
Change Auditor 7.2 - PowerShell User Guide

Copy-CASearch

Use this command to copy a search in the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-IsPublic (Optional)

An optional switch that specifies if the search is public. The default is private.

-UserSid

An optional parameter that is used (when -IsPublic is not used) to specify the SID of the user that owns the directory where the copy of the search is placed.

-Path

A parameter that specifies a path where the copy is to be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Name (Optional)

An optional parameter that specifies a new name for the copy of the search.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ? {$_.Name -eq "New Search for Employee"}

Copy-CASearch -Connection $connection -Search $search -UserSid S-1-5-21-3623811015-3361044348-30300820-1013 -Path Private\Searches\New -Name "All My Events" -PassThru

Add-CASearch

Use this command to create a search in the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-XmlSearchDefinition

An XML string or object that represents a search definition.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the new search.

-Path

A parameter that specifies a path where the new search will be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Name

A parameter that specifies a new name for the search.

-PassThru (Optional)

A switch that specifies to return the new search after the command runs.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$searchDefinition = Get-Content C:\Users\Admin\Documents\MySearchDefinition.xml

Add-CASearch -Connection $connection -XmlSearchDefinition $searchDefinition -IsPublic -Path Shared\AllSearches\New -Name "All events in the past 23 hours" -PassThru

Move-CASearch

Use this command to move a search from one folder path to another in the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the new search.

-Path

A parameter that specifies the path where the search will be placed. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Search

The search info object obtained from the Get-CASearches command.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ? {$_.Name -eq "All AD Queries in the last 30 days"}

Move-CASearch $connection -Search $search -UserSid S-1-5-21-3623811015-3361044348-30300820-1013 -Path "Shared\Skype"

Remove-CASearch

Use this command to remove a public or private search from the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-Force (Optional)

A parameter that removes the prompt before a search is removed.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ? {$_.Name -eq "All Exchange Admin Events"}

Remove-CASearch $connection -Search $search

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ? {$_.OwnerSid -eq "S-1-5-21-3623811015-3361044348-30300820-1013"} | ? {$_.FolderPath -eq "Security\Internal\Searches"} | ? {$_.Name -eq "All Search Events"}

Remove-CASearch $connection -Search $search
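A filter on Name alone can return no search or several, so the following added example (not part of the original guide) resolves exactly one search by owner SID, folder path and name before it is passed to Remove-CASearch. Resolve-CASearchExact is a hypothetical helper name; the cmdlets, properties and sample values are the ones used in the examples above.

```powershell
# Added example (not from the guide). Resolve-CASearchExact is a hypothetical helper.
function Resolve-CASearchExact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Connection,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OwnerSid,
        [Parameter(Mandatory)] [string] $FolderPath
    )

    # Filter on the same three properties the guide's second example uses.
    # -eq compares strings case-insensitively.
    $found = @(Get-CASearches $Connection | Where-Object {
        $_.Name -eq $Name -and
        $_.OwnerSid -eq $OwnerSid -and
        $_.FolderPath -eq $FolderPath
    })

    # Stop unless exactly one search matches, so nothing unintended is deleted.
    if ($found.Count -eq 0) {
        throw "No search '$Name' in '$FolderPath' owned by $OwnerSid."
    }
    if ($found.Count -gt 1) {
        throw "$($found.Count) searches match '$Name' in '$FolderPath'; refusing to pick one."
    }
    return $found[0]
}

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Resolve-CASearchExact -Connection $connection `
    -Name 'All Search Events' `
    -OwnerSid 'S-1-5-21-3623811015-3361044348-30300820-1013' `
    -FolderPath 'Security\Internal\Searches'

# -Force is deliberately omitted so Remove-CASearch still prompts before deleting.
Remove-CASearch $connection -Search $search
```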

Add-CASearchFolder

Use this command to create a search folder in the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies if the search is public. The default is private.

-UserSid

A parameter that is used (when -IsPublic is not used) to specify the SID of the user who owns the new folder.

-Path

A parameter that specifies the path to create. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

Add-CASearchFolder -Connection $connection -IsPublic -Path Shared\Searches\New

Remove-CASearchFolder

Use this command to remove a public or private folder from the installation.

-Connection

A connection obtained by using the Connect-CAClient command.

-IsPublic

A switch that specifies the folder being removed is public.

-UserSid

A parameter that is used if -IsPublic is not specified to specify the SID of the user that owns the private folder being removed.

-Path

A parameter that specifies the path to the folder to remove. The default is the root folder of the user/public folder specified with -UserSid / -IsPublic.

-Force (Optional)

An optional parameter that removes the prompt before a search is removed.

$connection = Connect-CAClient -InstallationName 'DEFAULT'

Remove-CASearchFolder $connection -IsPublic -Path Shared\Miscellaneous\OldSearches

Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by system-provided auditing. The auditing scope can be set on an individual file or folder, or on an entire file system, recursively or non-recursively. You can include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

Managing Windows file system auditing is available through the following PowerShell commands:

New-CAWindowsFSAuditObject

Use this command to define a folder or file path to audit.

NOTE:  

-IncludePath

Specifies the folder or file to audit.

-IncludePathType

Specifies the type of path to audit based on one of the following values:

-IncludeScope

 

Specifies the scope to monitor for the Includepath based on one of the following values:

-AuditEvents

The events to audit.

Use Get-CAWindowsFSEventClassInfo to get the list of event classes.

-IncludeMask (Optional)

Specifies what to include in the selected folder or file path to audit. Entering * will audit all files and folders in the selected folder.

-ExcludeFilePaths (Optional)

Specifies the names and paths of any files to exclude from auditing.

The default is set to None.

-ExcludeFolderPaths (Optional)

Specifies the names and paths of any subfolders to exclude from auditing. The default is set to None.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the selected path or folder. The default is set to false.

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" -ExcludeFilePaths "*.tmp"

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

New-CAWindowsFSAuditTemplate

Use this command to create a Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-AuditObjects

The folder or file path objects created using New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Specifies whether the template is enabled or disabled. Default is set to false.

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false
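The individual commands above leave $auditEvents, $auditObject and $excludeProcess undefined, so the following added example (not part of the original guide) chains them into one run and confirms the template exists afterwards. It assumes the objects returned by Get-CAWindowsFSEventClassInfo can be passed directly to -AuditEvents; the template name is a constructed placeholder and the excluded process name is the one used elsewhere in this guide.

```powershell
# Added example (not from the guide): build and verify a Windows FS auditing template.
$connection = Connect-CAClient -InstallationName 'DEFAULT'

# Assumption: the event class objects returned here are accepted as-is by -AuditEvents.
$auditEvents = Get-CAWindowsFSEventClassInfo -Connection $connection

# Audit the whole subtree, but skip temporary files.
$auditObjectArgs = @{
    IncludePath      = 'C:\ExampleDirectory'
    IncludePathType  = 'SystemFolder'
    IncludeScope     = 'ScopeSubTree'
    AuditEvents      = $auditEvents
    IncludeMask      = '*'
    ExcludeFilePaths = '*.tmp'
}
$auditObject = New-CAWindowsFSAuditObject @auditObjectArgs

# Activity from an excluded process is not audited, so keep this list short and reviewed.
$excludeProcess = @('avsoftware.exe')

# Constructed placeholder name for this example.
$templateName = 'ExampleDirectory-Audit'

# Refuse to create a second template with the same name.
$existing = Get-CAWindowsFSAuditTemplates -Connection $connection |
    Where-Object { $_.TemplateName -eq $templateName }
if ($existing) {
    throw "A template named '$templateName' already exists."
}

$templateArgs = @{
    Connection            = $connection
    TemplateName          = $templateName
    AuditObjects          = $auditObject
    ExcludeProcess        = $excludeProcess
    DiscardTooltipEvents  = $true
    DiscardBrowsingEvents = $true
    Disabled              = $false
}
New-CAWindowsFSAuditTemplate @templateArgs

# Confirm the template is now listed in the installation.
$created = Get-CAWindowsFSAuditTemplates -Connection $connection |
    Where-Object { $_.TemplateName -eq $templateName }
if (-not $created) {
    throw "Template '$templateName' was not found after creation."
}
```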

Remove-CAWindowsFSAuditTemplate

Use this command to delete a Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to remove. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

 

Set-CAWindowsFSAuditTemplate

Use this command to edit an existing Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to edit. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to edit.

-TemplateName (Optional)

The template name.

-AuditObjects (Optional)

The folder or file path objects created using New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Set to true or false to enable or disable the template.

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Get-CAWindowsFSAuditTemplates

Use this command to see all the Windows File System auditing templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSAuditTemplates -Connection $connection

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq TemplateName

Get-CAWindowsFSEventClassInfo

Use this command to get a list of all available Windows File System auditing event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSEventClassInfo -Connection $connection

 

Managing Fluid File System auditing

Change Auditor for Fluid File System tracks, audits, reports, and alerts on file and folder changes in real time, translating events into simple text and eliminating the time and complexity required by system-provided auditing. The auditing scope can be set on an individual file or folder, or on an entire file system, recursively or non-recursively. Change Auditor also allows you to include or exclude certain files or folders from the audit scope to ensure a fast and efficient audit process.

Change Auditor captures events and provides detailed information relating to the following activities:

The following commands are available to manage Fluid File System auditing:

Get-CAFluidFSClusters

Use this command to see a list of all Fluid File Service clusters available to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSClusters -Connection $connection

Get-CAFluidFSEncryptionStatus

Use this command to see if encryption has been set. Encryption protects the data as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the FluidFS cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

Get-CAFluidFSEncryptionStatus -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

Get-CAFluidFSEventClassInfo

Use this command to get a list of all available FluidFS event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAFluidFSEventClassInfo -Connection $connection

Get-CAFluidFSTemplates

Use this command to see all the Fluid File System templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all FluidFS templates

Get-CAFluidFSTemplates -Connection $connection

Get-CAFluidFSVolumes

Use this command to get a list of all volumes on a specified cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster from which to retrieve volume names.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

Example: See a list of all available volumes on a cluster

Get-CAFluidFSVolumes -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential

New-CAFluidFSAuditVolume

Use this command to define which volumes to audit.

 

-Volume

The name of the volume to audit.

-IncludePaths

The folders\files to include.

-EventClasses

The events to audit.

-ExcludeFilePaths (Optional)

The name and path of files to exclude from auditing.

-ExcludeFolderPaths (Optional)

The name and path of subfolders to exclude from auditing.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the volume. The disable feature allows you to temporarily stop auditing the specified volume without having to remove the auditing template or individual volume from a template.

$auditVolume = New-CAFluidFSAuditVolume -Volume $volumes[0] -IncludePaths $includePaths -EventClasses $fluidFSEventClasses -ExcludeFilePaths $excludeFilePaths -ExcludeFolderPaths $excludeFolderPaths -Disabled $False

To enable FluidFS auditing in Change Auditor, you must first create an auditing template for each file server to audit. Each auditing template defines the location of the file server, the auditing scope, and the Change Auditor agents that are to receive the events.

New-CAFluidFSTemplate

Use this command to create a Fluid File System auditing template.

Returns: A FluidFS template object.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-Agents

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems

The volumes and their list of exclusions and inclusions.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Disabled (Optional)

Specifies whether the template is enabled or disabled.

New-CAFluidFSTemplate -Connection $connection -ClusterName $clustername -Agents $agents -AuditItems $auditItems -ClusterConfigurationCredential $credential -Disabled $False

Use this command to delete a FluidFS template when a connection cannot be made with the FluidFS cluster.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to delete.

Clear-FluidFSTemplate -Connection $connection -Template $template

Set-CAFluidFSTemplate

Use this command to edit an existing Fluid File System template.

NOTE: You can also use the Enable-CAAgentTemplate and Disable-CAAgentTemplate commands to enable or disable the template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to edit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager. This allows the Coordinator to connect with the Enterprise Manager Data Collector service and populate the list of available volumes to audit.

-Agents (Optional)

The Change Auditor agents that are to receive the FluidFS events.

-AuditItems (Optional)

The volumes and their list of exclusions and inclusions.

-Enable (Optional)

Set to true or false to enable and disable the template.

Set-CAFluidFSTemplate -Connection $connection -Template $template -ClusterConfigurationCredential $credential -Enable $True -Agents $agents -AuditItems $auditItems

Set-CAFluidFSEncryptionCredential

Use this command to enable or disable encryption for auditing on the Fluid File System cluster. Encryption allows you to protect the event traffic as it passes between the FluidFS cluster and the Change Auditor agents.

-Connection

A connection obtained by using the Connect-CAClient command.

-ClusterName

The name of the cluster to audit.

-ClusterConfigurationCredential

Administrator credentials to access Enterprise Manager.

-EncryptionCredential

The service account credentials for the cluster to use when encrypting events.

Set-CAFluidFSEncryptionCredential -Connection $connection -ClusterName $clustername -ClusterConfigurationCredential $credential -EncryptionCredential $EncryptionCredential

Managing Azure Active Directory auditing

Change Auditor audits activity in the Azure portal that corresponds to the events in the Azure Active Directory auditing logs and sign-in activity. Managing Azure Active Directory auditing is available through the following PowerShell commands:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

The following sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts:

 

New-CAAzureADTemplate

Use this command to create a template for auditing Azure Active Directory.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent is used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

$connection = Connect-CAClient -InstallationName 'Default'

$agent = Get-CAAgents -Connection $connection | where {$_.agentfqdn -like "CAAGENT.DOMAIN.COM"}  # Keep in uppercase

New-CAAzureADTemplate -Connection $connection -CreateWebApp -Tenant $tenant -AgentInfo $agent -HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Alternatively, use these parameters if you are using a pre-created Azure web application that Change Auditor will use for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Office 365 Management APIs

Application Permissions:

 

Microsoft Graph

Application Permissions:

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -AgentInfo $agent -WebAppKey $webAppKey -WebAppId $webAppId -Tenant $tenant -HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Set-CAAzureADTemplate

Use this command to edit the web application key and ID, and the agent in an existing Azure Active Directory template. This also allows you to replace an expired or revoked web application.

NOTE:  

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by the Get-CAAzureADTemplates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to log in to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the -AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId

Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True -AuditLogs $True

Get-CAAzureADTemplates

Use this command to see all the Azure Active Directory templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAAzureADTemplates -Connection $connection
