Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Manage Connection Profiles dialog

Previous Next

Manage Connection Profiles dialog

The Manage Connection Profiles dialog appears when the Manage button on the Connection screen is clicked. From this dialog, you can add new connection profiles, edit or delete connection profiles and clear saved logon credentials.

Connection profiles list

Displays a list of previously defined connection profiles, including the following information:
Enabled - indicates whether the connection profile is enabled or disabled. Click in the Enable cell to enable or disable a connection profile.
Connection Profile - displays the name assigned to the connection profile when it was created.
User Defined - indicates whether the connection profile is user defined.
Creds - indicates whether additional credentials are required to access the selected coordinator

Selecting a profile in this list displays additional details (such as the forest name, coordinator name, port number, and installation name) for the selected connection profile.

Use the buttons at the bottom of this screen as described below:

Add

Use to create a new connection profile. Clicking this button will launch the Connection Wizard which steps you through the process of creating a new connection profile.

Delete

Use to remove the selected connection profile from the list box.

 
* 
NOTE: This button is only available for user defined connection profiles.

Edit

Use to modify the selected connection profile. Clicking this button will display the Connection wizard allowing you to modify the settings for the selected connection profile.

 
* 
NOTE: This button is only available for user defined connection profiles.

Clear Creds

Use to clear the saved logon credentials allowing you to use a different set of credentials for accessing the coordinator.

Save

Use to save the new profile or the changes made to an existing profile.

Cancel

Use to close the dialog without saving your new/modified profile.

New Report Layout dialog

Previous Next

New Report Layout dialog

The New Report Layout dialog appears when the Add tool bar button on the Report Layouts page (Administration Tasks tab) is clicked. On this dialog, enter a name for the new report layout you are about to create and click OK. Clicking OK adds the new report layout to the Report Layouts page and launches the report designer allowing you to define the header and/or footer information to be included in the new report layout.

* 
NOTE: The report designer in Change Auditor uses StimulReport.Net components for designing reports. For a detailed description and functionality of each component available, click F1 to view the Stimulsoft online help.

Microsoft 365 dialog

Previous Next

Microsoft 365 dialog

Appears when Add | Subsystem | Microsoft 365 or Add With Events | Subsystem | Microsoft 365 is selected on the What tab of the Search Properties tabs. From here, you can either include all Microsoft 365 events or selected events in a search query.

When using the Selected Events option, you can search for either mailbox, administration cmdlet, or SharePoint Online and OneDrive for Business events.

For mailbox events, enter the expressions to use to search for events based on the mailbox name, folder name, On-Premises User Name, On-Premises Target Name, Target Display Name, and Target Sync Type.
For administration cmdlet events, enter the expressions to use to search for events based on the Cmdlet Name, Cmdlet Parameters, Parameter Values, and Cmdlet Object.
For SharePoint Online and OneDrive for Business, enter the expressions to use to search for events based on the operation, file, folder, or site.

Once you have entered an expression, click Add to move the search criteria into the selection list. When multiple entries are added to the selection list, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed. Once you have specified the events to be included, click OK to save your selections and close the dialog.

All Events

This option is selected by default and includes all Microsoft 365 events. Click OK to save your selection and close the dialog.

All Mailbox Events

Select to include all Microsoft 365 Exchange Online mailbox events in the search. Click OK to save your selection and close the dialog.

All Administration Events

Select to include all changes made by administrators to the Microsoft 365 Exchange Online organization. Click OK to save your selection and close the dialog.

Selected Events

Select to specify the Microsoft 365 events to include in the search. When this option is selected, the remaining fields on this dialog are enabled allowing you to further define events to be included. Click the Add button to move your selections to the list box at the bottom of the page.

Mailbox Event

Select this check box to search for changes to a specific Microsoft 365 Exchange Online mailbox or folder. Use the following fields to specify events based on the mailbox name, folder name, on-premises user name, on-premises target name, target display name, and target sync type to be included in the search.

Mailbox Name - select Mailbox Name to specify the expression to be used to match the mailboxes that are to be included in the search.
Select the comparison operator to be used: Contains or Does Not Contain
Enter the name (or partial name) of a mailbox to be used to search for a match. Case sensitivity is based on your SQL settings.
Folder Name - select Folder Name to specify the expression to be used to match folder(s) that are to be included in the search.
Select the comparison operator to be used: Contains or Does Not Contain
Enter the name (or partial name) of a folder (e.g., Inbox) to be used to search for a match. Case sensitivity is based on your SQL settings.
* 
NOTE: If both the Mailbox Name and Folder Name are specified, both expressions must be met before an event will be returned.
Select On-Premises User Name to specify the user to include.
Select the comparison operator to be used: Like or Not like and enter the name (or partial name) to be used to search for a match. Case sensitivity is based on your SQL setting.
Select On-Premises Target to specify the target to include. (This will include changes for specific targets based on the SAM account and domain name of the on-premises mailbox account that corresponds to the cloud-based mailbox account.)
Select the comparison operator to be used: Like or Not like and enter the name (or partial name) to be used to search for a match. Case sensitivity is based on your SQL setting.
Select Target Display Name to specify the target to include. (This will search for changes for specific targets based on the mailbox account display name.)
Select the comparison operator to be used: Like or Not like and enter the name (or partial name) to be used to search for a match. Case sensitivity is based on your SQL setting.
Select Target Sync Type to specify the type of mailbox accounts to include based on how they are synchronized.
Select In cloud to include mailbox accounts created in the cloud.
Select Synced from AD to include mailbox accounts that have been synchronized from your on-premises Active Directory directories.

Administration Cmdlet Event

Use the following fields to specify the cmldets, parameters, values or objects to include in the search.

Click Cmdlet Name and select the comparison operator to use: Contains or Does not contain. Enter the ‘command’ to use to search for a match. For example, to search for any ‘add’ users, enter add.
Click Cmdlet Parameters select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a parameter to use to search for a match.
Click Parameter Values select the comparison operator to use (Contains or Does not contain), and enter the value to use to search for a match.
Click Cmdlet Object, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a mailbox to use to search for a match.

NOTE
Case sensitivity is based on your SQL setting.
If the Cmdlet Name, Cmdlet Parameters, Parameter Values and Cmdlet Object are specified, all expressions must be met before an event is returned
Cmdlet Parameters and Parameter Values can be searched separately; however, when both are selected the query is limited to the parameter that contains the selected value.
a
To add the expression to the selection list, click Add.
b
Repeat this process to add any additional search query requirements.
* 
NOTE: When multiple entries are added to the selection list at the bottom of the page, Change Auditor uses the ‘OR’ operator to evaluate events, returning events that meet any of the entries listed.

Microsoft 365 services

Select the Microsoft 365 services to search. You can choose SharePoint Online or OneDrive for Business or both.

* 
NOTE: Case sensitivity is based on your SQL setting.
Operation - select this to specify the activity to include. Select the comparison operator to be used: Like or Not like and enter the name (or partial name) to use to search for a match.
Select Site URL filter to specify the full or partial URL to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character).
Select the Target filter to specify the full or partial name of the operation target (for example, the folder, file, user, or group) to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character).

Exclude the Above Selection(s)

Select this to exclude the expressions listed in the selection list from the search. That is, Change Auditor will search for all events except those that match the expressions listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the Microsoft 365 events whenever the search is run. That is, when the Run tool bar button is used, the Microsoft 365 dialog appears allowing you to specify the expressions to be used in the search.

* 
NOTE: When Runtime Prompt is selected, the Microsoft 365 option will be disabled on the Add tool bar buttons on the What tab.

Rename dialog

Previous Next

Rename dialog

* 
NOTE: This option is not available when this dialog is launched from the Purge Job wizard.

The Rename dialog appears when you click the Edit tool bar button on the Audit Events page (Administration Tasks tab) to modify an event’s description in the Event Class field.

Current

Displays the current description of the event selected on the Audit Events page.

New

Initially displays the current description of the event, which is highlighted. Enter the new description for the event selected on the Audit Events page.

Click OK to save your changes, close the dialog and return to the Audit Events page where the new description is now displayed.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating