Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Disable a template

Previous Next

Disable a template

Disabling a template temporarily stops auditing activities without having to remove the template.

* 
NOTE: Change Auditor stops collecting events if a license expired, the template is disabled, or the agent stops. After you apply a valid license, enable the template, or restart the agent Change Auditor collects available events from the tenant that were missed.
To disable a template
1
On the Microsoft Entra Auditing page, use one of the following methods to disable an auditing template:
Place your cursor in the Status cell for the auditing template to disable, click the arrow control, and select Disabled.
Right-click the template to disable and select Disable

The entry in the Status column for the template changes to ‘Disabled’.

2
To re-enable the auditing template, use the Enable option in either the Status cell or right-click menu.

Delete a template

Previous Next

Delete a template

* 
NOTE: When you delete a template, the web application created in Microsoft Entra ID remains. You can delete the web application using the Microsoft Entra admin center.
To delete a template
1
On the Microsoft Entra Auditing page, select the template to delete and choose Delete | Delete Template.
2
Click Yes to confirm.

Considerations

Previous Next

Considerations
If you have a synchronized environment, you may be auditing high volume synchronization events which have low value. To improve performance and reduce the number of events stored in the database, consider excluding some events with an excluded account template that targets the synchronization account and high volume Microsoft Entra events. Alternatively, you can select to purge the events after a specified number of days. If you set up a purge job for these events, ensure to configure the purge settings to delete the events before they are subject to any archival settings.
Ensure that the appropriate Change Auditor licenses have been applied on all coordinators. See License requirements for license requirements.
Ensure that the appropriate Microsoft Entra ID license has been applied:
To audit sign-in events, a Microsoft Entra ID P1 license is required.
To audit risk events, a Microsoft Entra ID P2 license is required.
Ensure that the correct permissions have been applied on the web application that is associated with your template.
Because Change Auditor collects Microsoft's audit logs, the events and details reported are limited to what these logs provide. If an event appears to be missing in Change Auditor, log onto the respective portal and review the audit logs to see if the event is listed.
For Microsoft Entra ID activity check the Audit Logs under Monitoring | Audit logs or go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit.
For Microsoft Entra Sign-ins check the Sign-ins under Monitoring | Sign-ins or go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns
For Microsoft Entra risky sign-ins check the Risky sign-ins under Manage | Security | Risky sign-ins or go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskySignIns.
For Microsoft 365 activity check the Audit Log under Search | Audit log search or go to https://protection.office.com/unifiedauditlog.
See if the following internal events, which are in place to monitor the status of Microsoft Entra and Microsoft 365 auditing, have been generated. Persistent suspension of the auditing where auditing does not resume may lead to delayed event processing that requires administrator attention.
Microsoft Entra auditing has suspended

Event generated when auditing is active, and then client or server HTTP error codes (4xx or 5xx *) are returned by the Microsoft Entra auditing service.
Microsoft Entra auditing has resumed

Event generated when auditing was in a suspended state, and then a successful HTTP code is returned by the Microsoft Entra auditing service.

Microsoft 365 auditing has suspended

Event generated when auditing is active, and then client or server HTTP error codes (4xx or 5xx *) are returned by the Microsoft 365 auditing service.
Microsoft 365 auditing has resumed

Event generated when Microsoft 365 auditing was in a suspended state, and then a successful HTTP code is returned by the Microsoft 365 auditing service.

Microsoft Entra Auditing Wizard

Previous Next

Microsoft Entra Auditing Wizard

To audit Microsoft Entra you must create an auditing template and select an agent.

The following table provides details on how to create a template and the required web application so you can begin to audit activity and how to edit the audited activities in an existing template.

* 
NOTE: You can only create one auditing template per tenant.

Table 5. Microsoft Entra Template Wizard

Page

Description

Credentials, audit activity, and agent selection page

During template creation, use this page to provide the credentials for the accounts that register Change Auditor in the tenant, the activities to audit, and specify the agent.

 

NOTE: A Change Auditor for Active Directory license is required to monitor the audit logs. A Change Auditor for Logon Activity User license is required to monitor sign-in and sign-in risk event activity.
NOTE: To select a new agent, you must create a new template or use the Set-CAAzureADTemplate command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)
To create a template:
1
Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application:
Select the tenant type (Commercial or GCC).
Enter the Microsoft Entra Directory Name.

If you select to create a new web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required. The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish.

To grant permission for all administrators to create a web application:

a
Select an account with the Global Administrator role.
b
Enter the required password, and select Sign in.
c
Review the required permissions for the Change Auditor Configuration Assistant on the Microsoft consent page. (Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.)

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

To apply the consent for just the current signed-in user simply click Accept.

If you select to use an existing web application:
Select the tenant type (Commercial, GCC, or GCCHigh)
Enter the Microsoft Entra Directory Name, Application ID, and Application key. See the Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.

The Microsoft Entra web application:
Should be a single-tenant application. A redirect URI is not required.
Must have a Client Secret configured in the web application "Certificates and Secrets" page.

Ensure the following permissions are assigned to the web application:

Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information

 

 

If the app will also be used for Microsoft 365 templates, ensure that the following permissions are also set:

Office 365 Management APIs application permissions:
ActivityFeed.Read – Application - Read activity data for your organization

Office 365 Exchange Online APIs application permissions:
Exchange.ManageAsApp - Application - Manage Exchange As Application
NOTE: For required configuration, see Using an existing web application.
2
Select the activity to audit:

Audit Logs: Audits Microsoft Entra user, group, application, and directory activity.

Sign-ins: Audits Microsoft Entra user sign-in and sign-in risk event activity.

3
Click Select agent to view available agents and whether they are assigned to a Microsoft Entra auditing template.

You cannot use an agent that is already assigned for auditing.

The Microsoft Entra cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. See the Change Auditor Release Notes for ports that need to be opened on the agent server.

4
Click Finish to create the template. After the template is created, Change Auditor starts collecting events that are available on your tenant.
To edit a template:
1
Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application, you will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish.

To grant permission for all administrators to create a web application:

a
Select an account with the Global Administrator role.
b
Enter the required password, and select Sign in.
c
Review the required permissions for the Change Auditor Configuration Assistant on the Microsoft consent page. (Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.)

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

To apply the consent for just the current signed-in user simply click Accept.

 

 

If you select to use an existing web application, enter the Application ID and Application key. See the Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.

 

The Microsoft Entra web application:
Should be a single-tenant application, and does not require a redirect URI.
Must have a Client Secret configured in the web application "Certificates and Secrets" page.

Ensure the following permissions are assigned to the web application:

Microsoft Graph application permissions:
AuditLog.Read.All – Application - Read all audit log data
Directory.Read.All – Application - Read directory data
IdentityRiskEvent.Read.All – Application - Read all identity risk information

If the app will also be used for Microsoft 365 templates, ensure that the following permissions are also set:

Office 365 Management APIs application permissions:
ActivityFeed.Read – Application - Read activity data for your organization

Office 365 Exchange Online APIs application permissions:
Exchange.ManageAsApp - Application - Manage Exchange As Application
NOTE: For required configuration, see Using an existing web application.

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

 
2
Add and remove the activity to audit as required.
Audit Logs audits Microsoft Entra user, group, application, and directory activity.
Sign-ins: Audits Microsoft Entra user sign-in and sign-in risk event activity.
3
Click Finish to apply the updates.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating