Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Creating an On Demand Audit configuration

Previous Next

Creating an On Demand Audit configuration

An On Demand Audit subscription is required before you can configure the connection to Change Auditor.

* 
NOTE: If you do not currently have a subscription, you can select to register for a free 30 day trial. Once you have registered, you can sign in and configure the connection between Change Auditor and On Demand Audit.
* 
NOTE: To create the configuration, you must use the email from the account that created the On Demand subscription or have been delegated the appropriate permissions from your On Demand administrator.

To delegate the required permissions, the On Demand Audit administrator must add the required accounts to the Auditing Administrator role through the On Demand Access page.
* 
NOTE: Once a configuration is in place, all coordinators which belong to the Change Auditor Installation will be registered with On Demand Audit.

To create a configuration with On Demand Audit, Change Auditor clients and coordinators must be able to access specific URLs. See the Quest On Demand Audit User Guide for details.

To send events to On Demand Audit, Change Auditor coordinators must be able to access specific URLs. See the Quest On Demand Audit User Guide for details.

 

* 
IMPORTANT: If the only coordinator in the Installation is removed for any reason the On Demand Audit subscription will become unavailable. Once a new coordinator is deployed, set all deprecated coordinators to "Uninstalled" status in the Change Auditor client under View | Statistics | Coordinator. Once complete, recreate the On Demand Audit subscription under View | Administration | Configuration | On Demand Audit. Event forwarding will continue from the last forwarded event.
To create a configuration
1
From the Administration Tasks, select Configuration | On Demand Audit.
2
Select Sign in and Configure to create the connection.
3
Enter your Quest account credentials to sign in to On Demand Audit.
4
Choose the required organization if prompted and click Select Organization.

By default, the current installation is used for the configuration name. If required, you can enter a different name for the configuration. This is the configuration name used in On Demand Audit; it does not change the Change Auditor installation name.

5
Click Finish.

On Demand Audit will now create the subscription and Change Auditor will begin to send events.

Working with an On Demand Audit configuration

Previous Next

Working with an On Demand Audit configuration

You can view the On Demand Audit configuration details in Change Auditor; however, the configuration is managed (paused, started, or removed) through On Demand Audit. See the On Demand Audit User Guide for details.

To view existing details of the subscription created by the configuration:
1
From the Administration Tasks, select Configuration | On Demand Audit.
2
Click Refresh to update the information.

The following subscription information is displayed.

Table 1. Subscription properties

Property

Description

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

BatchesSent

Number of batches sent.

Enabled

Whether the subscription is enabled.

EventsSent

Number of events sent.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.

LastEventResponse

The last event response. Provides the response in JSON format from the event receiver.

LastEventTimeUTC

When the last event was sent.

NotificationInterval

How often how often (in milliseconds) notifications are sent.

StartTimeUTC

Starting point in time for events being sent.

Subscription Id

The subscription ID.

Subsystems

Subsystems that contain the event data being sent.

Webhook Subscription Id

The webhook subscription ID.

To pause, start, or remove a configuration
1
From the Administration Tasks, select Configuration | On Demand Audit.
2
Click the link to access On Demand Audit.

 

 

Enable/Disable Event Auditing

Previous Next

Enable/Disable Event Auditing
Introduction
Audit Events page
Enable/disable event auditing
Modify event’s severity level or event class description
Define events to be captured based on results
View event information

Introduction

Previous Next

Introduction

You can enable/disable the auditing of individual events so that Change Auditor is auditing only those events that are vital to your organization’s operation. In addition, you can modify the severity level (high, medium, or low) and description assigned to each event. The severity level is used when processing events and to help you in determining the potential level of risk associated with each configuration change event.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating