Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Active Directory event logging

Previous Next

Active Directory event logging

In addition to real-time event auditing, you can enable event logging to capture Active Directory events locally in a Windows event log. This event log can then be collected using InTrust® to satisfy long-term storage requirements.

For Active Directory events, event logging is disabled by default. When enabled, all Active Directory activity is sent to the InTrust for AD event log. See the Quest Change Auditor for Active Directory Event Reference Guide for a list of the events that can be sent to this event log.

To enable Active Directory event logging:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
5
On the Event Logging dialog, select Active Directory.
6
Click OK to save your selection and close the dialog.
 

Custom Active Directory Attribute Auditing

Previous Next

Custom Active Directory Attribute Auditing
Introduction
Active Directory Attribute Auditing page
Custom Active Directory attribute auditing

Introduction

Previous Next

Introduction

Using custom attribute auditing, you can specify individual schema attributes to audit and assign a severity to the audited attributes. A new event will be added for each attribute selected for auditing. Once set, these events are identified with “Custom” in the facility name.

* 
NOTE: Starting with Change Auditor 5.6, the attributes that can be set using the User Properties dialog in Active Directory Users and Computers (ADUC) are audited by default. If you have added custom attribute auditing for any of these attributes, you will receive two events when changes to these user attributes are made:
A Custom User Monitoring event for the built-in user attribute event.
A Custom AD Object Monitoring event for the custom attribute event (user attribute specified on Active Directory Attribute Auditing page).

To eliminate duplicate events, you can remove the user attribute from the Active Directory Attribute Auditing page which will prevent the custom attribute event from being generated.

* 
NOTE: Change Auditor does not audit ‘constructed’ attributes, which are built from other normal attributes. To audit the changes made to these attributes, you need to audit the normal attributes associated with a constructed attribute.
* 
NOTE: To use custom attribute auditing, you must be logged in to Change Auditor with an account with Enterprise Admin privileges.

Active Directory Attribute Auditing page

Previous Next

Active Directory Attribute Auditing page

The Active Directory Attribute auditing page displays when you select Active Directory | Attributes from the Auditing task list in the navigation pane of the Administration Tasks page. From here you can specify individual schema attributes to audit and assign the severity.

This page consists of the following information/controls:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Quest Change Auditor User Guide for information on how to gain access.
Attributes list

The list box located across the top of this page lists the object classes that can be selected to define attribute auditing. It contains the object classes selected on the Attributes Auditing page.

In addition to the name of the object class, the assigned severity and number of custom attributes selected for auditing within each object class are also displayed.

* 
NOTE: The default set of attributes (added, moved, removed and renamed) are always being audited, but they are not included in the Monitored Attributes count on this page. This count only includes the custom attributes selected for auditing.

Selecting an entry in this list, will populate the list boxes across the bottom of the dialog with the applicable attributes.

Unmonitored Attribute list

The list box located in the lower left-hand pane of this page displays the attributes that are currently NOT being audited by Change Auditor for the schema class selected in the Attributes list.

Monitored Attribute list

The list box located in the lower right-hand pane contains the attributes that are currently selected for auditing by Change Auditor for the schema class selected in the Attributes list.

In addition to the attribute, the assigned severity is also displayed. To change the severity level assigned to an attribute, place your cursor in the Severity cell and use the drop-down arrow to select the severity you want to assign to the selected attribute.

Add

Select one or more attributes from the Unmonitored Attribute list and click Add to select them for auditing. The selected attributes are moved to the Monitored Attribute list box.

* 
NOTE: You can also double-click an attribute to select it for auditing or ‘drag and drop’ it into the Monitored Attribute list.
Remove

Select one or more attributes from the Monitored Attribute list and click Remove to remove them from auditing. The selected attributes are moved back to the Unmonitored Attribute list box.

* 
NOTE: You can also double-click an attribute to remove it from auditing or ‘drag and drop’ it back into the Unmonitored Attribute list.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating