Chat now with support
Chat with Support

Change Auditor 7.1.1 - Release Notes

Quest® Change Auditor 7.1

Quest® Change Auditor 7.1
These release notes provide information about the Quest Change Auditor release.
About Quest Change Auditor 7.1
New features
Important information
Resolved issues
Known issues
System requirements
Product licensing
Getting started with Change Auditor 7.1
About us

About Quest Change Auditor 7.1

Change Auditor provides total auditing and security coverage for your enterprise network. To protect your data and your business, Change Auditor Threat Detection uses advanced machine learning, user and entity behavioral analytics (UEBA), and SMART correlation technology to spot anomalous activity and identify the highest risk users in your environment. The users with the highest risk scores are then highlighted in the Threat Detection dashboard, enabling you to prioritize your response and adjust policies to strengthen your organization’s security and regulatory enforcement.

Change Auditor audits the activities taking place in your infrastructure and, with real-time alerts, delivers detailed information about vital changes and activities as they occur. Instantly know who made the change including the IP address of the originating workstation, where and when it occurred along with before and after values. Then automatically turn that information into intelligent, in-depth forensics for auditors and management — and reduce the risks associated with day-to-day modifications.
Audit all critical changes across your enterprise including Active Directory, Azure Active Directory, Office 365 Exchange Online\SharePoint Online\OneDrive For Business, Exchange, Windows File Servers, NetApp, EMC, SQL Server, VMware vCenter, SharePoint, Microsoft Skype for Business and Fluid File Systems.
Collect user login and log out activity for regulatory compliance and user activity tracking.
Automate ongoing compliance with tracking and reporting for compliance initiatives including SOX, PCI-DSS, HIPAA, FISMA, GLBA, and more.
Speed troubleshooting through real-time insight into changes with a comprehensive audit library including built-in audit alerts, reports, and powerful searches.
Proactively protect (lock down) critical Active Directory objects, Exchange mailboxes, and Windows files and folders from harmful changes that could open security holes or cause resources to become unavailable.
Modular approach allows separate product deployment and management for key environments including Active Directory, Exchange, Windows File Servers, NetApp, EMC, SQL Server, Active Directory Queries, SharePoint, Logon Activity, and Skype for Business.
Integrate with other Quest products to track, audit, report, and alert on critical changes made using Quest Authentication Services and Quest Defender.
Integrate with On Demand Audit to gain access to rich visualizations of on-premises and cloud events, responsive search across tenants, and long-term storage of audit data.

Change Auditor 7.1.1 is a minor release, with enhanced features and functionality. See New features.

New features

Additional Office 365 Exchange Online mailbox events:
Message opened in online shared mailbox
Message opened in online mailbox by owner
Message opened in online mailbox by non-owner
Online mailbox auditing has been throttled
Folder opened in online mailbox by owner
Folder synchronized from online shared mailbox
Folder synchronized from online mailbox by owner
Folder synchronized from online mailbox by non-owner

Enhanced security auditing
Event generated when an agent's configuration for Kerberos ticket lifetime is changed:
Agent configuration Kerberos Ticket Lifetime changed
Event generated when Kerberos auditing components are not on the domain controller resulting in Kerberos authentication events not being captured:
Kerberos auditing components failed to load
Ability to detect when an irregular domain replication request is performed which could indicate a potential threat:
Irregular domain replication activity detected
Additional built-in searches:
All Irregular Domain Replication Activity Events under Shared | Built-in | All Events
All Kerberos user ticket events that exceed the maximum ticket lifetime in the past 30 days under Shared | Built-in | Logon Activity

Search Enhancements
Ability to search and filter events based on the coordinator that processed them.
Updated Coordinator Statistics page:
Coordinator ID column to identify the coordinator that processes the events.
Hyperlinked columns to run a quick search for associated events for each coordinator.
Search results include the Coordinator ID to identify the coordinator that processed the event.
Layout tab includes a Coordinator ID column to sort and order results by coordinator.
Ability to see failure reason and status code in Active Directory failed search results.
Ability to see the full search folder path to identify the location for all search folder changes.
Updated default columns for the "All Failed Logons in the last 7 days” report.
Updated operators access when using the search commands:
Full access when using the following commands:
Invoke-CASearch
Get-CASearches
Get-CASearchDefinition
Restricted access to private searches and folders when using the following commands:
Set-CASearchProperties
Copy-CASearch
Add-CASearch
Move-CASearch
Remove-CASearch
Add-CASearchFolder
Remove-CASearchFolder

SIEM Tool Integration Improvements
Ability to send the rich events gathered by Change Auditor to a Syslog server.
Following events to monitor changes to syslog subscriptions have been added:
Syslog subscription added
Syslog subscription modified
Syslog subscription removed

 

Ability to Audit and Protect the Active Directory Database

Change Auditor allows you to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts. When configured, Change Auditor can also prevent copying and other tampering attempts on the Active Directory database (NTDS.dit) file.

Extraction of this file could lead to parsing of usernames and passwords resulting in a security breach. The ability to audit changes to this file reduces the risk of the user account information from being accessed and tampered with by unwanted processes or users.

The following events have been added:
Active Directory database file access rights changed
Active Directory database file accessed
Active Directory database file attribute changed
Active Directory database file auditing changed
Active Directory database file central access policy changed
Active Directory database file classification changed
Active Directory database file created
Active Directory database file deleted
Active Directory database file last write changed
Active Directory database file moved
Active Directory database file ownership changed
Active Directory database file renamed
Failed Active Directory database access (Sharing violation)
Failed Active Directory database access (Change Auditor Protection)
Failed Active Directory database access (NTFS permissions)
The following built-in searches have been added:
All Active Directory Database Events under Shared | Built-in | All Events
Active Directory Database Events in last 30 days under Shared | Built-in | Security | Domain Controller Security
GDPR - Active Directory Database Events in last 30 days under Shared | Built-in | Regulatory Compliance |GDPR |Audit and Accountability | Active Directory
GDPR 32 - Active Directory Database Events in last 30 days under Shared | Built-in | Regulatory Compliance |GDPR |Security of Processing (32) | Active Directory

Ability to Audit Active Directory Federation Services

Change Auditor allows you to monitor the Active Directory Federation Services login activity and configuration changes once an Active Directory Federation Services auditing template has been created and assigned to the appropriate agent.
The following events have been added:
* 
NOTE: A Change Auditor Logon Activity license is required to capture the sign-in events. A Change Auditor for Active Directory license is required to capture the configuration changes events.
Successful Active Directory Federation Services sign-in
Failed Active Directory Federation Services sign-in
Additional authentication methods changed
Additional authentication method registered
Additional authentication method unregistered
Allow additional authentication providers as primary setting changed
Extranet authentication methods changed
Intranet authentication methods changed
Relying Party Trust added
Relying Party Trust changed
Relying Party Trust deleted
Relying Party Trust disabled
Relying Party Trust enabled
Active Directory Federation Services auditing template added
Active Directory Federation Services auditing template disabled
Active Directory Federation Services auditing template enabled
Active Directory Federation Services auditing template removed
Active Directory Federation Services auditing template added to agent configuration
Active Directory Federation Services auditing template removed from agent configuration
Active Directory Federation Services sign-ins auditing enabled
Active Directory Federation Services sign-ins auditing disabled
Active Directory Federation Services configuration changes auditing disabled
Active Directory Federation Services configuration changes auditing enabled
The following built-in searches have been added:
All Active Directory Federation Services sign-ins in the last 24 hours under Shared | Built-in | Active Directory Federation Services
All Successful Active Directory Federation Services sign-ins in the last 24 hours under Shared | Built-in | Active Directory Federation Services
All Failed Active Directory Federation Services sign-ins in the last 7 days under Shared | Built-in | Active Directory Federation Services

Foreign Forest Support

The following is supported in environments where a coordinator does not exist in the foreign forest where agents are deployed:
Ability to audit foreign forests by member of group.
Ability to search foreign forest by member of group using the Who criteria.
Ability to search foreign forest by member of group using the What criteria.
Ability to expand foreign forest groups by Group Membership Expansion.
Ability to audit Exchange mailboxes with an agent in the foreign forest.
Ability to exclude events generated by foreign forest accounts with account exclusion.
Ability to specify group Managed Service Account to be used for foreign forest agent to establish a coordinator connection.

Authentication Enhancements

The following authentication options are supported through the client and PowerShell:
Certificate authentication when the client and coordinator exist in environments where NTLM restrictions are in place.
Azure Active Directory authentication when the Change Auditor database resides on an Azure SQL Managed Instance.

Additional Platform Support

The following support has been added:
Microsoft Exchange Server 2016 CU16, CU17, and CU18
Microsoft Exchange Server 2019 CU5, CU6, and CU7
Azure SQL Managed Instance (PaaS) with SQL authentication or Azure Active Directory authentication for Change Auditor coordinator
Azure SQL Managed Instance (PaaS) with SQL authentication for Change Auditor client
Microsoft SQL Server 2017 and 2019 for Skype for Business auditing
Windows Server 2016 ADFS
Windows Server 2019 ADFS
Fluid File System 6.0.4
GPOADmin 5.15
CEE 8.7.7 for EMC auditing
Dell Storage Manager 18.1 and 19.1
Chrome 84
Edge 84
Firefox 78
Safari 13.1.1

The following support has been removed:
Windows Server 1803 Server Core
Windows 8 for the client and workstation agent

Miscellaneous Features and Enhancements
Share added, share deleted, and share edited events are generated when the New-SMBShare, Remove-SMBShare, and Set-SMBShare commands are run. The events are also generated when using Server Manager File and Storage Services add share task and “Stop Sharing" and "Properties" context menus.
New Active Directory email tags for the reason and status for failed Active Directory events. (AD_STATUS_CODE and AD_FAILURE_REASON)
Ability to see the license number for all applied licenses.
The authentication certificates used to authentication with On Demand Audit will automatically renew as required.
Office 365 Exchange Online events no longer display Microsoft deprecated events.
Improved alert query performance.
A user object's UserPrincipalName is now updated immediately following modification for enhanced reporting.
Event generated when coordinators specified to handle scheduled purge, archive, and report jobs are unavailable: All specified coordinators that handle purge/archive/report jobs are unavailable.

Important information
With Change Auditor database structure, you have access to larger volumes of data online without the need to archive data regularly. Here are a few pointers on auditing and accessing “big data”:
When building custom searches, keep in mind that the new schema organizes its event indexes in “hourly blocks”. The smaller the window of time in the when criteria, the better performance in the client for returning a result set.
While Change Auditor provides efficient event auditing with our agents, it is highly recommended that you maintain “focused” auditing. This ensures high performance when accessing large amounts of data in the Change Auditor client.
If excessive audits are received within the same hour, performance may decrease dramatically depending on the criteria selected.
General Exchange concepts:
Outlook “Show New Mail Desktop Alert” triggers the “Message Read by Owner” event: When this option is enabled, new email that arrives flashes a semi-transparent “alert” near the desktop system tray. Change Auditor captures a Message Read by Owner event when this occurs. The new email alert window opens each new email message as it arrives to build the alert. Note: The “Message Read by Owner” event is disabled by default in Audit Event configuration.
Microsoft Outlook/Exchange add-Ins: Change Auditor may be incompatible with Microsoft Outlook or Exchange “add-ins” (commercial or custom) that interact with Exchange Servers. While Quest makes every effort to ensure proper functionality and performance, we are unable to validate against the many add-ins available for Microsoft Outlook or Exchange Server.
“By Owner” auditing feature: Selecting ‘By Owner’ auditing for many mailboxes can produce many events. This adversely affects Change Auditor auditing and in severe cases the performance of the Exchange Server itself. In extreme cases, Outlook connections may be slowed or dropped. Select owner auditing for at most only a few critical mailboxes.
Auditing mailboxes with many delegates: Auditing normal mailboxes where access permission is granted to many delegates (more than 10), can produce large numbers of non-owner events. This will adversely affect Change Auditor auditing and in severe cases, the performance of the Exchange Server itself. If these mailboxes need to be audited, add them to the Shared Mailbox list (User Defined tab) to reduce unwanted non-owner events and to improve performance.
SMTP alert notifications on owner mailbox “event storm”: It is highly recommended that mailboxes configured to receive SMTP alerts are excluded from auditing “by Owner” events. An “event storm” could occur when a new SMTP alert is received on an audited mailbox by owner, generating a never-ending cycle of “Inbox opened by owner” and “Message read by owner” events.
Upgrading agents on high volume Exchange Servers: It is critical that agent upgrades be scheduled for maintenance intervals or other periods of low user mailbox activity for any configuration of Exchange Server. Change Auditor for Exchange agent upgrades should not be attempted on an active Exchange Server cluster node in any case.
Attempting to upgrade the agent on a busy Exchange Server may result in:
Exchange 2013 mailbox role: failed agent upgrade, unwanted RpcClientAccess service restart, or unscheduled Exchange cluster node failover.
Exchange 2013 client access role: unwanted IIS Exchange application pool restarts.
Exchange 2016 or 2019 mailbox role: failed agent upgrade, unwanted RpcClientAccess or IIS application pool restarts, or unscheduled Exchange cluster node failover.
To eliminate the possibility of unscheduled Exchange Server downtime, perform agent upgrades to Exchange Servers during periods of low or no mailbox activity.
General EMC concepts:
Control Stations: The Control Station is a dedicated management computer that monitors and controls cabinet components and allows access to the full functionality of the Celerra or VNX Network Server software. It contains utilities for installing and configuring the Celerra or VNX Network Server, maintaining the system, and monitoring system performance. The Control Station runs a set of programs that are collectively referred to as the Control Station software. The Control Station itself uses an EMC-customized version of Linux as its operating system.
Data Movers: Data Movers are the Celerra or VNX components that transfer data between the storage system and the network client. Data Movers are managed by using a Control Station. By default, Data Movers are named server_n, where n is the slot number of the Data Mover. For example, server_2 is the Data Mover in slot 2.
Troubleshooting EMC events: If EMC events are not being audited by the Change Auditor agent, first check to see if the EMC CAVA agent service is running on your Windows Server where the EMC events are being collected. Second, check to see if the CEPP service on the EMC Data Mover is running or if the state is offline, by using the command:
server_cepp {mover_name} -p -i
Resulting output of this command should be similar to the following:
IP = {mover IP}, state = ONLINE... etc
If the CEPP service is OFFLINE, you can fix this by first restarting the EMC CAVA service on the Windows Server. If that does not work, restart the EMC CEPP services on the Data Mover by using the following command:
server_cepp {mover_name} -service -start
Change Auditor agent requires File and Printer Sharing on Windows Server 2012: By default, File and Printer sharing are not enabled on Windows Server 2012 installations. To remotely install agents to Windows Server 2012 (Full UI and Server Core), enable the File and Printer Sharing (SMB-in) Inbound rule in the Windows Firewall (Port 445) on the target host machine.
The File and Printer Sharing for Microsoft Networks service on the network adapter is also required to be enabled for remote deployment.
File System auditing for NAS and mapped network drives: Change Auditor does not support File System auditing on NAS devices or mapped network drives other than EMC Celerra/VNX/Isilon or NetApp Data ONTAP filers.
Microsoft Office files: Since the Change Auditor for Windows File Servers, NetApp, and EMC drivers capture events related to file activity, it is possible that a folder containing files being opened and edited by Microsoft Office products (Word, Excel, PowerPoint, and so on) will generate unexpected results. Understanding how MS Office products interact with the file system might help explain some of the audit events captured. See http://support.microsoft.com/kb/211632 for more details.
File System Auditing for SAN: Support and engineering will attempt to troubleshoot and resolve issues to the best of their ability when the SAN is attached to a Windows-based file server such that it appears as a local drive on that host. In this configuration, the SAN generally behaves as an extra disk drive on the server which can be audited by a Change Auditor agent on that server. Success in this configuration depends on many factors and is not guaranteed.
File System auditing: Change Auditor does not audit files with a size of zero (0) bytes.
Recompiling the Change Auditor MOF file: Change Auditor no longer ships with a MOF file as part of the coordinator installer. Should the CA WMI namespace become corrupt, or should there be an installation failure, the file can be recompiled using the following command line:
ChangeAuditor.Service.exe --install
Blackberry Enterprise Server (or similar) services: To eliminate auditing of automated tasks, the Change Auditor agent attempts to automatically exclude auditing of mailbox accesses by Blackberry Enterprise Server (BES) or similar service accounts. These accounts have both ‘Receive All’ and ‘Administer Information Setup’ rights on the mailbox database. If these explicit rights are granted to user accounts, those accounts are also excluded from mailbox auditing, which may not be wanted. If necessary, this automated exclusion can be disabled on a server-by-server basis.
Changes to domain administration level security objects may generate subsequent DACL changes reported with Changed By information as “NT AUTHORITY\ANONYMOUS LOGON” up to an hour after the original change. According to Microsoft, an Active Directory domain controller that holds the primary domain controller (PDC) operations master role runs a thread every hour to check the access control lists of members of several built-in administrative groups. If a user account is a member of one of these administrative groups, even if only because of its membership with a distribution group, the user account's ACL is checked when the thread is run and may be reset to the ACL of the CN=AdminSDHolder,CN=System,DC=<domain> object.
Exclude Change Auditor components and monitored processes from antivirus software: Quest recommends excluding the following Change Auditor components and monitored processes from any antivirus software that uses technology similar to “Buffer Overrun Protection” or “On Access Scanner”:
DSAMain.exe
Lsass.EXE
Microsoft.Exchange.RpcClientAccess.Service.exe (Exchange 2013 only)
NPSRVhost.exe
Services.exe
‘Server’ service
Change Auditor coordinator service running under a service account (instead of Local System):
If the coordinator service is running under a service account (instead of Local System):
The user must re-save existing Forest or GC profiles using the Change Auditor client's connection wizard. This updates the SPN with the correct information.
The user must enter the coordinator’s IP address instead of its DNS name in the connection settings in:
The web.config for the Change Auditor web client
The manual option in the Change Auditor client's connection wizard
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating