
Change Auditor 7.0.3 - User Guide


Introduction

Change Auditor can generate alerts when certain kinds of configuration changes occur. These alerts appear in the client and are then dispatched to designated recipients via email (SMTP), SNMP or WMI events.

Smart Alert Technology provides intelligent event correlation by notifying you when event patterns cause potential security risks. You can customize the Smart Alerts to match your security policies. For example, if a privileged account is attempting to log on with a bad password at multiple computers within a predetermined time period, a proactive alert can be generated.

Alert tab (Search Properties tabs)

The Alert tab displays the current alert configuration for the selected search definition. From the Alert tab, you can enable/disable an alert notification for the selected search definition, define how and where to dispatch the alert (via SMTP (email), SNMP and/or WMI), and modify the alert configuration settings.

Use the controls on the Alert tab as described below.

Alert Enabled

Select the Alert Enabled check box to enable an alert for the current search definition.

This option becomes available only after at least one of the transport methods is selected in the Send Alert To setting on this tab.

Send Alert To

Select all of the transport options that are to be applied to this search definition:

SNMP - Select this option to dispatch alerts for this search definition via SNMP traps.
WMI - Select this option to dispatch alerts for this search definition via WMI (Windows Management Instrumentation) events.
SMTP - Select this option to dispatch alerts for this search definition via email. Selecting this option will display the Alert Custom Email dialog allowing you to specify the email address of the persons who are to receive the email notification.

History Search Limit

By default, up to 50,000 events can be included in the alert history. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in the alert history.

NOTE: The History Search Limit setting is a global setting and changes made to this setting will be applied to ALL alerts.

Configure Email

For SMTP alerts, click Configure Email to change the details about the alert email to be sent, including the To address, the Reply To address, and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert Body Configuration dialog to configure the body of the email alert.

Events Per Email

For SMTP alerts, a maximum of 100 events will be included in a single alert email by default. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in an email.

Time zone

For SMTP alerts, use this field to specify the time zone to be used for the alert’s date/time stamp in the notification emails. By default, the time zone of the machine where the client resides will be used.

Smart Alert Enabled

Select this check box to specify under what conditions an alert is to be sent. This feature is only available for SMTP and SNMP notifications.

Send Alert When <nn> Events Occur Within <nn> <interval>

Select this option to specify the number of events that must occur within a specified time interval before generating/dispatching the alert.

Where <interval> is one of the following: minutes, hours or days.

On A Single Object

Select this check box to specify that the event must occur for the same object the specified number of times before the alert will be triggered. When this check box is cleared (default), the event can occur on any object the specified number of times to trigger the alert.
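The Smart Alert threshold described above (N events within a time interval, optionally counted per object) is easy to misread, so here it is modelled as a sliding-window counter. This is an added example written for this page, not Change Auditor's own code: the class and field names are assumptions, and the failed-logon events, account and host names are constructed so the two counting modes can be compared on the same input.

```python
"""Model of the Smart Alert setting from the Alert tab section.

Added example, not Change Auditor's own code. It reproduces the documented
behaviour ("Send Alert When <nn> Events Occur Within <nn> <interval>" plus
the "On A Single Object" check box) as a sliding-window counter.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# <interval> values the page lists for the Smart Alert setting
INTERVAL_SECONDS = {"minutes": 60, "hours": 3600, "days": 86400}


class SmartAlertRule:
    """Fire when `count` matching events occur within `length` `unit`s.

    single_object=False (the page's default): events on any object count
    towards the threshold.
    single_object=True ("On A Single Object"): events are counted per
    object, so only `count` events on the *same* object trigger the alert.
    """

    def __init__(self, count, length, unit, single_object=False):
        if unit not in INTERVAL_SECONDS:
            raise ValueError(f"interval must be one of {list(INTERVAL_SECONDS)}")
        self.count = count
        self.window = timedelta(seconds=length * INTERVAL_SECONDS[unit])
        self.single_object = single_object
        # one timestamp queue per grouping key; a single "*" key when
        # single_object is off
        self._windows = defaultdict(deque)

    def observe(self, event):
        """Feed one event (chronological order assumed). Returns True when
        this event completes a batch that should be dispatched as an alert."""
        key = event["object"] if self.single_object else "*"
        q = self._windows[key]
        now = event["time"]
        q.append(now)
        # drop timestamps that have aged out of the interval
        while now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # start a fresh batch so one burst yields one alert
            return True
        return False


def fired_at(rule, events):
    """Return the indices of the events that triggered the rule."""
    return [i for i, ev in enumerate(events) if rule.observe(ev)]


def _ts(text):
    return datetime.fromisoformat(text)


# Constructed sample: failed logons for a hypothetical service account from
# several workstations, with an unrelated user's failure mixed in.
SAMPLE_EVENTS = [
    {"time": _ts("2024-05-01T09:00:00"), "object": "CORP\\svc-backup", "computer": "WS01"},
    {"time": _ts("2024-05-01T09:01:00"), "object": "CORP\\svc-backup", "computer": "WS02"},
    {"time": _ts("2024-05-01T09:02:00"), "object": "CORP\\jdoe",       "computer": "WS03"},
    {"time": _ts("2024-05-01T09:03:00"), "object": "CORP\\svc-backup", "computer": "WS03"},
    {"time": _ts("2024-05-01T09:04:30"), "object": "CORP\\svc-backup", "computer": "WS04"},
    {"time": _ts("2024-05-01T09:20:00"), "object": "CORP\\jdoe",       "computer": "WS05"},
]

if __name__ == "__main__":
    # "Send Alert When 4 Events Occur Within 5 minutes"
    any_object = fired_at(SmartAlertRule(4, 5, "minutes"), SAMPLE_EVENTS)
    same_object = fired_at(SmartAlertRule(4, 5, "minutes", single_object=True), SAMPLE_EVENTS)
    print("any object   -> alert at event index", any_object)   # [3]
    print("single object-> alert at event index", same_object)  # [4]
```

With the check box cleared, the fourth event of any kind (index 3, which includes the unrelated jdoe failure) fires the alert; with On A Single Object selected, the rule waits for the fourth failure on the same account (index 4), and the jdoe failure at 09:20 never fires because the earlier one has aged out of the 5-minute window.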

Enable alerts

Using the Searches page, you can enable/disable alert notifications for individual search definitions and dispatch them via SMTP (email), SNMP or WMI.

To enable an SMTP alert:

1. Expand the Private or Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
2. Right-click the search and select the Alert | Enable Transport | SMTP command.
   -OR-
   Open the Alert tab and select the SMTP check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the search definition and select Show Properties.)
3. In the Alert Custom Email dialog that opens, specify the recipients of the alert email.
   NOTE: You can enter an individual email address or distribution list address in the To, Cc or Bcc fields. You can also send the alert notification to additional recipients by selecting the appropriate check box, as described below:
   Add Who - Select this check box to send an alert to the user who initiated the change that triggered the alert.
   Add Users - When selected, alerts for user object changes are sent to the user; alerts for mailbox objects are sent to the mailbox owner.
   Add Managers - When selected, alerts for user object changes are sent to the user's manager (if set); alerts for group objects are sent to the managed-by user (if set). Alerts for mailbox objects are sent to the owner's manager (if set).
   Once a check box is selected, select the corresponding option to add it to the To, Cc or Bcc field.
   Once you have finished specifying the recipient email addresses, click OK to save your selections and close the dialog.
4. By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to it will be applied to ALL alerts.)
5. If you want to specify under what conditions an alert is to be sent, select the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
   By default, a smart alert is generated when the event occurs on any object the specified number of times. You can, however, select the On a Single Object option to have the smart alert triggered only when the event occurs on the same object the specified number of times.
   NOTE: If using the Alert tab, be sure to click Save to save the alert definition.

Once the alert is enabled, the following columns in the Search list change for the selected search:

Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’
Alert To - displays the email address of any users who are to receive the alert email
Alert Cc - if specified, displays the email address of any users who are to receive a copy of the alert email
Alert Bcc - if specified, displays the email address of any users who are to receive a blind copy of the alert email
To enable an SNMP alert:

1. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
2. Right-click the search and select Alert | Enable Transport | SNMP.
   -OR-
   Open the Alert tab at the bottom of the page, select the SNMP check box, then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select Show Properties.)
3. By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to it will be applied to ALL alerts.)
4. If you want to specify under what conditions an alert is to be sent, select the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.
   By default, a smart alert is generated when the event occurs on any object the specified number of times. You can, however, select the On a Single Object option to have the smart alert triggered only when the event occurs on the same object the specified number of times.
   NOTE: If using the Alert tab, be sure to click Save to save the alert definition.

Once the alert is enabled, the following columns in the Search list change for the selected search:

Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’
To enable a WMI alert:

1. Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
2. Right-click the search and select the Alert | Enable Transport | WMI command.
   -OR-
   On the Alert tab, select the WMI check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
3. By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to it will be applied to ALL alerts.)
   NOTE: If using the Alert tab, be sure to click Save to save the alert definition.

Once the alert is enabled, the following columns in the Search list change for the selected search:

Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’

Disable alerts

To disable an alert:

1. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list box in the right-hand pane.
2. Right-click the alert and select Alert | Disable Alert. A message box is displayed asking you to confirm that you want to disable the alert. Click Yes.
   -OR-
   Open the Alert tab and clear the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click the Save button to apply the change.

When the alert is disabled, the Alert column displays ‘Disabled’.

In addition to disabling an alert, you can also disable the alerting transports for an alert-enabled search.

To disable the SMTP transport:

1. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
2. Right-click the alert and select Alert | Disable Transport | SMTP. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   -OR-
   Open the Alert tab, clear the SMTP check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click Save to apply the change.

To disable the SNMP transport:

1. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
2. Right-click the alert and select Alert | Disable Transport | SNMP. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   -OR-
   Open the Alert tab, clear the SNMP check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select Show Properties.)
   NOTE: If using the Alert tab, click Save to apply the change.

To disable the WMI transport:

1. Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
2. Right-click the alert and select Alert | Disable Transport | WMI. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
   -OR-
   Open the Alert tab, clear the WMI check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
   NOTE: If using the Alert tab, click Save to apply the change.