Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

Auditing your SharePoint platform is critical to maintaining internal security controls and meeting external auditing regulation requirements. Change Auditor for SharePoint tracks operations across your SharePoint environment, providing comprehensive auditing and reporting that tells you ‘who, what, when and where’ changes are being made to SharePoint configuration, documents, lists and sites.

To enable SharePoint auditing, you must deploy the Change Auditor SharePoint component to the SharePoint farms, then create an auditing template for each farm to define the paths within the farm to audit, and the agent to capture the events.

* 
IMPORTANT: Change Auditor processes all activities on all site collections within the audited SharePoint farm. When auditing a large SharePoint farm with a lot of activity, the agent may experience performance-related issues including slowness in loading the plugin and capturing events or the potential for missed events. Factors that can impact performance include the number of site collections in the farm and the volume of activity in the SharePoint environment. Quest recommends performing a test in the environment of the similar size and configuration to determine if your farm is suitable to be audited by Change Auditor.

Change Auditor also audits user and administration activity for SharePoint Online (and OneDrive for Business) that corresponds to the events in the Microsoft 365 Security & Compliance Center unified audit log. You can track, report, and create alerts on activities including:
When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
 

 

System overview

Previous Next

System overview

The following diagram illustrates how SharePoint integrates with Change Auditor to provide this auditing capability.

1
The SharePoint Farm Administrator deploys the SharePoint.Auditing.Monitor.wsp solution, which writes event information from each server to the SharePoint database. Deployment is done by running the SharePoint Solution Manager utility.
2
The administrator installs an agent on one of the SharePoint Web Front End servers in the farm.
3
The agent enables the solution for the event information to be captured and written to the SharePoint database AuditData table.
4
System provided SharePoint auditing writes events in the AuditData table shortly after events occur.
5
The agent periodically queries the SharePoint AuditData table to collect the events and forwards them to the coordinator.

Deployment requirements

Previous Next

Deployment requirements

For a successful deployment, ensure that your environment meets the minimum system requirements. For information about system requirements, see the Change Auditor Release Notes. For details on installing Change Auditor, see the Change Auditor Installation Guide.

* 
NOTE: This guide assumes SharePoint 2016/2019 is properly installed and configured. For detailed installation steps, see the appropriate guide from Microsoft.

After you have installed Change Auditor, complete the following to audit SharePoint events:
Enable SharePoint settings
Add and deploy Change Auditor SharePoint Solution
Create SharePoint Auditing template

Enable SharePoint settings

Previous Next

Enable SharePoint settings

To capture some of the SharePoint events, you must enable:

System provided auditing
Versioning
MySite Site Collection
MySite Web Application
* 
NOTE:  
See SharePoint Event Requirements for a list of the events that need these additional settings enabled.
Since SharePoint Foundation Server does not provide a graphical user interface, enable these auditing flags (system provided auditing and versioning) using PowerShell commands.

System provided auditing

For all SharePoint web applications (including each user site under MySite) to be audited, system provided auditing must be enabled.

To enable system provided auditing:
1
From a top-level site, or web application, select Site Actions | Site Settings.
2
Under the Site Collection Administration heading, click Site collection audit settings.
3
Under the Documents and Items section, select all the check boxes.
4
Under the Lists, Libraries, and Sites section, select the Editing users and permissions check box.
* 
NOTE: Log trimming is off by default. Enable log trimming to meet your policies. If the agent is offline or is otherwise unable to retrieve event information from the SharePoint database for a period longer than the trim period, events could be lost.

Versioning

To audit versioning within SharePoint, enable it for each individual Library and List Item pertaining to the Sites being audited.

* 
NOTE: This procedure also applies to announcements, calendars, and tasks. The only difference is that the ‘Tools’ section and tabs are specific to the List Settings item.
To enable document versioning for shared documents for a top-level site:
1
Navigate to a Document Library.
2
Under Library Tools, select the Library tab.
3
Click the Library Settings icon, located to the right of the ribbon.
4
Click Versions settings under General Settings.
5
In the Document Version History section, change the selection of No Versioning to the desired level of versioning: Create major versions or Create major and minor (draft) version.

Verify MySite permissions

For proper auditing of sites within the MySite Site Collection or Web Application, the account Change Auditor uses to access the SharePoint database must be added as a Site Collection Administrator (primary or secondary) or to the User Web Policy for the MySite host.

Depending on how your MySite host is initially set up, use the Central Administration Web Site to verify, and if necessary add, this account.

* 
NOTE: This account must be added BEFORE you add a personal site to a SharePoint auditing template or you will encounter an ‘access denied’ error when you select a personal site in the SharePoint Auditing wizard.

MySite Site Collection

This refers to the default ‘MySite’ Site Collection that is automatically created during a SharePoint Single Server installation. Its location is under the default SharePoint-80 Web Application (//veneno in the following screen shot). By default, the SharePoint farm account is assigned as the Primary Site Collection Administrator. However, if this site collection is manually created, then the primary and secondary administrator can be specified.

In this scenario, verify that the account Change Auditor is using is listed as either the Primary Site Collection Administrator or Secondary Site Collection Administrator for the MySite Site Collection.

MySite Web Application

This refers to the ‘MySite’ Web Application that is created manually after a SharePoint Multi-Server Farm installation. In this case, MySite is not tied to any other web application (i.e., is not underneath the default SharePoint Web Application) and therefore uses the User Policy permissions.

In this scenario, verify that the account Change Auditor is using is included in the User Web Policy for the MySite Web Application.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating