Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Event Details pane

Previous Next

Event Details pane

Use the Event Details button on a Search Results page, Overview page, or Alert History page to display the Event Details pane. You can also double-click an event in the search results grid to display the Event Details pane for the selected event.

The following details about the selected event selected are available:

 
* 
NOTE: All dates and times are based on the client’s current local date and time. The format used to display the date and time is determined by the local computer’s regional and language setting.
 

Table 2. Event Detail pane: Field descriptions

Field

Description

Severity

The severity level assigned to the search is displayed in the upper left-hand corner.

Who

This field specifies the name of the user who initiated the change. If available, the display name of the user account is also displayed in parenthesis.

When

This field specifies the date and time when the change occurred.

Where

This field displays the name of the server where the change occurred.

Source

This field displays the source of the event:

Change Auditor
Active Roles
GPOADmin
NOTE: When the event is generated from Active Roles or GPOADmin, the name of the user account that initiated the event is displayed in parenthesis.
NOTE: If the Source field displays ‘ActiveRoles’ (instead of ‘ActiveRoles Server’) you are not using the latest integration scripts. If you want to take advantage of the additional events and initiator account information captured using the new integration scripts, ensure you are running Active Roles 6.9 (or higher) with Change Auditor for Active Directory 6.5 (or higher).

Origin

This field displays the NetBIOS name and IP address of the workstation or server from which the event was generated.

What

Displays a brief description of the change that occurred. There are three basic types of events generated that determine the ‘what’ information that will be displayed:
Occurrence events (such as an object is created or deleted)
Change events
Delta events (such as DACL/SACL changes)

Depending on the type of event, additional details may be displayed at the bottom of this pane.

Result

Indicates whether the operation mentioned in the event was successfully completed. Valid states are:
Success (Green) - Indicates that the operation occurred as stated in the event.
Protected (Yellow) - Indicates that the operation was prevented from occurring because the object is being protected by the Change Auditor object locking feature
Failed (Red) - Indicates that the operation was prevented from occurring due to a factor/setting outside of Change Auditor’s control.
None (Green) - Indicates that the operation occurred as stated, but no results were captured for the event. For example, this state is used for most of the internal Change Auditor events.

Subsystem

The first field defines the subsystem, or area of monitoring, where the change event occurred (for example, Active Directory, Service, or Group Policy).

Action

This field defines the action associated with the selected event.

Facility

This field defines the event class facility to which the change event belongs.

Class

For Active Directory and Exchange events, this field displays the object class that was modified, such as user, group, computer, nTDSConnection, CrossRefContainer.

Attribute

If an attribute has been added, deleted or modified, this field displays the name of the attribute.

Type

For Active Directory events associated with groups, this field displays the type of group that was modified (for example, Global (Security), Domain Local (Security)).

For AD Query events, this field displays the type of query:

LDAP
GC

Object

For Active Directory and Exchange events, this field displays the name of the object that was modified.

Authentication

Indicates whether the LDAP operation is secured using the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) technology, simple bind authentication, or signed using Kerberos-based encryption.

NOTE: If changes are initiated within LSASS and not through the LDAP protocol itself, this field will not be captured.

Port

For Active Directory, AD Query, and Exchange events, this field indicates the port used for authentication.

Scope

For AD Query events, this field displays the scope of coverage:

This object only
This object and all children

Results

For AD Query events, this field displays the number of results returned as a result of the query.

Occurrences

For AD Query events, this field displays the number of times the AD query occurred during the specified interval.

Since

For AD Query events, this field displays the date and time when the AD query was first initiated.

Elapsed

For AD Query events, this field displays how long the AD query took to run. Zero (0) indicates that it took less than a millisecond to complete.

Filter

For AD Query events, this text box displays the filter string used in the AD query.

Attributes

For AD Query events, this text box displays the attributes that were queried.

Path

For File System events (including EMC and NetApp), this field displays the full path of the file or folder where the modification occurred.

Process

For File System events, this field is populated with the full path of the application responsible for the file change.

Service

For Service events, this field displays the name of the services that were modified.

Key

For Registry events, this field displays the name of the registry key that was modified.

Value

For Registry events, this field displays the registry value that was modified.

Policy

For Group Policy events, this field displays the name of the group policy that was modified.

Section

For Group Policy events, this field displays what section of the group policy was modified.

Item

For Group Policy events, this field displays the group policy item that was modified.

Account

For Local Account events, this field displays the local account that was modified.

From

This text box lists the old value that was assigned to the object.

To

This text box lists the new value that is now assigned to the object.

NOTE: The To and From information does not apply to permission/ACL (Access Control List) type changes and is replaced with the Changes section. This information is also not available for occurrence type events, e.g., when an object is created or deleted.

Farm

For SharePoint events, this field displays the name of the SharePoint farm to which the modified component belongs.

URL

For SharePoint events, this field displays the name of the SharePoint site to which the modified component belongs.

Target

For SharePoint events, this field displays the URL of the SharePoint item that was modified.

Mailbox

For Microsoft 365 Exchange Online mailbox events, this field displays the account name of the online mailbox where the change occurred.

Folder

For Microsoft 365 Exchange Online mailbox events, this field displays the folder name where the change occurred.

Cmdlet

For Microsoft 365 Exchange Online administration events, this field displays the name of the administrative cmdlet what was run.

Object

For Microsoft 365 Exchange Online administration events, this field displays the name of the object within the administrative cmdlet that was modified.

Logon Start

For Logon Session events, this attribute displays the date and time when the user initially logged onto the computer.

Logon End

For Logon Session events, if applicable this attribute displays the date and time when the user logged out of the computer.

Duration

For Logon Session events, depending on the event this attribute displays how long the user session lasted or how long the user was actually logged onto the computer.

Session Start

For Logon Session events, this attribute displays the date and time when the current user session began.

Session End

For Logon Session events, if applicable this attribute displays the date and time when the current user session ended.

View search results

Previous Next

View search results

To view the results of a search:
1
From the Searches page, run a search.
2
For each search that is run, a new search results page is automatically created and opened, allowing you to view the event records returned.
3
When multiple search results are active, select the heading tab at the top of a search page to view the selected search results.
4
Use the column controls to sort, rearrange, or group the data displayed. See Customize table content for more information on using the column controls to customize the content of this page.
5
Change Auditor also provides advanced filtering options that allow you to modify the results of a search without changing the original search. Click in the Click here to filter data cell to enter the criteria to be used to filter the data displayed. See Filter data for more information on using Change Auditor’s filtering feature.

Display results in different formats

Previous Next

Display results in different formats

When a grouping is created (for example, a single column heading is dragged up into the heading area to group the data), three icons are added to the heading area which can be used to display the data in a different format. The following icons/formats are available:

Data Grid: Select the data grid icon to redisplay the data in the grid format (default format).

Pie Chart: Select the pie chart icon to display a pie chart showing the correlated data. Move your cursor over the pieces in the pie chart to display the label and number of items that make up that piece of the pie.

Bar Graph: Select the bar graph icon to display a bar graph showing the correlated data. Move your cursor over the bars in the graph to display the label and number of items that make up that bar.

* 
NOTE: The Pie Chart and Bar Graph displays are only available when a single level grouping has been applied to the data grid. Also, when the search results are too numerous to chart, a message will display stating that there are too many items to display them all.

Preview search results

Previous Next

Preview search results

The criteria definition is in-line with the results which enables you to preview and modify the results without closing and opening multiple dialogs.

To modify search criteria and preview the results:
1
Open the Search Results page for a search where you want to preview changes based on new search criteria.
2
Click Search Properties to display the Search Properties tabs across the bottom of the page.
3
Modify the search criteria and then click Preview Changes from one of the Search Properties tabs.
4
The results of the modified search appears at the top of the open Search Results page. An asterisk is appended to the name in the tab denoting that the search properties have been modified and these changes have not yet been saved.
5
Once you achieve the desired results, you can use Save or Save As on one of the Search Properties tabs to save the modifications made to the search criteria.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating