Chat now with support
Chat with Support

Change Auditor 7.5 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Microsoft Entra Defender Microsoft 365 Logon Activity Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level SQL Extended Events Threat Detection

Section 404 | Acquisition and Implementation

| Acquisition and Implementation

The Acquisition and Implementation reports are available under the following folders:
BAI2.1 - Define and maintain business functional and technical requirements
BAI2.2 - Perform a feasibility study and formulate alternative solutions
BAI3.10 – Maintain solutions
Authentication Services
Computer Activity
Exchange
BAI3.9 – Manage changes to requirements
BAI6.1 – Evaluate, prioritize and authorize change requests
Organizational Unit Management
BAI6.2 – Manage emergency changes
Organizational Unit Management
BAI6.3 – Track and report change status
Organizational Unit Management
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
BAI2.1 - Define and maintain business functional and technical requirements

BAI2.2 - Perform a feasibility study and formulate alternative solutions

BAI2.2 - Perform a feasibility study and formulate alternative solutions
(Executive Summary) Identify Automated Solutions

A summary report containing events from all of the following reports.

Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all schema changes
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Maintain solutions
(Executive Summary) BAI3.10 - Acquire and Maintain Technology Infrastructure

A summary report containing events from all of the following reports.

(Executive Summary) BAI3.10 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.10 – Detailed list of all hot fixes applied
Who = All Users
What = Hotfix Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of hot fixes rolled back
Who = All Users
What = Hotfix Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs applied
Who = All Users
What = Computer Service Pack Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs rolled back
Who = All Users
What = Computer Service Pack Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Authentication Services
BAI3.10 – Authentication Services computers added in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Authentication Services computers deleted in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computer Activity
BAI3.10 – Computers added in the last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers disabled in the last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers enabled in the last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers moved in the last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers removed in the last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers renamed in the last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Exchange
BAI3.10 – OWA Website Added to Server
Who = All Users
What = OWA Web Site Added to Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Removed from the Server
Who = All Users
What = OWA Web Site Removed from Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Renamed
Who = All Users
What = OWA Web Site Renamed on Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.9 – Manage changes to requirements
(Executive Summary) BAI3.9 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.9 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI6.1 – Evaluate, prioritize and authorize change requests
BAI6.2 – Manage emergency changes
BAI6.3 – Track and report change status
(Executive Summary) Develop and Maintain Procedures

A summary report containing events from all of the following reports.

(Executive Summary) Ensure Continuous Service

A summary report containing events from all of the following reports.

(Executive Summary) Manage Changes

A summary report containing events from all of the following reports.

Detailed list of authorized changes made during business hours
Who = All Users
What = All categories
Where = All sources
When = From 08:00 PM to 05:00 AM
Origin = All workstations/servers
Detailed list of unauthorized changes made during business after hours
Who = All Users
What = All categories
Where = All sources
When = From 05:00 PM to 08:00 AM
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of computer modifications
Who = All Users
What = Custom Computer Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of DNS modifications
Who = All Users
What = DNS Service facility; DNS Zone facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain modifications
Who = All Users
What = Domain Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controller
Who = All Users
What = Configuration Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Exchange modifications
Who = All Users
What = Exchange Administrative Group facility; Exchange Distribution List facility; Exchange Organization facility; Exchange Permission Tracking facility; Exchange Security Group facility; Exchange User facility
Where = All sources
When = Last 7 days
Origin = All workstations/server
Detailed list of Exchange infrastructure modifications
Who = All Users
What = Exchange Organization facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of fault tolerance modifications
Who = All Users
What = Fault Tolerance facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system modifications
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of forest modifications
Who = All Users
What = Forest Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of group modifications
Who = All Users
What = Custom Group Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of IP modifications
Who = All Users
What = IP Security facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NETLOGON Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of registry modifications
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of replication modifications
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service modifications
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of site modifications
Who = All Users
What = Site Configuration facility; Site Link Configuration facility; Site Link Bridge Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user modifications
Who = All Users
What = Custom User Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of subnet modifications
Who = All Users
What = Subnets facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Organizational Unit Management
Organizational Units Added in Last 30 days
Who = All Users
What = Subordinate OU added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Deleted in Last 30 days
Who = All Users
What = Subordinate OU removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Renamed in Last 30 days
Who = All Users
What = Subordinate Ou renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units set to block GPO inheritance in Last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
(Executive Summary) Install and Accredit Systems

A summary of reports containing events from all of the following reports.

Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Section 404 | Delivery and Support

| Planning and Organization

The Planning and Organization reports are available under the following folder:
Manage Contract Staff
Manage Contract Staff
(Executive Summary) Manage Human Resources

A summary report containing events from all of the following reports.

Detailed list of disabled user accounts
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of enabled user accounts
Who = All Users
What = User Account Enabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of expired user accounts
Who = All Users
What = User accountExpires Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user dial-in modifications
Who = All Users
What = User Dial-in Static Route Added; User Dial-in Static Route Removed; User Dial-in Callback Options Changed; User Dial-in Static IP Address Changed; User Dial-in Remote Access Permission Changed; User Dial-in Verify Caller ID Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user Exchange mailbox modifications
Who = All Users
What = Mailbox Enabled for User; Mail Disabled for User; Mailbox Rights Changed for User; Mailbox Disabled for User; Mail Enabled for User; Email Addresses Changed for User
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user name modifications
Who = All Users
What = User userPrincipalName Changed; Display Name Changed on User Object; First Name Changed on User Object; User samAccountName Changed; Last Name Changed on User Object; Domain User Renamed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user permitted logon hour modifications
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user workstation restriction modifications
Who = All Users
What = User userWorkstations Added; User userWorkstations Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
 
 

Security

The Security reports are available in the following folders:
Access Control - Administrator Account Activity
Access Control - Administrator Group Activity
Access Control - File System
Access Management
Computer Activity
Critical GPO Changes
Domain Controller Security
Domain Security
Exchange
Group Activity
Group Management
Organizational Unit Management
Severity Based Changes
Trust Activity
User Activity
User Management
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating