Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Create custom AD Query search

Previous Next

Create custom AD Query search

The following scenario explains how to use the What tab to create custom AD query searches.

 
* 
NOTE: If you wanted to, you can use the other search properties tabs to define additional criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range
Origin - allows you to search for events that originated from a specific workstation or server
To search Active Directory containers for AD queries:
1
Open the Searches page.
2
In the explorer view, expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click New.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | AD Query. This opens the Add Active Directory Container dialog.
6
On the Add Active Directory Container dialog, select one of the following options to define the scope of coverage:
All Active Directory Objects - select to search all objects.
This Object - select to search the selected objects only.
This Object and Child Objects Only - select to search the selected object) and its direct child objects.
This Object and All Child Objects - select to search the selected objects and all subordinate objects (in all levels).
Members of this group - select this option to show changes made to users in a specified group. Nested groups are not supported.
* 
NOTE: You cannot exclude selections or use the *Like wildcard option when the scope is specified as Members of this group.
7
When a scope other than All Active Directory Objects is selected, the directory object picker will be activated allowing you to select the objects to include in the search definition.

Use the Browse or Search page to search your environment to locate and select the Active Directory containers to include.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Use the Options page to view or modify the search options to be used to retrieve directory objects.

8
In addition, you can optionally enter one or more AD query parameters to be included in the search definition:
Filter - allows you to search for a filter string used in a query. This field uses the Like operator; therefore, you can enter a partial string of characters to have Change Auditor return any queries that use a filter string that contains the characters entered.
Attributes - allows you to search for attributes that are being queried. This field uses the Like operator; therefore, you can enter a partial string of characters to have Change Auditor return any queries that query attributes that contain the characters entered.
Results >= - allows you to search for queries that have returned a specific number of results. Enter (or use the arrow controls to specify) the number of results to be included in the search definition and Change Auditor will display the queries that have returned results equal to or greater than the number entered.
Elapsed (ms) >= - allows you to search for queries that take a certain amount of time to complete. Enter (or use the arrow controls to specify) the number of milliseconds to be included in the search definition and Change Auditor will display the queries that took the specified number of milliseconds or longer to run.
Transports - allows you to specify the type of transport protocols used to secure LDAP operation or LDAP queries. To include a specific transport, clear the All Transports check box.
All Transports - select to include LDAP operation or LDAP queries regardless of the transport protocol used (Default)
SSL/TLS - select to include LDAP operation or LDAP queries that are secured using SSL or TLS technology
Kerberos- select to include LDAP operation or LDAP queries that are signed using Kerberos-based encryption
Simple Bind - select to include LDAP operation or LDAP queries that are secured using simple bind authentication (neither SSL\TLS or Kerberos used)
Port - select to identify a specific port used for communication
* 
NOTE: When you clear the All Transports check box and select both the SSL/TLS and Kerberos check boxes, only AD queries using both of these transport protocols will be included in the search results.
* 
NOTE: For pre-5.5 LDAP Query events, this field is NULL in the database; therefore, ‘All Transports’ will be included regardless of this setting.

When you specify more than one AD query parameter, Change Auditor uses the ‘OR’ operator and will return AD Query events that meet any of the AD query parameters specified for the selected Active Directory container.

9
Once you have selected an Active Directory container (and any AD query parameters) to be included, click the Add button to add it to the Selection list at the bottom of the dialog.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all Active Directory containers EXCEPT those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for an Active Directory container every time the search is run.
10
Once you have selected the Active Directory container(s) to be included in the search, click the OK button to save your selection and close the dialog.
11
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
12
When this search is run, Change Auditor will search for AD Query events based on the search criteria specified on the What tab and display the results in a new search results page.
To search for an object that already has an audited AD Query event in the database:
1
Open the Searches page.
2
In the explorer view, expand and select the folder where you want to save your search.

Selecting the Private folder will create a search that only you can run and view, whereas selecting the Shared folder will create a search which can be run and viewed by all Change Auditor users.

3
Click the New tool bar button at the top of the Searches page (or right-click a folder and select the New | New Search menu command).
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add with Events and select Subsystem | AD Query.
6
On the Add Active Directory Container dialog, select an object from the list.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
Click the Add button to add it to the selection list at the bottom of the page.
8
Click OK to save your selection and close the dialog.
9
Once you have defined your search, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.

When this search runs, Change Auditor searches for the AD Query events based on the search criteria specified on the What tab and display the results in a new search results page.

AD Query Event Details

Previous Next

AD Query Event Details

This section provides a description of the ‘What’ details that are provided on the Events Details pane for an AD Query event.

 

Table 3. AD Query monitored event

Event

Description

Severity

AD Query Performed

Created when an AD query is performed on a container.

Low

 

Table 4. Event Details pane: AD Query events

What Fields

Description

What

Shows the container that was queried. For example, on LDAP bind operations, this displays the name (DN) being bound to; on LDAP search operations, this displays the baseObject of the search; and on LDAP compare operations, this displays the entry (DN) of the object being compared.

Subsystem

Displays ‘AD Query’

Action

Displays ‘Other’

Facility

Displays ‘AD Query’

Type

Displays the type of query:
LDAP
GC

Scope

Displays the scope of coverage:
This object only
This object and all children
Child objects only

Results

Displays the number of results returned as a result of the query.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Port

Indicates the port used for authentication.

Occurrences

Displays the number of times the query occurred during the specified interval.

Since

Displays the date and time when the query was first initiated.

Elapsed

Displays how long the query took to run. Zero (0) indicates that it took less than a millisecond to complete.

Kerberos

Indicates whether the LDAP operation or AD query is signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Filter

Displays the filter string used in the query.

Attributes

Displays the attributes that were queried.

Change Auditor for Logon Activity

Previous Next

Change Auditor for Logon Activity

The Change Auditor for Logon Activity book contains information about the additional features that are available when a valid Change Auditor for Logon Activity license has been applied. It contains the following topics:
Change Auditor for Logon Activity Overview: This section provides an overview of logon and logoff activity auditing provided with the Change Auditor for Logon Activity User and Change Auditor for Logon Activity Workstation license. It also provides a list of the additional features and components that require a valid Change Auditor for Logon Activity license.
User Logon Activity Searches/Reports: This section explains how to run a built-in user logon activity report and how to create a custom query using the What tab. It also provides a description of the additional details that are provided on the Search Results page and Event Details pane.
Appendix: Agent Comparison: This section displays the agent-related features that are available for both server and workstation agents.
Appendix: Workstation Agent Deployment: This section provides recommendations for deploying Change Auditor agents necessary for auditing both domain workstations and non-domain workstations. It also includes instructions on manually deploying workstation agents.

 

Change Auditor for Logon Activity Overview

Previous Next

Change Auditor for Logon Activity Overview
Introduction
Benefits and features
System requirements
Client components and features
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating