; First Name Changed on User Object; User samAccountName Changed; Last Name Changed on User Object; User userPrincipal Name Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users principal name changed in last 30 days
Who = All Users
What = User userPrincipalName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users removed from group in last 30 days
Who = All Users
What = User Member-of Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users renamed in last 30 days
Who = All Users
What = Domain User Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users SAM account name changed in last 30 days
Who = All Users
What = User samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users status changed in last 30 days (Enabled, Disabled, Created, Deleted, Locked, Unlocked)
Who = All Users
What = User Account Enabled; User Account Disabled; User Object Added; User Object Removed; User Account Locked; User Account Unlocked; User Account Re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users unlocked in last 30 days
Who = All Users
What = User Account Unlocked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users workstation access restrictions changed in last 30 days
Who = All Users
What = User userWorkstations Added; User userWorkstations Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Workforce Clearance Procedures
Access Control - File System
Directory shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Directory shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder attribute changed in last 30 days
Who = All Users
What = File Attribute Changed; Folder Attribute Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder modified date changed in last 30 days
Who = All Users
What = File Last Write Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder renamed in last 30 days
Who = All Users
What = File Renamed; Folder Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share auditing changed in last 30 days
Who = All Users
What = Local Share Auditing changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
EMC
EMC file access rights changed
Who = All Users
What = EMC file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents written
Who = All Users
What = EMC file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents created
Who = All Users
What = EMC file contents created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents deleted
Who = All Users
What = EMC file contents deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents moved
Who = All Users
What = EMC file contents moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents opened
Who = All Users
What = EMC file contents opened
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file ownership changed
Who = All Users
What = EMC file ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file renamed
Who = All Users
What = EMC file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder access rights changed
Who = All Users
What = EMC folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder created
Who = All Users
What = EMC folder created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder deleted
Who = All Users
What = EMC folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder moved
Who = All Users
What = EMC folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder ownership changed
Who = All Users
What = EMC folder ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder renamed
Who = All Users
What = EMC folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp
NetApp file access rights changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file contents written
Who = All Users
What = NetApp file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file created
Who = All Users
What = NetApp file created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file deleted
Who = All Users
What = NetApp file deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file moved
Who = All Users
What = NetApp file moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file opened
Who = All Users
What = NetApp file opened
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file renamed
Who = All Users
What = NetApp file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder created
Who = All Users
What = NetApp folder created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder deleted
Who = All Users
What = NetApp folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder moved
Who = All Users
What = NetApp folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder renamed
Who = All Users
What = NetApp folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
SharePoint
Permission changes in the last 7 days
Who = All Users
What = All permission levels revoked; Permission level created; Permission level deleted; Permission level granted; Permission level permissions modified; Permission level revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Permission inheritance changes in the last 7 days
Who = All Users
What = Permission inheritance broken; Permission inheritance restored; Permission level inheritance broken; Permission level permissions modified
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups created and deleted in the last 7 days
Who = All Users
What = Security group created; Security group deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups membership changes in the last 7 days
Who = All Users
What = Member added to security group; Member removed from security group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection ownership changes in the last 7 days
Who = All Users
What = Site collection ownership granted; Site collection ownership revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collections created and deleted in the last 7 days
Who = All Users
What = Site collection created; Site collection deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites created and deleted in the last 7 days
Who = All Users
What = Site created; Site deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites moved in the last 7 days
Who = All Users
What = Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Termination Procedures
(Executive Summary) – Termination Procedures

A summary report containing events from all of the following reports.

Detailed list of deleted user modifications
Who = All Users
What = User Object Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of disabled user modifications
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Group Management
Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group permissions changed in last 30 days
Who = All Users
What = DACL Changed on Group Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers

164.308 – Administrative Safeguards | Information Access Management

| Information Access Management
Access Establishment and Modification
Access Control - File System
Directory shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Directory shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder attribute changed in last 30 days
Who = All Users
What = File Attribute Changed; Folder Attribute Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder modified date changed in last 30 days
Who = All Users
What = File Last Write Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder renamed in last 30 days
Who = All Users
What = File Renamed; Folder Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share auditing changed in last 30 days
Who = All Users
What = Local Share Auditing changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Critical GPO Changes
Default domain audit policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Default domain Kerberos policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Default domain password policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Enforce Password History Policy Changed; Maximum Password Age Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Accounts: Administrator Account Status Policy Changed; Accounts: Guest Account Status Policy Changed; Accounts: Limit Local Account Use of Blank Passwords to Console Only Policy Changed; Accounts: Rename Administrator Account Policy Changed; Accounts: Rename Guest Account Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit: Audit the User of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Devices: Allow Undock Without Having to Logon Policy Changed; Devices: Allowed to Format and Eject Removable Media Policy Changed; Devices: Prevent Users from Installing Printer Drivers Policy Changed; Devices: Restrict CD-ROM Access to Locally Logged-on User Only Policy Changed; Devices: Restrict Floppy Access to Locally Logged-on User Only Policy Changed; Devices: Unsigned Driver Installation Behavior Policy Changed; Domain Controller: Allow Server Operators to Schedule Tasks Policy Changed; Domain Controller: LDAP Server Signing Requirements Policy Changed; Domain Controller: Refuse Machine Account Password Changes Policy Changed; Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) Policy Changed; Enforce Password History Policy Changed; Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; System Objects: Strengthen Default Permissions of Global System Objects Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Domain policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Linked Group Policy or Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational unit policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Linked Group Policy on OU Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Domain Security
Changes to Domain account policies (GPO filter) in last 30 days
Who = All Users
What = Account Lockout Duration Policy Changed; Account Lockout Threshold Policy Changed; Enforce Password History Policy Changed; Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Password Age Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed; Reset Account Lockout Counter After Change Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Changes to Domain Audit policies (GPO filter) in last 30 days
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Changes to Domain Kerberos policies (GPO filter) in last 30 days
Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
GPO Link changes on Domain objects in last 30 days
Who = All Users
What = DACL Changed on Group Policy Object; Group Policy Linked; Group Policy Unlinked; Group Policy Block Inheritance Setting Changed on Domain; Group Policy No Override Setting Changed on Domain; Group Policy Disabled Setting on Domain Changed; Owner Changed on Group Policy Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permission changes on domains in last 30 days
Who = All Users
What = DACL Changed on Domain Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permissions to AdminSDHolder Changes in last 30 days
Who = All Users
What = DACL Changed on AdminSDHolder Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
EMC
EMC file access rights changed
Who = All Users
What = EMC file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents written
Who = All Users
What = EMC file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents created
Who = All Users
What = EMC file contents created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents deleted
Who = All Users
What = EMC file contents deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents moved
Who = All Users
What = EMC file contents moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents opened
Who = All Users
What = EMC file contents opened
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file ownership changed
Who = All Users
What = EMC file ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file renamed
Who = All Users
What = EMC file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder access rights changed
Who = All Users
What = EMC folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder created
Who = All Users
What = EMC folder created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder deleted
Who = All Users
What = EMC folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder moved
Who = All Users
What = EMC folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder ownership changed
Who = All Users
What = EMC folder ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder renamed
Who = All Users
What = EMC folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
Exchange
All ActiveSync Mailbox Policy Events
Who = All Users
What = ActiveSync Mailbox Policy Added to Organization Client Access Configuration; ActiveSync Mailbox Policy Allow Attachments to be Downloaded Option Changed; ActiveSync Mailbox Policy Allow Non-Provisionable Devices Options Changed; ActiveSync Mailbox Policy Allow Simple Password Option Changed; ActiveSync Mailbox Policy Enable Password Recovery Option Changed; ActiveSync Mailbox Policy Maximum Attachment Size Changed; ActiveSync Mailbox Policy Minimum Password Length Changed; ActiveSync Mailbox Policy Password Expiration Changed; ActiveSync Mailbox Policy Password History Changed; ActiveSync Mailbox Policy Password Required Option Changed; ActiveSync Mailbox Policy Removed from Organization Client Access Configuration; ActiveSync Mailbox Policy Renamed; ActiveSync Mailbox Policy Require Alphanumeric Password Option Changed; ActiveSync Mailbox Policy Require Encryption On Device Option Changed; ActiveSync Mailbox Policy User Idle Timeout Changed; ActiveSync Mailbox Policy Windows File Shares Access Option Changed; ActiveSync Mailbox Policy Windows SharePoint Services Access Option Changed; ActiveSync Mailbox Policy Number of Failed Attempts Allowed Changed; ActiveSync Mailbox Policy Refresh Interval Changed; ActiveSync Mailbox Policy Require Encryption On Device Option Changed; Mobile Device - ActiveSync Device Policy
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Email Address Policy Events
Who = All Users
What = Email Address Policy Added to Organization Configuration; Email Address Policy Email Address Filter List Changed; Email Address Policy Priority Changed; Email Address Policy Query Filter Changed; Email Address Policy Removed from Organization Configuration; Email Address Policy Renamed; Email Address Policy Storage Filter Changed; Distribution List - Email Address Policy Enabled Changed; Mailbox - Email Address Policy Enabled Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Permission Tracking Events
Who = All Users
What = Exchange Permission Tracking facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Journaling Rule Change Events
Who = All Users
What = Journaling Rule Added to Organization Configuration; Journaling Rule Changed; Journaling Rule Removed from Organization Configuration; Journaling Rule Renamed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Deleted Items Retention Period Changed for a user
Who = All Users
What = Deleted Item Retention Period Changed; Deleted Item Retention Use Defaults Storage Option Changed; Mailbox - End Date Retention Hold; Mailbox - Retention Hold Enabled; Mailbox - Retention Policy; Mailbox - Start Date for Retention Hold; Mailbox - Use Database Retention Defaults
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Message Tracking Options Changed on an Exchange 2007 Server
Who = All Users
What = Message Tracking Option Changed on Server
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Group Management
Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group permissions changed in last 30 days
Who = All Users
What = DACL Changed on Group Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users removed from group in last 30 days
Who = All Users
What = User member-of removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Logon Activity
All Failed Logons in the last 7 days
Who = All Users
What = User failed to authenticate through Kerberos, User failed to authenticate through NTLM, User failed to log on interactively, User failed to log on interactively from a remote computer, User failed to perform a network logon from a remote computer
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Interactive Logons in the past 24 hours
Who = All Users
What = User failed to log on interactively; User logged on interactively
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Logons in the past 24 hours
Who = All Users
What = Authentication Activity; Domain Controller Authentication; Logon Session
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Remote Interactive Logons in the past 24 hours
Who = All Users
What = User failed to log on interactively from a remote computer; User failed to perform a network logon from a remote computer; User logged on interactively from a remote computer; User performed a successful network logon from a remote computer
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All User Sessions in the past 24 hours
Who = All Users
What = Logon Session facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
NetApp
NetApp file access rights changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file contents written
Who = All Users
What = NetApp file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file created
Who = All Users
What = NetApp file created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file deleted
Who = All Users
What = NetApp file deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file moved
Who = All Users
What = NetApp file moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file opened
Who = All Users
What = NetApp file opened
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file renamed
Who = All Users
What = NetApp file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder created
Who = All Users
What = NetApp folder created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder deleted
Who = All Users
What = NetApp folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder moved
Who = All Users
What = NetApp folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder renamed
Who = All Users
What = NetApp folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
Organizational Unit Management
Organizational Units added in last 30 days
Who = All Users
What = Subordinate OU Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units deleted in last 30 days
Who = All Users
What = Subordinate OU Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units renamed in last 30 days
Who = All Users
What = Subordinate OU Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units set to block GPO inheritance in last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy Changed last 30 days
Group Policy block inheritance changes
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU; Group Policy Block Inheritance Setting Changed on Site; Group Policy Block Inheritance Setting Changed on Domain
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy disabled setting changes
Who = All Users
What = Group Policy Disabled Setting on OU Changed; Group Policy Disabled Setting on Site Changed; Group Policy Disabled Setting on Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy no override changes
Who = All Users
What = Group Policy No Override Setting Changed on OU; Group Policy No Override Setting Changed on Site; Group Policy No Override Setting Changed on Domain
Where = All sources
When = Last 30 days
Origin = All workstations/servers
SharePoint
Permission changes in the last 7 days
Who = All Users
What = All permission levels revoked; Permission level created; Permission level deleted; Permission level granted; Permission level permissions modified; Permission level revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Permission inheritance changes in the last 7 days
Who = All Users
What = Permission inheritance broken; Permission inheritance restored; Permission level inheritance broken; Permission level permissions modified
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups created and deleted in the last 7 days
Who = All Users
What = Security group created; Security group deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups membership changes in the last 7 days
Who = All Users
What = Member added to security group; Member removed from security group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection ownership changes in the last 7 days
Who = All Users
What = Site collection ownership granted; Site collection ownership revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collections created and deleted in the last 7 days
Who = All Users
What = Site collection created; Site collection deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites created and deleted in the last 7 days
Who = All Users
What = Site created; Site deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites moved in the last 7 days
Who = All Users
What = Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택