Chat now with support
Chat with Support

Change Auditor 7.1.1 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

164.312 – Technical Safeguards | Standard Access Control

| Standard Access Control

164.312 – Technical Safeguards | Standard Audit Control

| Standard Audit Control
(Executive Summary) – 164.312(b) – Audit Controls

A summary report containing events from all of the following reports.

Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service Has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled; Change Auditor Agent Connected
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of critical group membership modifications
Who = All Users
What = Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group; Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Object Policy Changed; Audit: Audit the use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audit Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Payment Card Industry

The reports are available under the following folders:

Build and Maintain a Secure Network and Systems

R1 - Establish firewall and router configuration standards
Authentication Services
Authentication Services computers added in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services computers deleted in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computer Activity
Computers added in the last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers disabled in the last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers enabled in the last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers moved in the last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers removed in the last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computers renamed in the last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Detailed list of file system modifications
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of interactive login policy modifications
Who = All Users
What = Interactive Logon: Do Not Display Last Name Policy Changed; Interactive Logon: Do Not Require CTRL+ALT+DEL Policy Changed; Interactive Logon: Message Text for Users Attempting to Log on Policy Changed; Interactive Logon: Message Title for Users Attempting to Log On Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NETLOGON Services facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Domain Controller Security
All Basic Domain Controller changes in last 30 days
Who = All Users
What = Append Parent Suffixes Option Changed; Connection DNS Registration Option Changed; Connection-Specific DNS Suffixes Changed; Contents of DNS Server List Changed; Contents of DNS Suffix List Changed; Default Gateway Changed; DHCP Enabled; DHCP Disabled; Disk Size Changed; IP Deny List Entry Added; IP Deny List Entry Removed; IPSEC Settings Changed; Memory Amount Changed; NIC Added; NIC Removed; Processor Speed Changed; Raw IP Allowed Protocols List Changed; Static IP Address Changed; Subnet Mask Changed; Use Connection Suffix in DNS Registration Option Changed; Use of Dynamic DNS Changed; Use Primary and Connection Specific Suffixes Flag Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Allow raw IP allowed protocols list changed in last 30 days
Who = All Users
What = Raw IP Allowed Protocols List Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Changes to DNS settings in last 30 days
Who = All Users
What = DHCP Enabled; DHCP Disabled; Static IP Address Changed; Subnet Mask Changed; Default Gateway Changed; Contents of DNS Server List Changed; Use Primary and Connection Specific Suffixes Flag Changed; Append Parent Suffixes Option Changed; Connection Specific DNS Suffix Changed; Contents of DNS Suffix List Changed; Use Connection Suffix in DNS Registration Option Changed; Connection DNS Registration Option Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Changes to IP deny filter changes in last 30 days
Who = All Users
What = IP Deny List Entry Added; IP Deny List Entry Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Changes to IP settings in last 30 days
Who = All Users
What = Append Parent Suffixes Option Changed; Connection DNS Registration Option Changed; Connection-Specific DNS Suffix Changed; Contents of DNS Server List Changed; Contents of DNS Suffix List Changed; Default Gateway Changed; DHCP Enabled; DHCP Disabled; Static IP Address Changed; Subnet Mask Changed; Use Primary and Connection-Specific Suffixes Flag Changed; Use Connection Suffix in DNS Registration Option Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Default gateway changes in last 30 days
Who = All Users
What = Default Gateway Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
DHCP disabled in last 30 days
Who = All Users
What = DHCP Disabled
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
DHCP enabled in last 30 days
Who = All Users
What = DHCP Enabled
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Disk size changes in last 30 days
Who = All Users
What = Disk Size Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
DNS server list changes in last 30 days
Who = All Users
What = Contents of DNS Server List Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Domain Controllers moved in last 30 days
Who = All Users
What = Domain Controller Moved to Another OU
Where = All sources
When = Last 30 days
Origin = All domain controllers
Domain Controllers renamed in last 30 days
Who = All Users
What = Domain Controller Renamed
Where = All sources
When = Last 30 days
Origin = All domain controllers
Global Catalog added to Domain Controller in last 30 days
Who = All Users
What = GC Added
Where = All sources
When = Last 30 days
Origin = All domain controllers
Global Catalog removed from Domain Controller in last 30 days
Who = All Users
What = GC Removed
Where = All sources
When = Last 30 days
Origin = All domain controllers
IPSec changes in last 30 days
Who = All Users
What = IPSEC Settings Changed
Where = All sources
When = Last 30 days
Origin = All domain controllers
NIC added/removed in last 30 days
Who = All Users
What = NIC Added; NIC Removed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Static IP address changes in last 30 days
Who = All Users
What = Static IP Address Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Subnet mask changes in last 30 days
Who = All Users
What = Subnet Mask Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
TCP/IP allowed in last 30 days
Who = All Users
What = IP Deny List Entry Added; IP Deny List Entry Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Use of dynamic DNS changed in last 30 days
Who = All Users
What = Use of Dynamic DNS Changed
Where = Domain Controller
When = Last 30 days
Origin = All domain controllers
Exchange
OWA Website Added to Server
Who = All Users
What = OWA Web Site Added to Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
OWA Website Removed from the Server
Who = All Users
What = OWA Web Site Removed from Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
OWA Website Renamed
Who = All Users
What = OWA Web Site Renamed on Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
Trust Activity
Cross Forest level trust added in last 30 days
Who = All Users
What = Cross-forest Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Cross Forest level trust deleted in last 30 days
Who = All Users
What = Cross-forest Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Trusts added in last 30 days
Who = All Users
What = Trust Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Trusts deleted in last 30 days
Who = All Users
What = Trust Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
R2 - Do not use vendor-supplied defaults for system passwords and other security parameters
Authentication Services
Authentication Services GPO Settings Changes in the last 30 days
Who = All Users
What = Authentication Services GPO Settings Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Critical GPO Changes
Default domain audit policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Default domain Kerberos policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Default domain password policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Enforce Password History Policy Changed; Maximum Password Age Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed
Group Policy subsystem – Default Domain Policy container
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Accounts: Administrator Account Status Policy Changed; Accounts: Guest Account Status Policy Changed; Accounts: Limit Local Account Use of Blank Passwords to Console Only Policy Changed; Accounts: Rename Administrator Account Policy Changed; Accounts: Rename Guest Account Policy Changed; Audit: Audit the Access of Global System Objects Policy Changed; Audit: Audit the User of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audits Policy Changed; Devices: Allow Undock Without Having to Logon Policy Changed; Devices: Allowed to Format and Eject Removable Media Policy Changed; Devices: Prevent Users from Installing Printer Drivers Policy Changed; Devices: Restrict CD-ROM Access to Locally Logged-on User Only Policy Changed; Devices: Restrict Floppy Access to Locally Logged-on User Only Policy Changed; Devices: Unsigned Driver Installation Behavior Policy Changed; Domain Controller: Allow Server Operators to Schedule Tasks Policy Changed; Domain Controller: LDAP Server Signing Requirements Policy Changed; Domain Controller: Refuse Machine Account Password Changes Policy Changed; Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) Policy Changed; Enforce Password History Policy Changed; Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; System Objects: Strengthen Default Permissions of Global System Objects Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Domain policy changes in last 30 days

Report generated for each domain

Who = All Users
What = Linked Group Policy or Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Domain Security
Changes to Domain account policies (GPO filter) in last 30 days
Who = All Users
What = Account Lockout Duration Policy Changed; Account Lockout Threshold Policy Changed; Enforce Password History Policy Changed; Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Password Age Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed; Minimum Password Age Policy Changed; Minimum Password Length Policy Changed; Password Must Meet Complexity Requirements Policy Changed; Store Passwords Using Reversible Encryption Policy Changed; Reset Account Lockout Counter After Change Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Changes to Domain Audit policies (GPO filter) in last 30 days
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Event Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Changes to Domain Kerberos policies (GPO filter) in last 30 days
Who = All Users
What = Enforce User Logon Restrictions Policy Changed; Maximum Lifetime for Service Ticket Policy Changed; Maximum Lifetime for User Ticket Policy Changed; Maximum Lifetime for User Ticket Renewal Policy Changed; Maximum Tolerance for Computer Clock Synchronization Policy Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
GPO Link changes on Domain objects in last 30 days
Who = All Users
What = DACL Changed on Group Policy Object; Group Policy Linked; Group Policy Unlinked; Group Policy Block Inheritance Setting Changed on Domain; Group Policy No Override Setting Changed on Domain; Group Policy Disabled Setting on Domain Changed; Owner Changed on Group Policy Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permission changes on domains in last 30 days
Who = All Users
What = DACL Changed on Domain Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permissions to AdminSDHolder Changes in last 30 days
Who = All Users
What = DACL Changed on AdminSDHolder Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Exchange
All ActiveSync Mailbox Policy Events
Who = All Users
What = ActiveSync Mailbox Policy Added to Organization Client Access Configuration; ActiveSync Mailbox Policy Allow Attachments to be Downloaded Option Changed; ActiveSync Mailbox Policy Allow Non-Provisionable Devices Options Changed; ActiveSync Mailbox Policy Allow Simple Password Option Changed; ActiveSync Mailbox Policy Enable Password Recovery Option Changed; ActiveSync Mailbox Policy Maximum Attachment Size Changed; ActiveSync Mailbox Policy Minimum Password Length Changed; ActiveSync Mailbox Policy Password Expiration Changed; ActiveSync Mailbox Policy Password History Changed; ActiveSync Mailbox Policy Password Required Option Changed; ActiveSync Mailbox Policy Removed from Organization Client Access Configuration; ActiveSync Mailbox Policy Renamed; ActiveSync Mailbox Policy Require Alphanumeric Password Option Changed; ActiveSync Mailbox Policy Require Encryption On Device Option Changed; ActiveSync Mailbox Policy User Idle Timeout Changed; ActiveSync Mailbox Policy Windows File Shares Access Option Changed; ActiveSync Mailbox Policy Windows SharePoint Services Access Option Changed; ActiveSync Mailbox Policy Number of Failed Attempts Allowed Changed; ActiveSync Mailbox Policy Refresh Interval Changed; ActiveSync Mailbox Policy Require Encryption On Device Option Changed; Mobile Device - ActiveSync Device Policy
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Email Address Policy Events
Who = All Users
What = Email Address Policy Added to Organization Configuration; Email Address Policy Email Address Filter List Changed; Email Address Policy Priority Changed; Email Address Policy Query Filter Changed; Email Address Policy Removed from Organization Configuration; Email Address Policy Renamed; Email Address Policy Storage Filter Changed; Distribution List - Email Address Policy Enabled Changed; Mailbox - Email Address Policy Enabled Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Permission Tracking Events
Who = All Users
What = Exchange Permission Tracking facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Journaling Rule Change Events
Who = All Users
What = Journaling Rule Added to Organization Configuration; Journaling Rule Changed; Journaling Rule Removed from Organization Configuration; Journaling Rule Renamed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Deleted Items Retention Period Changed for a user
Who = All Users
What = Deleted Item Retention Period Changed; Deleted Item Retention Use Defaults Storage Option Changed; Mailbox - End Date Retention Hold; Mailbox - Retention Hold Enabled; Mailbox - Retention Policy; Mailbox - Start Date for Retention Hold; Mailbox - Use Database Retention Defaults
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Message Tracking Options Changed on an Exchange 2007 Server
Who = All Users
What = Message Tracking Option Changed on Server
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Organizational Unit Management
Organizational Units added in last 30 days
Who = All Users
What = Subordinate OU Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units deleted in last 30 days
Who = All Users
What = Subordinate OU Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units renamed in last 30 days
Who = All Users
What = Subordinate OU Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units set to block GPO inheritance in last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy Changed last 30 days
Group Policy block inheritance changes
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU; Group Policy Block Inheritance Setting Changed on Site; Group Policy Block Inheritance Setting Changed on Domain
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy disabled setting changes
Who = All Users
What = Group Policy Disabled Setting on OU Changed; Group Policy Disabled Setting on Site Changed; Group Policy Disabled Setting on Domain Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group Policy no override changes
Who = All Users
What = Group Policy No Override Setting Changed on OU; Group Policy No Override Setting Changed on Site; Group Policy No Override Setting Changed on Domain
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating