Chat now with support
Chat with Support

Change Auditor 7.1.1 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know
Access Control - File System
Directory shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Directory shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder attribute changed in last 30 days
Who = All Users
What = File Attribute Changed; Folder Attribute Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder modified date changed in last 30 days
Who = All Users
What = File Last Write Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder renamed in last 30 days
Who = All Users
What = File Renamed; Folder Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services
Authentication Services computers added in last 30 days
Who = All Users
What = Authentication Services Computer object added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Authentication Services computers deleted in last 30 days
Who = All Users
What = Authentication Services Computer object deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Groups set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for Group - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX home directory changed in last 30 days
Who = All Users
What = UNIX Home Directory Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX login shell changed in last 30 days
Who = All Users
What = UNIX Login Shell Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled groups deleted in last 30 days
Who = All Users
What = UNIX-Enabled Group Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
UNIX-enabled users deleted in last 30 days
Who = All Users
What = UNIX-Enabled User Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-disabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users set to UNIX-enabled in last 30 days
Who = All Users
What = UNIX-Enabled Changed for User - Restriction = To: Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender
All Defender events in last 30 days
Who = All Users
What = Defender facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member added to access node in last 30 days
Who = All Users
What = Member Added to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member removed from access node in last 30 days
Who = All Users
What = Member Removed from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node added in last 30 days
Who = All Users
What = Defender Access Node Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node removed in last 30 days
Who = All Users
What = Defender Access Node Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender password events in last 30 days
Who = All Users
What = Defender Password Changed; Defender Password Cleared; Defender Password Expiry Cleared; Defender Password Expiry Set; Defender Password Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy added in last 30 days
Who = All Users
What = Defender Policy Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy change events in last 30 days
Who = All Users
What = Defender Policy Changed for Access Node; Defender Policy Changed for Group; Defender Policy Changed for Security Server; Defender Policy Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy removed in last 30 days
Who = All Users
What = Defender Policy Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload added in last 30 days
Who = All Users
What = Defender RADIUS Payload Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload change events in last 30 days
Who = All Users
What = Defender RADIUS Payload Changed for Access Node; Defender RADIUS Payload Changed for Group; Defender RADIUS Payload Changed for Security Server; Defender RADIUS Payload Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload removed in last 30 days
Who = All Users
What = Defender RADIUS Payload Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server added in last 30 days
Who = All Users
What = Defender Security Server Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server assigned to access node in last 30 days
Who = All Users
What = Defender Security Server Assigned to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server removed in last 30 days
Who = All Users
What = Defender Security Server Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server unassigned from access node in last 30 days
Who = All Users
What = Defender Security Server Unassigned from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender temporary response events in last 30 days
Who = All Users
What = Defender Token Temporary Response Cleared; Defender Token Temporary Response Set; Defender Token Temporary Response Usage Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token added in last 30 days
Who = All Users
What = Defender Token Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token assigned in last 30 days
Who = All Users
What = Defender Token Assigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token PIN events in last 30 days
Who = All Users
What = Defender Token PIN Changed; Defender Token PIN Cleared; Defender Token PIN Expiry Cleared; Defender Token PIN Expiry Set; Defender Token PIN Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token removed in last 30 days
Who = All Users
What = Defender Token Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token unassigned in last 30 days
Who = All Users
What = Defender Token Unassigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Dynamic Access Control - DAC
File central access policy changed
Who = All Users
What = File central access policy changed
Where = All sources
When = Last 7days
Origin = All workstations/servers
EMC
EMC file access rights changed
Who = All Users
What = EMC file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents written
Who = All Users
What = EMC file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents created
Who = All Users
What = EMC file contents created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents deleted
Who = All Users
What = EMC file contents deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents moved
Who = All Users
What = EMC file contents moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents opened
Who = All Users
What = EMC file contents opened
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file ownership changed
Who = All Users
What = EMC file ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file renamed
Who = All Users
What = EMC file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder access rights changed
Who = All Users
What = EMC folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder created
Who = All Users
What = EMC folder created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder deleted
Who = All Users
What = EMC folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder moved
Who = All Users
What = EMC folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder ownership changed
Who = All Users
What = EMC folder ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder renamed
Who = All Users
What = EMC folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
Exchange
All Exchange Administrative Group Events
Who = All Users
What = Exchange Administrative Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Distribution List (Group) Events
Who = All Users
What = Exchange Security Group facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Exchange Permission Tracking Events
Who = All Users
What = Exchange Permission Tracking facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Group Management
Group added in last 30 days
Who = All Users
What = Group Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group deleted in last 30 days
Who = All Users
What = Group Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member added changes in last 30 days
Who = All Users
What = Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group member removed changes in last 30 days
Who = All Users
What = Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group moved in last 30 days
Who = All Users
What = Group Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member added changes in last 30 days
Who = All Users
What = Nested Member Added to Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group nested member removed changes in last 30 days
Who = All Users
What = Nested Member Removed from Group
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group permissions changed in last 30 days
Who = All Users
What = DACL Changed on Group Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed (SAM account name) changes in last 30 days
Who = All Users
What = Group samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group renamed in last 30 days
Who = All Users
What = Group Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Group type changes in last 30 days
Who = All Users
What = Group Type Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
NetApp
NetApp file access rights changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file contents written
Who = All Users
What = NetApp file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file created
Who = All Users
What = NetApp file created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file deleted
Who = All Users
What = NetApp file deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file moved
Who = All Users
What = NetApp file moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file opened
Who = All Users
What = NetApp file opened
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed (no from-value)
Who = All Users
What = NetApp file access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file renamed
Who = All Users
What = NetApp file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder created
Who = All Users
What = NetApp folder created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder deleted
Who = All Users
What = NetApp folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder moved
Who = All Users
What = NetApp folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder renamed
Who = All Users
What = NetApp folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
SharePoint
Permission changes in the last 7 days
Who = All Users
What = All permission levels revoked; Permission level created; Permission level deleted; Permission level granted; Permission level permissions modified; Permission level revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Permission inheritance changes in the last 7 days
Who = All Users
What = Permission inheritance broken; Permission inheritance restored; Permission level inheritance broken; Permission level permissions modified
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups created and deleted in the last 7 days
Who = All Users
What = Security group created; Security group deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection Groups membership changes in the last 7 days
Who = All Users
What = Member added to security group; Member removed from security group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collection ownership changes in the last 7 days
Who = All Users
What = Site collection ownership granted; Site collection ownership revoked
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Site Collections created and deleted in the last 7 days
Who = All Users
What = Site collection created; Site collection deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites created and deleted in the last 7 days
Who = All Users
What = Site created; Site deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Sites moved in the last 7 days
Who = All Users
What = Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
SQL
All SQL Add Roles, User, and Login Events in the last 24 hours
Who = All Users
What = Audit Add DB User; Audit Add Login; Audit Add Login to Server Role; Audit Add Member to DB Role; Audit Add Role
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
Audit Add Login
Who = All Users
What = Audit Add Login
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Login to Server Role
Who = All Users
What = Audit Add Login to Server Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Member to DB Role
Who = All Users
What = Audit Add Member to DB Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Add Role
Who = All Users
What = Audit Add Role
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database
Who = All Users
What = Audit Alter Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Object
Who = All Users
What = Audit Alter Database Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Database Principal
Who = All Users
What = Audit Alter Database Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Object Derived Permission
Who = All Users
What = Audit Alter Object Derived Permission
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Schema Object
Who = All Users
What = Audit Alter Schema Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Object
Who = All Users
What = Audit Alter Server Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Alter Server Principal
Who = All Users
What = Audit Alter Server Principal
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Drop Database
Who = All Users
What = Audit Drop Database
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Audit Drop DB User
Who = All Users
What = Audit Drop DB User
Where = All sources
When = Last 7 days
Origin = All workstations/servers
User Activity
Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users expiration date changed in last 30 days
Who = All Users
What = User Account Expires changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users locked in last 30 days
Who = All Users
What = User Account Locked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users unlocked in last 30 days
Who = All Users
What = User Account Unlocked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
User Management
Changes to user profiles in last 30 days
Who = All Users
What = Home Folder Changed on User Object; Home Folder Mapped Drive Changed on User Object; Level of Control Changed for User Object; Primary Group ID Changed for User Object; Profile Path Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Permissions on user accounts changed in last 30 days
Who = All Users
What = DACL Changed on User Object; Required User’s Permissions Changed for User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added in last 30 days
Who = All Users
What = User Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users added to group in last 30 days
Who = All Users
What = User Member-of Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users deleted in last 30 days
Who = All Users
What = User Object Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users disabled in last 30 days
Who = All Users
What = User Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users display name changed in last 30 days
Who = All Users
What = Display Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users enabled in last 30 days
Who = All Users
What = User Account Enabled; User Account Re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users first name changed in last 30 days
Who = All Users
What = First Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users last name changed in last 30 days
Who = All Users
What = Last Name Changed on User Object
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users locked out in last 30 days
Who = All Users
What = User Account Locked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users logon hours changed in last 30 days
Who = All Users
What = User logonHours Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users moved in last 30 days
Who = All Users
What = User Object Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users name(s) changed in last 30 days
Who = All Users
What = Display Name Changed on User Object; First Name Changed on User Object; User samAccountName Changed; Last Name Changed on User Object; User userPrincipal Name Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users principal name changed in last 30 days
Who = All Users
What = User userPrincipalName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users removed from group in last 30 days
Who = All Users
What = User Member-of Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users renamed in last 30 days
Who = All Users
What = Domain User Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users SAM account name changed in last 30 days
Who = All Users
What = User samAccountName Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users status changed in last 30 days (Enabled, Disabled, Created, Deleted, Locked, Unlocked)
Who = All Users
What = User Account Enabled; User Account Disabled; User Object Added; User Object Removed; User Account Locked; User Account Unlocked; User Account Re-enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users unlocked in last 30 days
Who = All Users
What = User Account Unlocked
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Users workstation access restrictions changed in last 30 days
Who = All Users
What = User userWorkstations Added; User userWorkstations Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
R8 - Identify and authenticate access to system components
Defender
All Defender events in last 30 days
Who = All Users
What = Defender facility
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member added to access node in last 30 days
Who = All Users
What = Member Added to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender – Member removed from access node in last 30 days
Who = All Users
What = Member Removed from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node added in last 30 days
Who = All Users
What = Defender Access Node Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender access node removed in last 30 days
Who = All Users
What = Defender Access Node Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender password events in last 30 days
Who = All Users
What = Defender Password Changed; Defender Password Cleared; Defender Password Expiry Cleared; Defender Password Expiry Set; Defender Password Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy added in last 30 days
Who = All Users
What = Defender Policy Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy change events in last 30 days
Who = All Users
What = Defender Policy Changed for Access Node; Defender Policy Changed for Group; Defender Policy Changed for Security Server; Defender Policy Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender policy removed in last 30 days
Who = All Users
What = Defender Policy Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload added in last 30 days
Who = All Users
What = Defender RADIUS Payload Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload change events in last 30 days
Who = All Users
What = Defender RADIUS Payload Changed for Access Node; Defender RADIUS Payload Changed for Group; Defender RADIUS Payload Changed for Security Server; Defender RADIUS Payload Changed for User
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender RADIUS payload removed in last 30 days
Who = All Users
What = Defender RADIUS Payload Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server added in last 30 days
Who = All Users
What = Defender Security Server Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server assigned to access node in last 30 days
Who = All Users
What = Defender Security Server Assigned to Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server removed in last 30 days
Who = All Users
What = Defender Security Server Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender security server unassigned from access node in last 30 days
Who = All Users
What = Defender Security Server Unassigned from Access Node
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender temporary response events in last 30 days
Who = All Users
What = Defender Token Temporary Response Cleared; Defender Token Temporary Response Set; Defender Token Temporary Response Usage Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token added in last 30 days
Who = All Users
What = Defender Token Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token assigned in last 30 days
Who = All Users
What = Defender Token Assigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token PIN events in last 30 days
Who = All Users
What = Defender Token PIN Changed; Defender Token PIN Cleared; Defender Token PIN Expiry Cleared; Defender Token PIN Expiry Set; Defender Token PIN Set
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token removed in last 30 days
Who = All Users
What = Defender Token Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Defender token unassigned in last 30 days
Who = All Users
What = Defender Token Unassigned
Where = All sources
When = Last 30 days
Origin = All workstations/servers

Maintain a Vulnerability Management Program

R5 - Protect all systems against malware and regularly update ant-virus software or programs
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
R6 - Develop and maintain secure systems and applications
Service Packs and Hot Fixes
Detailed list of all hot fixes applied
Who = All Users
What = Hotfix Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of hot fixes rolled back
Who = All Users
What = Hotfix Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service packs applied
Who = All Users
What = Computer Service Pack Applied; Domain Controller Service Pack Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service packs rolled back
Who = All Users
What = Domain Controller Service Pack Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers

Regularly Monitor and Test Networks

R10 - Track and monitor all access to network resources and cardholder data
Detailed list of audit policy modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Object Policy Changed; Audit: Audit the use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audit Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service Has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Connected; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Change Auditor security group modifications
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group; Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of critical group membership modifications
Who = All Users
What = Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group; Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of DACL modifications
Who = All Users
What = DACL Changed on AdminSDHolder Object; DACL Changed on Domain Object; DACL Changed on Exchange Group Object (Exchange 2003); DACL Changed on Group Object; DACL Changed on Group Policy Object; DACL Changed on OU Object; DACL Changed on User Object; DACL Changed on Computer Object
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system permission modifications
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed; Local Share Permissions Changed; SYSVOL Folder Access Rights Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of nested group membership modifications
Who = All Users
What = Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group; Nested Member Added to Group; Nested Member Removed from Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Object Policy Changed; Audit: Audit the use of Backup and Restore Privilege Policy Changed; Crash on Audit Fail Policy Changed; Security Audit Log Rolled Over; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Access Control - File System
Directory shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Directory shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File Access Denied NTFS
Who = All Users
What = Failed File Access (FTFS Permissions)
Where = All sources
When = Last 7 days
Origin = All workstations/servers
File Access Denied Change Auditor Lockdown
Who = All Users
What = Failed File Access
Where = All sources
When = Last 7 days
Origin = All workstations/servers
File/Folder added in last 30 days
Who = All Users
What = File Created; Folder Created
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder attribute changed in last 30 days
Who = All Users
What = File Attribute Changed; Folder Attribute Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder auditing changed in last 30 days
Who = All Users
What = File Auditing Changed; Folder Auditing Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder modified date changed in last 30 days
Who = All Users
What = File Last Write Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder moved in last 30 days
Who = All Users
What = File Moved; Folder Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder ownership changed in last 30 days
Who = All Users
What = File Ownership Changed; Folder Ownership Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder permission changed in last 30 days
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder removed in last 30 days
Who = All Users
What = File Deleted; Folder Deleted
Where = All sources
When = Last 30 days
Origin = All workstations/servers
File/Folder renamed in last 30 days
Who = All Users
What = File Renamed; Folder Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Folder Access Denied NTFS
Who = All Users
What = Failed Folder Access (FTFS Permissions)
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Folder Access Denied Change Auditor Lockdown
Who = All Users
What = Failed Folder Access
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Local share added in last 30 days
Who = All Users
What = Local Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share auditing changed in last 30 days
Who = All Users
What = Local Share Auditing changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share permission changed in last 30 days
Who = All Users
What = Local Share Permissions Changed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Local share removed in last 30 days
Who = All Users
What = Local Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares added in last 30 days
Who = All Users
What = Active Directory Share Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Shares removed in last 30 days
Who = All Users
What = Active Directory Share Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Share Access Denied NTFS
Who = All Users
What = Failed Share Access (FTFS Permissions)
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Share Access Denied Change Auditor Lockdown
Who = All Users
What = Failed Share Access
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Change Auditor Internal Auditing
CEPP Configuration changed
Who = All Users
What = CEPP configuration changed
Where = All sources
When = This Week
Origin = All workstations/servers
Dynamic Access Control - DAC
File Classification changed
Who = All Users
What = File classification changed
Where = All sources
When = This week
Origin = All workstations/servers
EMC
EMC file access rights changed
Who = All Users
What = EMC file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents written
Who = All Users
What = EMC file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents created
Who = All Users
What = EMC file contents created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents deleted
Who = All Users
What = EMC file contents deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents moved
Who = All Users
What = EMC file contents moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file contents opened
Who = All Users
What = EMC file contents opened
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file ownership changed
Who = All Users
What = EMC file ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC file renamed
Who = All Users
What = EMC file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder access rights changed
Who = All Users
What = EMC folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder created
Who = All Users
What = EMC folder created
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder deleted
Who = All Users
What = EMC folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder moved
Who = All Users
What = EMC folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder ownership changed
Who = All Users
What = EMC folder ownership changed
Where = All sources
When = This Week
Origin = All workstations/servers
EMC folder renamed
Who = All Users
What = EMC folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
Logon Activity
All Failed Logons in the last 7 days
Who = All Users
What = User failed to authenticate through Kerberos, User failed to authenticate through NTLM, User failed to log on interactively, User failed to log on interactively from a remote computer, User failed to perform a network logon from a remote computer
Where = All sources
When = Last 7 days
Origin = All workstations/servers
All Interactive Logons in the past 24 hours
Who = All Users
What = User failed to log on interactively; User logged on interactively
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Kerberos Logons in the past 24 hours
Who = All Users
What = User authenticated through Kerberos, User failed to authenticate through Kerberos
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Logons in the past 24 hours
Who = All Users
What = Authentication Activity; Domain Controller Authentication; Logon Session
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All NTLM Logons in the past 24 hours
Who = All Users
What = User authenticated through NTLM, User failed to authenticate through NTLM
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All Remote Interactive Logons in the past 24 hours
Who = All Users
What = User failed to log on interactively from a remote computer; User failed to perform a network logon from a remote computer; User logged on interactively from a remote computer; User performed a successful network logon from a remote computer
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
All User Sessions in the past 24 hours
Who = All Users
What = Logon Session facility
Where = All sources
When = Last 24 hours
Origin = All workstations/servers
NetApp
NetApp file access rights changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file access rights (no from value)
Who = All Users
What = NetApp file access rights (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file contents written
Who = All Users
What = NetApp file contents written
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file created
Who = All Users
What = NetApp file created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file deleted
Who = All Users
What = NetApp file deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file moved
Who = All Users
What = NetApp file moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file opened
Who = All Users
What = NetApp file opened
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed
Who = All Users
What = NetApp file access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file ownership changed (no from value)
Who = All Users
What = NetApp file access rights changed (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp file renamed
Who = All Users
What = NetApp file renamed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed (no from-value)
Who = All Users
What = NetApp folder access rights changed (no from-value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder access rights changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder created
Who = All Users
What = NetApp folder created
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder deleted
Who = All Users
What = NetApp folder deleted
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder moved
Who = All Users
What = NetApp folder moved
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed
Who = All Users
What = NetApp folder access rights changed
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder ownership changed (no from value)
Who = All Users
What = NetApp folder access rights changed (no from value)
Where = All sources
When = This Week
Origin = All workstations/servers
NetApp folder renamed
Who = All Users
What = NetApp folder renamed
Where = All sources
When = This Week
Origin = All workstations/servers
SharePoint
Document Content changes in the last 7 days
Who = All Users
What = Document added; Document check out canceled; Document checked in; Document checked out; Document deleted; Document metadata updated; Document updated
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Document Story changes in the last 7 days
Who = All Users
What = Document library restored from recycle bin; Document metadata updated; Document moved; Document renamed; Document restored from recycle bin; Document updated; Document version deleted; Document viewed; SharePoint folder deleted; SharePoint folder moved; SharePoint folder renamed; SharePoint folder restored from recycle bin; SharePoint folder updated; Site collection deleted; Site deleted; Site moved
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Document Version changes in the last 7 days
Who = All Users
What = All document versions deleted; Document version deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
List Item changes in the last 7 days
Who = All Users
What = All list item versions deleted; List item added; List item attachment added; List item attachment deleted; List item deleted; List item restored from recycle bin; List item updated; List item version deleted
Where = All sources
When = Last 7 days
Origin = All workstations/servers
SQL
All SQL Errors and Warning events in the last 24 hours
Who = All Users
What = SQL Errors and Warnings Event
Where = All sources
When = Last 24 hours
Origin = All workstations/servers

SAS 70 (Statement on Auditing Standards, Service Organizations)

The SAS 70 reports are located under the following folder:
Service Auditor’s Reports: Type I
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating