Searches page - Search definition (right pane) NOTE: The History and Delete History options are only displayed when alerting has been enabled for a search. | |
Event Details pane (text boxes) Overview page - event (data grid) | |
• |
Preview - is for previewing a sample of what your customized email will look like. |
• |
Main Body - to define the overall content and layout of the alert email body. |
• |
Event Details - to define the details to be included for each event included in the alert email. |
• |
Signature - to define the signature line to be included. |
The email address for the user referenced in an Active Directory user event. | |
The name of the domain where the coordinator that generated the alert resides. | |
The batch ID for all alerts grouped into a single smart alert email. | |
The number of events grouped into a single smart alert email. | |
Indicates whether this is a smart alert email and on a single object. | |
For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. | |
For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. | |
For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. |
For Azure Active Directory events, the origin of the activity. | |||||||
For Azure Active Directory events, the associated Active Directory on premises subject. | |||||||
For Azure Active Directory events, the associated Active Directory on premises target. | |||||||
For Azure Active Directory events, the associated Active Directory on premises username. | |||||||
For Azure Active Directory events, the associated subject display name. | |||||||
For Azure Active Directory events, the associated subject synchronization type. | |||||||
For Azure Active Directory events, the target synchronization type. | |||||||
For Azure Active Directory events, the tenant default domain. | |||||||
The action associated with the event (e.g., Modify Attribute). | |||||||
For Active Directory events, the logon name of the user who initiated the change event. | |||||||
For Active Directory events, the failure reason for failed events. | |||||||
For Active Directory events, the status code for failed events. | |||||||
For ADAM (AD LDS) events, the name of the ADAM instance where the change occurred. | |||||||
For ADAM (AD LDS) events, the name of the directory partition where the change event occurred. | |||||||
The name of the domain where the coordinator that generated the alert resides. | |||||||
For File System events, the name of the file or folder attribute that was modified. | |||||||
The batch ID assigned to all alerts grouped into a single smart alert email. | |||||||
Any comments for the event which were entered using the Comments feature on the Event Details pane. | |||||||
Indicates whether the agented server is a domain controller. | |||||||
The distinguished name (DN) of the domain to which the agent that generated the alert belongs. | |||||||
The name of the domain to which the agent that generated the alert belongs. | |||||||
The name of the event class facility to which the event belongs (e.g., Domain Configuration). | |||||||
The name of the forest where the agent that captured the event resides. | |||||||
For File System events, the name of the attribute that was modified. | |||||||
For File System events, the name of the file that was modified. | |||||||
For File System events, the name of the server where the file or folder that was modified resides. | |||||||
For File System events, the type of object (File or Folder) that was modified. | |||||||
For File System events, the full path of the file or folder where the modification occurred. | |||||||
For File System events, the logon ID of the user who made the change. | |||||||
For File System events, the SID of the user who made the change. | |||||||
For File System events, the full path of the application responsible for the change. | |||||||
For File System events, the name of the local share that was modified. | |||||||
For File System Transaction Status Changed events, the current status of the transaction. | |||||||
For Group Policy events, the canonical name (CN) of the group policy that was modified. | |||||||
For Group Policy events, the group policy item that was modified. | |||||||
For Group Policy events, the name of the group policy that was modified. | |||||||
For Group Policy events, the section of the group policy that was modified. | |||||||
The IP address of the Change Auditor agent that generated the alert. | |||||||
For AD Query events, the filter string used in the AD query. | |||||||
For AD Query events, the number of times the AD query occurred during the specified interval. | |||||||
For AD Query events, the number of results returned as a result of the query. | |||||||
For AD Query events, the scope of coverage: This object only or This object and all children. | |||||||
For AD Query events, the date and time when the AD query was first initiated. | |||||||
For Logon Session events, the date and time when the user logged out of the computer. | |||||||
For Logon Session events, the date and time when the current user session ended. | |||||||
For Logon Session events, the date and time when the current user session began. | |||||||
For Logon Session events, the date and time when the user initially logged onto the computer. | |||||||
For Active Directory and ADAM (AD LDS) events, the canonical name of the object that was modified. For Group Policy events, the canonical name of the group policy that was modified. For AD Query events, the LDAP object canonical name of the object that was queried. | |||||||
For ADAM (AD LDS) events, the object class that was modified (e.g., container, user, group). | |||||||
For Active Directory and Exchange events, the name of the object that was modified. For ADAM (AD LDS) events, the distinguished name of the object that was modified. For Group Policy events, the name of the group policy that was modified. For AD Query events, the name of the object that was queried. | |||||||
For Active Directory and ADAM (AD LDS) events, the OU associated with the object that was modified. For Group Policy events, the name of the OU that is linked to the group policy that was modified. For AD Query events, the name of the OU associated with the LDAP query. | |||||||
Indicates the operating system version of the machine where the modification occurred. | |||||||
For Registry events, the name of the registry key that was modified. | |||||||
Indicates the result of the operation mentioned in the event:
| |||||||
The logon name of the local account that initiated the change event. | |||||||
The distinguished name (DN) of the agented server that captured the event. | |||||||
The fully qualified domain name (FQDN) of the agented server that captured the event. | |||||||
The name of the organizational unit where the agented server resides. | |||||||
For Service events, the display name of the service that was modified. | |||||||
For Service events, the name of the service that was modified. | |||||||
The severity assigned to the change event: High, Medium or Low. | |||||||
For SharePoint events, the name of the SharePoint farm where the modification occurred. | |||||||
For SharePoint events, the URL of the SharePoint item that was modified. | |||||||
For SharePoint events, the name of the SharePoint list that was modified. | |||||||
For SharePoint events, the full path of the SharePoint list where the modification occurred. | |||||||
For SharePoint events, the name of the web site where the modification occurred. | |||||||
For SharePoint events, the URL of the web site where the modification occurred. | |||||||
The distinguished name (DN) of the site where the agented server resides. | |||||||
Indicates whether this is a smart alert email and on a single object. | |||||||
For smart alerts, the occurrence value specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. | |||||||
For smart alerts, the period of time specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. | |||||||
For smart alerts, the time interval (minutes, hours or days) specified in ‘Send alert when <nn> Events occur within <nn> <interval>’. | |||||||
For SQL events, the name of the client application that initiated the change event. | |||||||
For SQL events, the name of the SQL database used by the process that initiated the change event. | |||||||
For SQL events, the SQL Server operation (event class) that was performed. | |||||||
For SQL events, the type of event subclass that was performed. | |||||||
For SQL events, the name of the client workstation that initiated the session. | |||||||
For SQL events, the name of the SQL instance where the change event occurred. | |||||||
For SQL events, indicates whether a system session initiated the change. | |||||||
For SQL events, the object identifier associated with the SQL object that was changed. | |||||||
For SQL events, the object identifier of related objects or entities, if available. | |||||||
For SQL events, the name of the SQL Server object that was changed. | |||||||
For SQL events, the type of SQL Server object that was changed. | |||||||
For SQL events, the name of the schema in which the object that changed resides. | |||||||
For SQL events, the number of rows returned by the SQL query. | |||||||
For SQL events, the SQL Server login name used by the client to create the session. | |||||||
For SQL events, the SQL Server Process ID associated with the process that initiated the change. | |||||||
The UTC date and time when the batch of events were sent from the agent to coordinator. | |||||||
The UTC time (no date) when the event the agent captured the event. | |||||||
The UTC date and time when the event was received by Change Auditor. | |||||||
The name of the time zone used for the alert’s date/time stamps in the email. | |||||||
The date and time when the Change Auditor agent captured the event, based on the selected time zone. | |||||||
The date and time when the event was received by Change Auditor, based on the selected time zone. | |||||||
The machine name or IP address of the machine where the change originated. | |||||||
The IPv4 IP address of the machine where the change originated. | |||||||
The IPv6 IP address of the machine where the change originated. | |||||||
The NT4 logon name (domain\name) of the user who initiated the change. | |||||||
The security identifier (SID) assigned to the user who initiated the change. | |||||||
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center