Chat now with support
Chat with Support

Change Auditor 7.0.4 - Built-in Reports Reference Guide

Introduction Built-in reports
AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)

The SOX reports are available under the following folders:
Section 404 | Acquisition and Implementation
Section 404 | Delivery and Support
Section 404 | Planning and Organization

Section 404 | Acquisition and Implementation

| Acquisition and Implementation

The Acquisition and Implementation reports are available under the following folders:
BAI2.1 - Define and maintain business functional and technical requirements
BAI2.2 - Perform a feasibility study and formulate alternative solutions
BAI3.10 – Maintain solutions
Authentication Services
Computer Activity
Exchange
BAI3.9 – Manage changes to requirements
BAI6.1 – Evaluate, prioritize and authorize change requests
Organizational Unit Management
BAI6.2 – Manage emergency changes
Organizational Unit Management
BAI6.3 – Track and report change status
Organizational Unit Management
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
BAI2.1 - Define and maintain business functional and technical requirements
BAI2.2 - Perform a feasibility study and formulate alternative solutions
(Executive Summary) Identify Automated Solutions

A summary report containing events from all of the following reports.

Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all schema changes
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Maintain solutions
(Executive Summary) BAI3.10 - Acquire and Maintain Technology Infrastructure

A summary report containing events from all of the following reports.

(Executive Summary) BAI3.10 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.10 – Detailed list of all hot fixes applied
Who = All Users
What = Hotfix Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of hot fixes rolled back
Who = All Users
What = Hotfix Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs applied
Who = All Users
What = Computer Service Pack Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs rolled back
Who = All Users
What = Computer Service Pack Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Authentication Services
BAI3.10 – Authentication Services computers added in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Authentication Services computers deleted in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computer Activity
BAI3.10 – Computers added in the last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers disabled in the last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers enabled in the last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers moved in the last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers removed in the last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers renamed in the last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Exchange
BAI3.10 – OWA Website Added to Server
Who = All Users
What = OWA Web Site Added to Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Removed from the Server
Who = All Users
What = OWA Web Site Removed from Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Renamed
Who = All Users
What = OWA Web Site Renamed on Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.9 – Manage changes to requirements
(Executive Summary) BAI3.9 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.9 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI6.1 – Evaluate, prioritize and authorize change requests
BAI6.2 – Manage emergency changes
BAI6.3 – Track and report change status
(Executive Summary) Develop and Maintain Procedures

A summary report containing events from all of the following reports.

(Executive Summary) Ensure Continuous Service

A summary report containing events from all of the following reports.

(Executive Summary) Manage Changes

A summary report containing events from all of the following reports.

Detailed list of authorized changes made during business hours
Who = All Users
What = All categories
Where = All sources
When = From 08:00 PM to 05:00 AM
Origin = All workstations/servers
Detailed list of unauthorized changes made during business after hours
Who = All Users
What = All categories
Where = All sources
When = From 05:00 PM to 08:00 AM
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of computer modifications
Who = All Users
What = Custom Computer Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of DNS modifications
Who = All Users
What = DNS Service facility; DNS Zone facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain modifications
Who = All Users
What = Domain Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controller
Who = All Users
What = Configuration Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Exchange modifications
Who = All Users
What = Exchange Administrative Group facility; Exchange Distribution List facility; Exchange Organization facility; Exchange Permission Tracking facility; Exchange Security Group facility; Exchange User facility
Where = All sources
When = Last 7 days
Origin = All workstations/server
Detailed list of Exchange infrastructure modifications
Who = All Users
What = Exchange Organization facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of fault tolerance modifications
Who = All Users
What = Fault Tolerance facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system modifications
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of forest modifications
Who = All Users
What = Forest Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of group modifications
Who = All Users
What = Custom Group Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of IP modifications
Who = All Users
What = IP Security facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NETLOGON Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of registry modifications
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of replication modifications
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service modifications
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of site modifications
Who = All Users
What = Site Configuration facility; Site Link Configuration facility; Site Link Bridge Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user modifications
Who = All Users
What = Custom User Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of subnet modifications
Who = All Users
What = Subnets facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Organizational Unit Management
Organizational Units Added in Last 30 days
Who = All Users
What = Subordinate OU added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Deleted in Last 30 days
Who = All Users
What = Subordinate OU removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Renamed in Last 30 days
Who = All Users
What = Subordinate Ou renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units set to block GPO inheritance in Last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
(Executive Summary) Install and Accredit Systems

A summary of reports containing events from all of the following reports.

Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Section 404 | Delivery and Support

| Delivery and Support

The Delivery and Support reports are available under the following folders:
APO9.2 – Catalogue IT-enabled services
APO9.4 – Monitor and report service levels
BAI10.3 – Maintain and control configuration items
BAI10.4 – Produce status and configuration reports
BAI10.5 – Verify and review integrity of the configuration repository
BAI4.1 – Assess current availability, performance and capacity and create a baseline
BAI4.3 – Plan for new or changed service requirements
BAI4.4 – Monitor and review availability and capacity
BAI4.5 – Investigate and address availability, performance and capacity issues
DSS1.1 – Perform operational procedures
DSS1.3 – Monitor IT infrastructure
DSS3.1 – Identify and classify problems
DSS3.2 – Investigate and diagnose problems
DSS3.5 – Perform proactive problem management
DSS5.1 – Protect against malware
Antivirus Scanning
Defender
Group Management
Service Pack and Hotfixes
User Management
DSS5.2 – Manager network and connectivity security
Antivirus Scanning
Defender
Group Management
Service Pack and Hotfixes
User Management
DSS5.3 – Manage endpoint security
Antivirus Scanning
Defender
Group Management
Service Pack and Hotfixes
User Management
DSS5.4 – Manager user identity and logical access
Antivirus Scanning
Defender
Group Management
Service Pack and Hotfixes
User Management
DSS5.6 – Manage sensitive documents and output devices
Access Control - File System
Authentication Services
Dynamic Access Control - DAC
Dynamic Access Control - DAC
EMC
Exchange
NetApp
SharePoint
SQL
DSS5.7 – Monitor the infrastructure for security-related events
Access Control - File System
Authentication Services
Dynamic Access Control - DAC
Dynamic Access Control - DAC
EMC
Exchange
NetApp
SharePoint
SQL
DSS6.6 – Secure information assets
Access Control - File System
Authentication Services
Dynamic Access Control - DAC
Dynamic Access Control - DAC
EMC
Exchange
NetApp
SharePoint
SQL
APO9.2 – Catalogue IT-enabled services
APO9.4 – Monitor and report service levels
(Executive Summary) Define and Manage Service Levels
A summary report containing events from all of the following reports.
(Executive Summary) Manage Third Party Services

A summary report containing events from all of the following reports.

Detailed list of DNS modifications
Who = All Users
What = DNS Service facility; DNS Zone facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controller modifications
Who = All Users
What = Configuration Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controller removed
Who = All Users
What = Configuration Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NetLOGON Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NTDS modifications
Who = All Users
What = NTDS Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of replication modifications
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service modifications
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Users enabled in last 30 days
Who = All Users
What = User Account Enabled; User Account re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users deleted in last 30 days
Who = All Users
What = User Account Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added in last 30 days
Who = All Users
What = User Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users logon hours changed in last 30 days
Who = All Users
What = User logonhours changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
 
BAI10.3 – Maintain and control configuration items
BAI10.4 – Produce status and configuration reports
BAI10.5 – Verify and review integrity of the configuration repository
(Executive Summary) Manage the Configuration

A summary report containing events from all of the following reports.

Detailed list of all Active Directory modifications
Who = All Users
What = Active Directory subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all Exchange modifications
Who = All Users
What = Exchange Administrative Group facility; Exchange Distribution List facility; Exchange Organization facility; Exchange Permission Tracking facility; Exchange Security Group facility; Exchange User facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all file system modifications
Who = All Users
What = File System subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all registry modifications
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI4.1 – Assess current availability, performance and capacity and create a
baseline
BAI4.3 – Plan for new or changed service requirements
BAI4.4 – Monitor and review availability and capacity
BAI4.5 – Investigate and address availability, performance and capacity issues
(Executive Summary) Manage Performance and Capacity

A summary report containing events from all of the following reports.

Detailed list of disk size modifications
Who = All Users
What = Disk Size Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of memory modifications
Who = All Users
What = Memory Amount Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NETLOGON Service facility
Where = All sources
Where = All sources
When = Last 7 days
Origin = All workstations/servers
DSS1.1 – Perform operational procedures
DSS1.3 – Monitor IT infrastructure
(Executive Summary) Manage Operations

A summary report containing events from all of the following reports.

Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled; Change Auditor Agent Connected
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of computer modifications
Who = All Users
What = Custom Computer Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain modifications
Who = All Users
What = Domain Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Exchange modifications
Who = All Users
What = Exchange Distribution List facility; Exchange Permission Tracking facility; Exchange Security Group facility; Exchange Administrative Group facility; Exchange User facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system modifications
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of group modifications
Who = All Users
What = Custom Group Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of OU modifications
Who = All Users
What = OU facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user modifications
Who = All Users
What = Custom User Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
DSS3.1 – Identify and classify problems
DSS3.2 – Investigate and diagnose problems
DSS3.5 – Perform proactive problem management
(Executive Summary) Manage Problems and Incidents

A summary report containing events from all of the following reports.

Detailed list of all high severity modifications
Who = All Users
What = Severity | High
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all low severity modifications
Who = All Users
What = Severity | Low
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all medium severity modifications
Who = All Users
What = Severity | Medium
Where = All sources
When = Last 7 days
Origin = All workstations/servers
DSS5.1 – Protect against malware
DSS5.2 – Manager network and connectivity security
DSS5.3 – Manage endpoint security
DSS5.4 – Manager user identity and logical access
DSS5.7 – Monitor the infrastructure for security-related events
(Executive Summary) Ensure Systems Security

A summary report containing events from all of the following reports.

(Executive Summary) Identify and Allocate Costs

A summary report containing events from all of the following reports.

Detailed list of audit policy modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Audit: Audit the Use of Backup and Restore Privilege Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit Privilege Use Policy Changed; Audit System Events Policy Changed; Audit Process Tracking Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Account Management Policy Changed; Audit Policy Change Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of computers added
Who = All Users
What = Computers Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of DACL (permissions) modifications
Who = All Users
What = DACL Changed on Group Object; DACL Changed on OU Object; DACL Changed on User Object; DACL Changed on AdminSDHolder Object; DACL Changed on Exchange Group Object (Exchange 2003); DACL Changed on Domain Object; DACL Changed on Computer Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controllers added
Who = All Users
What = Domain Controller Added to Domain
Where = All sources
When = Last 7 days
Origin = All domain controllers
Detailed list of Exchange permission modifications
Who = All Users
What = Exchange Permission Tracking facility; Mailbox Rights Changed for User
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system permission modifications
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed; Local Share Permissions Changed; SYSVOL Folder Access Rights Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit: Audit the use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of share modifications
Who = All Users
What = Active Directory Share Added; Active Directory Share Removed; Local Share Added; Local Share Folder Path Changed; Local Share Permissions Changed; Local Share Removed; SYSVOL Folder Access Rights Changed; SYSVOL Folder Auditing Changed; SYSVOL Folder Ownership Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Antivirus Scanning
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Defender
All Defender events in last 30 days
Who = All Users
What = Defender facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member added to access node in last 30 days
Who = All Users
What = Member Added to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member removed from access node in last 30 days
Who = All Users
What = Member Removed from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node added in last 30 days
Who = All Users
What = Defender Access Node Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node removed in last 30 days
Who = All Users
What = Defender Access Node Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender password events in last 30 days
Who = All Users
What = Defender Password Changed; Defender Password Cleared; Defender Password Expiry Cleared; Defender Password Expiry Set; Defender Password Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy added in last 30 days
Who = All Users
What = Defender Policy Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy change events in last 30 days
Who = All Users
What = Defender Policy Changed for Access Node; Defender Policy Changed for Group; Defender Policy Changed for Security Server; Defender Policy Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy removed in last 30 days
Who = All Users
What = Defender Policy Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload added in last 30 days
Who = All Users
What = Defender RADIUS Payload Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload change events in last 30 days
Who = All Users
What = Defender RADIUS Payload Changed for Access Node; Defender RADIUS Payload Changed for Group; Defender RADIUS Payload Changed for Security Server; Defender RADIUS Payload Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload removed in last 30 days
Who = All Users
What = Defender RADIUS Payload Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server added in last 30 days
Who = All Users
What = Defender Security Server Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server assigned to access node in last 30 days
Who = All Users
What = Defender Security Server Assigned to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server removed in last 30 days
Who = All Users
What = Defender Security Server Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server unassigned from access node in last 30 days
Who = All Users
What = Defender Security Server Unassigned from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender temporary response events in last 30 days
Who = All Users
What = Defender Token Temporary Response Cleared; Defender Token Temporary Response Set; Defender Token Temporary Response Usage Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token added in last 30 days
Who = All Users
What = Defender Token Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token assigned in last 30 days
Who = All Users
What = Defender Token Assigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token PIN events in last 30 days
Who = All Users
What = Defender Token PIN Changed; Defender Token PIN Cleared; Defender Token PIN Expiry Cleared; Defender Token PIN Expiry Set; Defender Token PIN Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token removed in last 30 days
Who = All Users
What = Defender Token Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token unassigned in last 30 days
Who = All Users
What = Defender Token Unassigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Management
Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group permissions changed in last 30 days
Who = All Users
What = DACL Changed on Group Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group type changes in last 30 days
Who = All Users
What = Group Type Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Service Pack and Hotfixes
Detailed list of all hot fixes applied
Who = All Users
What = Hotfix Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of hot fixes rolled back
Who = All Users
What = Hotfix Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service packs applied
Who = All Users
What = Computer Service Pack Applied; Domain Controller Service Pack Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service packs rolled back
Who = All Users
What = Domain Controller Service Pack Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
User Management
Changes to user profiles in last 30 days
Who = All Users
What = Home Folder Changed on User Object; Home Folder Mapped Drive Changed on User Object; Level of Control Changed for User Object; Primary Group ID Changed for User Object; Profile Path Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permissions on user accounts changed in last 30 days
Who = All Users
What = DACL Changed on User Object; Required User’s Permissions Changed for User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added in last 30 days
Who = All Users
What = User Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added to group in last 30 days
Who = All Users
What = User Member-of Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users deleted in last 30 days
Who = All Users
What = User Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users display name changed in last 30 days
Who = All Users
What = Display Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
DSS5.6 – Manage sensitive documents and output devices
DSS6.6 – Secure information assets
(Executive Summary) Manage Data

A summary report containing events from all of the following reports.

Detailed list of audit policy modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Audit: Audit the Use of Backup and Restore Privilege Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit Privilege Use Policy Changed; Audit System Events Policy Changed; Audit Process Tracking Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Account Management Policy Changed; Audit Policy Change Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled; Change Auditor Agent Connected
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Object Policy Changed; Audit: Audit the Use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audit Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Access Control - File System
Directory shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Directory shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder attribute changed in last 30 days
Who = All Users
What = File Attribute Changed; Folder Attribute Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder modified date changed in last 30 days
Who = All Users
What = File Last Write Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder renamed in last 30 days
Who = All Users
What = File Renamed; Folder Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share auditing changed in last 30 days
Who = All Users
What = Local Share Auditing changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services
Authentication Services computers added in last 30 days
Who = All Users
What = Authentication Services Computer object added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services computers deleted in last 30 days
Who = All Users
What = Authentication Services Computer object deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX home directory changed in last 30 days
Who = All Users
What = UNIX Home Directory Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX login shell changed in last 30 days
Who = All Users
What = UNIX Login Shell Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled groups deleted in last 30 days
Who = All Users
What = UNIX-Enabled Group Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled users deleted in last 30 days
Who = All Users
What = UNIX-Enabled User Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Dynamic Access Control - DAC
All Dynamic Access Control Events
Who = All Users
What = Dynamic Access Control
Where = All sources
When = Last 7days
Origin = All workstations/servers
EMC
EMC file access rights changed
Who = All Users
What = EMC file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents written
Who = All Users
What = EMC file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents created
Who = All Users
What = EMC file contents created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents deleted
Who = All Users
What = EMC file contents deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents moved
Who = All Users
What = EMC file contents moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents opened
Who = All Users
What = EMC file contents opened
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file ownership changed
Who = All Users
What = EMC file ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file renamed
Who = All Users
What = EMC file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder access rights changed
Who = All Users
What = EMC folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder created
Who = All Users
What = EMC folder created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder deleted
Who = All Users
What = EMC folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder moved
Who = All Users
What = EMC folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder ownership changed
Who = All Users
What = EMC folder ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder renamed
Who = All Users
What = EMC folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
Exchange
All Exchange Administrative Group Events
Who = All Users
What = Exchange Administrative Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Distribution List (Goup) Events
Who = All Users
What = Exchange Security Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Permission Tracking Events
Who = All Users
What = Exchange Permission Tracking facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
NetApp
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights (no from value)
Who = All Users
What = NetApp file access rights (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file contents written
Who = All Users
What = NetApp file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file created
Who = All Users
What = NetApp file created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file deleted
Who = All Users
What = NetApp file deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file moved
Who = All Users
What = NetApp file moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file opened
Who = All Users
What = NetApp file opened
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed (no from value)
Who = All Users
What = NetApp file access rights changed (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file renamed
Who = All Users
What = NetApp file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder created
Who = All Users
What = NetApp folder created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder deleted
Who = All Users
What = NetApp folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder moved
Who = All Users
What = NetApp folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed (no from value)
Who = All Users
What = NetApp folder access rights changed (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder renamed
Who = All Users
What = NetApp folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
SharePoint
Permission changes in the last 7 days
Who = All Users
What = All permission levels revoked; Permission level created; Permission level deleted; Permission level granted; Permission level permissions modified; Permission level revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Permission inheritance changes in the last 7 days
Who = All Users
What = Permission inheritance broken; Permission inheritance restored; Permission level inheritance broken; Permission level permissions modified
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups created and deleted in the last 7 days
Who = All Users
What = Security group created; Security group deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups membership changes in the last 7 days
Who = All Users
What = Member added to security group; Member removed from security group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection ownership changes in the last 7 days
Who = All Users
What = Site collection ownership granted; Site collection ownership revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collections created and deleted in the last 7 days
Who = All Users
What = Site collection created; Site collection deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites created and deleted in the last 7 days
Who = All Users
What = Site created; Site deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites moved in the last 7 days
Who = All Users
What = Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
SQL
All SQL Add Roles, User, and Login Events in the last 24 hours
Who = All Users
What = Audit Add DB User; Audit Add Login; Audit Add Login to Server Role; Audit Add Member to DB Role; Audit Add Role
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
Audit Add Login
Who = All Users
What = Audit Add Login
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Login to Server Role
Who = All Users
What = Audit Add Login to Server Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Member to DB Role
Who = All Users
What = Audit Add Member to DB Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Role
Who = All Users
What = Audit Add Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database
Who = All Users
What = Audit Alter Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Object
Who = All Users
What = Audit Alter Database Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Principal
Who = All Users
What = Audit Alter Database Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Object Derived Permission
Who = All Users
What = Audit Alter Object Derived Permission
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Schema Object
Who = All Users
What = Audit Alter Schema Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Object
Who = All Users
What = Audit Alter Server Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Principal
Who = All Users
What = Audit Alter Server Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Drop Database
Who = All Users
What = Audit Drop Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Drop DB User
Who = All Users
What = Audit Drop DB User
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Section 404 | Planning and Organization

| Planning and Organization

The Planning and Organization reports are available under the following folder:
Manage Contract Staff
Manage Contract Staff
(Executive Summary) Manage Human Resources

A summary report containing events from all of the following reports.

Detailed list of disabled user accounts
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of enabled user accounts
Who = All Users
What = User Account Enabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of expired user accounts
Who = All Users
What = User accountExpires Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user dial-in modifications
Who = All Users
What = User Dial-in Static Route Added; User Dial-in Static Route Removed; User Dial-in Callback Options Changed; User Dial-in Static IP Address Changed; User Dial-in Remote Access Permission Changed; User Dial-in Verify Caller ID Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user Exchange mailbox modifications
Who = All Users
What = Mailbox Enabled for User; Mail Disabled for User; Mailbox Rights Changed for User; Mailbox Disabled for User; Mail Enabled for User; Email Addresses Changed for User
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user name modifications
Who = All Users
What = User userPrincipalName Changed; Display Name Changed on User Object; First Name Changed on User Object; User samAccountName Changed; Last Name Changed on User Object; Domain User Renamed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user permitted logon hour modifications
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user workstation restriction modifications
Who = All Users
What = User userWorkstations Added; User userWorkstations Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
 
 
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating