Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

By default, Change Auditor audits the Enterprise for all Active Directory events. To see a complete list of the Active Directory events that are audited by default, go to the Audit Events table (Administration Task->Auditing->Audit Events), and sort by license.

Using the Active Directory Auditing wizard, you can define additional custom object classes to be audited, as well as specify where you want to conduct the audit (for example, enterprise, or individual object).

 

Active Directory Auditing page

Previous Next

Active Directory Auditing page

The Active Directory Auditing page is used to define additional Active Directory custom events that you want to audit. The page is displayed when you select Active Directory from the Auditing task list in the navigation pane of the Administration Tasks tab. Custom Active Directory events will contain the word ‘custom’ in their facility name, for example “Custom User Monitoring”. By default user, group and computer object classes are selected on this page.

 
* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
* 
NOTE: If you receive a message stating that the client is unable to acquire exclusive access to object monitoring, there is another user using the Active Directory Auditing page and therefore, all of the tool bar buttons will be deactivated preventing you from making any changes.

The Active Directory Auditing page contains an expandable view of the Active Directory objects selected for auditing. Initially, the list box will contain an entry for auditing all user, computer and group object classes in the entire enterprise.

To add an object to this list, use the Add tool bar button (or to add multiple objects, expand the Add tool bar button and select the Select Multiple Objects option). Once added, the following information will be displayed:

Object

Displays the distinguished name of object.

Status

Indicates whether the auditing for a selected object is enabled or disabled.

Scope

Displays the scope of coverage:
Forest
Object
One Level
SubTree
Object Class

This field is used for filtering data.

If the view is not already expanded, click the expansion box to the left of an object to expand the view to display the object classes and monitored attributed to be audited in the object.

Object Class

Displays the object class being audited (such as computer, user, and group.)

Monitored Attributes

Displays the number of schema attributes selected for auditing by Change Auditor for each object class listed.

 
* 
NOTE: Attribute auditing is specified using the AD Attribute Auditing page.

Custom Active Directory object auditing

Previous Next

Custom Active Directory object auditing

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

Custom auditing allows you to specify custom Active Directory object classes and attributes to audit. A new event will be added for each object selected for auditing. Once set, these events are identified with “Custom” in the facility name.

By default, Change Auditor audits user, group and computer custom object classes. If you remove the custom objects from the Active Directory Auditing wizard you will no longer receive audit events for them. This will not affect ‘non-custom’ events and those will still be audited by Change Auditor.

To add an Active Directory object to the auditing list:
1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select Active Directory in the Auditing task list.
4
Click Add to open the Active Directory Auditing wizard, which steps you through the process of defining the objects and object classes to audit.
5
Select where to conduct the audit:
Enterprise (Default)
This object only
This object and child objects only
This object and all child objects
6
If you selected the This Object, This Object and Child Objects Only, or This Object and All Child Objects option, use the Browse or Search pages to locate the directory object or container to audit.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

7
If you selected either the This Object and Child Objects Only or This Object and All Child Objects option, select Next to define the object classes to audit.

Use one of the following methods to move an object class to the Audited Object Class list (right-hand pane):
Select one or more object classes in the UnAudited Object Class list and click Add.
Select one or more object classes in the UnAudited Object Class list and ‘drag and drop’ the selected object classes into the Audited Object Class list.
Double-click an object class in the UnAudited Object Class list.

You must select at least one object class for auditing.

8
After selecting the Active Directory objects (and object classes) to audit, click Finish to save your selection, close the wizard and return to the Active Directory Auditing page.
To add multiple Active Directory objects to the auditing list:
1
Open the Active Directory Auditing page.
2
Expand Add and select Select Multiple Objects.
3
Select where to conduct the audit:
Enterprise (Default)
This object only
This object and child objects only
This object and all child objects
4
If you selected the This Object, This Object and Child Objects Only, or This Object and All Child Objects option, use the Browse or Search pages to locate the directory object or container to audit.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

After selecting a directory object or container, click Add to add the selected object to the list box at the bottom of the page.

Repeat this step to add multiple Active Directory objects.

5
If you selected either the This Object and Child Objects Only or This Object and All Child Objects option, select Next to define the object classes to be audited.

Use one of the following methods to move an object class to the Audited Object Class list (right-hand pane):
Select one or more object classes in the UnAudited Object Class list and then click Add.
Select one or more object classes in the UnAudited Object Class list and ‘drag and drop’ the selected object classes into the Audited Object Class list.
Double-click an object class in the UnAudited Object Class list.

You must select at least one object class for auditing.

 
* 
NOTE: If you have selected multiple objects on the first page of the wizard, the object classes selected on this second page will apply to all of these objects.
6
After selecting the Active Directory objects (and object classes) to audit, click Finish to save your selection, close the wizard and return to the Active Directory Auditing page.
To modify an object in the auditing list:
1
On the Active Directory Auditing page, select the object to modify, and click Edit.

This opens the Active Directory Auditing wizard, where you can select a different Active Directory object or object classes for auditing.

2
Click Finish to save your selection, close the wizard and return to the Active Directory Auditing page.
To disable the auditing of an object in the auditing list:

Disabling a template allows you to temporarily disable the auditing of a directory object without having to remove it from the Active Directory auditing list.

1
On the Active Directory Auditing page, place your cursor in the Status cell for the required object, click the arrow control, and select Disabled.

The entry in the Status column for the object will change to ‘Disabled’.

2
To re-enable the auditing of an object, use the Enable option in either the Status cell.
To delete an object from the auditing list:
1
On the Active Directory Auditing page, select the required object and click Delete.
2
Click Yes to confirm the deletion.
To delete an object class from the auditing list:
1
On the Active Directory Auditing page, select the required object class and click Delete | Delete Object Class.
2
Click Yes to confirm the deletion.
* 
NOTE: You cannot delete the last object class in an object entry in the auditing list. In order to delete this last object class, you must delete the entire object from the auditing list.

Active Directory Auditing wizard

Previous Next

Active Directory Auditing wizard

The Active Directory Auditing wizard opens when you select Add or Add | Select Multiple Objects on the Active Directory auditing page. This wizard steps you through the process of defining the custom Active Directory objects to audit.

The following table provides a description of the available fields and controls:

 

Table 2. Active Directory Auditing wizard

Create or modify Active Directory Auditing page: On the first page of the wizard, select the Active Directory object to audit.

Scope

Select the appropriate option to specify the scope of coverage (Enterprise is selected by default):

Enterprise - to audit the entire enterprise

This Object - to audit an individual object

This Object and Child Objects Only - to audit an object and its direct child objects

This Object and All Child Objects - to audit an object and all of its subordinate objects (all levels)

When an option other than Enterprise is selected, the Browse and Search pages allow you to locate and select the Active Directory objects to audit.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the Active Directory objects to audit.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

If you used the Add | Select Multiple Objects option, once you have selected an object, click Add to add it to the list.

Search page

Use the controls at the top of the Search page to locate an Active Directory object.

If you used the Add | Select Multiple Object option, once you have selected an account, click Add to add it to the list.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

 

Select Object Classes Page: From here you can select at least one object class for auditing.

NOTE: This page is only displayed if the This Object and Child Objects Only or This Object and All Child Objects scope option is selected on the first page of the wizard.

UnAudited Object Class list

The list box located in the left displays the object classes that are currently not being selected to audit by this template.

Audited Object Class list

The list box located in the right contains the object classes that are currently selected for auditing.

Add

Select one or more object classes from the UnAudited Object Class list and click Add to select them for auditing. The selected object classes will be moved to the Audited Object Class list.

NOTE: You can also double-click an object class to move it into the Audited Object Class list or ‘drag and drop’ it into the Audited Object Class list.

Remove

Select one or more object classes from the Audited Object Class list and click Remove to remove them from auditing. The selected object classes will then be moved back to the UnAudited Object Class list.

NOTE: You can also double-click an object class to move it back into the UnAudited Object Class list or ‘drag and drop’ it into the UnAudited Object Class list.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating