
Change Auditor 7.5 - User Guide


When tab


The When tab allows you to limit the returned results of the search by date and time. By default, a new search is set to include the change events captured this week. The When tab contains the following information and controls:

Table 5. When tab: Field and control descriptions

Field and Control: Description

Runtime Prompt: Select this check box to prompt for the date and time interval whenever the search is run. That is, when Run is selected, the When dialog is displayed allowing you to specify the date and time range to be used in your search.
NOTE: When this check box is checked, Add is deactivated.

Date Interval: Check one of the following options to change the default setting and define a different date range to limit your search.

  From/To: Select this check box and enter the date range.
    From: Enter the start date for your date range; or click the arrow control to display a calendar from which to select the start date. Only events that occurred on or after this date are included in the search.
    To: Enter the end date for your date range; or click the arrow control to display a calendar from which to select the end date. Only events that occurred before or on this date are included in the search.

  Last: Select this check box and the appropriate relative date and value (that is, number of minutes, hours, days, weeks, months, quarters, or years).

  This: Select this check box and click the arrow control to select the appropriate date and time interval:
    This Day: Start parameter is TODAY at midnight local time; end parameter is the current date and time.
    This Week: Start parameter is midnight local time on the day specified in the First Day of Week parameter (Regional and Location setting) on the local machine (for example, SUNDAY); end parameter is the current date and time. (Default for new searches.)
    This Month: Start parameter is the first day of the current month at midnight local time; end parameter is the current date and time.

Time Interval: Use this pane to specify a time range to further limit your search.

  From: Use the arrow controls to select or enter the starting time for your time range. Only events that occurred at or after this time are included in the search.
  To: Use the arrow controls to select or enter the ending time for your time range. Only events that occurred before or at this time are included in the search.
  Reset: Use to clear the time interval settings.

To search for events generated during a specific date and time range:
From/To - select this option and enter the date range to use.
Last - select this option and the appropriate relative date and value (that is, number of minutes, hours, days, weeks, months, quarters, or years).
This - select this option and click the arrow control to select the appropriate time interval (that is, Day, Week, or Month).
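
The following is an added example, not part of Change Auditor or its documentation: a Python model of the This Day / This Week / This Month start and end parameters and of the inclusive From/To date check described above, useful when the same window has to be reproduced over exported events. The function names are hypothetical; it assumes naive datetimes in local time and uses Python's weekday numbering (Monday=0 ... Sunday=6) in place of the First Day of Week regional setting.

```python
from datetime import date, datetime, timedelta


def this_interval(kind, now, first_day_of_week=6):
    """Return (start, end) for the This Day / This Week / This Month options.

    `now` is a naive datetime in local time. `first_day_of_week` uses
    datetime.weekday() numbering (Monday=0 ... Sunday=6) and stands in for
    the First Day of Week regional setting on the local machine.
    """
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if kind == "day":
        start = midnight
    elif kind == "week":
        # Step back to the most recent first-day-of-week (0 days if today is it).
        start = midnight - timedelta(days=(now.weekday() - first_day_of_week) % 7)
    elif kind == "month":
        start = midnight.replace(day=1)
    else:
        raise ValueError(f"unknown interval: {kind!r}")
    return start, now  # the end parameter is always the current date and time


def in_date_range(event_time, from_date, to_date):
    """From/To check: both dates are inclusive, so compare calendar dates.

    Comparing against midnight of the To date instead would drop every
    event that happened later on that final day.
    """
    return from_date <= event_time.date() <= to_date


if __name__ == "__main__":
    # Constructed sample: Wednesday 15 May 2024, 14:30 local time.
    now = datetime(2024, 5, 15, 14, 30)
    for kind in ("day", "week", "month"):
        start, end = this_interval(kind, now)
        print(f"This {kind:<5} {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
    # Same moment on a machine whose week starts on Monday.
    print("Week (Mon):", this_interval("week", now, first_day_of_week=0)[0])
    late = datetime(2024, 5, 10, 23, 59, 59)  # constructed event timestamp
    print(in_date_range(late, date(2024, 5, 1), date(2024, 5, 10)))
```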

Origin tab


The Origin tab allows you to search for events based on the workstation or server where the event originated. When multiple ‘origin’ criteria are specified on this tab, Change Auditor uses the ‘OR’ operator to evaluate change events, returning events that originated from any of the specified workstations or servers.

The Origin tab contains the following information and controls:

Table 6. Origin tab: Field and control descriptions

Field and Control: Description

Runtime Prompt: Select this check box to prompt for the originating workstation or server whenever the search is run. That is, when Run is selected, the Add Origin dialog is displayed allowing you to enter the wildcard expression to locate a specific workstation or server.
NOTE: When this check box is checked, Add is deactivated.

Exclude the Following Selection(s): Select this check box to specify the workstations or servers to exclude from the search. That is, Change Auditor will return events originating from all workstations and servers except those listed in the Origin list.

Origin list: By default, all events regardless of where they originated are included in a new search and therefore this list box is initially empty. Once criteria are selected, this list box contains the wildcard expression used to locate the workstations and servers to include in the search (or to exclude from the search if the Exclude the Following Selection(s) option is checked).

To search for events based on where they originated:
2. Click Add.
4. After entering the wildcard expression to use, click OK to close the dialog and add the wildcard expression to the ‘origin’ list.
NOTE: You can use Add with Events (instead of Add) to select a workstation or server that already has an event associated with it in the database. The workstations and servers available for selection are based on the ‘when’ clause (When tab) and the search limit (Info tab) specified for the current search.

Alert tab


The Alert tab allows you to enable alerting and define how and where to dispatch alerts. See Alert tab (Search Properties tabs) for a detailed description of the contents of this tab.

Report tab


The Report tab allows you to enable reporting and define when and where to send a report. Reports can be sent to email addresses and shared folders. See Report tab (Search Properties tabs) for a detailed description of the contents of this tab.
