Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Alert Custom Email dialog

Previous Next

Alert Custom Email dialog

The Alert Custom Email dialog opens when you enable an alert or when you select the Configure Email button on the Alert tab of the Search Properties tabs for a search. From this dialog, you can define a custom alert email for the selected search. That is, for the selected search, the alert settings defined in this dialog will overwrite the global settings defined on the Email Alerts Configuration pane of the Coordinator Configuration page.

* 
NOTE: If the fields on this dialog are disabled, go to the Coordinator Configuration page on the Administrative Tasks page to ensure that the SMTP or Microsoft 365 check box is checked and that email alerting is configured.

This dialog contains the following information/controls:

To

Enter or click the browse button to specify the email addresses for users who are to receive the alert emails for the selected search. You can enter either individual email addresses or distribution list addresses; separate multiple addresses with a semi-colon.

Cc

Enter or click the browse button the email addresses for users who are to receive a carbon copy of the alert emails. You can enter either individual email addresses or distribution list addresses; separate multiple addresses with a semi-colon.

Bcc

Enter or click the browse button to specify the email addresses for users who are to receive a blind carbon copy of the alert emails. You can enter either individual email addresses or distribution list addresses; separate multiple addresses with a semi-colon.

Reply To

This field contains the Reply To address specified on the Coordinator Configuration page. To change this address, place your cursor in this field and enter a different address or click the browse button to specify the address where replies to alert emails are to be sent. Separate multiple addresses with a semi-colon.

Clicking the browse button to the right of any of these email address fields displays one of the following dialogs:
The Select Active Directory Objects dialog (Directory object picker) where you can use the Browse or Search page to locate Active Directory user(s). This dialog is displayed when no Exchange host is specified in the Email Alerts Configuration pane of the Coordinator Configuration page.
The Select Exchange Users dialog allowing you to locate and select an Exchange user (Exchange tab) or an Active Directory user (Active Directory tab). This dialog is displayed when an Exchange host is defined in the Email Alerts Configuration pane of the Coordinator Configuration page.

Alert Subject

Enter a customized subject line for the selected search definition to replace the default text in the subject line. The default subject line contains the following information:

Change Auditor %Alert_Type% from %Alert_Coordinator_Name% %Alert_Name%

Where:
%Alert_Type% is either ‘Alert’ or ‘Smart Alert’
%Alert_Coordinator_Name% is the name of the coordinator generating the alert
%Alert_Name% is the name of the alert that fired

Click the browse button to the far right of the Alert Subject to change the variables used in the subject line or to reset it back to the default content.
Insert Variable - Expand the Insert Variable option to select a variable to be inserted into the subject line.
Restore to Default - Use the Restore to Default option to reset the subject line back to the default content. That is, remove any variables that were inserted.

Send Plain-Text Email

Select to have the email notification sent in plain text format. (Default)

Send HTML Email

Select to have the email notification sent in HTML format.

Configure Body

Click the Configure Body button to launch the Alert Body Configuration dialog where you can define the content of the main body, the event details and the signature to be included in your alert emails.

Add Who

Select to send an alert to the user who initiated the change that triggered the alert. Then select the corresponding option to specify the recipient field (To, Cc, or Bcc) to which it is to be added.

Add Users

When selected, alerts for user object changes are sent to the user; alerts for mailbox objects are sent to the mailbox owner. Select the corresponding option to specify the recipient field (To, Cc, or Bcc) to which it is to be added.

* 
NOTE: This feature only applies to Exchange Mailbox Monitoring, which is available in Change Auditor for Exchange.

Add Managers

When selected, alerts for user object changes are sent to the user manager (if set); alerts for group objects are sent to the managed-by user (if set). Alerts for mailbox objects are sent to the owner's manager (if set).

Select the corresponding option to specify the recipient field (To, Cc, or Bcc) field to which it is to be added.

Auditing and Protection Templates dialog

Previous Next

Auditing and Protection Templates dialog

The Auditing and Protection Templates dialog appears when the Edit Templates button is clicked on the Configuration Setup dialog. It also appears when an individual template is selected and you select the Edit Template right-click command. This dialog contains a list of all the auditing and protection templates that have been previously defined which can be assigned to an agent configuration. It consists of a tabbed page for each of the following types of templates:
File System Auditing and File System Protection (File System auditing or protection templates will not capture the associated events or protect the designated files/folders unless you have licensed Change Auditor for Windows File Servers.)
Registry Auditing
Service Auditing
Excluded Accounts Auditing
SQL Server Auditing (SQL Server auditing will not capture the associated events unless you have licensed Change Auditor for SQL Server.
* 
NOTE: You may have other protection templates defined (for example, Active Directory and Group Policy) but they will not be included in this dialog because they are global templates and are not assigned to agent configurations. To create, modify or delete these templates you must go to the appropriate protection page on the Administration Tasks tab.

From this dialog, use the buttons at the bottom of the tab to perform the following tasks:

Add Template

Click to create a new template. Clicking this button displays the appropriate wizard to assist in defining the content for the new template.

Edit Template

Select a template from the list and click this button to modify the template. Clicking this button displays the appropriate wizard to assist in modifying the content of the selected template.

Delete Template

Select a template from the list and click this button to remove the template from the Auditing and Protection Templates list.

In addition to the above tasks, you can also use the corresponding Status cell control to:
enable or disable a template
enable or disable an object in a template

Authorizations: Application Group dialog

Previous Next

Authorizations: Application Group dialog

The Authorizations: Application Group dialog appears when Add | Add Application Group is selected on the Application User Interface Authorization page (from the Administration Tasks tab). From this dialog, you can define an Authorization Manager application group which can then be assigned to a task or role definition.

To define a new application group definition, enter the requested information on the following tabbed pages:

Group tab

Use the Group tab to assign a name to the new application group and define the method to be used to add members to the application group.

Name

Enter a name for the new application group.

Description

Optionally enter a description for the application group.

Select one of the following options to define the method to be used to define the members of the application group:
Basic (default) - use to define an explicit list of members to be included or excluded
LDAP Query - use to dynamically generate the member list based on an LDAP query
Members tab

When the Basic option is selected on the Group tab, use the Members tab to define the members to be included in the application group.

Members list box

Contains the users, groups or application groups who are to be included in the application group.

Add Application Group

Use to add an Application Group to the members list. Clicking this button will display the Authorizations: Application Group dialog allowing you to select from a list of previously defined application groups.

Add User or Group

Use to add a user or group to the members list. Clicking this button will display the Directory object picker. Use the Browse or Search pages to locate and select the user and/or group account(s) to be added.

Remove

Use to remove an application group, user or group from the member list.

Non-Members tab

When the Basic option is selected on the Group tab, use the Non-Members tab to define the members who are to be excluded from the application group.

Non-Members list box

Contain the users, groups or application groups who are to be excluded from the application group.

Add Application Group

Use to add an Application Group to the non-members list. Clicking this button will display the Authorizations: Application Group dialog allowing you to select from a list of previously defined application groups.

Add User or Group

Use to add a user or group to the non-members list. Clicking this button will display the Directory object picker. Use the Browse or Search page to locate and select the user and/or group account(s) to be added to this list.

Remove

Use to remove an application group, user or group from the non-member list.

LDAP Query tab

When the LDAP Query option is selected on the Group tab, use the LDAP Query tab to enter the LDAP query to be used to dynamically generate the member list for the application group. That is, when new users or groups that match the criteria defined are added, they will automatically be added to the member list.

Authorizations: Operations | Role Definitions | Task Definitions | Application Group

Previous Next

Authorizations: Operations ||| Application Group

An additional Authorizations dialog opens when you click Add on one of the following Authorizations dialogs:

Authorizations:dialog

Contains a list of previously defined roles that can be added to the selected role.

It opens when Add Role is selected on the Definitions tab of the Authorizations: Role dialog.

Authorizations:dialog

Contains a list of previously defined tasks that can be added to the selected role or task.

It opens when Add Task is selected on one of the following tabs:
Authorizations: Role dialog - Definition tab
Authorizations: Task dialog - Definition tab
Authorizations: Operations dialog

Contains a list of the operations that can be added to the selected role or task.

It opens when Add Operation is selected on one of the following tabs:
Authorizations: Role dialog - Definition tab
Authorizations: Task dialog - Definition tab
Authorizations: Application Groups dialog

Contains a list of the application groups previously defined that can be added to the selected members list.

It opens when Add Application Group is selected on one of the following tabs:
Authorizations: Role dialog - Members tab
Authorizations: Application Group dialog - Members tab
Authorizations: Application Group dialog - Non-Members tab
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating