Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Additional Microsoft 365 and Microsoft Entra event details

Previous Next

Additional Microsoft 365 and Microsoft Entra event details

The event details pane contains the following additional information to help gain a better understanding of the activities taking place in Microsoft 365 Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Entra ID.

Table 9. Event details

Tab

Available information

Overview

Displays a high-level view of the activity that is generated for each event.

You can quickly see when the event occurred, who made the change, what changed, where the change originated, the activity, the target type, synchronization type, subject type, subject synchronization type, activity type, category, and action,

Additional information for sign-in events include the reason for a sign-in failure and the sign-in location.

Additional information for sign-in risk events include the type of risk activity, risk status, risk level, and origin (IP address).

Target (Microsoft Entra events only)

NOTE: This tab is not displayed for sign-in and sign-in risk events.

Displays details on the property updates with the old and new value when available. It also displays information about multiple targets affected by a single event. For example, when a user added to a group, you can see both the user and the group as affected targets. When there are multiple targets, the target that best matches the activity type is displayed as the primary target in the Overview tab.

Details

Displays all available properties for a deeper analysis of the activity, including the raw data from the Microsoft Entra Reporting API.

For sign-in risk events, it contains raw data from the Microsoft Entra Identity Protection API.

Parameters (Exchange Online Administration events only)

Displays the parameters used to run the Microsoft 365 Administrative command.

Item

Displays Id, rights, SID, Upn, name and path details for Exchange Online permission additions, removals, or modifications.

Additional Info (Microsoft Entra risky events only)

Displays risk event additional information such as user agent, related event time in UTC, related users agent, device information, related location, request ID, correlation ID.

 

 

 

 

Change Auditor for Active Directory

Previous Next

Change Auditor for Active Directory

The Change Auditor for Active Directory book contains information about the additional features that are available when a valid Change Auditor for Active Directory license has been applied. This book contains the following topics:
Change Auditor for Active Directory Overview: This section provides an overview of Change Auditor for Active Directory and lists the client components and features that require a valid Change Auditor for Active Directory license.
Custom Active Directory Searches and Reports: This section explains how to run a few built-in Active Directory reports and how to create custom Active Directory searches.
Custom Active Directory Object Auditing: This section provides a description of the custom Active Directory object auditing feature.
Custom Active Directory Attribute Auditing: This section provides a description of the custom Active Directory attribute auditing feature.
Member of Group Auditing: This section provides a description of the Member of Group auditing feature and explains how to specify groups that are to be audited based on group membership.
ADAM (AD LDS) Auditing: This section provides a description of the ADAM (AD LDS) auditing page and ADAM (AD LDS) Attribute auditing page (on the Administration Tasks tab). It also explains how to define custom ADAM (AD LDS) object and attribute auditing.
Active Directory Protection: This section provides a description of the forest-level protection available with Change Auditor for Active Directory. It explains how to create protection templates to protect critical Active Directory objects, ADAM (AD LDS) objects and Group Policy objects.
Event Details Pane: This section describes the details that are added to the Event Details pane for Active Directory and Group Policy events. It also provides a description of the Restore Value feature that is available for some Active Directory events.

Change Auditor for Active Directory Overview

Previous Next

Change Auditor for Active Directory Overview
Introduction
Deployment Requirements
Client Components and Features

Introduction

Previous Next

Introduction

Quest Change Auditor for Active Directory drives the security and control of Microsoft Active Directory by tracking vital configuration changes in real-time. From GPO and schema to critical group and operational changes, Change Auditor for Active Directory tracks, audits, reports, and alerts on changes that impact your directory without the overhead costs of system-provided auditing.

In addition, Change Auditor for Active Directory allows you to lock down critical Active Directory, ADAM (AD LDS), and Group Policy Objects, to protect them from unauthorized or accidental modifications or deletions.

You can also track on Microsoft Entra ID changes. Change Auditor correlates activity across the on-premises and cloud environment making it easy to search all events regardless of where they occurred. For more information, see the Change Auditor for Microsoft 365 and Microsoft Entra ID Auditing User Guide.

To ensure Active Directory compliance, you can automatically generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications. For fast troubleshooting, you always get the original and current values.

* 
NOTE: Active Directory auditing and protection are only available if you have licensed Change Auditor for Active Directory. If you do not have a valid license you can use the features, however, associated events are not captured. To verify that it is licensed, right-click the coordinator icon in the system tray and select Licensing.

For information on the core functionality available in Change Auditor ee the Change Auditor Installation Guide
For event details, see the Change Auditor for Active Directory Event Reference Guide.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating