Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Enable event logging

Previous Next

Enable event logging

Using the Agent Configuration page you can enable the event logging feature which writes Change Auditor events locally to a Windows event log. These event logs can then be collected using InTrust to satisfy long-term storage requirements.

 
* 
NOTE: This is a global setting and applies to all agents. Keep the following in mind when defining custom auditing:
Disabling Change Auditor events does NOT impact event logging.
Excluding accounts from auditing does NOT impact event logging with the exception of Exchange. That is, if an Exchange Mailbox account is set to exclude ALL mailbox events, then these events will also be excluded from the event log.
For Registry events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For Service events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For Active Directory events, event logging is disabled by default. When enabled, all Active Directory activity is sent to the event log.
For Microsoft Entra events, event logging is disabled by default. When enabled, only configured activities are sent to the event log
For ADAM (AD LDS) events, event logging is disabled by default. When enabled, all ADAM activity is sent to the event log.
For File System events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For Exchange mailbox events, event logging is disabled by default. When enabled, only configured Exchange Mailbox activities are sent to the event log. Microsoft 365 Exchange Online events are not logged to this event log.
For SQL Server events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For SQL Data Level events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For AD Query events, event logging is disabled by default. When enabled, all Active Directory queries, except those specified in the excluded AD Query list are sent to the event log. When enabling AD Query event logging, keep in mind that AD Query events could be of very high volume.
For EMC events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For NetApp events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
For SharePoint events, event logging is disabled by default. When enabled, only configured activities are sent to the event log.
To enable event logging:
1
Open the Administration Tasks tab and select Agent (under the Configuration task list) to display the Agent Configuration page.
2
Click Event Logging.
3
Select the type of event logging to enable:
Active Directory
ADAM (AD LDS)
Microsoft Entra
Exchange
File System
SQL
SQL Data Level
EMC
AD Query
Registry
Service
Local Account
Change Auditor
NetApp
SharePoint
* 
NOTE: If an option is disabled, this indicates that you do not have the corresponding component licensed.
4
Click OK to save your selection and close the dialog.

 

Coordinator Configuration

Previous Next

 

Coordinator Configuration
Coordinator Configuration page
Configure email alert notifications/reports
Manually create a Microsoft Entra web application for sending Microsoft 365 mail
Customize alert email content
Shared Folder Configuration
Group Membership Expansion
Add groups to Group Membership Expansion list
Agent Heartbeat Check
Disconnect client after 30 minutes of inactivity
Scheduled Task Handling

Coordinator Configuration page

Previous Next

Coordinator Configuration page

The Coordinator Configuration page is displayed when you select Coordinator from the Configuration task list in the navigation pane of the Administration Tasks tab.

This page consists of the following:
Configure email alert notifications/reports - for enabling and configuring SMTP email and Microsoft 365 Mail for alerting and reporting
Shared Folder Configuration - for enabling and configuring shared folders for reporting
Group Membership Expansion - for defining the schedule for expanding nested membership of Active Directory groups that are referenced in searches (Who search criteria) or groups that are defined in the Member of Group auditing feature
Agent Heartbeat Check - for specifying how long the coordinator service is to wait before an agent that is not sending updates will be marked as ‘inactive’
Scheduled Task Handling - for specifying which coordinators should handle purge, archive, and scheduled reports jobs.

 

Configure email alert notifications/reports

Previous Next

Configure email alert notifications/reports

To dispatch alerts and reports through email, SMTP or Microsoft 365 Mail, you need to enable notification and define the email settings.

* 
NOTE: The settings set on this page are global settings and apply to all alert/report emails. For alerts you can override the reply to, alert subject, signature and body content for individual search queries using the settings on the Alert tab (Search Properties tabs). For reports, you can override the To and Reply addresses, specify carbon copy (Cc and Bcc) recipients, and modify the subject line for individual search queries using the Report tab (Search Properties tabs).
To enable and configure email notifications/reports:
1
Open the Administration Tasks page and click Configuration at the bottom of the navigation pane (left pane).
2
Select Coordinator in the Configuration task list to open the Coordinator Configuration page.
3
On the Email Alerts Configuration pane, specify the required information.

 

Table 1. Email Alerts Configuration pane options

Field/Control

Description

Disabled

Select to disable email notifications.

SMTP

Select this to enable SMTP email alert notifications and reporting. When this option is selected, you can specify a mail server and authentication options for the SMTP email configuration.
Server Requires Authentication : Select this check box if the specified email server requires authentication and enter the account information as described below.
Enable SSL : Select this check box to enable Secure Socket Layer (SSL) encryption protocol to create a secure connection for transmitting data from the email server.
Requires Comma-Separated Addresses: Select this option if your SMTP server requires comma separated addresses when multiple recipients are specified.
Mail Server: When SMTP is enabled for alerts and reporting, enter the name or IP address of the email server in this text box.

To configure a specific SMTP port, append the email server (SMTP server name or IP address) with a colon and the required port.

Change Auditor sends alerts/reports through a single SMTP (email) relay configuration even when multiple coordinators are configured. That is, all coordinators will use the same email server for sending alert notifications and reports.
Account Name : Enter the account name required to authenticate to the specified email server. Instead of entering the account name, you can use the browse button to the far right of the Account Name field to select the account to be used. Clicking this button displays the Select Active Directory Object dialog (Directory object picker). Use the Browse or Search pages to locate the user account to be used to authenticate to the email server.
Password : Enter the password associated with the account name entered above. Blank passwords are not allowed.

Microsoft 365 Mail

Select this to enable Microsoft 365 Mail alert notifications and reporting. When this option is selected, you can specify an Microsoft Entra Directory Name and web application for the email configuration.
Microsoft Entra Directory Name: The name of the Microsoft Entra directory for Microsoft 365 Mail.
Application ID: The Microsoft Entra web application ID. Select Create New to create a new application. (When creating a new web application, the account provided must hold the Global Administrator role in the specified Microsoft Entra directory.)
Application Key: The Microsoft Entra web application key.
NOTE: Automatic web app creation is not supported for GCC High tenants. See Manually create a Microsoft Entra web application for sending Microsoft 365 mail for details.

From Address

NOTE: Browsing for an email address is only supported for on-premises Active Directory and Exchange.
NOTE: The From Address value must be an enabled mailbox in the specified Microsoft Entra directory when Microsoft 365 mail configuration is selected.

Enter the email address from which alert notifications and reports are to originate.

You can use the browse button to select the user whose email address is to be used for alert notifications and email reports. Clicking this button displays one of the following dialogs:
The Select Active Directory Objects dialog (Directory object picker) allows you to locate and select an Active Directory user. Use the Browse or Search page to locate and select an Active Directory user.

This dialog is displayed when no Exchange host is specified in the Coordinator Configuration page.
The Select Exchange Users dialog allows you to search for and select a mail-enabled object from the Exchange Global Access List (GAL). On the Exchange tab, enter a name or partial name, at least three characters long, and click the Search button to lookup mail-enabled objects in the GAL. On the Active Directory tab, use the Browse or Search page to locate and select an Active Directory user.

This dialog is displayed when an Exchange host is defined in the Coordinator Configuration page.

Reply To

Enter the address where replies to alert/report emails are to be sent.

You can use the browse button to select the user whose email address is to be used for alert notifications and email reports. Clicking this button displays one of the following dialogs:
The Select Active Directory Objects dialog (Directory object picker) allows you to locate and select an Active Directory user. Use the Browse or Search page to locate and select an Active Directory user.

This dialog is displayed when no Exchange host is specified in the Coordinator Configuration page.
The Select Exchange Users dialog allows you to search for and select a mail-enabled object from the Exchange Global Access List (GAL). On the Exchange tab, enter a name or partial name, at least three characters long, and click Search to lookup mail-enabled objects in the GAL. On the Active Directory tab, use the Browse or Search page to locate and select an Active Directory user.

This dialog is displayed when an Exchange host is defined in the Coordinator Configuration page.

Alert Subject

NOTE: This does not apply to email reports.

 

Enter a customized subject line to replace the default text in the subject line for alert notifications. The default subject line contains the following information:

Change Auditor %Alert_Type% from %Alert_Coordinator_Name%: %Alert_Name%

Where:

%Alert_Type% is either ‘Alert’ or ‘Smart Alert’

%Alert_Coordinator_Name% is the name of the coordinator generating the alert

%Alert_Name% is the name of the alert that fired

Click the browse button to select the variables to insert into the subject line or to reset it back to the default content. Expand the Insert Variable option to insert one or more of the following variables into the subject line:
ALERT_NAME
ALERT_TIME_SENT
ALERT_TYPE
ALERT_COORDINATOR_DOMAIN
ALERT_COORDINATOR_NAME
SMART_ALERT
SMART_ALERT_GROUPING
SMART_ALERT_OCCURRENCE
SMART_ALERT_PERIOD
SMART_ALERT_PERIOD_UNIT
BATCH_ID
EVENT_COUNT

Select Restore To Default to reset the subject line back to the default content. That is, remove any variables that were inserted.

Send Plain Text Email

Select this option to have the email notification sent in plain text format. (Default)

Send HTML Email

Select this option to have the email notification sent in HTML format.

Configure Body

Click this button to define the content of the main body, the event details and the signature to be included in your alert emails.

NOTE: The Alert Body Configuration settings do not apply to email reports. To define the content (columns) to be included in a report, use the Layout tab. In addition, you can use the Report Layouts page (Administration Tasks tab) to create customized report layout template(s) defining the header and footer information to be used in your reports.

Mailbox Search (optional)

Entering the Exchange host information allows you to lookup email recipients from the Exchange GAL in addition to Active Directory. That is, when you click a browse button on the SMTP Configuration pane, Alert Custom Email dialog or Report tab to lookup an email recipient, the Select Exchange Users dialog appears which contains both an Exchange tab and an Active Directory tab.

NOTE: Browsing for an email address is only supported for on-premises Active Directory and Exchange.
Exchange Host: Enter the internet host name of the Exchange email server and the Exchange version associated with the specified Exchange host.
Email: Enter your full email address.
My Host Requires Authentication : Select this check box if the specified Exchange host requires authentication and enter the account name and password.
Account Name : Enter the user account name used to log into your email account. You can also use the browse button to select the account to be used. Clicking this button displays the Select Active Directory Object dialog (Directory object picker). Use the Browse or Search pages to locate the user account to be used to authenticate to the Exchange host.
Password: Enter the password associated with the account name entered above.
4
Click Test Mail to test the configuration.
5
Once the email server configuration is verified, click Apply Changes to save the configuration.

Now that alerting/reporting is enabled and configured, you can enable email alert notifications for individual search definitions using the Alert tab (Search Properties tabs) and/or reporting for individual search definitions using the Report tab (Search Properties tabs).

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating