Chat now with support
Chat with Support

Change Auditor 7.1.1 - Built-in Reports Reference Guide

Introduction Built-in reports
Active Directory Federation Services AD Query All Events Authentication Services Azure Active Directory Defender Office 365 Logon Activity Skype for Business Recommended Best Practices Regulatory Compliance
FISMA (Federal Information Security Management Act)
NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A01 – User Association NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A02 – Content of Audit Records NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A03 – Auditable Events NIST SP 800-53 | Technical Controls | Accountability (Including Audit Trails) | A04 – Audit Processing NIST SP 800-53 | Technical Controls | Identification and Authentication | IA02 – Remote, Privileged Access Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA03 – Password Protection Mechanisms NIST SP 800-53 | Technical Controls | Identification and Authentication | IA04 – Password Life NIST SP 800-53 | Technical Controls | Identification and Authentication | IA05 – Password Content NIST SP 800-53 | Technical Controls | Identification and Authentication | IA12 – Remote Access Identification Authentication NIST SP 800-53 | Technical Controls | Identification and Authentication | IA16 – Password Management NIST SP 800-53 | Technical Controls | Logical Access Control | AC01 - Remote Access Restrictions NIST SP 800-53 | Technical Controls | Logical Access Control | AC02 - Logon Notification Message NIST SP 800-53 | Technical Controls | Logical Access Control | AC05 - Session Inactivity NIST SP 800-53 | Technical Controls | Logical Access Control | AC06 - Limited Connection Time NIST SP 800-53 | Technical Controls | Logical Access Control | AC09 - Enforcement Mechanisms NIST SP 800-53 | Technical Controls | Logical Access Control | AC10 - Automated Account Controls NIST SP 800-53 | Technical Controls | Logical Access Control | AC12 - Supervision and Review NIST SP 800-53 | Technical Controls | Logical Access Control | AC14 - Authorization Procedures NIST SP 800-53 | Technical Controls | System and Communications Protection | SP02 - Information System Partitioning NIST SP 800-53 | Technical Controls | System and Communications Protection | SP04 - Denial of Service Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP05 - Resource Priority NIST SP 800-53 | Technical Controls | System and Communications Protection | SP06 - Boundary Protection NIST SP 800-53 | Technical Controls | System and Communications Protection | SP07 - Network Segregation NIST SP 800-53 | Technical Controls | System and Communications Protection | SP09 - Network Disconnect NIST SP 800-53 | Technical Controls | System and Communications Protection | SP11 - Trust Path NIST SP 800-53 | Technical Controls | System and Communications Protection | SP16 - Use of Encryption
GLBA (Gramm-Leach-Bliley Act) GDPR HIPAA (Health Insurance Portability and Accountability Act) Payment Card Industry SAS 70 (Statement on Auditing Standards, Service Organizations) SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)
Security SharePoint SQL Data Level Threat Detection VMware

Service Auditor's Reports: Type I

Service Auditor’s Reports: Type I
(Executive Summary) – Service Auditor’s Report Type I

A summary report containing events from all of the following reports.

Service Auditor’s Report Type I – Detailed list of Change Auditor agent modifications
Who = All Users
What = Agent Service Has More Than 100 Events Waiting; Agent Service Has Reached a Critical Load; Agent Service Has Returned to Normal Operations; Change Auditor Agent Connected; Change Auditor Agent Disconnected; Change Auditor Agent Uninstalled
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of Change Auditor Internal Controls modifications
Who = All Users
What = Change Auditor Internal Auditing facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of critical group membership modifications
Who = All Users
What = Nested Member Added to Critical Enterprise Group; Nested Member Removed from Critical Enterprise Group; Member Added to Critical Enterprise Group; Member Removed from Critical Enterprise Group
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of file system permission modifications
Who = All Users
What = File Access Rights Changed; Folder Access Rights Changed; Local Share Permissions Changed; SYSVOL Folder Access Rights Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of GPO modifications
Who = All Users
What = Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of interactive login policy modifications
Who = All Users
What = Interactive Logon: Message Title for Users Attempting to Log On Changed; Interactive Logon: Do Not Require CTRL+ALT+DEL Policy Changed; Interactive Logon: Message Text for Users Attempting to Log On Policy Changed; Interactive Logon: Do Not Display Last User Name Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Service Auditor’s Report Type I – Detailed list of security log modifications
Who = All Users
What = Audit Account Logon Events Policy Changed; Audit Account Management Policy Changed; Audit Directory Service Access Policy Changed; Audit Logon Events Policy Changed; Audit Object Access Policy Changed; Audit Policy Change Policy Changed; Audit Privilege Use Policy Changed; Audit Process Tracking Policy Changed; Audit System Events Policy Changed; Audit: Audit the Access of Global System Object Policy Changed; Audit: Audit the use of Backup and Restore Privilege Policy Changed; Audit: Shut Down System Immediately if Unable to Log Security Audit Policy Changed; Security Audit Log Rolled Over; Crash on Audit Fail Policy Changed; Shut Down the Computer When the Security Audit Log is Full Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers

SOX (Sarbanes-Oxley General IT Controls Evidence based on the COBIT Framework)

The SOX reports are available under the following folders:
Section 404 | Acquisition and Implementation
Section 404 | Delivery and Support
Section 404 | Planning and Organization

Section 404 | Acquisition and Implementation

| Acquisition and Implementation

The Acquisition and Implementation reports are available under the following folders:
BAI2.1 - Define and maintain business functional and technical requirements
BAI2.2 - Perform a feasibility study and formulate alternative solutions
BAI3.10 – Maintain solutions
Authentication Services
Computer Activity
Exchange
BAI3.9 – Manage changes to requirements
BAI6.1 – Evaluate, prioritize and authorize change requests
Organizational Unit Management
BAI6.2 – Manage emergency changes
Organizational Unit Management
BAI6.3 – Track and report change status
Organizational Unit Management
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
BAI2.1 - Define and maintain business functional and technical requirements

BAI2.2 - Perform a feasibility study and formulate alternative solutions

BAI2.2 - Perform a feasibility study and formulate alternative solutions
(Executive Summary) Identify Automated Solutions

A summary report containing events from all of the following reports.

Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of all schema changes
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service changes
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Maintain solutions
(Executive Summary) BAI3.10 - Acquire and Maintain Technology Infrastructure

A summary report containing events from all of the following reports.

(Executive Summary) BAI3.10 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.10 – Detailed list of all hot fixes applied
Who = All Users
What = Hotfix Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of all registry changes
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of hot fixes rolled back
Who = All Users
What = Hotfix Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs applied
Who = All Users
What = Computer Service Pack Applied
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of service packs rolled back
Who = All Users
What = Computer Service Pack Rolled Back
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.10 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Authentication Services
BAI3.10 – Authentication Services computers added in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Authentication Services computers deleted in the last 30 days
Who = All Users
What = Authentication Services Computer Object Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Computer Activity
BAI3.10 – Computers added in the last 30 days
Who = All Users
What = Computer Added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers disabled in the last 30 days
Who = All Users
What = Computer Account Disabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers enabled in the last 30 days
Who = All Users
What = Computer Account Enabled
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers moved in the last 30 days
Who = All Users
What = Computer Moved
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers removed in the last 30 days
Who = All Users
What = Computer Removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI3.10 – Computers renamed in the last 30 days
Who = All Users
What = Computer Renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Exchange
BAI3.10 – OWA Website Added to Server
Who = All Users
What = OWA Web Site Added to Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Removed from the Server
Who = All Users
What = OWA Web Site Removed from Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.10 – OWA Website Renamed
Who = All Users
What = OWA Web Site Renamed on Server
Where = All sources
When = Last 7days
Origin = All workstations/servers
BAI3.9 – Manage changes to requirements
(Executive Summary) BAI3.9 - Acquire and Maintain Application Software

A summary report containing events from all of the following reports.

BAI3.9 – Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI3.9 – Detailed list of software installations via GPO removed
Who = All Users
What = Computer Software Installation Policy Removed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
BAI6.1 – Evaluate, prioritize and authorize change requests
BAI6.2 – Manage emergency changes
BAI6.3 – Track and report change status
(Executive Summary) Develop and Maintain Procedures

A summary report containing events from all of the following reports.

(Executive Summary) Ensure Continuous Service

A summary report containing events from all of the following reports.

(Executive Summary) Manage Changes

A summary report containing events from all of the following reports.

Detailed list of authorized changes made during business hours
Who = All Users
What = All categories
Where = All sources
When = From 08:00 PM to 05:00 AM
Origin = All workstations/servers
Detailed list of unauthorized changes made during business after hours
Who = All Users
What = All categories
Where = All sources
When = From 05:00 PM to 08:00 AM
Origin = All workstations/servers
Detailed list of GPO modifications
Who = All Users
What = Group Policy Item facility; Group Policy Object facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of computer modifications
Who = All Users
What = Custom Computer Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of DNS modifications
Who = All Users
What = DNS Service facility; DNS Zone facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain modifications
Who = All Users
What = Domain Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of domain controller
Who = All Users
What = Configuration Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of Exchange modifications
Who = All Users
What = Exchange Administrative Group facility; Exchange Distribution List facility; Exchange Organization facility; Exchange Permission Tracking facility; Exchange Security Group facility; Exchange User facility
Where = All sources
When = Last 7 days
Origin = All workstations/server
Detailed list of Exchange infrastructure modifications
Who = All Users
What = Exchange Organization facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of fault tolerance modifications
Who = All Users
What = Fault Tolerance facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of file system modifications
Who = All Users
What = Custom File System Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of forest modifications
Who = All Users
What = Forest Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of group modifications
Who = All Users
What = Custom Group Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of IP modifications
Who = All Users
What = IP Security facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of NETLOGON modifications
Who = All Users
What = NETLOGON Service facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of registry modifications
Who = All Users
What = Registry subsystem
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of replication modifications
Who = All Users
What = Replication Transport facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of schema modifications
Who = All Users
What = Schema Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of service modifications
Who = All Users
What = Service Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of site modifications
Who = All Users
What = Site Configuration facility; Site Link Configuration facility; Site Link Bridge Configuration facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of user modifications
Who = All Users
What = Custom User Monitoring facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of subnet modifications
Who = All Users
What = Subnets facility
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Organizational Unit Management
Organizational Units Added in Last 30 days
Who = All Users
What = Subordinate OU added
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Deleted in Last 30 days
Who = All Users
What = Subordinate OU removed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units Renamed in Last 30 days
Who = All Users
What = Subordinate Ou renamed
Where = All sources
When = Last 30 days
Origin = All workstations/servers
Organizational Units set to block GPO inheritance in Last 30 days
Who = All Users
What = Group Policy Block Inheritance Setting Changed on OU
Where = All sources
When = Last 30 days
Origin = All workstations/servers
BAI7.5 - Perform acceptance tests
BAI7.6 - Promote to production and manage releases
BAI7.8 – Perform a post-implementation review
(Executive Summary) Install and Accredit Systems

A summary of reports containing events from all of the following reports.

Detailed list of software installations via GPO added
Who = All Users
What = Computer Software Installation Policy Added
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Detailed list of software installations via GPO modified
Who = All Users
What = Computer Software Installation Policy Changed
Where = All sources
When = Last 7 days
Origin = All workstations/servers
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating