Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Change Auditor for Active Directory Queries Overview

Previous Next

Change Auditor for Active Directory Queries Overview
Introduction
Deployment requirements
Client components/features

Introduction

Previous Next

Introduction

Many applications use Active Directory as an LDAP directory to provide user credentials, group membership information, and other application data. During a directory migration or restructuring project, such as a corporate acquisition, it is important to understand the ways that applications use the directory before migrating the directory structure, to avoid unnecessary application downtime. Obtaining this information from Windows audit logs is extremely difficult, as it requires setting SACLs and aggregating security audit logs from all domain controllers in the environment.

Change Auditor monitors directory access across all domain controllers in the environment and aggregates that information in a central database identifying LDAP-enabled applications and how they use Active Directory. The LDAP access data gathered by Change Auditor can then be used during Active Directory forest migration and restructuring projects.

* 
NOTE: Active Directory query auditing is only available if you have licensed Change Auditor for Active Directory Queries. If you do not have a valid license you can use the features, however, associated events are not captured. To verify that it is licensed, right-click the coordinator icon in the system tray and select Licensing.
 

Deployment requirements

Previous Next

Deployment requirements

For a successful deployment, ensure that your environment meets the minimum system requirements. For information on system requirements, see the Change Auditor Release Notes. For details on installing Change Auditor, see the Change Auditor Installation Guide.

Client components/features

Previous Next

Client components/features

The following table lists the client components and features that require a valid Change Auditor for Active Directory Queries license. The product will not prevent you from using these features; however, associated events will not be captured unless the proper license is applied.

* 
NOTE: To hide unlicensed Change Auditor features from the Administration Tasks tab (including unavailable audit events throughout the client), use the Action | Hide Unlicensed Components menu command. Note this command is only available when the Administration Tasks tab is the active page.
 

Table 1. Change Auditor for Active Directory Queries client components/features

Client page

Feature

Administration Tasks tab

Agent Configuration page:
Configuration Setup Dialog - AD Query Events settings
Discard query results less than nn records
Discard queries taking less than nn milliseconds
Discard duplicate queries occurring within nn minutes
AD Query auditing enabled

Audit Task list:
AD Query
NOTE: See Configure AD Query Auditing for information on using these settings for Active Directory query auditing.

Event Details pane

What details:
Type
Scope
Results
SSL/TLS
Kerberos
Simple Bind
Port
Occurrences
Since
Elapsed
Filter
Attributes
NOTE: See the AD Query Event Details appendix for a description of these fields.

Events

Facilities:
AD Query

Search Properties

What tab:
Subsystem | AD Query
NOTE: See Active Directory Query Searches/Reports for information on using the What tab to create custom Active Directory query search queries.

Searches page

Built-in Reports:
All reports that include the event in the AD Query facility.

Advanced tab/Search Results page

Columns:
LDAP Attributes
LDAP Elapsed
LDAP Filter
LDAP Occurrences
LDAP Results
LDAP Scope
LDAP Since
LDAP Type

Alert Body Configuration dialog - Event Details tab

Variables (email tags):
LDAP_ATTRIBUTES
LDAP_ELAPSED
LDAP_FILTER
LDAP_OCCURRENCES
LDAP_RESULTS
LDAP_SCOPE
LDAP_SINCE
LDAP_TYPE
NOTE: See the Change Auditor User Guide for a description of these email tags and how to configure alert email notifications.
 

 

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação