Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Change Auditor 7.0.4 - Built-in Reports Reference Guide

Table of Contents

Introduction Built-in reports

AD Query All Events Authentication Services Azure Active Directory Defender Office 365

Exchange Online OneDrive for Business SharePoint Online

Logon Activity Skype for Business Recommended Best Practices

Auditing Service Administrator Activity

Domain Wide Configuration Activity | Domain Admins Forest Changes by Activity Forest Wide Configuration Activity | Enterprise Admins Forest Wide Configuration Activity | Schema Admins Service Admins Group Membership

Domain Controller Changes Domain-Level Changes Exchange Forest-Level Changes Severity Based Changes SQL

Regulatory Compliance

FISMA (Federal Information Security Management Act)

NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption

GLBA (Gramm-Leach-Bliley Act)

6801 – Protection of Non Public Personal Information | 6801(a) – Privacy Obligation Policy 6805 – Enforcement | 6805(b) – Enforcement of Section 6801

Administrative Control Audit and Accountability Responsibility of the Controller Integrity and Confidentiality Security of Processing

HIPAA (Health Insurance Portability and Accountability Act)

164.308 – Administrative Safeguards | Security Management 164.308 – Administrative Safeguards | Workforce Security 164.308 – Administrative Safeguards | Information Access Management 164.308 – Administrative Safeguards | Security Awareness and Training 164.310 – Physical Safeguards | Standard Workstation Security 164.310 – Physical Safeguards | Standard Workstation Use 164.312 – Technical Safeguards | Standard Person or entity authentication 164.312 – Technical Safeguards | Standard Access Control 164.312 – Technical Safeguards | Standard Audit Control

Payment Card Industry

Build and Maintain a Secure Network and Systems Implement Strong Access Control Measures Maintain a Vulnerability Management Program Regularly Monitor and Test Networks

SAS 70 (Statement on Auditing Standards, Service Organizations)

Service Auditor's Reports: Type I

SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)

Section 404 | Acquisition and Implementation Section 404 | Delivery and Support Section 404 | Planning and Organization

Access Control - Administrator Account Activity Access Control - Administrator Group Activity Access Control – File System Access Management Computer Activity Critical GPO Changes Domain Controller Security

Domain Controller Configuration Changes

Domain Security Exchange Group Activity Group Management Organizational Unit Management

Group Policy Changed last 30 days

Severity Based Changes Trust Activity User Activity User Management

SharePoint SQL Data Level Threat Detection VMware

164.310 – Physical Safeguards | Standard Workstation Security

| Standard Workstation Security

Detailed list of GPO workstation access modifications

Who = All Users

What = Deny Access to this Computer from the Network Policy Changed; Access this Computer from the Network Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of user workstation access modifications

Who = All Users

What = User userWorkstations Added; User userWorkstations Removed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

164.310 – Physical Safeguards | Standard Workstation Use

| Standard Workstation Use

Detailed list of GPO disk access modifications

Who = All Users

What = Devices: Restrict CD-ROM Access to Locally Logged-on User Only Policy Changed; Devices: Allowed to Format and Eject Removable Media Policy Changed; Devices: Restrict Floppy Access to Locally Logged-Out User Only Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of hard disk modifications

Who = All Users

What = Disk Size Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of GPO workstation access modifications

Who = All Users

What = Deny Access to this Computer from the Network Policy Changed; Access this Computer from the Network Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

164.312 – Technical Safeguards | Standard Person or entity authentication

| Standard Person or entity authentication

All Defender events in last 30 days

Who = All Users

What = Defender facility

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender – Member added to access node in last 30 days

Who = All Users

What = Member Added to Access Node

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender – Member removed from access node in last 30 days

Who = All Users

What = Member Removed from Access Node

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender access node added in last 30 days

Who = All Users

What = Defender Access Node Added

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender access node removed in last 30 days

Who = All Users

What = Defender Access Node Removed

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender password events in last 30 days

Who = All Users

What = Defender Password Changed; Defender Password Cleared; Defender Password Expiry Cleared; Defender Password Expiry Set; Defender Password Set

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender policy added in last 30 days

Who = All Users

What = Defender Policy Added

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Defender policy change events in last 30 days

Who = All Users

What = Defender Policy Changed for Access Node; Defender Policy Changed for Group; Defender Policy Changed for Security Server; Defender Policy Changed for User

Where = All sources

When = Last 30 days

Origin = All workstations/servers

164.312 – Technical Safeguards | Standard Access Control

| Standard Access Control

Automatic Logoff

Detailed list of Authentication modifications

Who = All Users

What = Deny Log On Locally Policy Changed; Deny Log On As a Service Policy Changed; Deny Access to this Computer from the Network Policy Changed; Allow Log On Through Terminal Services Policy Changed; Allow Log On Locally Policy Changed; Deny Log On As a Batch Job Policy Changed; Deny Log On Through Terminal Services/Remote Desktop Services Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of dial-in modifications

Who = All Users

What = User Dial-in Static Route Added; User Dial-in Static Route Removed; User Dial-in Callback Options Changed; User Dial-in Static IP Address Changed; User Dial-in Remote Access Permission Changed; User Dial-in Verify Caller ID Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of forced logoff modifications

Who = All Users

What = Network Security: Force Logoff When Logon Hours Expire Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of GPO workstation access modifications

Who = All Users

What = Deny Access to this Computer from the Network Policy Changed; Access this Computer from the Network Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of logon hours modifications

Who = All Users

What = User logonHours Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of user account policy modifications

Who = All Users

What = Maximum Password Age Policy Changed; Enforce Password History Policy Changed; Account Lockout Threshold Policy Changed; Account Lockout Duration Policy Changed; Enforce User Logon Restrictions Policy Changed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Detailed list of user workstation modifications

Who = All Users

What = User userWorkstations Added; User userWorkstations Removed

Where = All sources

When = Last 7 days

Origin = All workstations/servers

Unique User Identification

Authentication Services

Users set to UNIX-enabled and created in last 30 days

Who = All Users

What = UNIX-Enabled Changed for User

Where = All sources

When = Last 30 days

Origin = All workstations/servers

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center