Chat now with support
Chat with Support

Change Auditor 7.1.1 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Search Results page

A new results page is created whenever a search is run. When a search is run, this page displays detailed information about the events found as a result of the search. This page consists of the following panes:
Search Results grid
Search Properties tabs or Event Details pane

Search Results grid

The Search Results grid displays the events captured as a result of running a search from the Searches page. The top area of the grid displays the following information:

Run on
Displays the date and time when the search was run.
* 
NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.
Run Time
Displays the amount of time it took to run the search.
Records
Displays the total number of records returned.
Refresh
Use the Refresh button to redisplay the latest information.
Cancel
When a large number of records are being captured for display, the Refresh button will become a Cancel button allowing you to cancel the search.
 

By default, the grid contains the following information about the events returned when a search is run. (You can specify the columns, sort order and grouping for a search, as well as the display format by using the Layout search properties tab.)

 
Table 1. Search Results grid: Event information displayed by default
Column
Description

Action

Displays what change was made to the object.

AD Failure Reason

Displays the reason for the Active Directory failed event.

AD Failure Status Code

Displays the failure code for the Active Directory failed event.

Coordinator ID

The coordinator that processed the event.

Domain

Displays the name of the domain to which the agented server belongs.

Event

Displays the type of change that occurred.

Facility

Defines the event class facility to which the change event belongs.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid states are:
Success - Indicates the operation occurred as stated in the event.
Protected - Indicates that the operation was prevented from occurring because the object is protected by the Change Auditor object locking feature.
Failed - indicates that the operation was prevented from occurring due to a factor/setting outside of Change Auditor’s control.
None - indicates that the operation occurred as stated, but no results were captured for the event. For example, this state is used for most of the internal Change Auditor events.

Server

Displays the name of the server where the change occurred.

Severity

Displays the severity assigned to a configuration change event:
High
Medium
Low

Site

Displays the name of the site where the agented server resides.

Subsystem

Defines the subsystem, or area of auditing, where the change event occurred.

Time Detected

Displays the date and time when the agent captured the event.

NOTE: Based on the client’s current local date and time. The format used to display this date and time is determined by the local machine’s regional and language setting.
NOTE: For Azure Active Directory sign in events the time detected in the search results references the sign-in time.

User

Displays the name of the user who initiated the change.

Search Properties tabs

From a Search Results page, use the Search Properties tool bar button to display the Search Properties tabs across the bottom of the screen. This view consists of tabbed pages defining the criteria or properties which make up the selected search.

For a detailed description of the Info, Who, What, Where, Origin and Layout tabs and how to use them to create a custom search, refer to Custom Searches and Search Properties. For more information about the Alert tab, see Enable Alert Notifications and the Report tab, see Generate and Schedule Reports.

Event Details pane

Use the Event Details button on a Search Results page, Overview page, or Alert History page to display the Event Details pane. You can also double-click an event in the search results grid to display the Event Details pane for the selected event.

The following details about the selected event selected are available:

 
* 
NOTE: All dates and times are based on the client’s current local date and time. The format used to display the date and time is determined by the local computer’s regional and language setting.
 
Table 2. Event Detail pane: Field descriptions
Field
Description

Severity

The severity level assigned to the search is displayed in the upper left-hand corner.

Who

This field specifies the name of the user who initiated the change. If available, the display name of the user account is also displayed in parenthesis.

When

This field specifies the date and time when the change occurred.

Where

This field displays the name of the server where the change occurred.

Source

This field displays the source of the event:

Change Auditor
Active Roles
GPOADmin
NOTE: When the event is generated from Active Roles or GPOADmin, the name of the user account that initiated the event is displayed in parenthesis.
NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest integration scripts. If you want to take advantage of the additional events and initiator account information captured using the new integration scripts, ensure you are running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.5 (or higher).

Origin

This field displays the NetBIOS name and IP address of the workstation or server from which the event was generated.

What

Displays a brief description of the change that occurred. There are three basic types of events generated that determine the ‘what’ information that will be displayed:
Occurrence events (such as an object is created or deleted)
Change events
Delta events (such as DACL/SACL changes)

Depending on the type of event, additional details may be displayed at the bottom of this pane.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid states are:
Success (Green) - Indicates that the operation occurred as stated in the event.
Protected (Yellow) - Indicates that the operation was prevented from occurring because the object is being protected by the Change Auditor object locking feature
Failed (Red) - Indicates that the operation was prevented from occurring due to a factor/setting outside of Change Auditor’s control.
None (Green) - Indicates that the operation occurred as stated, but no results were captured for the event. For example, this state is used for most of the internal Change Auditor events.

Subsystem

The first field defines the subsystem, or area of monitoring, where the change event occurred (for example, Active Directory, Service, or Group Policy).

Action

This field defines the action associated with the selected event.

Facility

This field defines the event class facility to which the change event belongs.

Class

For Active Directory and Exchange events, this field displays the object class that was modified, such as user, group, computer, nTDSConnection, CrossRefContainer.

Attribute

If an attribute has been added, deleted or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified (for example, Global (Security), Domain Local (Security)).

For AD Query events, this field displays the type of query:

LDAP
GC

Object

For Active Directory and Exchange events, this field displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Port

For Active Directory, AD Query, and Exchange events, this field indicates the port used for authentication.

Scope

For AD Query events, this field displays the scope of coverage:

This object only
This object and all children

Results

For AD Query events, this field displays the number of results returned as a result of the query.

Occurrences

For AD Query events, this field displays the number of times the AD query occurred during the specified interval.

Since

For AD Query events, this field displays the date and time when the AD query was first initiated.

Elapsed

For AD Query events, this field displays how long the AD query took to run. Zero (0) indicates that it took less than a millisecond to complete.

Filter

For AD Query events, this text box displays the filter string used in the AD query.

Attributes

For AD Query events, this text box displays the attributes that were queried.

Path

For File System events (including EMC and NetApp), this field displays the full path of the file or folder where the modification occurred.

Process

For File System events, this field is populated with the full path of the application responsible for the file change.

Service

For Service events, this field displays the name of the services that were modified.

Key

For Registry events, this field displays the name of the registry key that was modified.

Value

For Registry events, this field displays the registry value that was modified.

Policy

For Group Policy events, this field displays the name of the group policy that was modified.

Section

For Group Policy events, this field displays what section of the group policy was modified.

Item

For Group Policy events, this field displays the group policy item that was modified.

Account

For Local Account events, this field displays the local account that was modified.

From

This text box lists the old value that was assigned to the object.

To

This text box lists the new value that is now assigned to the object.

NOTE: The To and From information does not apply to permission/ACL (Access Control List) type changes and is replaced with the Changes section. This information is also not available for occurrence type events, e.g., when an object is created or deleted.

Farm

For SharePoint events, this field displays the name of the SharePoint farm to which the modified component belongs.

URL

For SharePoint events, this field displays the name of the SharePoint site to which the modified component belongs.

Target

For SharePoint events, this field displays the URL of the SharePoint item that was modified.

Audited Host

For VMware events, this field displays the IP address or name of the ESX host or vCenter server being audited (as specified in the VMware Auditing template).

Host

For VMware events, this field displays the name of the host where the change occurred.

Compute Res

For VMware events associated with compute resources, this field displays the name of the compute resource where the change occurred.

VM

For VMware events, this field displays the name of the virtual machine where the change occurred.

Net

For VMware events associated with network objects, this field displays the name of the network object where the change occurred.

Data Center

For VMware events, this field displays the name of the datacenter where the change occurred.

Store

For VMware events associated with datastore objects, this field displays the name of the datastore where the change occurred.

DVS

For VMware events associated with a Distributed Virtual Switch (DVS), this field provides the name of the DVS where the change occurred.

Mailbox

For Office 365 Exchange Online mailbox events, this field displays the account name of the online mailbox where the change occurred.

Folder

For Office 365 Exchange Online mailbox events, this field displays the folder name where the change occurred.

Cmdlet

For Office 365 Exchange Online administration events, this field displays the name of the administrative cmdlet what was run.

Object

For Office 365 Exchange Online administration events, this field displays the name of the object within the administrative cmdlet that was modified.

Logon Start

For Logon Session events, this attribute displays the date and time when the user initially logged onto the computer.

Logon End

For Logon Session events, if applicable this attribute displays the date and time when the user logged out of the computer.

Duration

For Logon Session events, depending on the event this attribute displays how long the user session lasted or how long the user was actually logged onto the computer.

Session Start

For Logon Session events, this attribute displays the date and time when the current user session began.

Session End

For Logon Session events, if applicable this attribute displays the date and time when the current user session ended.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating