Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

Change Auditor assigns the default configuration to each agent, including both server agents and workstation agents, during deployment.

* 
TIP: Whenever you upgrade from a previous version of Change Auditor, the default configuration settings will be restored. Therefore, if you want to modify the default configuration settings, it is best to copy the default configuration and then save it using a different name.
NOTE: The values for the proxy server settings are not included when you copy a configuration.

The default configuration consists of the following settings:

System Settings:
Polling Interval: 900 seconds
Forwarding Interval: 5 seconds
Kerberos Ticket Lifetime: 10 hours

A Kerberos user ticket can be used to verify your identity and gain access to specific resources or services in your domain. A golden ticket is a forged Kerberos ticket. An attack using a golden ticket is extremely dangerous due to the forged identity, elevated access it allows, and because it can be reused over its lifetime (10 years by default).

The setting determines the maximum ticket lifetime. When this value is exceeded, the “Kerberos user ticket that exceeds the maximum ticket lifetime detected” domain controller authentication event is generated which may indicate a possible golden ticket attack.
Retry Interval: 300 seconds
Maximum events per connection: 1,500
Agent Load Threshold: 10,000
Allowed time for connection: 24 x 7
* 
NOTE: These system settings apply to both server agents and workstation agents.
Proxy Server settings
Proxy Server: Not set
Port: 8080
Requires authentication: Not set
File System settings:
Discard duplicates that occur within: 10 seconds
* 
NOTE: This setting only applies to file system auditing which is available with Change Auditor for Windows File Servers, Change Auditor for EMC and Change Auditor for NetApp.
AD Query settings:
Discard query results less than: 0 records
Discard queries taking less than: 20 milliseconds
Discard duplicate queries occurring within: 15 minutes
AD Query auditing enabled
* 
NOTE: These settings only apply to Active Directory query auditing which is available with Change Auditor for Active Directory Queries.
Exchange settings:
Discard duplicate folder opens that occur within: 0 seconds
* 
NOTE: This setting only applies to Exchange auditing which is available with Change Auditor for Exchange.

You can define and assign different agent configurations to each deployed server agent from the Agent Configuration page on the Administration Tasks tab. However, workstation agents always use the default configuration; they cannot be assigned to a different agent configuration.

When the default configuration is modified, workstation agents will only receive these modifications when the polling interval determines there has been a change; clicking Refresh Configuration on the Agent Configuration page only pushes agent configuration changes out to server agents.

To enable custom auditing and protection, you must assign templates to an agent’s configuration. The custom auditing and protection features that require custom templates to be assigned to an agent’s configuration are:
Excluded Accounts Auditing
File System Auditing
File System Protection
Registry Auditing
Service Auditing
SQL Auditing
* 
NOTE: The NetApp, EMC, SharePoint, and Microsoft 365 auditing templates define which agents are used to capture events; however, these templates do not use the agent configurations from the Agent Configuration page as described in this section. See the Quest Change Auditor for NetApp User Guide, Quest Change Auditor for EMC User Guide, Quest Change Auditor for SharePoint User Guide, Microsoft 365 and Microsoft Entra ID Auditing User Guide.

 

Agent Configuration page

Previous Next

Agent Configuration page

This page displays when Agent is selected from the Configuration task list in the navigation pane of the Administration Tasks tab. From here you can define and assign agent configurations.

* 
NOTE: Workstation agents always use the default configuration and cannot be assigned to a different agent configuration; therefore, they are not included on the Agent Configuration page.

The following information is available for each deployed server agent. To display columns not on by default, use the Field Chooser button located to the far left of the column headings.

 
* 
NOTE: All dates and times are based on the client’s current local date and time. The format used to display the date and time is determined by the local computer’s regional and language setting.
 

Table 1. Agent Configuration page: Field descriptions

Column

Default

Description

Active Directory

No

Indicates whether Active Directory auditing and/or protection has been defined.

ADAM (AD LDS)

No

Indicates whether ADAM (AD LDS) auditing and/or protection has been defined.

Agent

Yes

Displays the NetBIOS name of the server that hosts the Change Auditor agent.

Agent FQDN

No

Displays the fully qualified domain name (FQDN), consisting of the host and domain name including the top-level domain, of an agent.

Configuration

Yes

Displays the name of the agent configuration assigned to each agent listed.

Coordinator

No

Displays the computer name of the Change Auditor coordinator that an agent is connected through.

DB Size

No

Displays the size of an agent’s database.

Domain

Yes

Displays the name of the domain where the server resides.

EMC

Yes

Indicates whether an agent has been assigned to an EMC auditing template to receive EMC events.

Events Last 24 Hours

No

Displays the number of events encountered on the agent during the past 24 hours from when the Agent Configuration page is initially opened during the current client session or when the page is refreshed using the Refresh button.

The value in this field is a hypertext link and when selected launches a quick search to display the events generated in the last 24 hours.

Events Last Hour

No

Displays the number of events encountered on the agent in the last 60 minutes from when the Agent Configuration page is initially opened during the current client session or when the page is refreshed using the Refresh button.

The value in the field is a hypertext link and when selected launches a quick search to display the events generated in the last 60 minutes.

Events Today

No

Displays the number of events encountered on the agent since 12:00 a.m. of the current day (based on the relative coordinator computer's time).

The value in this field is a hypertext link and when selected launches a quick search to display today’s events.

Events Total

No

Displays the number of events encountered since the agent was started.

The value in this field is a hypertext link and when selected launches a quick search to display all events encountered since the agent was started.

Events Yesterday

No

Displays the number of events encountered between 12:00 a.m. yesterday and 12:00 a.m. of the current day (based on the relative coordinator computer's time).

The value in this field is a hypertext link and when selected launches a quick search to display yesterday’s events.

Exchange

No

For agents hosting Exchange, this column indicates whether Exchange Mailbox auditing and/or Exchange Mailbox protection has been defined.

Microsoft 365

Yes

Indicates whether an agent has been assigned to an Microsoft 365 auditing template to receive Exchange Online, SharePoint Online, and OneDrive for Business events.

Exchange Server

No

Indicates whether the server is an Exchange server.

Exclude Account

Yes

Indicates whether an Excluded Accounts Auditing template has been assigned to an agent’s configuration.

File System

Yes

Indicates whether a File System Auditing or File System Protection template has been assigned to an agent’s configuration.

Forest

No

Displays the name of the forest where the agent resides.

Group Policy

No

Indicates whether Group Policy protection has been defined.

Last Update

No

Displays the date and time when the agent configuration was last updated.

NetApp

Yes

Indicates whether an agent has been assigned to a NetApp Auditing template to receive NetApp filer events.

Registry

Yes

Indicates whether a Registry Auditing template has been assigned to an agent’s configuration.

Service

Yes

Indicates whether a Service Auditing template has been assigned to an agent’s configuration.

SharePoint

Yes

Indicates whether an agent has been assigned to a SharePoint Auditing template to capture SharePoint events.

SQL

Yes

Indicates whether a SQL Auditing template has been assigned to an agent’s configuration.

SQL Data Level

Yes

Indicates whether a SQL Data Level Auditing template has been assigned to an agent’s configuration.

Startup Time

No

Displays the date and time when the agent was last initialized.

Status

No

Displays the current status of the agent:

active
inactive
uninstalled

Type

No

Displays the agent platform:
Domain Controller
Global Catalog
Server

Unsent Events

No

Displays the number of events that have not yet been sent to the coordinator.

Uptime

No

Displays how long the agent has been running.

Version

No

Displays the version number of the Change Auditor agent currently deployed.

Define agent configurations

Previous Next

Define agent configurations

To define a new agent configuration:
1
Open the Administration Tasks tab and click Configuration.
2
Select Agent in the Configuration task list.
3
From the Agent Configuration page, click Configurations.

The Configuration Setup dialog opens, which contains a list of configuration definitions available as well as the means for creating a new configuration.

4
Click Add to create a new definition or click Copy to duplicate the configuration selected in the Configurations list box.

This adds a new configuration to the list, allowing you to name the new configuration, specify the system settings and assign auditing and protection templates to the configuration.

5
With the new/copied configuration highlighted in the Configuration list, enter the name for your new agent configuration.
6
Use the tabbed pages at the top of the dialog to modify the system settings, file system settings, AD Query settings, Exchange settings, Defender auditing, and Authentication Services auditing. The settings that can be modified on these tabs include:
 

Table 2. Agent Configuration settings

Setting:

Default:

Valid range:

System Settings

Polling Interval

900 seconds

60 - 9999 seconds

Forwarding Interval

5 seconds

5 - 999 seconds

Retry Interval

300 seconds

60 - 600 seconds

Kerberos Ticket Lifetime (hours)

10 hours

1 to 99999 hours

Max events per connection

1500 events

100 - 99999 events

Agent Load Threshold

10000 events

100 - 100000 events

Allowed time for connection

Sunday - Saturday
12:00 am - 11:59 pm

N/A

Proxy Server Settings

If your organization uses a proxy server to connect to the internet, these settings are required to audit Microsoft Entra ID and Microsoft 365 targets. Selecting Validate Proxy Settings uses the configured settings to access a website through the proxy server. This test uses the https://www.quest.com web site.

NOTE: Clearing the value for 'Proxy Server' and selecting Apply resets all proxy settings to default values.

Proxy Server

Not set

fully qualified domain name, down-level name, or IPv4 address

Port

8080

1- 65535

Requires Authentication

If your proxy server requires authentication, click the option and enter the required credentials.

Not set

N/A

File System

The settings on the File System tab only apply when Change Auditor for Windows File Servers, Change Auditor for EMC or Change Auditor for NetApp is licensed.

Discard duplicates that occur within nn seconds

Enabled by default

10 seconds

1 - 600 seconds

Audit all configured, including duplicates (Not recommended)

Disabled by default

N/A

AD Query

The settings on the AD Query tab only apply when Change Auditor for Active Directory Queries is licensed.

Discard query results less than nn records

0 records

0 - 99999 records

Discard queries taking less than nn milliseconds

20 milliseconds

0 - 99999 milliseconds

Discard duplicate queries occurring within nn minutes

15 minutes

1 - 1440 minutes

AD Query auditing enabled

Enabled by default

N/A

Exchange

The setting on the Exchange tab only applies when Change Auditor for Exchange is licensed.

NOTE: These settings only apply to the Exchange subsystem events; they do not apply to the Microsoft 365 subsystem events.

Discard duplicates that occur within nn seconds

0 seconds

0 - 600 seconds

Defender

Defender auditing enabled

Disabled by default

N/A

Authentication Services

Authentication Services auditing enabled

Disabled by default

N/A

7
To add an auditing or protection template to the selected configuration, use the Auditing and Protection Templates pane. This pane displays the auditing and protection templates previously defined.

Use one of the following methods to assign a template to an agent configuration:
Select a template and ‘drag and drop’ it onto a configuration in the Configuration list.
Select a configuration from the Configuration list and ‘drag and drop’ it onto a template in the Auditing and Protection Templates pane.
Select a configuration, then select a template, right-click and select Assign.
Select a configuration, then select a template, click in the corresponding Assigned cell and click Yes.

Repeat this step to add additional templates to the selected configuration.

8
If the templates list is empty or you want to define a new template, click Edit Templates.
On the Auditing and Protection Templates dialog, select the tab for the type of template to be added (e.g., Excluded Accounts) and click Add Template.
The associated wizard will be displayed allowing you to define the auditing or protection to be applied. Refer to the appropriate chapters in this guide for details on completing each of these wizards.
9
Once you have defined the new template, click OK to close this dialog and return to the Configuration Setup dialog. Select this new template, right-click and select Assign.
10
Once you have named the configuration, selected the system settings and added auditing or protection templates, click OK to save your configuration and return to the Agent Configuration page.

Assign agent configurations to server agents

Previous Next

Assign agent configurations to server agents

Once agent configurations are defined you can assign it to one or more installed server agents from the Agent Configuration page.

To assign a configuration to an agent from the Agent Configuration page:
1
On the Agent Configuration page, select one or more agents from the agent list and click Assign.
2
On the Agent Assignment dialog, select the configuration definition to be assigned to the selected agents and click OK.

On the Agent Configuration page, the agent configuration assignment will be updated in the Configuration column.

3
Select the agents assigned to the agent configuration and click Refresh Configuration to ensure that the assigned agents are using the latest agent configuration.
To reset ALL agent configurations back to the default configuration:
1
On the Agent Configuration page, click Default All.
2
A message is displayed confirming that you want to reset all agent configurations back to the factory default settings. Click Yes.

The agent configuration assignment will be updated in the Configuration column.

3
Select the agents assigned to the agent configuration and click Refresh Configuration to ensure that the assigned agents are using the latest agent configuration.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating