Welcome to Change Auditor Help
Change Auditor Core Functionality
Change Auditor Core Functionality
Change Auditor Overview
Agent Deployment
Microsoft 365 and Microsoft Entra ID Auditing
Deployment page
Using group Managed Service Accounts (gMSA)
Deploy agents
Connect to a different foreign forest/update credentials
Change the agent installation location and system tray option
Enable auto deployment
Refresh or clear Deployment page information
Change Auditor Client Overview
Starting the Change Auditor client
Accessing Change Auditor news and updates
Managing connection profiles
Client components
Customize table content
Filter data
Directory object picker
Overview Page
Searches
Search Results and Event Details
Introduction
Search Results page
View search results
Preview search results
Compare results side-by-side
View event details or search properties
Copy event details
Email event details
Add comments
View user context and run related searches
Protect critical objects, mailboxes, files and folders
Add search properties to existing event queries
Custom Searches and Search Properties
Enable Alert Notifications
Introduction
Alert tab (Search Properties tabs)
Enable alerts
Disable alerts
Alert History page
View alert history
View event details or alert properties
Administration Tasks
Agent Configurations
Introduction
Agent Configuration page
Define agent configurations
Assign agent configurations to server agents
Enable event logging
Coordinator Configuration
Coordinator Configuration page
Configure email alert notifications/reports
Manually create a Microsoft Entra web application for sending Microsoft 365 mail
Customize alert email content
Shared Folder Configuration
Group Membership Expansion
Add groups to Group Membership Expansion list
Agent Heartbeat Check
Disconnect client after 30 minutes of inactivity
Scheduled Task Handling
Purging and Archiving your Change Auditor Database
Introduction
Planning your jobs
Purge and Archive page
Create and maintain jobs
Purge and Archive wizard
Purge selected records
Working with Private Alerts and Reports
Introduction
Private Alerts and Reports page
Disable private alerts and reports
Move and delete private searches
Generate and Schedule Reports
Schedule reports for distribution
Launch Report Designer
Publish reports
Print or save a page's contents
SQL Reporting Services Configuration
Introduction
SQL Reporting Services Page
SQL Reporting Services Templates
SQL Reporting Services Wizard
Change Auditor User Interface Authorization
Introduction
Application User Interface Authorization page
Add task definition
Add role definition
Add application group
Remove a task definition
Client Authentication
Certificate authentication for client coordinator communication
Integrating with On Demand Audit
Enable/Disable Event Auditing
Introduction
Audit Events page
Enable/disable event auditing
Modify event's severity level or event class description
Define events to be captured based on results
View event information
Account Exclusion
Registry Auditing
Service Auditing
Agent Statistics and Logs
Introduction
Agent Statistics page
Agent system tray icon
View agent status/statistics
Manage Change Auditor agents
Agent Log page
View and save agent trace logs
Coordinator Statistics and Logs
Introduction
Coordinator Statistics page
Coordinator system tray icon
View coordinator status and statistics
Manage Change Auditor coordinators
Coordinator Log page
View and save coordinator trace logs
Change Auditor Commands
Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Overview
Configuring Microsoft 365 and Microsoft Entra ID auditing
Change Auditor for Active Directory
Managing Microsoft 365 templates
Reports and Searches
Microsoft 365 auditing page
Create an Microsoft 365 auditing template
Edit a Microsoft 365 auditing template
Using an existing web application
Disable a template
Delete a template
Microsoft 365 Auditing Wizard
Managing Microsoft Entra templates
Microsoft Entra auditing page
Create a Microsoft Entra auditing template
Edit a Microsoft Entra auditing template
Disable a template
Delete a template
Considerations
Introduction to Microsoft 365 and Microsoft Entra ID reporting
Microsoft 365 built-in reports
Microsoft Entra built-in reports
Custom searches
Creating custom Exchange Online searches
Creating a custom SharePoint Online and OneDrive for Business search
Creating custom Microsoft Entra searches
Additional information for synchronized environments
Working with generic Microsoft 365 and Microsoft Entra events
Additional Microsoft 365 and Microsoft Entra event details
Change Auditor for Active Directory Overview
Custom Active Directory Searches and Reports
Change Auditor for Authentication Services
Introduction
Run the All Active Directory Events report
Run the All Group Policy Events report
Create custom searches
Custom Active Directory Object Auditing
Introduction
Active Directory Auditing page
Custom Active Directory object auditing
Active Directory Auditing wizard
Active Directory event logging
Custom Active Directory Attribute Auditing
Member of Group Auditing
Introduction
Member of Group Auditing page
Member of Group auditing list
Member of Group Auditing wizard
Active Directory Federation Services Auditing
Introduction
Active Directory Federation Services Auditing page
Active Directory Federation Services auditing templates
Active Directory Federation Services Auditing Wizard
ADAM (AD LDS) Auditing
Introduction
ADAM (AD LDS) Auditing page
Enable ADAM (AD LDS) auditing
ADAM (AD LDS) Auditing wizard
ADAM (AD LDS) event logging
Active Directory Database Auditing
Introduction
Active Directory Database Auditing page
Active Directory Database auditing templates
Active Directory Database Auditing Wizard
Active Roles Integration
Requirements
Deploying Change Auditor for Active Directory/Active Roles integration scripts
Client components added to Change Auditor for Active Directory
Removing deployed Change Auditor for Active Directory/Active Roles integration scripts
Troubleshooting Tips
Quest GPOADmin Integration
Requirements
GPOADmin and Change Auditor integration process
Client components added to Change Auditor for Active Directory
Troubleshooting tips
Active Directory Protection
Introduction
Active Directory object protection
Event Details Pane
About us
Active Directory protection page
Active Directory protection templates
Active Directory Protection wizard
Group Policy Object protection
ADAM (AD LDS) object protection
Active Directory Database protection
Active Directory Database protection page
Active Directory Database protection templates
Active Directory Database Protection wizard
Setting extra security on protected objects
Quest Change Auditor for Authentication Services Overview
Getting Started
Change Auditor for Defender
Deployment requirements
Enable Authentication Services auditing
Enable and disable events as required
Make changes and run a report
Authentication Services Searches/Reports
Change Auditor for Defender Overview
Getting Started
Change Auditor for EMC
Deployment requirements and notes
Enable Defender auditing
Make changes and run a report
Troubleshooting
Defender Searches/Reports
Change Auditor for EMC Overview
Getting Started
Change Auditor for Exchange
Introduction
Verify auditing template is applied
Make changes and run a report
Troubleshooting steps
EMC Auditing
Introduction
EMC Auditing page
EMC auditing templates
EMC Auditing wizard
File System events settings
EMC event logging
EMC Searches/Reports
Performance Considerations
EMC Events
File/Folder Inclusion and Exclusion Examples
EMC Isilon Auditing
EMC Unity Auditing
Change Auditor for Exchange Overview
Exchange Searches and Reports
Exchange Mailbox Auditing
Exchange Settings and Event Logging (Agent Configuration Page)
Exchange Mailbox Protection
Change Auditor for Windows File Servers
Exchange mailbox protection introduction
Exchange Mailbox Protection page
Exchange Mailbox Protection templates
Exchange Protection wizard
Managing Shared Mailboxes
Disabled Exchange Events
Change Auditor for Windows File Servers Overview
Getting Started
Change Auditor for Active Directory Queries
Introduction
Getting started
Create File System Auditing template
Make File System changes and run a report
Troubleshooting steps
File System Auditing
Introduction
File System Auditing page
File System Auditing templates
File System Auditing wizard
File System Event settings
File System event logging
File System Searches/Reports
File System Protection
Introduction
File System Protection page
File System Protection templates
File System Protection wizard
File System Events
File/Folder Inclusion and Exclusion Examples
Change Auditor for Active Directory Queries Overview
Configure AD Query Auditing
Active Directory Query Searches/Reports
AD Query Event Details
Change Auditor for Logon Activity
Change Auditor for Logon Activity Overview
Getting Started
User Logon Activity Searches/Reports
Change Auditor for NetApp
Introduction
Built-in logon activity searches
Create custom user logon activity searches
Search Results
Appendix: Workstation Agent Deployment
Appendix: Agent Comparison
Change Auditor for NetApp Overview
Change Auditor for SharePoint
Introduction
System overview
Deployment requirements
FPolicy limitation
Client components and features
Getting Started
Introduction
Verify auditing template is applied
Make changes and run a report
Troubleshooting steps
NetApp Filer Auditing
Introduction
NetApp Auditing page
NetApp Auditing templates
NetApp Auditing wizard
File System events settings
NetApp event logging
NetApp Searches/Reports
Performance Considerations
NetApp Filer Events
File and Folder Inclusion and Exclusion Examples
Change Auditor for SharePoint Overview
Change Auditor for SQL Server
Introduction
System overview
Deployment requirements
Getting Started
Enable SharePoint settings
Add and deploy Change Auditor SharePoint Solution
Create SharePoint Auditing template
Client components and features
Introduction
Verify deployment status of Change Auditor SharePoint Solution
Verify auditing template is applied
Make changes and run a report
Troubleshooting steps
SharePoint Auditing
Introduction
SharePoint Auditing page
SharePoint Auditing templates
SharePoint Auditing wizard
SharePoint event logging
SharePoint Searches and Reports
Manually Add and Deploy the Change Auditor SharePoint Solution
SharePoint Event Requirements
Upgrade Change Auditor for SharePoint
Change Auditor for SQL Server Overview
Getting Started
Change Auditor SIEM Integration Guide
Introduction
Apply SQL Server auditing template
Make changes to the default SQL instance and run a report
SQL Server Auditing
SQL Data Level Auditing
Introduction
SQL Data Level Auditing page
SQL Data Level Auditing templates
SQL Data Level Auditing wizard
SQL Extended Events Auditing (Preview)
SQL Searches/Reports
Introduction
Create custom SQL searches
Create custom SQL Data Level searches
Create custom SQL Extended Events searches (Preview)
Disabled SQL Events
Webhooks in Change Auditor
Integrating Change Auditor and SIEM Tools
Subscription Management
Change Auditor Threat Detection Deployment
Adding the PowerShell module
Viewing available commands and help
Connecting to Change Auditor
Managing subscriptions
Webhook technical insights
New-CAEventWebhookSubscription
Get-CAEventWebhookSubscriptions
Set-CAEventWebhookSubscription
Remove-CAEventWebhookSubscription
Get-CAEventExportSubsystems
Working with event subscriptions in the client
Managing a Splunk integration
Working with Splunk subscriptions through the client
New-CASplunkEventSubscription
Get-CASplunkEventSubscriptions
Set-CASplunkEventSubscription
Remove-CASplunkEventSubscription
Splunk event subscription wizard
Managing an IBM QRadar integration
Working with QRadar subscriptions through the client
New-CAQRadarExtension
New-CAQRadarEventSubscription
Get-CAQRadarEventSubscriptions
Set-CAQRadarEventSubscription
Remove-CAQRadarEventSubscription
QRadar event subscription wizard
Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration
Working with Change Auditor data within ArcSight
Working with ArcSight subscriptions through the client
New-CAArcSightEventSubscription
Get-CAArcSightEventSubscriptions
Set-CAArcSightEventSubscription
Remove-CAArcSightEventSubscription
ArcSight event subscription wizard
Managing a Quest IT Security Search integration (Preview)
Working with a Quest IT Security Search subscriptions through the client
New-CAITSSEventSubscription
Get-CAITSSEventSubscriptions
Set-CAITSSEventSubscription
Remove-CAITSSEventSubscription
IT Security Search event subscription wizard
Managing a Syslog integration
Working with Syslog subscriptions through the client
New-CASyslogEventSubscription
Get-CASyslogEventSubscriptions
Set-CASyslogEventSubscription
Remove-CASyslogEventSubscription
Syslog event subscription wizard
Managing a Microsoft Sentinel integration
Working with Microsoft Sentinel subscriptions through the client
New-CASentinelEventSubscription
Get-CASentinelEventSubscriptions
Set-CASentinelEventSubscription
Remove-CASentinelEventSubscription
Microsoft Sentinel event subscription wizard
Deploying Threat Detection
Change Auditor Threat Detection Dashboard
Introduction to Change Auditor Threat Detection
Requirements and prerequisites
Events to configure
Port Requirements
Maintaining the Change Auditor database size
Deploying a Threat Detection server on ESX
Deploying a Threat Detection server on Hyper-V
Upgrading the Threat Detection server
Creating a Threat Detection configuration
Reviewing configuration status
Removing a configuration
Historical events and your baseline calculations
Threat Detection configuration commands
Adding the PowerShell module
Viewing available commands and help
Threat Detection sample scripts
Connecting to Change Auditor
Managing a Threat Detection configuration
Appendix: System Architecture
Introduction to Change Auditor Threat Detection
Change Auditor PowerShell Command Guide
Overview
Which Change Auditor modules are monitored?
Threat Detection server events
Threat detection concepts
Threat Detection process
Using the Threat Detection Dashboard
Deployment and installation
Accessing the dashboard
Overview tab
Users tab
Alerts Tab
Common functions
Alert and indicator reference
PowerShell Commands
Change Auditor Dialogs
Adding the PowerShell module
Viewing available commands and help
Installing Change Auditor coordinators and web clients
Setting the master time zone
Finding Change Auditor installations and coordinators
Connecting to and disconnecting from Change Auditor installations and coordinators
Importing and exporting configuration settings
Managing client authentication options
Gathering Change Auditor system information
Deploying Change Auditor agents
Managing auditing templates
Working with searches
Managing Active Directory Database auditing
Working with Active Directory Database protection templates
Managing Windows File System auditing
Managing SQL Extended Events Auditing (Preview)
Managing Microsoft Entra ID auditing
Managing Office 365 auditing
Configuring a Quest On Demand Audit integration
Working with Active Directory protection templates
Working with GPO protection templates
Change Auditor dialogs
About Us
Quest Change Auditor dialog
Add Administrator
Add Agents, Domains, Sites dialog
Add Container dialog
Add Active Directory Container dialog (AD Query)
Add Facilities or Event Classes dialog
Add Facilities or Event Classes dialog (Add With Events)
Add File System Path dialog
Add Foreign Forest Credential
Add Group Policy Container dialog
Add Local Account dialog
Add Logons dialog
Add Logons dialog (Add With Events)
Add Object Classes dialog
Add Object Classes dialog (Add With Events)
Add Origin dialog
Add Origin dialog (Add With Events)
Add Registry Key dialog
Add Results dialog
Add Service dialog
Add Service dialog (Add With Events)
Add Severities dialog
Add Severities dialog (Add With Events)
Add SharePoint Path dialog
Add SQL Instance dialog
Add SQL Data Level Object
Add Users, Computers or Groups dialog
Add Where dialog
Add Who dialog
Advanced Deployment Options dialog
Agent Assignment dialog
Alert Body Configuration dialog
Alert Custom Email dialog
Auditing and Protection Templates dialog
Authorizations: Application Group dialog
Authorizations: Operations | Role Definitions | Task Definitions | Application Group
Authorizations: Role dialog
Authorizations: Task dialog
Auto Deploy to New Servers in Forest dialog
Browse for Folder dialog
Browse SharePoint dialog
Comments dialog
Configuration Setup dialog
Configure cepp.conf Auditing dialog
Connection screen
Coordinator Configuration tool
Coordinator Credentials Required dialog
Credentials Required dialog
Custom Filter dialog
Database Credentials Required dialog
Directory object picker
Domain Credentials dialog
Eligible Change Auditor Agents dialog
Event Logging dialog
Export/Import dialog
Install or Upgrade/Uninstall/Update Foreign Agent Credentials
IP Address dialog
Log page
Logon Credentials dialog (Deployment page)
Logon Credentials dialog (EMC Auditing wizard)
Manage Connection Profiles dialog
New Report Layout dialog
Microsoft 365 dialog
Rename dialog
Save As dialog
Select a SQL Instance and Database dialog
Select Destination Folder dialog
Select Exchange Users dialog
Select Registry Key dialog
Select SQL Reporting Services Template dialog
Shared Mailboxes dialog
SharePoint Credentials Required dialog
When dialog
Coordinator system tray icon
 |
 |
Coordinator system tray icon
See Change Auditor Coordinator Status dialog for a full description of this status dialog.
For example: %ProgramFiles%\Quest\ChangeAuditor\Service\Logs\ChangeAuditor.ServiceLog.nptlog
Starts the Coordinator Configuration Tool which allows you to:
See Coordinator Configuration tool for a description of how to use this utility.
Automatically loads the system tray application when the coordinator starts.
Change Auditor Coordinator Status dialog
| |
|
Change Auditor Coordinator Status dialog
The Change Auditor Coordinator Status dialog contains the following information:
Coordinator Configuration tool
| |
|
Coordinator Configuration tool
You can use the Coordinator Configuration tool to modify the credentials used by the coordinator when accessing the database. Right-clicking the coordinator system tray icon and selecting Coordinator Configuration, displays the Coordinator Configuration tool. From here, you can:
This tool consists of the following tabbed pages:
Security page
SQL server and instance Enter the name or IP address of the SQL instance to be used. (i.e., <Server Name>\<Instance Name>). You can also click Browse to locate and select the SQL server and instance.
Name of database Catalog This displays the name assigned to the Change Auditor database.
Connect using
Depending on the authentication option selected, enter the appropriate user credentials.
If you are using a group Managed Service Account:
MyHostName.b1b2a3d4e5f7.database.windows.net,1433
Login ID Enter the user name for the account to be used to access the SQL server instance.
Password Enter the password associated with the user account entered above.
Domain Encryption Select the appropriate level of encryption for the data sent between the coordinator and SQL server.
Enabling Trust server certificate, when 'Optional' or 'Mandatory' encryption is selected, or if the server enforces encryption, means that SQL Server will not validate the server certificate on the client computer when encryption is enabled for network communication.
Under Host name in the certificate, you can provide an alternate, yet expected, Common Name (CN) or Subject Alternative Name (SAN) in the server certificate. You would use this option when the server name does not match the CN or SAN, for example, when using DNS aliases.
Ports page
If you upgraded from a 5.x installation where static ports were defined, these static ports are retained as part of the upgrade process. However, the Agent Port setting, which is used by 6.0 agents, is set to use a dynamic port. Check with your system administrator to determine whether this new connection should also be using a static port.
Enter the ports to use to communicate with the coordinator:
Client Port Enter the static port number to be used by the client to communicate with the coordinator.
Public SDK Port Enter the static port number to be used by external applications to access the coordinator.
Agent Port Enter the static port number to be used for communication between a agent and a coordinator.
Protection page
Store Active Directory/GPO protection in: Select one of the following options:
Store ADAM (AD LDS) protection in: Select one of the following options:
LDAP Authentication page
From this page you can specify the authentication method to use to make Active Directory requests.
View coordinator status and statistics
| |
|
View coordinator status and statistics
To view coordinator status and statistics (Overview page):
To view coordinator status/statistics (Coordinator Statistics page):
To view coordinator status/statistics on current coordinator only (coordinator system tray icon):