Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Add Service dialog (Add With Events)

Previous Next

Add Service dialog (Add With Events)

* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.

The Add Service dialog appears when Add With Events | Subsystem | Service is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for events generated by a service that has an event associated with it in the Change Auditor database.

* 
NOTE: Make sure that the selected computer is on the network and has remote administration enabled. If the selected remote computer does not allow remote administration access, a message will be displayed explaining that you need to select a different server.

From this dialog, select a service and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data grid

The data grid displays the services that have an event associated with it in the Change Auditor database. This grid displays the following information for each entry:
Display Name - lists the display name for all the services listed.
Service - lists the service name of all the services that have an event in the Change Auditor database.

Service list

The list box at the bottom of the dialog displays the name of the service(s) to be included in the search definition (or excluded when the Exclude the Above Selection(s) check box is checked). Use the buttons located above this list box to add or remove entries:
Add - select a service in the data grid and click the Add button to add the selected service to the Service list. This button is activated when one or more services are selected in the data grid.
Select Enter a service not listed above to enter an unlisted service.
Remove - select the service to be removed in the Service list and then click the Remove button.

Exclude the Above Selection(s)

Select this check box to exclude the services listed in the selection list box. When this check box is checked, Change Auditor will return events for all services except those listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the service whenever the search is run. That is, when the Run tool bar button is clicked, the Add Service dialog appears allowing you to select the service to be used.

* 
NOTE: When Runtime Prompt is selected, the Service option will be disabled on the Add tool bar buttons on the What tab.
 
* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.

Add Severities dialog

Previous Next

Add Severities dialog

The Add Severities dialog appears when Add | Severity is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for events (or purge events) based on the severity (High, Medium or Low) assigned to events.

From this dialog, select a severity and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data grid

The data grid displays the different severity levels that can be assigned to events.

Severities list

The list box at the bottom of the dialog displays the severities to be included in the search definition (or excluded if the Exclude the Above Selection(s) check box is checked). Use the buttons located above this list box as described below:
Add - click the Add button to add the selected item to the Severities list.
Remove - select the entry to be removed from the Severities list and then click the Remove button.

Exclude the Above Selection(s)

Select this check box to exclude the items listed in the selection list box. When this check box is checked, Change Auditor will return details for all audited events except those assigned a severity level which is listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the severity criteria whenever the search is run. That is, when the Run tool bar button is clicked, the Add Severities dialog appears allowing you to select the severity criteria to be included in the search.

* 
NOTE: When Runtime Prompt is selected, the Severity option will be disabled on the Add tool bar buttons on the What tab.
 
* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.

Add Severities dialog (Add With Events)

Previous Next

Add Severities dialog (Add With Events)

The Add Severities dialog appears when Add With Events | Severity is selected on the What search properties tab. This dialog displays only the severity levels (High, Medium or Low) that have an associated event in the Change Auditor database.

From this dialog, select a severity and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data grid

The data grid displays the different severity levels that have an event in the Change Auditor database.

Severities list

The list box at the bottom of the dialog displays the severities to be included in the search definition (or excluded if the Exclude the Above Selection(s) check box is checked). Use the buttons located above this list box as described below:
Add - click the Add button to add the selected item to the Severities list.
Remove - select the entry to be removed from the Severities list and then click the Remove button.

Exclude the Above Selection(s)

Select this check box to exclude the items listed in the selection list box. When this check box is checked, Change Auditor will return details for all audited events except those assigned a severity level which is listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the severity criteria whenever the search is run. That is, when the Run tool bar button is clicked, the Add Severities dialog appears allowing you to select the severity criteria to be included in the search.

* 
NOTE: When Runtime Prompt is selected, the Severity option will be disabled on the Add tool bar buttons on the What tab.
 
* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.

Add SharePoint Path dialog

Previous Next

Add SharePoint Path dialog

The Add SharePoint Path dialog appears when Add | Subsystem | SharePoint or Add With Events | Subsystem | SharePoint is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to select the path to be used to search for SharePoint events.

From this dialog, select a SharePoint object and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), click the OK button to save your selection and close the dialog. If you select the All SharePoint Paths option, simply click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Scope

Select one of the following options to define the scope of the search:
All SharePoint Paths - select this option to include all SharePoint paths in the search query.
This Object - select this option to include only selected SharePoint objects in the search query.

Hierarchy pane

The hierarchy pane (left pane) displays your SharePoint farms, including the web applications, sites and lists discovered on each farm. Using this pane, you can search for events against an individual SharePoint object. For example, to search an individual SharePoint farm, select the farm to be searched in this pane and click the Add button to add it to list at the bottom of the dialog.

 
* 
NOTE: This pane is enabled when This Object is selected as the scope of the search.

Data grid

The data grid replaces the hierarchy pane when Add With Events | Subsystem | SharePoint is selected. This grid displays a list of all the SharePoint objects that have an event associated with it in the Change Auditor database. For each object listed, the following information is displayed:
Title - displays the name of the SharePoint component
FarmName - displays the name of the SharePoint farm where the SharePoint component resides
Type - indicates the type of SharePoint component

Select an entry in the data grid and click the Add button to add it to the selection list box.

Wildcard expression pane

The wildcard expression pane (right pane) is populated as you select objects in the hierarchy pane. Using this pane, you can expand your search for events against all objects that match a specific wildcard expression.

To specify a wildcard expression:

1
Select the SharePoint component(s) to be included in your search: Farm Name, Web Name, List Name, Item Name and/or Item URL.
2
For each SharePoint component selected, select the comparison operator to be used: Like or Not Like
3
For each SharePoint component selected, enter the pattern (character string and * wildcard character) to be used to search for a match

When multiple wildcard expressions are specified (i.e., multiple check boxes are selected), they are ‘ANDed’ together and all of the expressions must be met to be considered a match.

For example, to search all web application sites that begin with ‘Admin’ for documents that contain ’procedure' in their name):
Select Web Name and specify: Like Admin*
Select Item Name and specify: Like *procedure*

You can also select objects in the hierarchical pane to pre-populate the fields in the wildcard expression pane. When you use this approach to pre-populate the fields, the check boxes associated with the object(s) do not need to be checked in order to include them in your wildcard expression. However, in order to convert or add a specific expression, you must select the corresponding check box in order to select the comparison operator and pattern to be matched.

For example, to search for all documents that begin with ‘Sales’ in a SharePoint farm:
From the hierarchical pane, select the SharePoint farm to be searched (this will pre-populate the Farm Name field in the wildcard expression pane)
From the wildcard expression pane, select Item Name check box and specify: Like Sales*

Once you have defined the wildcard expression to be used, click the Add button to add it to the selection list at the bottom of the dialog.

 
* 
NOTE: This pane is enabled when This Object is selected as the scope of the search.

Selection list

The list across the bottom of the dialog displays the objects selected for inclusion in the search. Use the buttons at the top of this list as described below:
Add - After selecting an individual SharePoint object from the hierarchy pane or specifying a group of objects using the wildcard expression pane, click the Add button to add it to the selection list.
Remove - Select an entry in the selection list and then click the Remove button to remove it from the list.
Update - Select an entry in the selection list, use the hierarchy or wildcard expression pane to modify the entry and then click the Update button to save your changes.

Exclude the Above Selection(s)

Select the Exclude the Above Selection(s) check box if you want to search for changes to all SharePoint objects except those listed in the ‘what’ list.

Runtime Prompt

Select the Runtime Prompt check box on this dialog to prompt for a SharePoint object every time the search is run. That is, when the Run tool bar button is selected, the Add SharePoint Path dialog appears allowing you to select the path to be searched for SharePoint events.

 
* 
NOTE: When Runtime Prompt is selected, the SharePoint option will be disabled on the Add tool bar buttons on the What tab.
* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating