Converse agora com nosso suporte
Chat com o suporte

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Available Change Auditor auditing modules

Previous Next

Available Change Auditor auditing modules

Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions. You can automatically generate intelligent, in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

Quest provides the following products to help you track, audit, report, and receive alerts on vital changes and activity:

 

Table 1.  

Available auditing

Benefits

Quest Change Auditor for Active Directory

Drives the security and control of Active Directory by tracking vital configuration changes to users, groups, nested groups, GPOs, computers, services, registry, local users and groups and DNS — without the overhead costs of system provided auditing. You can also lock down critical Active Directory, ADAM (AD LDS), and Group Policy objects, to protect them from unauthorized or accidental modifications or deletions.

Change Auditor for Active Directory also audits activity in Microsoft Entra ID.

Correlating activity across the on-premises and cloud directories, provides a single pane-of-glass view of your hybrid environment and makes it easy to search all events regardless of where they occurred.

Quest Change Auditor for Exchange

Simplifies auditing the activities taking place in your entire Exchange environment. You can audit over 300 Exchange events covering owner and nonowner mailbox changes, server configurations and permissions, and more.

Through the Exchange Mailbox protection feature, you can prevent unwanted access to Exchange mailboxes, making it much more difficult for rogue administrators to access critical mailboxes.

You can also audit Microsoft 365 Exchange Online configuration and permission changes.

Quest Change Auditor for Windows File Servers

Enables administrators to achieve the comprehensive auditing coverage of system provided tools without the mass of cumbersome data that system provided event logs generate. You can audit activity related to files and folders, shares, and changes to permissions.

Change Auditor provides an access control model that allows administrators to protect business-critical files and folders on the file server.

Quest Change Auditor for EMC

Eliminates the time and complexity of system provided auditing by providing EMC Celerra/VNX file and folder changes in real time and translating events into plain English.

Quest Change Auditor for NetApp

Eliminates the time and complexity of system provided auditing by providing NetApp file and folder changes in real time and translating events into plain English.

Quest Change Auditor for SQL Server

Provides database auditing to secure SQL database assets with extensive, customizable auditing and reporting for all critical SQL changes including broker, database, object, performance, and transaction events, plus errors and warnings.

Helps tighten enterprise-wide change and control policies by tracking user and administrator activity such as database additions and deletions, granting and removing SQL access.

SQL Data Level auditing allows you to audit changes to databases and tables.

Quest Change Auditor for Active Directory Queries

Monitors directory access across all domain controllers in the environment and aggregates that information in a central database identifying LDAP-enabled applications and how they use Active Directory. The LDAP access data can then be used during Active Directory forest migration and restructuring projects.

Quest Change Auditor for SharePoint

Provides centralized auditing, including configuration, event collection and reporting, for Microsoft SharePoint 2016 and 2019 servers and farms. It provides built-in queries and reports that focus on auditing the following areas:
Access to content in SharePoint sites
Modifications of content (creation, modification, and deletion)
Changes to permissions and security settings

You can also audit Microsoft 365 SharePoint Online and OneDrive for Business changes.

Quest Change Auditor for Logon Activity

Change Auditor for Logon Activity has removed the dependency on InTrust and the Change Auditor Data Gateway Service to capture user logon activity. This auditing module consists of two licenses (one for server agents and another for workstation agents) and may be used to collect logon activity events for regulatory compliance and user activity tracking.
The Change Auditor for Logon Activity User license enables server agents to audit authentication activity, domain controller authentication activity (Kerberos), and user logon session activity (the actual time spent on a server).
The Change Auditor for Logon Activity Workstation license enables workstation agents to audit authentication activity and user logon session activity (the actual time spent on a workstation).

Quest Change Auditor for Authentication Services

Authentication Services enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. Using Change Auditor for Authentication Services, users of Authentication Services can audit on critical changes to:
Unix/Linux/Mac-related data for Active Directory users, groups, computers, NIS objects, and Authentication Services personalities
Unix/Linux/Mac settings in Group Policy Objects
NOTE: Authentication Services auditing is only available if you have licensed Change Auditor for Active Directory. If you do not have a valid license you can use the features, however, associated events are not captured.

Quest Change Auditor for Defender

Enhances security by enabling two-factor authentication to network, Web, and applications-based resources. Defender was designed to base all administration and identity management on an organization’s existing investment in Active Directory and eliminates the costs and time involved in setting up and maintaining proprietary databases. Change Auditor for Defender tracks changes to user accounts enabled with Defender tokens in Active Directory.

Because Defender extends the Active Directory schema, once the Change Auditor for Defender auditing is enabled, agents installed on Domain Controllers detect any changes made to the Defender-specific attributes in Active Directory and generate events. No audit template is needed.

NOTE: Defender auditing is only available if you have licensed Change Auditor for Active Directory. If you do not have a valid license you can use the features, however, associated events are not captured. To verify that it is licensed, right-click the coordinator icon in the system tray and select Licensing.

 

Agent Deployment

Previous Next

Agent Deployment
Deployment page
Using group Managed Service Accounts (gMSA)
Deploy agents
Connect to a different foreign forest/update credentials
Change the agent installation location and system tray option
Enable auto deployment
Refresh or clear Deployment page information

Deployment page

Previous Next

Deployment page

The Deployment page displays all the servers and workstations discovered in your Active Directory environment. From here, you specify the servers and workstations (if the Change Auditor for Logon Activity Workstation license is applied) to host a Change Auditor agent.

The first time you open Change Auditor, the Deployment tab is available for you to deploy agents. After agents are deployed, use the View | Deployment menu to open the page.

* 
NOTE: The Deployment page does not display non-member objects, such as ADAM workgroup servers or non-Active Directory workstations, because agents cannot be deployed to non-member objects using the Deployment tab. See the Change Auditor Installation Guide for information about manually installing agents to workgroup servers or non-Active Directory workstations.

Filter the fields on the Deployment page

The Deployment page may contain the following for each server and workstation discovered in your Active Directory forest. To display fields other than the defaults, click the Field Chooser located to the far left of the column headings and select the columns to display.

 

Table 1. Deployment page: Field descriptions

Column

Default

Description

Agent Status

Yes

Displays the current deployment status:
Active
Inactive
Pending
Copying Files
Executing Installer
Uninstalled

Coordinator

No

Displays the computer name of the coordinator to which the agent is connected.

Creds

Yes

Indicates whether user credentials have been entered for the selected domain. To enter the credentials to use to install agents on a domain, click Credentials.

Deployment Result

Yes

Indicates the status of the last deployment task:
Success - agent was successfully deployed
Valid Creds - user credentials have been verified; you can schedule a deployment task
Access Denied - user credentials are not valid; use the Credentials command to enter the proper user credentials for installing an agent on the selected domain
The target version is already installed - no action required.
NOTE: You can select Clear Results to clear the entry in this column for the selected server.

DN

No

Displays the distinguished name of a server. (The ‘path’ to the server in the Active Directory schema.)

DNS Name

No

Displays the DNS name of a server.

Domain

Yes

Displays the name of the domain where a server is located.

Exchange Server

No

Indicates whether Exchange is installed on a server.

Foreign Forest

No

Indicates whether an agent is connected to a coordinator in a foreign forest.

Forest

No

Displays the name of the forest where the agent resides.

GC

No

Indicates whether the server is a Global Catalog server.

Installation

No

Displays the installation name assigned to the coordinator to which the agent is connected.

IP Address

No

Displays the IP address of a server.

Name

Yes

Displays the NetBIOS name of a server.

Operating System

No

Displays what version of the operating system is running on a server.

Read-Only DC

No

Displays the Read-Only DCs.

Site

No

Displays the name of the site where a server resides.

Type

No

Displays the type of server:

Server - member servers joined to the domain
Domain Controller - domain controllers joined to the domain
Read-Only - domain controller servers that are read-only
Global Catalog - domain controller servers designated as Global Catalog servers
Workstation - workstations that are joined to the domain
NOTE: Non-member objects are not included in the Deployment tab because you cannot use this tab to deploy agents to objects which are not a member of the local forest.

See the Change Auditor Installation Guide for information about deploying agents to workgroup servers or non-Active Directory workstations.

Version

Yes

Displays the version number of the Change Auditor agent currently installed on a server.

When

No

Displays the date and time for a scheduled deployment task. That is, the date and time entered on the Install or Update dialog (or Uninstall dialog) when the When option is selected.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.
 

Workstation

No

Indicates whether the agent is a workstation agent used for capturing user logon activity when the Change Auditor for Logon Activity Workstation auditing module is licensed.

Filter the computers on the Deployment page

In addition to selecting the fields, you can define what type of computers to display.

The following table describes how to use these controls to filter the content displayed on the Deployment page.

 

Table 2. Deployment page: Filter controls

Control

Description

Type

Use the left-most control to specify the type of Active Directory objects to be included in the display:
All - select to display all domain controllers, member servers and workstations in the forest, domain or site
DCs - select to display all domain controllers in the forest, domain or site
Read-Only DCs - select to display the Read-Only domain controllers in the forest
Servers - select to display the servers in the forest, domain or site
Workstations - select to display the workstations in the forest, domain or site
NOTE: Non-member objects are not included in the Deployment tab because you cannot use this tab to deploy agents to objects which are not a member of the local forest.
NOTE: See the Change Auditor Installation Guide for information about deploying agents to workgroup servers or non-Active Directory workstations.

Active Directory view

By default, the Deployment page provides a forest view of the servers found. However, you can use the right-most controls to limit your view to an individual domain or site.

Use the middle control to select the Active Directory view (forest, domain, or site) then use the right-most control to select an individual forest, domain, or site for which servers and workstations are to be displayed.

Using group Managed Service Accounts (gMSA)

Previous Next

Using group Managed Service Accounts (gMSA)

* 
NOTE: By default, all services run as LocalSystem. Using gMSA accounts as the service account is not supported.

When using a group Managed Service Account for your agent deployment:

The account must end with '$' and the password must be blank.
The domain should be entered in the Fully Qualified Domain Name format.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
The Windows client must be run as the administrator. (Right-click and select Run as administrator.)
The agent host must be correctly configured to successfully retrieve the managed password for the specified group Managed Service Account.
The Coordinator Credential Configurator must be run as the administrator. (Right-click and select Run as administrator.)
For manual installations, the agent installer must be run as the administrator. (Right-click and select Run as administrator.)
For foreign domain agent deployments, the account name for the agent to connect to the coordinator should be specified with the Fully Qualified Domain Name (For example: domain.com\user.)
For foreign domain agent deployments, a trust relationship with the foreign domain and the coordinator's domain is required.

For information on group Managed Service Account implementations and requirements, refer to Microsoft documentation.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação