Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

Change Auditor can generate alerts when certain kinds of configuration changes occur. These alerts appear in the client and are then dispatched to designated recipients through email, SNMP or WMI events.

* 
NOTE: You cannot enable alerting for search definitions that use the Runtime Prompt option.
* 
NOTE: Email, SNMP and/or WMI must be configured to receive alerts before any alert notifications will be sent.

Smart Alert Technology provides intelligent event correlation by notifying you when event patterns cause potential security risks. You can customize the Smart Alerts to match your security policies. For example, if a privileged account is attempting to log on with a bad password at multiple computers within a predetermined time period, a proactive alert can be generated.

Alert tab (Search Properties tabs)

Previous Next

Alert tab (Search Properties tabs)

The Alert tab displays the current alert configuration for the selected search definition. From the Alert tab, you can enable/disable an alert notification for the selected search definition, define how and where to dispatch the alert (through email, SNMP, or WMI), and modify the alert configuration settings.

Use the controls on the Alert tab as described below.

 

Table 1. Alert tab: Field/Control descriptions

Field/Control

Description

Alert Enabled

Select the Alert Enabled check box to enable an alert for the current search definition.

This option will became available only after one of the transport methods are selected in the Send Alert To setting on this tab.

Alert Configuration pane

Send Alert To

Select all of the transport options that are to be applied to this search definition:
SNMP - Select this option to dispatch alerts for this search definition via SNMP traps.
WMI - Select this option to dispatch alerts for this search definition via WMI (Windows Management Instrumentation) events.
Email - Select this option to dispatch alerts for this search definition via email. Selecting this option will display the Alert Custom Email dialog allowing you to specify the email address of the persons who are to receive the email notification.

History Search Limit

By default, up to 50,000 events can be included in the alert history. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in the alert history.

NOTE: The History Search Limit setting is a global setting and changes made to this setting will be applied to ALL alerts.

Configure Email

For email alerts, click Configure Email to change the details about the alert email to be sent, including the To address, the Reply To address, and the Subject Line. In addition, from the Alert Custom Email dialog you can access the Alert Body Configuration dialog to configure the body of the email alert.

NOTE: If email is not configured, a message box appears stating that the Coordinator email configuration has not been configured. Open the Administration Tasks tab and use the Coordinator Configuration page to enable email notification and configure mail.

Events Per Email

For email alerts, a maximum of 100 events will be included in a single alert email by default. Use the arrow controls to increase or decrease this value to define the maximum number of events to be included in an email.

Time zone

For email alerts, use this field to specify the time zone to be used for the time stamp in the name of the report attachment. By default, the time zone of the computer where the Change Auditor client resides is used.

Smart Alert pane

Smart Alert Enabled

Select this check box to specify under what conditions an alert is to be sent. This feature is only available for email and SNMP notifications.

Send Alert When <nn> Events Occur Within <nn> <interval>

Select this option to specify the number of events that must occur within a specified time interval before generating/dispatching the alert.

Where: <interval> is one of the following: minutes, hours or days

On A Single Object

Select this check box to specify that the event must occur for the same object the specified number of times before the alert will be triggered. When this check box is cleared (default), the event can occur on any object the specified number of times to trigger the alert.

NOTE: Smart alerts on a single object are only supported for Active Directory and File System subsystems.

Enable alerts

Previous Next

Enable alerts

Using the Searches page, you can enable/disable alert notifications for individual search definitions and dispatch them through email, SNMP or WMI.

 
* 
NOTE: The right-click commands available for enabling/disabling alert notifications are available when multiple search definitions are selected. However, you can only enable/disable alert notifications using the Alert tab when a single search definition is selected.
To enable email alerts for individual search definitions:
* 
NOTE: To dispatch configuration change alerts through email you must first enable email notification and define the email server to be used on the Coordinator Configuration page. See Click Test Mail to test the configuration. in the Coordinator Configuration chapter.
1
Open the Searches page.
2
Expand the Private or Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
3
Use one of the following methods to enable an alert:
Right-click the search and select the Alert | Enable Transport | Email command.
Open the Alert tab and select the Email check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the search definition and select Show Properties).
* 
NOTE: If email is not configured, a message box will display stating that the coordinator email configuration has not been configured. Open the Administration Tasks tab and use the Coordinator Configuration page to configure email alerts.
4
Using either of these methods displays the Alert Custom Email dialog allowing you to enter the email address of the persons who are to receive the alert notification.

Enter the email address or click the browse button to specify the users who are to receive the alert notification. Selecting the browse button displays one of the following dialogs:
The Select Active Directory Objects dialog (directory object picker) where you can use the Browse or Search page to locate Active Directory users. This dialog is displayed when no Exchange host is specified in the Email Alerts Configuration pane of the Coordinator Configuration page.
The Search Users dialog allowing you to locate and select an Exchange user (Exchange tab) or an Active Directory user (Active Directory tab). This dialog is displayed when an Exchange host is defined in the Email Alerts Configuration pane of the Coordinator Configuration page.
 
* 
NOTE: You can enter an individual email address or distribution list address in the To, Cc or Bcc fields. You can also send the alert notification to additional recipients by selecting the appropriate check box, as described below:
Add Who - Select this check box to send an alert to the user who initiated the change that triggered the alert.
Add Users - When selected, alerts for user object changes are sent to the user; alerts for mailbox objects are sent to the mailbox owner.
Add Managers - When selected, alerts for user object changes are sent to the user manager (if set); alerts for group objects are sent to the managed-by user (if set). Alerts for mailbox objects are sent to the owner's manager (if set).

Once a check box is selected, select the corresponding option to add it to the To, Cc or Bcc field.

By default, the values entered on the Email Alerts Configuration pane of the Coordinator Configuration page will be used for the following fields/settings:
Reply To address
Subject line
email format (Plain Text or HTML)
body of the email alert

If you do not want to use these default settings for the current search query, you can modify them on the Alert Custom Email dialog. To modify the body of the email alert, click Configure Body.

Once you have finished specifying the recipient email addresses, click OK to save your selections and close the dialog.

5
In addition, you can change the following alert configuration settings using the Alert tab (Search Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
By default, a maximum of 100 events will be included in a single alert email. Use the Events Per Email setting to change this number.
By default the time zone of the computer where the Change Auditor client resides is used for an alert’s date/time stamps in the email. To change the time zone to be used for these date/time stamps, select the time zone from the drop-down list.
If you want to specify under what conditions an alert is to be sent, select the Smart Alert Enabled check box and specify the number of events that must occur within a specified time interval before generating/dispatching the alert.

By default, a smart alert is generated when the event occurs on any object the specified number of times. You can however, select the On a Single Object option to have the smart alert triggered when the event occurs on the same object the specified number of times.

6
When an alert is enabled, the following indicators are added to the Searches list:
* 
NOTE: If using the Alert tab, be sure to click Save to save the alert definition.
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’
Alert To - displays the email address of any users who are to receive the alert email
Alert Cc - if specified, displays the email address of any users who are to receive a copy of the alert email
Alert Bcc - if specified, displays the email address of any users who are to receive a blind copy of the alert email
To enable SNMP alerts for individual search definitions:
* 
NOTE: In order to generate SNMP alerts, SNMP must be installed and the trap receiver must be started.
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
3
Use one of the following methods to enable an alert:
Right-click the search and select Alert | Enable Transport | Email.
Open the Alert tab at the bottom of the page, select the Email check box, then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select Show Properties).
4
In addition, you can change the following alert configuration settings using the Alert tab (Search Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
5
When an alert is enabled, the following indicators are added to the Searches list:
* 
NOTE: If using the Alert tab, be sure to click Save to save the alert definition.
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’
To enable WMI alerts for individual search definitions:
* 
NOTE: In order to generate WMI alerts, WMI must be installed and started. A WMI event consumer must also be running on the coordinator server.
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the search to which an alert is to be associated. Select the search from the Search list in the right-hand pane.
3
Use one of the following methods to enable an alert:
Right-click the search and select the Alert | Enable Transport | WMI command.
On the Alert tab, select the WMI check box and then the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command).
4
In addition, you can change the following alert configuration setting using the Alert tab (Search Properties tabs):
By default, up to 50,000 events will be included in the alert history. Use the History Search Limit setting to change this value. (This setting is a global setting and changes made to this setting will be applied to ALL alerts.)
5
When an alert is enabled, the following indicators are added to the Searches list:
* 
NOTE: If using the Alert tab, be sure to click Save to save the alert definition.
Type - the icon for the search (magnifying glass) changes to a check mark and the label changes from ‘Search’ to ‘Alert’ (e.g., Shared Alert)
Alert - displays ‘Enabled’

Disable alerts

Previous Next

Disable alerts

To disable alerts:
* 
NOTE: The right-click commands available for enabling/disabling alert notifications are available when multiple search definitions are selected. However, you can only enable/disable alert notifications using the Alert tab when a single search definition is selected.
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list box in the right-hand pane.
3
Use one of the following methods to disable an alert:
Right-click the alert and select Alert | Disable Alert. A message box is displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
4
When the alert is disabled, the Alert column displays ‘Disabled’.
* 
NOTE: If using the Alert tab, click the Save button to apply the change.

In addition to disabling an alert, you can also disable the alerting transports for an alert-enabled search.

To disable email alerts for individual search definition:
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
3
Use one of the following methods to disable an alert:
Right-click the alert and select Alert | Disable Transport | Email. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the Email check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)

If this is the only transport or when all transports are disabled, the definition returns to a ‘Search’ type.

* 
NOTE: If using the Alert tab, click Save to apply the change.
To disable SNMP alerts for individual search definition:
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
3
Use one of the following methods to disable an alert:
Right-click the alert and select Alert | Disable Transport | SNMP. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the SNMP check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select Show Properties.)

If this is the only transport or when all transports are disabled, the definition returns to a ‘Search’ type.

* 
NOTE: If using the Alert tab, click Save to apply the change.
To disable WMI alerts for individual search definition:
1
Open the Searches page.
2
Expand the Private and Shared folders in the explorer view to locate the alert-enabled search to be disabled. Select the alert from the Search list in the right-hand pane.
3
Use one of the following methods to disable an alert:
Right-click the alert and select Alert | Disable Transport | WMI. A message box will be displayed asking you to confirm that you want to disable the alert. Click Yes.
Open the Alert tab, clear the WMI check box and the Alert Enabled check box. (If the Search Properties tabs are not being displayed, right-click the alert definition and select the Show Properties menu command.)
 
* 
NOTE: If using the Alert tab, click Save to apply the change.

If this is the only transport or when all transports are disabled, the definition returns to a ‘Search’ type.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating