Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

SharePoint Auditing templates

Previous Next

SharePoint Auditing templates

To enable SharePoint auditing, create a SharePoint auditing template for each SharePoint farm to audit. Each auditing template defines the SharePoint path within the farm to audit and the agent to capture events from the selected SharePoint farm.

* 
NOTE: There can only be one SharePoint auditing template per SharePoint farm. You cannot proceed if you select a SharePoint farm that already has a template defined.

Be sure that all the SharePoint auditing templates contain a GUID in their Farm name (Farm field on SharePoint Auditing page) BEFORE you attempt to add any new templates.

To create a SharePoint Auditing template:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select SharePoint.
4
Click Add to open the SharePoint Auditing wizard to define the SharePoint farm and paths to audit and the agent to receive the events.
5
On the first page of the wizard, specify the SharePoint farm and paths to audit:
SharePoint Farm:

If you are creating a template for a farm that has not been previously audited, use the drop-down arrow and select Find a SharePoint farm. On the Eligible Change Auditor Agents dialog, select the SharePoint Web Front End server to capture SharePoint events. Note: If you have multiple agents, select the Web Front End server. The first time an agent is selected, you are prompted to enter the credentials to connect to the SharePoint farm. Change Auditor then performs a SharePoint topology search to locate the SharePoint farm residing on the selected agent (which may take several minutes). Once the topology is completed, the name of the farm (and GUID) is displayed in the SharePoint Farm field in the wizard.

If you are creating a template for a previously audited farm, use the drop-down arrow and select a <SharePoint Farm (and GUID)> from the list.

* 
NOTE: The Next button on this page is disabled if you select a SharePoint farm from the drop-down list that is assigned to a SharePoint Auditing template. You can only select a SharePoint farm whose auditing template has been deleted.
Click Add and select the SharePoint paths to audit. Once you have selected the paths to audit, they are displayed in the SharePoint Paths to audit list.
Optionally, select Add optional SharePoint paths to exclude from auditing under to select a path that has been added to the SharePoint paths to audit and click Add to locate and add any subsequent paths within the selected path to exclude from auditing.
6
On the second page of the wizard, select the operations (facilities or event classes) to audit. Select an entry from the list box at the top of the page, expand Add and click one of the following commands:
Use Add | Add This Event to add individual events.
Use the Add | Add All Events in Facility option to add all events in the selected facility.

Repeat this step to include more events or facilities. At least one event or facility must be specified.

* 
NOTE: If you want to audit all SharePoint events, they must all be added to this page of the wizard. In addition, the events that are disabled by default must be enabled using the Audit Events page on the Administration Tasks tab.
* 
NOTE: The following operations are audited by default when you create a template. Therefore, they are NOT included in the event class list on this page.
Site Created
Site Deleted
Site Moved
Site Collection Created
Site Collection Deleted
7
The third page of the wizard displays the information about the agent.

If you are creating a template for a farm that has not been previously audited (you used the Find a SharePoint farm option) you see a list of servers with Change Auditor agents. Select the required agent, and click OK.

If you are creating a template for a previously audited farm, select the required agent in the SharePoint farm and click OK. Click Set Credentials and enter the credentials to access the SharePoint farm. Click OK. A notification message is displayed indicating whether you have entered valid credentials.

8
On the last page of the wizard, verify that the Change Auditor SharePoint Solution has been successfully added and deployed to the SharePoint farm selected for auditing.
* 
NOTE: The Change Auditor SharePoint Solution status is checked and refreshed once every hour; therefore, the status displayed may not reflect the most current status. Click Refresh Change Auditor Solution Status to force a refresh of the solution’s status.
9
To create the template, click Finish.
10
On the Administration Tasks tab, click Configuration, select Agent in the Configuration task list to open the Agent Configuration page.
11
Select the agent assigned to the SharePoint Auditing template and click Refresh Configuration.
12
Verify that Auditing is displayed in the SharePoint column.
* 
NOTE: If you do not refresh the agent’s configuration, the agent automatically checks for a new agent configuration based on the polling interval setting (on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
To modify a template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent automatically checks for a new agent configuration based on the polling interval setting (on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
On the SharePoint Auditing page, select a template and click Edit.
2
The SharePoint Auditing wizard opens where you can modify the paths included and excluded in the template. For example:
On the first page of wizard, you can add a path to the auditing template. You can also add a SharePoint path that to exclude from auditing.
On the second page of the wizard, you can add or remove SharePoint events and facilities from the auditing template.
On the third page of the wizard, you can select the required agent in the SharePoint farm or change the user account used to access the SharePoint farm.
3
You can also use the last page of the wizard to verify the deployment status of the Change Auditor SharePoint Solution.
4
Once you have made the necessary modifications, click Finish.
5
On the Administration Tasks tab, click Configuration. Select Agent in the Configuration task list to open the Agent Configuration page.
6
Select the agent assigned to the SharePoint Auditing template and click Refresh Configuration.
* 
NOTE: If you do not refresh the agent’s configuration, the agent automatically checks for a new agent configuration based on the polling interval setting (on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
To disable an auditing template:

The disable feature allows you to temporarily stop auditing the specified SharePoint farm or path without having to remove the template or individual path from a template.

1
On the Auditing page, place your cursor in the Status cell for the template, click the arrow control, and select Disabled.

The entry in the Status column for the template changes to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To disable the auditing of a path in a template:
1
On the SharePoint Auditing page, click in the Status cell for the path and select Disabled.

The entry in the Status column for the selected path changes to ‘Disabled’.

2
To re-enable the auditing of a path, use the Enable option in either the Status cell or right-click menu.
To delete an auditing template:
1
On the Auditing page, select the template and click Delete | Delete Template.
2
A dialog is displayed confirming that you want to delete the selected template. Click Yes.
To delete a path from a template:
1
On the SharePoint Auditing page, select the path and click Delete | Delete Path.
2
A dialog is displayed confirming that you want to delete the selected path from the template. Select Yes.
* 
NOTE: If the selected path is the last one in the template, deleting it also deletes the template.

SharePoint Auditing wizard

Previous Next

SharePoint Auditing wizard

The SharePoint Auditing wizard displays when you click Add or Edit on the SharePoint Auditing page. This wizard steps you through the process of creating a new template, identifying the SharePoint farm and paths to audit. You will also select an agent that has SharePoint installed to capture events from the selected SharePoint farm.

You can also use this wizard to modify a previously defined template.

The following table provides a description of the fields and controls in the SharePoint Auditing wizard.

 

Table 2. SharePoint Auditing wizard

Create or modify a SharePoint Auditing Template page

On the first page of the wizard, specify the SharePoint farm and paths to audit.

SharePoint Farm

This field displays that name (and GUID) of the SharePoint farm being audited. Use the drop-down control to select or find a SharePoint farm.
Find a SharePoint farm - select this option to select a SharePoint farm for auditing. Selecting this option displays the Eligible Change Auditor Agents dialog allowing you to select from a list of agents that host a SharePoint farm.
NOTE: The topology will scan for the SharePoint farm and add it to the SharePoint Farm field. A red flashing icon indicates that the SharePoint Farm is already being monitored by another SharePoint Auditing template. See the Upgrade Change Auditor for SharePoint appendix for more information on editing existing templates BEFORE adding new SharePoint Auditing templates.
<SharePoint Farm Name (GUID)> - select from a list of cached SharePoint farms that have been previously selected for auditing.
NOTE: The only time you can select a SharePoint farm from the drop-down list is when a SharePoint farm was previously selected for auditing and that auditing template has been deleted. The wizard will not allow you to select a SharePoint farm from the drop-down list if it has a template currently assigned to it.

SharePoint paths to audit list

This box lists the SharePoint components within the selected SharePoint farm to be audited. Use the Add and Remove buttons at the top of this list box to specify the SharePoint components to be audited.
Add - Use Add to locate and add a component within the selected SharePoint farm to the SharePoint Paths to Audit list. Clicking Add displays the Browse SharePoint dialog allowing you to select a SharePoint component for auditing.
Remove - Select an entry in the SharePoint Paths to Audit list and click Remove to remove it from the template.

SharePoint paths to exclude list (Optional)

The list box located across the bottom of this page displays the SharePoint components to be excluded from auditing. Use the button above this list box to specify the paths to be excluded.
Add - To exclude a component, select a path in the SharePoint Paths to Audit list and then click Add to select the components under the selected audit path that are to be excluded from auditing.

Clicking Add displays the Browse SharePoint dialog allowing you to locate and select a SharePoint component under the selected audit path for exclusion.
Remove - Select an entry in the Exclusion list and click Remove to remove it.

Select the changes to audit page

From this page, select the SharePoint operations (event classes or facilities) to audit on the selected SharePoint farm. You must select at least one event class.

NOTE: If you want to audit ALL SharePoint events, they must all be added to this page of the wizard. In addition, the events that are disabled by default must be enabled using the Audit Events page on the Administration Tasks tab.

Event Classes

The data grid across the top of the page displays all of the SharePoint event classes available for auditing. Select/highlight an event class and use the appropriate add option to add either the individual event class or all events in the selected facility.

This grid displays the following information for each event class:
Facility - displays the facility to which each event class belongs
Event Class - displays the events available for auditing
Status - indicates whether the event is currently enabled or disabled
Severity - displays the current severity level assigned to each event
NOTE: The following operations are audited by default when you create a SharePoint Auditing template. Therefore, they are NOT included in the event class list on this page.
Site Created
Site Deleted
Site Moved
Site Collection Created
Site Collection Deleted

Add

Select an event class in the data grid, click Add and select one of the following options:
Add This Event - use to add the selected event classes to the Audit list box at the bottom of the page.
Add All Events in Facility - use to add all event classes in the selected facility to the Audit list box at the bottom of the page. This option is only available when you have selected only one event class in the data grid.

Remove

Click Remove to remove the selected entry from the Audit list box.

Audit list

This list box displays the facilities and/or event classes to be included in the selected auditing template.

Select Change Auditor agent page

From this page, select the agent to capture events from the selected SharePoint farm.

NOTE: If you used the Find SharePoint Farm option on the first page of the wizard to specify the SharePoint farm to be audited, this page is pre-populated based on the agent selected.

Browse

Click Browse to display a list of the agented servers available in the selected SharePoint farm. From this dialog, select the agent to capture the events from the specified farm.

Set Credentials

Once you have selected the agent, click Set Credentials to enter the credentials to be used to access the selected SharePoint farm.

Clicking this button displays the SharePoint Credentials Required dialog which prompts you to enter the following:
User
Password
Domain
NOTE: The user account specified must have full access to all SharePoint sites and read permissions on all SharePoint SQL databases.
NOTE: A notification message appears indicating whether you have entered valid credentials. If you get an ‘Invalid credentials’ notification, click Set Credentials and enter the proper credentials.

Clear Credentials

Click Clear Credentials to clear the credentials previously entered for the selected agent.

Change Auditor Agent

Once an agent is selected, the following information is displayed:
Agent
Domain
Agent FQDN
User (this field is populated once valid credentials have been entered/verified using Set Credentials)

Verify Change Auditor SharePoint Solution deployment status page

Use the last page of the wizard to verify the deployment status of the Change Auditor SharePoint Solution.

Refresh Change Auditor Solution Status

The Change Auditor SharePoint Solution status is checked/refreshed once every hour; therefore, the status displayed may not reflect the most current status. Click Refresh Change Auditor Solution Status to force a refresh of the solution’s status.

Solution Status

The Solution Status pane displays the current status of the Change Auditor SharePoint Solution.

If it contains a warning symbol and red text, select Refresh Change Auditor Solution Status. If the warning state remains, click Finish to close the wizard. On the local SharePoint farm server, run the SharePoint Solution Manager utility to add/deploy the solution. See Add and deploy Change Auditor SharePoint Solution.

SharePoint event logging

Previous Next

SharePoint event logging

In addition to real-time event auditing, you can enable event logging to capture SharePoint events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

For SharePoint events, event logging is disabled by default. When enabled, only configured activities are sent to the ChangeAuditor for SharePoint event log. See the Change Auditor for SharePoint Event Reference Guide for a list of the SharePoint events that can be sent to the event log.

To enable SharePoint event logging:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
5
On the Event Logging dialog, select SharePoint.
6
Click OK to save your selection and close the dialog.

The SharePoint events configured in the SharePoint Auditing template will then be sent to the ChangeAuditor for SharePoint event log.

 

SharePoint Searches and Reports

Previous Next

SharePoint Searches and Reports
Introduction
Create custom SharePoint searches
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating