Chat now with support
Chat with Support

Change Auditor 7.1 - PowerShell Command User Guide

Managing Office 365 auditing

Change Auditor for Exchange and Change Auditor for SharePoint have been extended to include the auditing of activities taking place in Exchange Online, SharePoint Online, and OneDrive for Business. The following commands are available to manage Office 365 auditing:
New-CAO365Template
Set-CAO365Template
Get-CAO365Templates
Remove-CAO365Template
Get-CAO365ExchangeMailboxes
Add-CAO365ExchangeTemplateMailboxes
Remove-CAO365ExchangeTemplateMailboxes
Get-CAO365ExchangeTemplateMailboxes
* 
NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.
* 
NOTE: If your organization uses a proxy server to connect to the internet, you must configure the agent settings to audit Azure Active Directory and Office 365 targets. (See Set-CAConfiguration)
New-CAO365Template

Use this command to create a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

Table 60. Available parameters

 

Parameter
Description

-AgentInfo

An agent obtained by using the Get-CAAgents command.

NOTE: The agent must be able to connect to Azure.
If the agent is separated from the coordinator by a firewall, you must create a firewall exception for port 8373 on every agent computer to be used for Azure Active Directory auditing. This is the default port that enables the coordinator to communicate with the agent. A different port number can, however, be specified by running the Set-CAConfiguration command.
A firewall outbound exception for remote port 443 (https) must exist for every agent computer that will be used for Azure Active Directory auditing. This is the port that is used for communicating with the tenant.

-Connection

A connection obtained by using the Connect-CAClient command.

-WebAppCreationCredential

Azure Active Directory account credentials required to create an Azure web application. The credential object is obtained by using the Get-Credential command.

NOTE: The account must be a user with the Global Administrator role.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

NOTE: When using this parameter, you cannot also specify the
–HistoricalEventCollectionDays parameter.
NOTE: Using this parameter may cause a duplication of events if the same events have been previously collected.
NOTE: The historical data returned is based on the information in the Office 365 audit logs. This may not reflect the configuration options in the current template.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

NOTE: When using this parameter, you cannot also specify the
–HistoricalEventCollectionHours parameter.
NOTE: Using this parameter may cause a duplication of events if the same events have been previously collected.
NOTE: The historical data returned is based on the information in the Office 365 audit logs. This may not reflect the configuration options in the current template.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

NOTE: The account must belong to the same tenant as the Azure Active Directory account used to create the Azure web application.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

Example: Create a template that audits both Exchange Online administration and mailbox non-owner events and will collect events generated 7 days in the past.

New-CAO365Template -Connection $connection -WebAppCreationCredential $azureCreds -AgentInfo $agent -O365ExchangeAdminCredential $o365Creds -AuditAdministration $true –AuditOrganization $true –HistoricalEventCollectionDays 7

Create a template using an existing web application

Alternatively, use these parameters when using a pre-created Azure web application that will be used by Change Auditor for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Table 61. Required permission
System
Permissions

Windows Azure Active Directory

Application Permissions:
Read directory data

Delegated Permissions:
Read directory data
Sign in and read user profile

Microsoft Graph

Application Permissions:
Read all identity risk event information
Read all audit log data

Office 365 Management APIs

Application Permissions:
Read activity reports for your organization
Read activity data for your organization
Read service health information for your organization

Delegated Permissions:
Read activity reports for your organization
Read activity data for your organization
Read service health information for your organization
Table 62. Available parameters
Parameter
Description

-AgentInfo

An agent object obtained by using the Get-CAAgents command.

NOTE: The agent must be able to connect to Azure.
If the agent is separated from the coordinator by a firewall, you must create a firewall exception for port 8373 on every agent computer to be used for Azure Active Directory auditing. This is the default port that enables the coordinator to communicate with the agent. A different port number can, however, be specified by running the Set-CAConfiguration command.
A firewall outbound exception for remote port 443 (https) must exist for every agent computer that will be used for Azure Active Directory auditing. This is the port that is used for communicating with the tenant.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure AD tenant/Directory that you would like Change Auditor to audit (for example: yourTenantName.onmicrosoft.com).

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

NOTE: Azure Active Directory and Office 365 must each have their own dedicated web application.
NOTE: When using this parameter, you cannot also specify the
–WebAppCreationCredential parameter.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

NOTE: When using this parameter, you cannot also specify the
–WebAppCreationCredential parameter.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

NOTE: When using this parameter, you cannot also specify the
–HistoricalEventCollectionHours parameter.
NOTE: Using this parameter may cause a duplication of events if the same events have been previously collected.
NOTE: The historical data returned is based on the information in the Office 365 audit logs. This may not reflect the configuration options in the current template.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

NOTE: When using this parameter, you cannot also specify the
–HistoricalEventCollectionDays parameter.
NOTE: Using this parameter may cause a duplication of events if the same events have been previously collected.
NOTE: The historical data returned is based on the information in the Office 365 audit logs. This may not reflect the configuration options in the current template.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

NOTE: The account must belong to the same tenant as the Azure AD account used to create the Azure web application.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

Example: Create a template that audits both Exchange Online administration and mailbox non-owner events and will collect events generated 7 days in the past.

New-CAO365Template -Connection $connection -AgentInfo $agent -O365ExchangeAdminCredential $o365Creds -WebAppKey $webAppKey -WebAppId $webAppId - Tenant $tenant -AuditAdministration $true –AuditOrganization $true
–HistoricalEventCollectionDays 7

Set-CAO365Template

Use this command to edit the account used to access Office 365 Exchange Online, the type of service and events to audit, and select a new agent.

Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-WebAppCreationCredential

Azure Active Directory account credentials required to create an Azure web application. The credential object is obtained by using the Get-Credential command.

NOTE: The account must be a user with the Global Administrator role.
NOTE: When you specify this parameter a new web application is created and assigned to the template.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

NOTE: Azure Active Directory and Office 365 must each have their own dedicated web application.
NOTE: When using this parameter, you cannot also specify the
–WebAppCreationCredential parameter.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

NOTE: When using this parameter, you cannot also specify the
–WebAppCreationCredential parameter.

-AgentInfo (Optional)

An agent object obtained by using the Get-CAAgents command.

NOTE: The agent must be able to connect to Azure.
If the agent is separated from the coordinator by a firewall, you must create a firewall exception for port 8373 on every agent computer to be used for Azure Active Directory auditing. This is the default port that enables the coordinator to communicate with the agent. A different port number can, however, be specified by running the Set-CAConfiguration command.
A firewall outbound exception for remote port 443 (https) must exist for every agent computer that will be used for Azure Active Directory auditing. This is the port that is used for communicating with the tenant.
NOTE: The web application ID and key values are encrypted; therefore, each time you change the agent associated with a template you must explicitly specify the values again.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by non-owners.

-EnableExchange (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-O365ExchangeAdminCredential (Optional)

An account with the Exchange Administrator role. It is used to configure the mailbox auditing settings in the tenant that are defined in the template (such as enabling auditing of owner activity). These credentials are used periodically by the agent to validate or update auditing settings, so they are securely stored in Change Auditor.

NOTE: The account must belong to the same tenant as the Azure AD account used to create the Azure web application.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

Example: Enable auditing all Office 365 Exchange Online mailboxes accessed by non-owners

Set-CAO365Template -Connection $connection -Template $template
-AuditOrganization $true

Example: Enable auditing of SharePoint Online and OneDrive for Business

Set-CAO365Template -Connection $connection -Template $template -EnableSharePoint $true -EnableOneDrive $true

Example: Replace the web application

Set-CAO365Template -Connection $connection -Template $template -WebAppId $webAppId -WebAppKey $webAppKey

Example: Replace the agent
* 
NOTE: Replacing the agent requires additional parameters to provide authentication credentials and tenant information.

Set-CAO365Template -Connection $connection -Template $template -AgentInfo $agent -WebAppId $webAppId -WebAppKey $webAppKey -O365ExchangeAdminCredential $o365LiveCreds

Get-CAO365Templates

Use this command to see all the Office 365 templates available within your installation.

Table 63. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all Office 365 templates

Get-CAO365Templates -Connection $connection

Remove-CAO365Template

Use this command to remove a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

Table 64. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

Example: Remove an Office 365 template

Remove-CAO365Template -Connection $connection -Tenant $tenant

Get-CAO365ExchangeMailboxes

Use this command to find specific mailboxes that can be added to an existing Office 365 Exchange Online template.

* 
NOTE: To run this command, you must first create an Office 365 auditing template. See New-CAO365Template.
Table 65. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

-SearchText (Optional)

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Example: Find all Office 365 mailboxes that start with the letter a

Get-CAO365ExchangeMailboxes -Connection $connection -Tenant $tenant -SearchText "a"

Add-CAO365ExchangeTemplateMailboxes

Use this command to audit specific mailboxes in your organization by adding them to an existing Office 365 Exchange Online template.

Table 66. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-AuditOwnerEvents (Optional)

A switch that indicates that the added mailboxes will be audited for owner activity in addition to the non-owner activity. By default, the mailboxes will be audited for non-owner mailbox activity only.

IMPORTANT: It is recommended that you select owner auditing for critical mailboxes only. Owner auditing for a large number of mailboxes produces many events that may affect performance.

-OverwriteExisting (Optional)

If the mailboxes already exist in the template, this switch indicates that the mailboxes will have their current owner/non-owner auditing settings overwritten with new settings.

Example: Add Office 365 mailboxes to the existing Exchange Online template

Add-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -Mailboxes $mailboxes –AuditOwnerEvents

Remove-CAO365ExchangeTemplateMailboxes

Use this command to remove mailboxes from an existing Office 365 Exchange Online template.

Table 67. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-All (Optional)

A switch that indicates that all mailboxes will be removed from the template.

Example: Remove all Office 365 mailboxes from the existing Exchange Online template

Remove-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template –All

Get-CAO365ExchangeTemplateMailboxes

Use this command to retrieve a list of mailboxes being audited by a particular Office 365 Exchange Online template.

Table 68. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-AuditTypeFilter

Parameter that allows you to narrow the search based on the type of activities being audited: non-owner only, owner (non-owner, owner), or any (non-owner only, owner and non-owner).

-DisplayNameFilter

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Example: Get all Office 365 audited mailboxes from the existing Exchange Online template

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template

Example: This example will return mailboxes that are not enabled for owner auditing where the display name starts with “John S”

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -DisplayNameFilter "John S" -AuditTypeFilter NonOwnerOnly

 

Managing Skype for Business auditing

The following commands are available to manage Skype for Business auditing:
Get-CASkypeEventClassInfo
New-CASkypeTemplate
Get-CASkypeTemplates
Set-CASkypeTemplate
Remove-CASkypeTemplate
Get-CASkypeEventClassInfo

Use this command to see the list of event classes available for the Skype for Business subsystem.

Table 69. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all available Skype for Business event classes

Get-CASkypeEventClassInfo –Connection $connection

New-CASkypeTemplate

Use this command to add a Skype for Business template to Change Auditor.

* 
NOTE: It is recommended that the Change Auditor Coordinator Service is running in the same forest as the Skype for Business Central Management Store (CMS) database server.

Once the template has been created, the agent is notified of the Skype for Business Central Management Store details and the events to audit.

Table 70. Available parameters
Parameter
Description

-AgentInfo

The Change Auditor agent to audit the Skype events. This agent must be executing on the Skype for Business Central Management Store database server.

-AuditItems

Collection of events to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

-CMSInstanceName (Optional)

The Microsoft Skype for Business server 2015 / Microsoft Lync Server 2013 Central Management Store (CMS) SQL Server Instance Name.

The CMS Instance name must be provided only when the Change Auditor Coordinator Service is not in the same Active Directory forest as Microsoft Skype for Business Server 2015 / Microsoft Lync Sever 2013.

-DatabaseCMSCredential

Skype for Business Central Management Store database credentials.

-TemplateName

The name of the template.

-UseWindowsAuthentication

Specifies whether to use Windows authentication when connecting to the Central Management Store database. If Windows authentication is not used, SQL Authentication will be used.

-SkipCMSDatabaseConnectivityTest (Optional)

Specifies whether to test the Central Management Store (CMS) SQL Server Connection using the supplied CMS credentials.

-Disabled (Optional)

Specifies whether the template is disabled.

Example: Create a Skype for Business template

New-CASkypeTemplate -AgentInfo $agentInfo -AuditItems $auditItems -Connection

$connection -DatabaseCMSCredential $dbCredential -TemplateName 'Skype for Business

Template' -UseWindowsAuthentication $True -Disabled $False

Get-CASkypeTemplates

Use this command to see all the Skype for Business templates that have been created.

Table 71. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all Skype for Business templates

Get-CASkypeTemplates -Connection $connection

Set-CASkypeTemplate

Use this command to update the properties of an existing Skype for Business template. Once the template has been updated, the agent is notified of the Skype for Business Central Management Store details, and the events to audit.

* 
NOTE: If the Central Management Store database server has changed, you need to redeploy your agent to the new Central Management Store SQL Server, delete the existing template, then create a new template.
Table 72. Available parameters
Parameter
Description

-AgentInfo

The Change Auditor agent to audit the Skype events. This agent must be executing on the Skype for Business Central Management Store database server.

-AuditItems

Collection of events to audit.

-Connection

A connection obtained by using the Connect-CAClient command.

-DatabaseCMSCredential

Skype for Business Central Management Store database credentials.

-Template

The name of the existing template to update.

-TemplateName

The name of the template.

-UseWindowsAuthentication

Specifies whether to use Windows authentication when connecting to the Central Management Store database. If Windows authentication is not used, SQL Authentication will be used.

-SkipCMSDatabaseConnectivityTest (Optional)

Specifies whether to test the Central Management Store (CMS) SQL Server Connection using the supplied CMS credentials.

-Disabled (Optional)

Specifies whether the template is disabled.

Example: Modify a Skype for Business template

Set-CASkypeTemplate -Connection $connection -Template $templateToUpdate ‘Updated Skype for Business Template’ -AgentInfo &agentInfo -AuditItems &$auditItems -DatabaseCMSCredential $dbCredential -UseWindowsAuthentication $True -Disabled $False

Remove-CASkypeTemplate

Use this command to remove a Skype for Business template. Agents associated with the template would be notified and Skype for Business configuration events would not be audited anymore.

Table 73. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The name of the template to remove.

Example: Remove a Skype for Business template

Remove-CASkypeTemplate -Connection $connection -TemplateName 'Skype For Business

Template'

Configuring a Quest On Demand Audit integration

Configuring a Quest On Demand Audit integration

Quest On Demand Audit is a Software as a Service (SaaS) application, available through quest-on-demand.com that provides extensive, customizable auditing of critical activities and detailed alerts about vital changes taking place in Microsoft Office 365 and Azure Active Directory.

On Demand Audit can also provide a single view of activity across hybrid Microsoft environments. By sending Change Auditor Active Directory event data, you can gain visibility to on premises changes (including events gathered up to 30 days prior to installing or upgrading Change Auditor 7.1).

To begin, you need to configure a connection between Change Auditor and your organization in On Demand Audit. Once the connection is made, On Demand Audit creates the required subscription used to send events from Change Auditor to On Demand Audit. For details on how Change Auditor uses subscriptions to send events, see the Change Auditor SIEM Integration Guide.

* 
NOTE: Although the configuration is made through Change Auditor, the subscription is managed (edited and removed) through On Demand Audit. See the On Demand Audit User Guide for details.
New-CAODAConfiguration
Get-CAODAConfiguration
Set-CAODAConfiguration
New-CAODAConfiguration

Use this command to create the connection required to send Change Auditor event data to On Demand Audit. When you run this command, you are presented with a dialog where you need to enter the information required to configure the connection. Enter your Quest account credentials to sign in to On Demand Audit and if prompted select the organization. By default, the current installation is used for the configuration name. If required, you can enter a different name for the configuration. This is the configuration name used in On Demand Audit; it does not change the Chane Auditor installation name.

 

Table 2. Available parameters

Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Create a subscription to send Active Directory event data to On Demand Audit

New-CAODAConfiguration -Connection $connection

Get-CAODAConfiguration

Use this command to see the details of the current On Demand Audit configuration.

Table 74. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-SubscriptionId (optional)

The ID of an existing On Demand Audit subscription.

Example: Get information about the On Demand Audit configuration

Get-CAODAConfiguration -Connection $connection

Command output

The command returns the following information.

Table 75. Available information about the subscription created by the configuration
Setting
Description

ActiveBatchSize

The current batch size. (The current number of events to include in a single notification message.) The batch size is automatically adjusted based on network throughput and system performance. Its value never exceeds the specified batch size.

AllowedCoordinators

List of coordinators permitted to send events.

BatchSize

Batch size. (The maximum number of events that the active batch size can increase to.)

BatchesSent

Number of batches sent.

Enabled

Whether the subscription is enabled.

EventsSent

Number of events sent.

LastCoordinator

The coordinator that is sending events. If the subscription is disabled, this is the last coordinator that sent events.

LastEventResponse

The last event response. Provides the response in JSON format from the event receiver.

LastEventTime

When the last event was sent.

NotificationInterval

How often how often (in milliseconds) notifications are sent.

StartTime

Starting point in time for events being sent.

Subscription Id

The subscription ID.

Subsystems

Subsystems that contain the event data being sent.

Webhook Subscription Id

The webhook subscription ID.

Set-CAODAConfiguration

Use this command to modify an On Demand Audit configuration.

Table 2. Available parameters

Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command. See the Change Auditor Command Guide for details.

-AllowedCoordinators (Optional)

Specifies the DNS or NetBIOS name of the coordinators permitted to send events. By default, any coordinator can send the events.

NOTE: The list order does not determine which coordinator is selected to send events.

Example: Set the allowed coordinators for the On Demand Audit configuration to the computers named "coordinator1" and "coordinator2"

Set-CAODAConfiguration -Connection $connection -AllowedCoordinators @("coordinator1", "coordinator2")

Working with protection templates

Enabling Active Directory protection allows you to lock down critical objects and attributes to prevent accidental or unauthorized creations, modifications, or deletions.

The following commands are available to manage Active Directory protection:
New-CAADProtectionTemplate
New-CAProtectedObject
New-CAForestCredential
New-CAScheduledTimeRange
Get-CAADProtectionTemplates
Remove-CAADProtectionTemplate
New-CAADProtectionTemplate

Use this command to create an Active Directory protection template.

Table 76. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

-Name

The template name.

-ProtectedObjects

List of ProtectedObjects. See New-CAProtectedObject for details.

-Attributes (Optional)

List of attributes to protect. When AttributeType is not set to “All” this specifies the attributes for the template. Default is none.

-AttributeType (Optional)

This is applied to the list of attributes specified in the Attributes parameter. Possible values include “All”, “Only” and “AllExcept”. Default is All.

-OverrideAccounts (Optional)

Accounts allowed or not allowed to change the protected objects.

-OverrideAccountsDenied (Optional)

Specifies if you want to deny the list of user in the OverrideAccounts access. You can specify either $true or $false.

Default is false which means that the user accounts are not denied access.

-AdminAccounts (Optional)

Accounts that can manage the protection template. Default is none.

-Locations (Optional)

IP addresses to protect. Default is none.

-LocationProtectionType (Optional)

Applied to the IP addresses specified by the Locations parameter. The potential values include ProtectAllLocations, ProtectSelectLocations, AllowSelectLocations, or ProtectUnknownLocations.

Default is ProtectAllLocations.

-Schedule (Optional)

It is a list of PSCAScheduledTimeRange objects, created with the
New-CAScheduledTimeRange cmdlet. Default is no specified schedule, which means that protection is always enabled.

See New-CAScheduledTimeRange for details.

Example: Create an Active Directory protection template

$protectedObject = New-CAProtectedObject -Connection $connection -ObjectDistinguishName “ObjectName” -ProtectedScope ScopeObject -Operations Create

New-CAADProtectionTemplate -Connection $connection -Name TemplateSample1 -ProtectionObjects $protectedObject

Example: Creating an Active Directory Protection template to protect objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $liveCred

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

 

 

 

New-CAProtectedObject

Use this command to create a protected object to include in a protection template.

Table 77. Available parameters
Parameter
Description

-ObjectDistinguishName

Distinguish name of object to protect.

-ProtectedScope

Scope of coverage for the protected object. Specify the scope using one of the following values:

ScopeObject
ScopeOneLevel
ScopeSubtree

-Operations

Operations to be denied for the selected object:
None
Create
Modify
Delete
Move
NOTE: You can specify multiple operations.
Example: Create a new protected object

New-CAProtectedObject -Connection $connection -ObjectDistinguishName “ObjectName” -ProtectedScope ScopeObject -Operations Create

New-CAForestCredential

Use this command to input credentials for foreign forests when creating Active Directory Protection templates with PowerShell.

Table 78. Available parameters
Parameter
Description

-ForestName

The name of the forest to access.

-Credential

Credentials used to access the foreign forest. The credential object is obtained by using the Get-Credential command.

Example: Creating an Active Directory Protection template to protect objects in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $liveCred

New-CAADProtectionTemplate -Connection $connection -Name $templateName -ProtectedObjects $protectedObject -OverrideAccounts $overrideAccountDn -AdminAccounts $adminAccountDn -Schedule $schedule -Credential $forestCredential

New-CAScheduledTimeRange

Use this command to schedule when to enforce the protection.

Table 79. Available parameters
Parameter
Description

-Day

Spelled out day of the week to begin the protection. For example, Monday.

-StartTime

The time to start the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive. This implies an hour of the day to start on.

-EndTime

The time to end the protection. This parameter requires an integer and validates that the input is between 0 and 24 inclusive. This implies an hour of the day to end on.

Example: Create a scheduled time range for a protected template

New-CAScheduledTimeRange -Day Monday -StartTime 7 -EndTime 18

Get-CAADProtectionTemplates

Use this command to see all the Active Directory Protection templates that have been created including those in a foreign forest.

Table 80. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

Example: Get a list of all Active Directory Protection templates

Get-CAADProtectionTemplates -Connection $connection

Example: Get a list of all Active Directory Protection templates in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $liveCred

Get-CAADProtectionTemplates -Connection $connection -Credential $forestCredential

Remove-CAADProtectionTemplate

Use this command to remove an Active Directory protection template.

Table 81. Available parameters
Parameter
Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Credential

Credentials used to access the foreign forest.

-Template

The PSCAProtectionTemplate object to remove.

Obtain the template objects using the Get-CAADProtectionTemplates command and filter to select the object to remove.

-Force

Removes the template without providing confirmation.

Example: Remove an Active Directory protection template

Remove-CAADProtectionTemplate -Connection $connection -Template $template

Example: Remove an Active Directory Protection template in a foreign forest

$forestCredential = New-CAForestCredential -ForestName $forestName -Credential $liveCred

Remove-CAADProtectionTemplate -Connection $connection -Template $selectedTemplate -Credential $forestCredential

 

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating