Chat now with support
Chat with Support

Change Auditor 7.1.1 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

Audit and Accountability

Audit and Accountability
Active Directory
Active Directory\Computers
Active Directory\Configuration
Active Directory\GPO Configuration
Active Directory\Group Policy
Active Directory\Organizational Unit
Active Directory\Users and Groups
Authentication Services
Messaging\Exchange
Messaging\Exchange Online
Microsoft SQL\Audit
Storage\VMWare
VMWare
Windows
Active Directory
- All Account Lockout Events
Who = All Users
What = Local User Account Locked; Local User Account Unlocked; User Account Locked; User Account Unlocked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All Object Restore Events
Who = All Users
What = Computer Added; Domain Added; Exchange Group Added (Exchange 2003); Group Object Added; Group Policy Object Added; Subordinate OU Added; User Object Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All OU Events
Who = All Users
What = OU facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes to User Profiles in the last 30 days
Who = All Users
What = Home Folder Changed on User Object; Home Folder Mapped Drive Changed on User Object; Level of Control Changed for User Object; Primary Group ID Changed for User Object; Profile Path Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- GDPR - Active Directory Database Events in last 30 days
Who = All Users
What = Active Directory Database facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\Computers
- Computers added in last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers disabled in last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers enabled in last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers moved in last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers removed in last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers renamed in last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers with a Service Pack applied in last 30 days
Who = All Users
What = Computer Service Pack Applied
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Computers with a Service Pack rolled back in last 30 days
Who = All Users
What = Computer Service Pack Rolled Back
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\Configuration
- All Basic Domain Controller changes in last 30 days
Who = All Users
What = Append Parent Suffixes Option Changed; Connection DNS Registration Option Changed; Connection-Specific DNS Suffixes Changed; Contents of DNS Server List Changed; Contents of DNS Suffix List Changed; Default Gateway Changed; DHCP Enabled; DHCP Disabled; Disk Size Changed; IP Deny List Entry Added; IP Deny List Entry Removed; IPSEC Settings Changed; Memory Amount Changed; NIC Added; NIC Removed; Processor Speed Changed; Raw IP Allowed Protocols List Changed; Static IP Address Changed; Subnet Mask Changed; Use Connection Suffix in DNS Registration Option Changed; Use of Dynamic DNS Changed; Use Primary and Connection Specific Suffixes Flag Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- All Forest changes performed in last 14 days
Who = All Users
What = Forest Configuration facility
Where = All sources
When = Last 14 days
Origin = All workstations/servers
- All Domain changes performed in last 14 days

Search generated for each domain in forest:

Who = All Users
What = Domain Configuration facility; Configuration Monitoring facility
Where = Domain Controller
When = Last 14 days
Origin = All domain controllers
- All Replication Changes performed in last 30 days
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- All Schema Changes performed in last 30 days
Who = All Users
What = Schema Configuration facility
Schema FSMO Role Owner Moved; Schema Modifications Allowed Flag Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- All Site Changes performed in last 30 days
Who = All Users
What = Site Added; Site Removed; Site Renamed; Site Link Added; Site Link Removed; Site Link Bridge Added; Site Link Bridge Removed
Site Configuration facility; Site Link Bridge Configuration facility; Connection Object facility; Site Link Configuration facility; Subnets facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Allow raw IP allowed protocols list changed in last 30 days
Who = All Users
What = Raw IP Allowed Protocols List Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Changes in Domain Controller Services
Who = All Users
What = Service Monitoring facility
Where = Domain Controller
When = Last 7 days
Origin = All domain controllers
- Changes in Domain Controller System State, Registry and Configuration Files
Who = All Users
What = Custom File System Monitoring facility; Custom Registry Monitoring facility; System Events facility; Service Monitoring facility
Where = Domain Controller
When = Last 7 days
Origin = All domain controllers
- Changes in domain-wide operations master roles
Who = All Users
What = RID FSMO Role Owner Moved; PDC FSMO Role Owner Moved; Infrastructure FSMO Role Owner Moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes in forest-wide operations master roles
Who = All Users
What = Domain FSMO Role Owner Moved; Schema FSMO Role Owner Moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes in LDAP policies
Who = All Users
What = Default Site Query Policy Object Changed; Linked Query Policy Object for Domain Controller Changed; Linked Query Policy for Site Changed; Query Policy Added; Query Policy Link for Domain Controller Changed; Query Policy Removed; Query Policy Setting Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes to audit policy settings
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes to DNS settings in last 30 days
Who = All Users
What = DHCP Enabled; DHCP Disabled; Static IP Address Changed; Subnet Mask Changed; Default Gateway Changed; Contents of DNS Server List Changed; Use Primary and Connection Specific Suffixes Flag Changed; Append Parent Suffixes Option Changed; Connection Specific DNS Suffix Changed; Contents of DNS Suffix List Changed; Use Connection Suffix in DNS Registration Option Changed; Connection DNS Registration Option Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Default gateway changes in last 30 days
Who = All Users
What = Default Gateway Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- DHCP disabled in last 30 days
Who = All Users
What = DHCP Disabled
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- DHCP enabled in last 30 days
Who = All Users
What = DHCP Enabled
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Domain Controller moved in the last 30 days
Who = All Users
What = Domain Controller Moved to Another OU
Where = All sources
When = Last 30 days
Origin = All domain controllers
- Global Catalog added to Domain Controller in last 30 days
Who = All Users
What = GC Added
Where = All sources
When = Last 30 days
Origin = All domain controllers
- Global Catalog removed from Domain Controller in last 30 days
Who = All Users
What = GC Removed
Where = All sources
When = Last 30 days
Origin = All domain controllers
- Hot fixes applied in last 30 days
Who = All Users
What = Hotfix Applied
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Hot fixes rolled back in last 30 days
Who = All Users
What = Hotfix Rolled Back
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Medium Severity changes in the last 30 days
Who = All Users
What = Severity | Medium
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Promotion or demotion of Domain Controllers
Who = All Users
What = Domain Controller Added to Domain; Domain Controller Removed from Domain; Domain Controller Renamed; GC Added; GC Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All Basic Domain Controller changes in last 30 days
Who = All Users
What = Append Parent Suffixes Option Changed; Connection DNS Registration Option Changed; Connection-Specific DNS Suffixes Changed; Contents of DNS Server List Changed; Contents of DNS Suffix List Changed; Default Gateway Changed; DHCP Enabled; DHCP Disabled; Disk Size Changed; IP Deny List Entry Added; IP Deny List Entry Removed; IPSEC Settings Changed; Memory Amount Changed; NIC Added; NIC Removed; Processor Speed Changed; Raw IP Allowed Protocols List Changed; Static IP Address Changed; Subnet Mask Changed; Use Connection Suffix in DNS Registration Option Changed; Use of Dynamic DNS Changed; Use Primary and Connection Specific Suffixes Flag Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- Schema Changes
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Service Packs rolled back in last 30 days
Who = All Users
What = Domain Controller Service Pack Rolled Back
Where = All sources
When = Last 30 days
Origin = All domain controllers
- Static IP address changes in last 30 days
Who = All Users
What = Static IP Address Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
- TCP/IP allowed list changes in last 30 days
Who = All Users
What = IP Deny List Entry Added; IP Deny List Entry Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\GPO Configuration
- Changes in GPO assignments
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU; Group Policy Disabled Setting on Domain Changed; Group Policy Disabled Setting on OU Changed; Group Policy Inheritance Blocked Setting Changed; on Domain; Group Policy Link Added to OU; Group Policy Link Removed from OU; Group Policy Link Settings Modified; Group Policy Linked; Group Policy No Override Setting Changed on Domain; Group Policy Unlinked; Group Policy No Override Setting Changed on OU
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes in linked GPOs
Who = All Users
What = Linked Group Policy on Domain Changed; Linked Group Policy on OU Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Changes in the GPO assignments for all Sites
Who = All Users
What = Group Policy Link Added to Site; Group Policy Link Removed from Site; Group Policy Block Inheritance Setting Changed on Site; Group Policy No Override Setting Changed on Site; Group Policy Disabled Setting on Site Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Group Policy block inheritance changes
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU; Group Policy Block Inheritance Setting Changed on Site; Group Policy Block Inheritance Setting Changed on Domain
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Group Policy disabled setting changes
Who = All Users
What = Group Policy Disabled Setting on OU Changed; Group Policy Disabled Setting on Site Changed; Group Policy Disabled Setting on Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\Group Policy
- All Group Policy Events
Who = All Users
What = Group Policy Link Added to OU; Group Policy Link Removed from OU; Group Policy Link Setting Modified; Group Policy Link Added to Site; Group Policy Link Removed from Site
Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All Group Policy Events Including GPOAdmin Initiator

Returns all Group Policy events, displaying the Initiator UserName and EventSource in the Search Results

Who = All Users
What = Group Policy subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Layout Tab - Selected Columns: Initiator UserName and EventSource are added to default list
Active Directory\Organizational Unit
- Organizational Unit policy changes last 30 days

Report generated for each domain

Who = All Users
What = Linked Group Policy on OU Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Organizational Units added in last 30 days
Who = All Users
What = Subordinate OU Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Organizational Units deleted in last 30 days
Who = All Users
What = Subordinate OU Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Organizational Units renamed in last 30 days
Who = All Users
What = Subordinate OU Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\Users and Groups
- Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Group type changes in last 30 days
Who = All Users
What = Group Type Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- Nested group changes in last 30 days
Who = All Users
What = Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group; Nested Member Added to Group; Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services
- All Failed Logons in the last 7 days
Who = All Users
What = User failed to authenticate through Kerberos, User failed to authenticate through NTLM, User failed to log on interactively, User failed to log on interactively from a remote computer, User failed to perform a network logon from a remote computer
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Info Tab = Fetch Every 10 Seconds
Messaging\Exchange
- All Exchange Administrative Group Events
Who = All Users
What = Exchange Administrative Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All Email Address Policy Events
Who = All Users
What = Email Address Policy Added to Organization Configuration; Email Address Policy Email Address Filter List Changed; Email Address Policy Priority Changed; Email Address Policy Query Filter Changed; Email Address Policy Removed from Organization Configuration; Email Address Policy Renamed; Email Address Policy Storage Filter Changed; Distribution List - Email Address Policy Enabled Changed; Mailbox - Email Address Policy Enabled Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- All Exchange Organization events in last 30 days
Who = All Users
What = Exchange Organization facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
- All Exchange Permission Tracking events in last 30 days
Messaging\Exchange Online
- Office 365 Exchange Online administrative cmdlets executed this week
Who = All Users
What = Office 365 Exchange Online administration events, external and local
Where = All sources
When = This week
Origin = All workstations/servers
Layout tab - Order By: Time Detected (Not Grouped); User (Grouped)
Microsoft SQL\Audit
- All SQL Session Events in the last 24 hours
Who = All Users
What = SQL Session Event facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
- All SQL Stored Procedures Events in the last 24 hours
Who = All Users
What = SQL Stored Procedures Event facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
- All SQL TSQL Events in the last 24 hours
Who = All Users
What = SQL TSQL Event facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers

Microsoft SQL\Configuration

- Audit Access DB Object Changed
Who = All Users
What = Audit Access Database Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Storage\VMWare
- DRS events in the last 7 days
Who = All Users
What = Cluster Overcommitted; Cluster Reconfigured; Drs Disabled; Drs Entered Standby Mode; Drs Exit Standby Mode Failed; Drs Exited Standby Mode; Drs Invocation Failed; Drs Recovered From Failure; Drs Resource Configure Failed; Drs Rule Compliance Event; Drs Rule Violation Event; Drs Vm Migrated; Drs Vm Powered On; Failover Level Restored; Resource Pool Event; Resource Pool Reconfigured; Vm Emigrating Event; Vm Failed Migrate; Vm Failed Relayout On Vmfs2 Datastore; Vm Failover Failed; Vm Migrated; Vm No Compatible Host For Secondary Event; Vm Primary Failover Event; Vm Relocated; Vm Resource Pool Moved; Vm Resource Reallocated; Vm Restarted On Alternate Host; Vm Resuming Event; Vm Secondary Added; Vm Secondary Disabled; VMotion License Expired
Where = All sources
When = Last 7 days
Origin = All workstations/servers
VMWare
- Account Events in the last 7 days
Who = All Users
What = VMware Account facility
Where = All sources
When = Last 7 day
Origin = All workstations/servers
- Host Events in the last 7 days
Who = All Users
What = VMware Host facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- Virtual Machine Events in the last 7 days
Who = All Users
What = VMware Virtual Machine facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Windows
- All Registry Events
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Responsibility of the Controller

24.2 - User Association

A summary report containing events from all of the following reports.

Detailed list of audit policy modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit: Audit the Use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service Has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled; Change Auditor Agent Connected
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit The Access of Global System Objects Policy Changed; Audit: Audit The Use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
24.2 - Password Protection Mechanisms

A summary report containing events from all of the following reports.

Detailed list of account lockout policy modifications
Who = All Users
What = Account Lockout Threshold Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of lockout duration policy modifications
Who = All Users
What = Account Lockout Duration Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of password age policy modifications
Who = All Users
What = Maximum Password Age Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of password complexity policy modifications
Who = All Users
What = Password Must Meet Complexity Requirements Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of password history policy modifications
Who = All Users
What = Enforce Password History Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of storing password policy modifications
Who = All Users
What = Store Passwords Using Reversible Encryption Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Integrity and Confidentiality
Active Directory
Active Directory\Users and Groups
Active Directory\Organizational Units
Messaging\Exchange
Microsoft SQL\Configuration
Microsoft SQL\Security
Storage\Windows File System
SharePoint
VMWare
Active Directory
24.2 - All AD Queries grouped by AD Search Filter
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout tab - Order By: Time Detected (Not Grouped); LDAP Filter (Grouped)
24.2 - All AD Queries grouped by AD starting point
Who = All Users
What = AD Query Performed
Where = All sources
When = N/A
Origin = All workstations/servers
Layout Tab - Order By: Time Detected (Not Grouped); Object Canonical (Grouped)
Active Directory\Users and Groups
5.6 - Changes in the membership of critical built-in Enterprise groups
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Active Directory\Organizational Units
5.6 - Organizational Units set to block GPO inheritance in last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Messaging\Exchange
5.6 - Deleted Items Retention Period Changed for a user
Who = All Users
What = Deleted Item Retention Period Changed; Deleted Item Retention Use Defaults Storage Option Changed; Mailbox - End Date Retention Hold; Mailbox - Retention Hold Enabled; Mailbox - Retention Policy; Mailbox - Start Date for Retention Hold; Mailbox - Use Database Retention Defaults
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Mail Enabled for Group
Who = All Users
What = Mail Enabled for Group (Exchange 2003); Distribution List - Created; Distribution List - Enabled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Mailbox Store Mounted
Who = All Users
What = Mailbox Store Mounted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Outlook Anywhere Enabled or Disabled for a Server
Who = All Users
What = Outlook Anywhere Disabled for Server; Outlook Anywhere Enabled for Server
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Public Folder Created
Who = All Users
What = Public Folder Store Created in Server Storage Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Public Store Mounted
Who = All Users
What = Public Store Mounted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Storage Group Removed from Exchange Server
Who = All Users
What = Storage Group Removed from Exchange Server
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Microsoft SQL\Configuration
5.6 - Audit Add Role
Who = All Users
What = Audit Add Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Database
Who = All Users
What = Audit Alter Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Database Object
Who = All Users
What = Audit Alter Database Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Database Principal
Who = All Users
What = Audit Alter Database Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Schema Object
Who = All Users
What = Audit Alter Schema Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Server Object
Who = All Users
What = Audit Alter Server Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Alter Server Principal
Who = All Users
What = Audit Alter Server Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Drop DB User
Who = All Users
What = Audit Drop DB User
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Microsoft SQL\Data

5.6 - SQL Data Level Events in the last 24 hours
Who = All Users
What = Check Constraint Added to a Table; Check Constraint Removed from a Table; Default Constraint Added to a Table; Default Constraint Removed from a Table; Default Object Added; Default Object Removed; Foreign Key Added to a Table; Foreign Key Removed from a Table; Function Added; Function Altered; Function Removed; Index Added to a Table; Index Removed from a Table; Object Renamed; Primary Key Added to a Table; Primary Key Removed from a Table; Procedure Added; Procedure Altered; Procedure Removed; Row Added to a Table; Row Removed from a Table; Row Updated in a Table; Rule Added; Rule Removed; Statistics Added to a Table; Statistics Removed from a Table; Table Added; Table Altered; Table Removed; Table Truncated; Trigger Added; Trigger Altered; Trigger Removed; Type Added; Type Removed; User Added; User Removed; View Added; View Altered; View Removed
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
5.6 - SQL Data Level Row Change Events in the last 24 hours
Who = All Users
What = Row Added to a Table; Row Removed from a Table; Row Updated in a Table
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
5.6 - SQL Data Level Structure Change Events in the last 7 days
Who = All Users
What = Check Constraint Added to a Table; Check Constraint Removed from a Table; Default Constraint Added to a Table; Default Constraint Removed from a Table; Default Object Added; Default Object Removed; Foreign Key Added to a Table; Foreign Key Removed from a Table; Function Added; Function Altered; Function Removed; Index Added to a Table; Index Removed from a Table; Object Renamed; Primary Key Added to a Table; Primary Key Removed from a Table; Procedure Added; Procedure Altered; Procedure Removed; Rule Added; Rule Removed; Statistics Added to a Table; Statistics Removed from a Table; Table Added; Table Altered; Table Removed; Table Truncated; Trigger Added; Trigger Altered; Trigger Removed; Type Added; Type Removed; User Added; User Removed; View Added; View Altered; View Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Microsoft SQL\Security
5.6 - Audit Alter Object Derived Permission
Who = All Users
What = Audit Alter Object Derived Permission
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Storage\Windows File System
5.6 - Directory share added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Directory share removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
5.6 - Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
SharePoint
5.6 - Site Collection Groups created and deleted in the last 7 days
Who = All Users
What = Security group created; Security group deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Site Collection Groups Membership changes in the last 7 days
Who = All Users
What = Member added to security group; Member removed from security group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Site Collection Ownership changes in the last 7 days
Who = All Users
What = Site collection ownership granted; Site collection ownership revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Site Collections created and deleted in the last 7
Who = All Users
What = Site collection created; Site collection deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Sites created and deleted in the last 7 days
Who = All Users
What = Site created; Site deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Sites moved in the last 7 days
Who = All Users
What = Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
VMWare
5.6 - Storage Events in the last 7 days
Who = All Users
What = Datastore Capacity Increased; Datastore Destroyed; Datastore Discovered; Datastore Duplicated; Datastore Event; Datastore File Copied; Datastore File Deleted; Datastore File Event; Datastore File Moved; Datastore IORMReconfigured; Datastore Principal Configured; Datastore Removed On Host; Datastore Renamed; Datastore Renamed On Host; Local Datastore Created; NASDatastore Created; No Datastore Configured; Non VIWorkload Detected On Datastore; Vm Failed Relayout On Vmfs2 Datastore; VMFSDatastore Created; VMFSDatastore Expanded; VMFSDatastore Extended
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Security of Processing
32 - Detailed List of security log modifications
Active Directory
Authentication Services
Active Directory\Configuration
Authentication Services
Microsoft SQL\Security
SharePoint
Storage\Windows File System
32 - Detailed List of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit The Access of Global System Objects Policy Changed; Audit: Audit The Use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Active Directory
32 - Active Directory Database Events in last 30 days
Who = All Users
What = Active Directory Database facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Changes to SYSVOL on all Domain Controllers in last 30 days
Who = All Users
What = SYSVOL facility; SYSVOL Location Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Default domain audit policy changes last 30 days

Report generated for each domain

Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services
32 - Authentication Services computers added in last 30 days
Who = All Users
What = Authentication Services Computer object added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Authentication Services computers deleted in last 30 days
Who = All Users
What = Authentication Services Computer object deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Default domain Kerberos policy changes last 30 days

Report generated for each domain

Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Default domain password policy changes last 30 days

Report generated for each domain

Who = All Users
What = Enforce Password History Policy Changed; Maximum Password Age Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Active Directory\Configuration
32 - All Schema Configuration Events
Who = All Users
What = Schema Configuration facility
Schema FSMO Role Owner Moved; Schema Modifications Allowed Flag Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Authentication Services GPO settings changes in last 30 days
Who = All Users
What = Authentication Services GPO Settings Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Changes in trust
Who = All Users
What = Cross-forest Trust Added; Cross-forest Trust Removed; Trust Added; Trust Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Changes to Domain account policies (GPO filter) in last 30 days
Who = All Users
What = Account Lockout Duration Policy Changed; Account Lockout Threshold Policy Changed; Enforce Password History Policy Changed; Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Password Age Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed; Reset Account Lockout Counter After Change Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Changes to Domain Audit Policies (GPO filter) in the last 30 days
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Changes to Domain Kerberos policies (GPO filter) in the last 30 days
Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Changes to IP deny filter changes in last 30 days
Who = All Users
What = IP Deny List Entry Added; IP Deny List Entry Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Cross Forest level trusts added in last 30 days
Who = All Users
What = Cross-forest Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Cross Forest level trusts deleted in last 30 days
Who = All Users
What = Cross-forest Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - DNS server list changes in last 30 days
Who = All Users
What = Contents of DNS Server List Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
32 - Domain policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Linked Group Policy or Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - High Severity changes in the last 30 days
Who = All Users
What = Severity | High
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Permission changes on domains in the last 30 days
Who = All Users
What = DACL Changed on Domain Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Trusts added in last 30 days
Who = All Users
What = Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Trusts deleted in last 30 days
Who = All Users
What = Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Use of dynamic DNS changed in last 30 days
Who = All Users
What = Use of Dynamic DNS Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Active Directory\GPO Configuration
32 - GPO Link changes on Domain objects in the last 30 days
Who = All Users
What = DACL Changed on Group Policy Object; Group Policy Linked; Group Policy Unlinked; Group Policy Block Inheritance Setting Changed on Domain; Group Policy No Override Setting Changed on Domain; Group Policy Disabled Setting on Domain Changed; Owner Changed on Group Policy Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers

Active Directory\Users and Groups

32 - Critical Group Membership changes in last 30 days
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group; Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group Membership changes in last 30 days
Who = All Users
What = Member Added to Group, Member Removed from Group; Nested Member Added to Group; Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Membership changed in critical groups in last 7 days
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Permissions on group changes last 30 days
Who = All Users
What = DACL Changed on Group Object; Active Directory subsystem
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Permissions on user accounts changed in last 30 days
Who = All Users
What = DACL Changed on User Object; Required User’s Permissions Changed for User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Permissions to AdminSDHolder in last 30 days
Who = All Users
What = DACL Changed on AdminSDHolder Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - User account restrictions changed in the last 30 days
Who = All Users
What = User Account Enabled; User Account Disabled; DACL Change on User Object; User Member-of Added; User Member-of Removed; User accountExpires Changed; User Password Changed; User logonHours Changed; User Account Locked; User Account Unlocked; Active Session Limit Changed for User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - User logon hours changed in last 30 days
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users added in last 30 days
Who = All Users
What = User Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users added to group in last 30 days
Who = All Users
What = User Member-of Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users deleted in last 30 days
Who = All Users
What = User Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users enabled in last 30 days
Who = All Users
What = User Account Enabled; User Account Re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users expiration date changed in last 30 days
Who = All Users
What = User Account Expires changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users locked in last 30 days
Who = All Users
What = User Account Locked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users locked out in last 30 days
Who = All Users
What = User Account Locked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users logon hours changed in last 30 days
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users moved in last 30 days
Who = All Users
What = User Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users removed from group in last 30 days
Who = All Users
What = User Member-of Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users renamed in last 30 days
Who = All Users
What = Domain User Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users SAM account name changed in last 30 days
Who = All Users
What = User samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users unlocked in last 30 days
Who = All Users
What = User Account Unlocked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - Users workstation access restrictions changed in last 30 days
Who = All Users
What = User userWorkstations Added; User userWorkstations Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services
32 - Detailed list of password age policy modifications
Who = All Users
What = Maximum Password Age Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Detailed list of password complexity policy modifications
Who = All Users
What = Password Must Meet Complexity Requirements Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Detailed list of password history policy modifications
Who = All Users
What = Enforce Password History Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Detailed list of storing password policy modifications
Who = All Users
What = Store Passwords Using Reversible Encryption Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
- IPSec changes in last 30 days
Who = All Users
What = IPSEC Settings Changed
Where = All sources
When = Last 30 days
Origin = All domain controllers

Messaging\Exchange

32 - All Exchange Administrative Group events in last 30 days
Who = All Users
What = Exchange Administrative Group facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
32 - All Send Connector Change Events
Who = All Users
What = Mutual Auth TLS Option Changed on Send Connector; Send Connector Added to Organization Configuration; Send Connector Protocol Logging Changed; Send Connector Removed from Organization Configuration; Send Connector Renamed; Send Connector Response FQDN Changed; Send Connector Status Changed; Address Space Added to Send Connector; Address Space Removed from Send Connection; External DNS Lookup Option Changed on Send Connector; Send Connector Maximum Message Size Changed; Smart Host Added to Send Connector; Smart Host Authentication Settings Changed on Send Connector; Smart Host Removed from Send Connector; Source Server Added to Send Connector; Source Server Removed from Send Connector
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - All Unified Messaging (UM) Policy Change Events
Who = All Users
What = Allow Calls to Extensions Option Changed in UM Mailbox Policy; Allow Calls to Same-Plan Users Option Changed in UM Mailbox Policy; Allow Common PIN Pattern Option Changed in UM Mailbox Policy; Fax Identity Changed in UM Mailbox Policy; Fax Message Text Changed in UM Mailbox Policy; Incorrect PIN Mailbox Lockout Setting Changed in UM Mailbox Policy; Incorrect PIN Reset Setting Changed in UM Mailbox Policy; In-Country Rule Group Added to UM Mailbox Policy; In-Country Rule Group Removed From UM Mailbox Policy; International Rule Group Added to UM Mailbox Policy; International Rule Group Removed from UM Mailbox Policy; Mailbox Enabled Text Changed in UM Mailbox Policy; Maximum Greeting Duration Changed in UM Mailbox Policy; Maximum Greeting Duration Enabled Option Changed in UM Mailbox Policy; Minimum PIN Length Changed in UM Mailbox Policy; PIN History Length Changed in UM Mailbox Policy; PIN Lifetime Changed in UM Mailbox Policy; PIN Reset Text Changed in UM Mailbox Policy; UM Mailbox Policy Added to Organization Configuration; UM Mailbox Policy Removed from Organization Configuration; UM Mailbox Policy Renamed; Voice Message Text Changed in UM Mailbox Policy
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Microsoft SQL\Security
32 - All SQL Add Roles, User, and Login Events in the last 24 hours
Who = All Users
What = Audit Add DB User; Audit Add Login; Audit Add Login to Server Role; Audit Add Member to DB Role; Audit Add Role
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
32 - All SQL Security Audit Events in the last 24 hours
Who = All Users
What = SQL Security Audit Event facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
5.6 - Audit Add DB User
Who = All Users
What = Audit Add DB User
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Add Login
Who = All Users
What = Audit Add Login
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Add Login to Server Role
Who = All Users
What = Audit Add Login to Server Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
5.6 - Audit Add Member to DB Role
Who = All Users
What = Audit Add Member to DB Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
SharePoint
32 - Permission changes in the last 7 days
Who = All Users
What = All permission levels revoked; Permission level created; Permission level deleted; Permission level granted; Permission level permissions modified; Permission level revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
32 - Permission Inheritance changes in the last 7 days
Who = All Users
What = Permission inheritance broken; Permission inheritance restored; Permission level inheritance broken; Permission level permissions modified
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Storage\Windows File System
32 - File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating