Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

All volume exclusion examples

Previous Next

All volume exclusion examples

Audit Path = All Volumes

In the following examples, Vol0 contains three shares: HOME, SHARE2 and SHAREDDOCS; and Vol1 contains one share: SHAREDAPPS.

* 
NOTE: When using All Volumes, you cannot exclude an individual volume. You must use a share name, which is unique to a volume. That is, you cannot have two shares with the name of HOME (either on the same volume or different volumes).
* 
NOTE: When auditing an individual volume or all volumes, you must include the share name (or a file mask to represent the share) in the exclusion path. See the following examples.

 

Table 4. Exclusion examples: Audit Path = All Volumes

What to exclude:

Exclusion syntax/examples:

Exclude activity against files/subfolders in a specific folder found in a specific location on all volumes.

(Add | Folder)

Exclusion Syntax: *\<Path>\<FolderName>

Example: *\USERS\TEMP\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARED2\USERS\TEMP\DOCS
Vol1\SHAREDAPPS\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name found on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<FolderName>

Example: HOME\**\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders whose name starts with a specific string of characters found on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<CharString>*

Example: HOME\**\DOC*

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\DOCUMENTS

Exclude activity against files/subfolders in all folders with the specified folder name found anywhere on all volumes.

(Add | Folder)

Exclusion Syntax: **\<FolderName>

Example: **\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARE2\TEST\DOCS
Vol1\SHAREDAPPS\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name found at a specific level on all volumes.

(Add | Folder)

Exclusion Syntax: *\*\<FolderName>

Example 1: *\*\DOCS

Excludes:
Vol0\HOME\DEPTS\DOCS
Vol0\SHARE2\TEST\DOCS
Vol1\SHAREDAPPS\INSTALL\DOCS

Example 2: *\*\*\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARED2\PUBLIC\TEST\DOCS
Vol1\SHAREDAPPS\PROCS\INTRO\DOCS

Exclude activity against files/subfolders in all shares and folders whose name ends with a specific string of characters that may be located anywhere on all volumes.

(Add | Folder)

Exclusion Syntax: **<CharString>

Example: **DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\MYDOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\TEMPORARYDOCS
Vol0\HOME\USERS\TEMP\TESTINGDOCS
Vol0\SHARE2\TEST\DOCS
Vol0\SHARE2\PUBLIC\TEST\DOCS
Vol0\SHAREDDOCS
Vol1\SHAREDAPPS\INSTALL\DOCS
Vol1\SHAREDAPPS\PROCS\INTRO\DOCS

Exclude a specific file found in a specific location on the specified share.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\<FileName.Ext>

Entering:
SHARE2\USERS\DOCS\Test1.docx

Excludes:
Vol0\SHARE2\USERS\DOCS\Test1.docx

Exclude activity against all files with the specified file extension found in a specific location on the specified share.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\*.<Ext>

Entering: SHARE2\TEST\DOCS\*.docx

Excludes:
Vol0\SHARE2\TEST\DOCS\Test1.docx
Vol0\SHARE2\TEST\DOCS\123testing.docx

Exclude activity against all files with the specified file extension found anywhere on all volumes.

(Add | File)

Exclusion Syntax: **\*.<Ext>

Example: **\*.pdf

Excludes:
Vol0\HOME\DEPTS\DOCS\Test123.pdf
Vol0\SHARE2\TEST\DOCS\Current.pdf
Vol1\SHAREDAPPS\WhatsNew.pdf

Exclude a specific file (regardless of the file extension) found anywhere on the all volumes.

(Add | File)

Exclusion Syntax: **\<FileName>.*

Entering: **\test1.*

Excludes:
Vol0\HOME\DEPTS\DOCS\test1.docx
Vol0\HOME\USERS\TEMP\DOCS\test1.docx
Vol0\HOME\USERS\DOCUMENTS\test1.pdf
Vol0\SHARE2\USERS\DOCS\test1.txt
Vol1\SHAREDAPPS\test1.xlsx

EMC Isilon Auditing

Previous Next

EMC Isilon Auditing

EMC Isilon file server auditing is supported; however, automatic Isilon auditing configuration is not supported. This section discusses the manual configuration required to capture events from an Isilon file server.

Configuration Notes
On the agent intended to audit the Isilon server, install CEE. You may need to configure the firewall setting on your server before the CEE application can receive events from an Isilon server.
Change Auditor does not support automatic Isilon auditing configuration. To enable Isilon file server auditing, use the Isilon management web site UI and command line interface.

See EMC OneFS Web Administration Guide (http://bit.ly/onefs-web-administration-guide-7-1) and EMC OneFS CLI Administration Guide (http://bit.ly/onefs-cli-administration-guide-7-1) for more information.

* 
NOTE: An EMC account is required to access these EMC administration guides.
When asked for the URI for the CEE server, use the following format:

‘http://<FQDN of CA agent/CEE server>:12228/vee’
To configure Change Auditor for EMC to audit an Isilon server, use the EMC Auditing wizard. Isilon servers are not listed in the EMC File Server (CIFS) drop-down, but can be manually entered:

Make sure that the server name specified is the one configured in the Isilon auditing setting:
‘Volume’ auditing is not supported on Isilon servers and should not be used.
When specifying file and folder paths to be audited, the Isilon’s shared directory path should be used. You can find it in Isilon management web site UI by going to Protocols – Windows Sharing (SMB) – SMB Shares.

For example: To audit \\IsilonName\Storage\TestFolder folder, you need to specify ifs\data\TestFolder in the Audit Path field of the template in Change Auditor. Ensure that the backslash (\) is used in the path in Change Auditor template.
Owner and permission events are supported, but events captured contain only ‘to’ values and no ‘from’ values. To capture permission changes on Isilon, the Change Auditor agent account (typically the Local System account which translates to the agent computer account) should have Read permissions on the IFS share (or its equivalent). This can be accomplished by adding a computer account to a group and granting Read access to the group.

Individual computer accounts can also be added using ISI command line on the Isilon itself.

For example: isi smb shares permission create ifs --sid COMPUTER_ACCOUNT_SID --permission-type allow --permission read

In addition, agent computer accounts require Read access to all the files\folders to be audited (via Windows security). In the case where users have modified the default inherited security on their folders/files, Change Auditor will be unable to query those items.There is no need to enter information on the Logon Credentials dialog when configuring auditing on an Isilon server.
To audit the "File contents written" operations, you must audit "Close" operations on Isilon. To audit close operations, use isi zone zones modify command in the command line interface (CLI).

For example:
To audit a successful close operation for the 'System' zone run the following command:
isi zone zones modify system --add-audit-success close.
To review all currently audited operations for the System zone, use the following command:
isi zone zones view system

EMC Unity Auditing

Previous Next

EMC Unity Auditing

EMC Unity NAS server auditing is supported; however, automatic unity auditing configuration is not. This section discusses the manual configuration required to capture events from a Unity NAS server.

Configuration Notes
On the agent intended to audit the Unity NAS server, install CEE. You may need to configure the firewall setting on your server before the CEE application can receive events from a Unity server.
Change Auditor does not support automatic Unity auditing configuration. See the EMC Unity documentation for configuring host for more information.

To enable auditing, you must configure CEE using EMC Unisphere:
Select STORAGE | File | NAS Servers. Open the server properties and select Event Publishing. Select to Enabling Common Event Publishing. Add the CEPA Server where the CEE is installed, select All Events, and save the settings.
Select File System you want to audit and choose the Advanced tab. Under the Events Notifications, select Enable SMB Events publishing.
When you create the EMC auditing template to audit a Unity NAS server, you need to enter the NAS servers as they are not listed in the EMC File Server (CIFS) drop-down option. Ensure that you specify the server configured in the Unity auditing setting. For details on creating a template, see EMC auditing templates.

Change Auditor for Exchange

Previous Next

Change Auditor for Exchange

The Change Auditor for Exchange book contains information about the additional features that are available when a valid Change Auditor for Exchange license has been applied. It contains the following topics:
Change Auditor for Exchange Overview: This section provides an overview of Change Auditor for Exchange and lists the features that require a valid Change Auditor for Exchange license.
Exchange Searches and Reports: This section explains how to run a built-in Exchange report and how to create a custom Exchange search using the What tab.
Exchange Mailbox Auditing: This section provides a description of the Exchange Mailbox Auditing feature, including a description of the Exchange Auditing page and instructions on how to create and maintain the Exchange Mailbox Auditing list.
Office 365 Exchange Online Auditing: This section provides a description of the Office 365 Exchange Online Auditing page and wizard. It also explains how to create and maintain the Office 365 Exchange Online auditing templates.
Exchange Settings and Event Logging (Agent Configuration Page): This section explains how to modify the Exchange setting and enable event logging using the Agent Configuration page.
Exchange Mailbox Protection: This section provides a description of the Exchange Mailbox Protection feature, including a description of the Exchange Protection page.
Managing Shared Mailboxes: This section explains how to manage shared mailbox events for Exchange 2007 (or higher) shared mailboxes, rooms and equipment resources, and for any other mailboxes that you have identified as shared.
Disabled Exchange Events: This section lists the Exchange Mailbox Monitoring and Exchange User events that are disabled by default in Change Auditor.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating