Chat now with support
Chat with Support

Change Auditor 7.2 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection

Introduction

Change Auditor provides predefined reports which allow you to quickly retrieve valuable configuration change information from various perspectives.

* 
NOTE: The terms ‘searches’ and ‘reports’ are used in conjunction to acquire the wanted output. You run a ‘search’ and the results returned are referred to as a ‘report’.
To run a built-in search:
1
Click the Searches tab or select View | Searches to open the Searches page.
2
Expand and select the appropriate folder in the explorer view to display the list of search definitions stored in the selected folder.
3
In the right pane, locate the search to run and use one of the following methods to run the selected search:
Double-click a search definition
Right-click a search definition and select Run
Select the search definition and click Run
4
A new Search Results page displays populated with the audited events that met the search criteria defined in the selected search definition.

This guide contains a list of the all the built-in reports provided with Change Auditor. They are listed according to the folder structure under the Shared folder on the Searches page.

* 
NOTE: Many of the built-in reports are only available when the appropriate Change Auditor license is applied For example, to capture Exchange events, Quest® Change Auditor for Exchange must be licensed. Some built-in reports also require auditing templates to define the auditing scope. For example, to capture File System events, you must first define a template to specify the files and folders and events to audit.

Change Auditor does not prevent you from running any of the built-in reports; however, associate events are not captured unless the proper license and auditing template is applied. See the individual Change Auditor user guides for more information about auditing key environments.

Built-in reports

The following criteria defines the contents of the default ‘My Favorite’ report that is displayed on the Overview page:

Change Auditor Real-Time
Who = All Users
What = All Event Classes
Where = All sources
When = Last 20 minutes
Origin = All workstations/servers
 

The other built-in reports provided with Change Auditor are available under the following folders:
Active Directory Federation Services
AD Query
All Events
Authentication Services
Azure Active Directory
Defender
Office 365
Logon Activity
Skype for Business
Recommended Best Practices
Regulatory Compliance
Security
SharePoint
SQL Data Level

Active Directory Federation Services

All Active Directory Federation Services sign-ins in the last 24 hours
Who = All Users
What = Active Directory Federation Services - Sign-in facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Claims Provider Trust events in the last 30 days
Who = All Users
What = Active Directory Federation Services - Claims Provider Trusts facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
All Endpoint events in the last 30 days
Who = All Users
What = Active Directory Federation Services - Endpoints facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
All Successful Active Directory Federation Services sign-ins in the last 24 hours
Who = All Users
What = Successful Active Directory Federation Services sign-in
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Failed Active Directory Federation Services sign-ins in the last 7 days
Who = All Users
What = Failed Active Directory Federation Services sign-in
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Authentication Method events in the last 30 days
Who = All Users
What = Active Directory Federation Services - Authentication Methods facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
All Relying Party Trust events in the last 30 days
Who = All Users
What = Active Directory Federation Services - Relying Party Trusts facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers

AD Query

* 
NOTE: By default, the AD Query reports include the following information on the Search Results page: Origin, LDAP Attributes, LDAP Scope, LDAP Filter, LDAP Type, LDAP Occurrences, LDAP Elapsed, LDAP Since, and LDAP Results. These additional columns are defined using the Layout tab.
All AD Queries grouped by AD search filter
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout tab - Order By: Time Detected (Not Grouped); LDAP Filter (Grouped)
All AD Queries grouped by AD starting point
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); Object Canonical (Grouped)
All AD Queries grouped by number of results
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); LDAP Results (Grouped)
All AD Queries grouped by originating hostname\IP address
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); Origin (Grouped)
All AD Queries grouped by time elapsed (query run time)
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); LDAP Elapsed (Grouped)
All AD Queries in the last 1 week
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All AD Queries in last 30 days
Who = All Users
What = AD Query Performed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating