Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Excluded Accounts templates

Previous Next

Excluded Accounts templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see Filter data.

To exclude accounts from auditing, you must first create an Excluded Accounts template which specifies the user or computer accounts that are to be excluded. You can then add this template to an agent configuration, which then needs to be assigned to the appropriate agents.

To create an Excluded Accounts template:
1
Open the Administration Tasks tab and click Auditing.
2
Select Excluded Accounts (under the Configuration heading in the Auditing task list) to open the Excluded Accounts Auditing page.
3
Click Add to start the Excluded Accounts wizard which will step you through the process of creating an Excluded Accounts template.
4
On the first page of the wizard, enter the following information:
Template Name - Enter a name for the template.
Optionally select the facilities/event classes to be excluded.
To add individual event classes, select one or more events from the displayed list and click Add | Add This Event.
To add all the events in a facility, select an event from the facility and click Add | Add All Events in Facility.

After providing a name and optionally selecting the facilities/event classes to be excluded, click Next.

5
On the second page of the wizard, select the accounts that are to be excluded from auditing.

Use the Browse or Search pages to locate and select the account to be excluded. Click Add to add the selected account to the list box at the bottom of the page.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Repeat this step to add additional accounts to the exclusion list.

6
(Optional) To specify a wildcard search expression to dynamically exclude additional user accounts from auditing, click Next.

On the Select Accounts to Exclude using Wildcards page, add the accounts to be excluded from auditing. In the text box, enter the wildcard expression (string of characters and/or wildcard character) to be used to search the Domain(NetBIOS)\NT 4 account name for matching users:
Use an asterisk (*) to substitute zero or more alphanumeric characters.
Use a question mark (?) to substitute a single alphanumeric character.

Click Add to add the string to the Account list.

* 
NOTE: This page should be used to exclude multiple users that match the wildcard search expression. Explicitly named user accounts must be specified on the previous page of the wizard.
7
After specifying the accounts to be excluded, click Finish to create the template without assigning it to an agent configuration.

Clicking Finish creates the template, closes the wizard and returns to the Excluded Accounts Auditing page, where the newly created template will now be listed.

8
To create the template and assign it to an agent configuration, expand the Finish button and click Finish and Assign to Agent Configuration.

This displays the Configuration Setup dialog, allowing you to select the agent configuration to which the template is to be assigned.

 
* 
NOTE: Back on the Excluded Accounts Auditing page, you can also use the Assign tool bar button to assign the selected template to an agent configuration. Clicking this button will display the Configuration Setup dialog allowing you to select the agent configuration to which this template is to be assigned.
9
On the Agent Configuration page, select the agents assigned to use the modified agent configuration and click Refresh Configuration to ensure the agents are using the latest configuration.
To modify an Excluded Accounts template:
* 
NOTE: If you do not refresh the agent’s configuration, the agent will automatically check for a new agent configuration based on the polling interval setting (located on the System Settings tab of the Configuration Setup dialog). The default is every 15 minutes.
1
On the Excluded Accounts Auditing page, select the template to be modified and click Edit.
2
This displays the Excluded Accounts wizard, where you can modify the current list of accounts included in the template.
3
Click Finish or expand the Finish button and click Finish and Assign to Agent Configuration.
To disable an Excluded Accounts template:

Disabling allows you to temporarily stop excluding the specified accounts without having to remove the auditing template.

1
On the Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled.
Right-click the template to be disabled and select Disable.

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.
To delete an Excluded Accounts template:
1
On the Auditing page, select the template to be deleted and click Delete | Delete Template.
2
A dialog will be displayed confirming that you want to delete the selected template. Click Yes.
To delete an account from an Excluded Accounts template:
1
On the Excluded Accounts Auditing page, select the account to be deleted and click Delete | Delete Excluded Account,
2
A dialog will be displayed confirming that you want to delete the account from the template. Click Yes.
* 
NOTE: If the account is the last one in the template, deleting this account will also delete the template.

Excluded Accounts wizard

Previous Next

Excluded Accounts wizard

The Excluded Accounts wizard is displayed when you click Add on the Excluded Accounts Auditing page. This wizard steps you through the process of creating a new Excluded Accounts template, identifying the user, computer or group accounts to be included in the template. You will also use this wizard to modify a previously defined Excluded Accounts template.

The following table provides a description of the fields and controls in the Excluded Accounts wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.
 

Table 1. Excluded Accounts wizard

Create or modify an Excluded Accounts Auditing Template page

On the first page of the wizard, enter a name for the template and optionally select the event classes/facilities to be excluded.

Template Name

Enter a descriptive name for the Excluded Accounts template being created.

Facility/Event Class data grid

The data grid located across the middle of the page displays all of the event classes available for auditing in Change Auditor.

By default, all event classes/facilities will be excluded for the selected accounts. To exclude individual event classes and/or facilities, use this grid to select the event classes and/or facilities to be excluded and use Add to add them to the Exclusion list box at the bottom of the page.

NOTE: The Change Auditor Internal Auditing facility or events CANNOT be excluded.

Exclusion list

The list box located at the bottom of this page displays the individual event classes or facilities selected for exclusion. Use the buttons above this list box to add or remove entries from this list.
Add | Add This Event - Click this option to add the selected events to the list box. This option is selected by default when more than one event is selected in the data grid.
Add | Add All Events in Facility - Click this option to add all of the events in the selected facility to the list box. This option is only available when a single event is selected in the data grid.
Remove - Select an entry in the list box and click the Remove button to remove it from the template.
NOTE: If you want to exclude all event classes/facilities for the selected account, this list box will be empty.

Select Accounts to Exclude page (a.k.a. Directory object picker)

Use this page to select the individual accounts to be excluded from auditing.

Browse page

Displays a hierarchical view of the directory objects in your environment allowing you to locate and select the accounts to excluded from auditing.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Once you have selected an account, click Add to add it to the list box at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the desired account.

Once you have selected an account, click Add to add it to the list box at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

NOTE: For more information on using the Browse, Search or Options pages, refer to Directory object picker.

Account list

The list box located across the bottom of this page, displays the accounts selected for exclusion. Use the buttons located above this list box to add and remove objects.
Add - Select an account in the Browse or Search page and click Add to add it to the list.
Remove - Select an entry from the list and then click Remove to remove it.

(Optional) Select Accounts to Exclude using Wildcards page

Use this page to optionally add additional user accounts (Domain(NetBIOS)\NT 4 account) that match a wildcard search expression to the excluded accounts list.

NOTE: This page should be used to exclude multiple users that match the wildcard search expression. Explicitly named user accounts must be specified on the previous page of the wizard.

Search expression

In the text box, enter the string of characters and/or wildcard character to be used to search for additional user accounts that are to be excluded from auditing. Valid wildcards are:
Use an asterisk (*) to substitute zero or more characters.
Use a question mark (?) to substitute a single character.

Click Add to add the string to the Account list.

Account list

The list at the bottom of the page displays the wildcard search expressions to be used to search for additional user accounts that are to be excluded from auditing. Use the buttons to the left of the text box to add, remove and modify a search expression.
Add - Click Add to add the search expression in the text box to the Account list.
Remove - Select an entry in the Account list and click Remove to remove it from the list.
Modify - Select an entry in the Account list, make the necessary changes to the search expression (which is displayed in the text box) then click the Modify button to replace it in the Account list.
NOTE: If you click Add after modifying a search expression, an additional entry will be added instead of replacing the original search expression.

 

Registry Auditing

Previous Next

Registry Auditing
Introduction
Registry Auditing page
Registry Auditing templates
Registry Auditing wizard

Introduction

Previous Next

Introduction

The ability to audit registry settings improves operational efficiency dramatically. For example, some applications, such as virus scanning software, modify registry keys when an update is installed. By capturing these change events proactively, administrators can determine whether or not specific machines received an update.

Furthermore, other applications may warrant the tracking of modifications to certain registry settings to ensure that they have not been tampered with. Change Auditor’s registry auditing feature allows you to audit changes to a specific key or to a folder and its sub folders.

To capture registry events, you must define the registry keys to be audited and the events to be captured:

1
Create a Registry Auditing template which specifies the registry keys and events to be audited. For more information on creating a Registry Auditing template, refer to Registry Auditing templates.
2
Add this template to an agent configuration. For more information on adding a Registry Auditing template to an agent configuration, refer to Define agent configurations.
3
Assign the agent configuration to agents. For more information on assigning an agent configuration to an agent, refer to Assign agent configurations to server agents.
* 
NOTE: Event logging is disabled by default; and when enabled, only configured activities will be captured in the Windows event log.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating