Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Manually create a Microsoft Entra web application for sending Microsoft 365 mail

Previous Next

Manually create a Microsoft Entra web application for sending Microsoft 365 mail

See Microsoft documentation for details on integrating applications with Microsoft Entra ID and creating a web application.

* 
NOTE: The Microsoft Entra web application:
Should be a single-tenant application. A redirect URI is not required.
Must have a Client Secret configured in the web application "Certificates and Secrets" page.

Ensure the following permission is assigned to the web application:

Microsoft Graph application permission:
Mail.Send – Application - Send mail as any user

Once the required permission is applied, click Grant admin consent for… and confirm with Yes.

Customize alert email content

Previous Next

Customize alert email content

In addition to the customizable fields (Reply To, Alert Subject and Signature) on the Coordinator Configuration dialog, you can use the Configure Body button to define the content to be used in the main body of your alert emails as well as the event details to be included.

* 
NOTE: When accessed through the Coordinator Configuration page, these settings will apply globally to all alert emails. However, if accessed through the Alert tab, these settings will apply to the selected alert only.
* 
NOTE: The Alert Body Configuration settings do not apply to email reports. To define the content (columns) to be included in a report, use the Layout tab. In addition, you can use the Report Layouts page (Administration Tasks tab) to create customized report layout templates defining the header and footer information to be used in your reports.
To customize alert email content:
1
Click Configure Body to display the Alert Body Configuration dialog.
2
Select the appropriate option (at the bottom of the dialog) to edit either the Plain Text (default) or the HTML representation of the alert emails.
3
Use the Main Body tab to enter the text to be included and define the overall layout of the alert body.
Select the Show Variables check box to display the variables that can be added to the main body of your email.
To add a variable, double-click the variable from the Variable list at the bottom of the page. You can also drag and drop a variable from the Variable list into the main body text box.
* 
NOTE: The event details defined in the Event Details tab are placed in the Main Body pane using the following tag: %EVENT_DETAILS%. This tag should not be removed from the Main Body tab if you want to include the event details in the alert emails.
4
Use the Event Details tab to specify the event details to be included. That is, you can rearrange the entries, remove entries, or modify text, etc.
Select the Show Variables check box to display a list of the variable that can be added to the event details of your alert email.
To add a variable, double-click the variable from the Variable list at the bottom of the page. You can also drag and drop a variable from the Variable list into the Event Details text box.
* 
NOTE: Do not modify the blue text surrounded by percent signs (such as %USERNAME%). These are tags which represent actual data retrieved from the Change Auditor event that triggered the alert. See Change Auditor Email Tags for more information on these tags and the data retrieved by each.
5
Use the Signature tab to define the content of the signature line to be used in alert emails.
6
After you have entered the body content and defined the event details and signature line to be included, select the Preview tab to view a sample email using your defined format and content.
7
Once defined, click OK to save your settings and close the Alert Body Configuration dialog.
* 
NOTE: Click Restore to Default to revert back to the default email content and format.

Shared Folder Configuration

Previous Next

Shared Folder Configuration

To allow users to send reports to a shared folder, you must specify credentials to use to write reports and a default shared folder.

To configure the ability to send reports to a shared folder:
1
Open the Administration Tasks page and click Configuration.
2
Select Coordinator in the Configuration task list to open the Coordinator Configuration page.
3
Under Shared Folder Configuration, select Enable Shared Folder for Reporting. Checking this option activates the remaining fields on this page to define the account credentials and folder to use.
4
Enter the credentials (account name and password) for the coordinator to use to write the reports to a shared folder. The credentials are used to write reports to the default shared folder as well as custom shared folders specified for individual reports.
* 
NOTE: If you are using a group Managed Service Account:
The account must end with '$' and the password must be blank.
The Windows client must be run as the administrator. (Right-click and select Run as administrator.)
The coordinator host must be correctly configured to retrieve the managed password for the specified group Managed Service Account.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
5
Select a shared folder to use as the default when users select to enable reporting for a search. Select Test access to ensure that the folder exists and the specified account has permissions to write to it.
* 
NOTE: If the default shared folder path is updated, it will be used for each report that uses it.

Group Membership Expansion

Previous Next

Group Membership Expansion

The middle pane of the Coordinator Configuration page contains options which allow you to define the schedule for expanding nested membership of Active Directory groups that are referenced in searches (Who search criteria) or groups that are defined in the Member of Group feature. Group membership will be recursively enumerated in order to determine nested group membership.

Use the following options to define group membership expansion behavior:

 

Table 2. Coordinator Configuration page: Group membership expansion options

Options

Description

Select the groups to expand

Select one of the following options to define how you want to expand groups:
Expand all groups - This expands all groups in the forest. Use this only if you are using SSIS and need the freedom to make requests for any group in the forest.
Expand groups that are referenced in existing queries - Change Auditor must expand all groups in queries in order to get their membership. With the membership, the events for the groups can be retrieved. This is always done and cannot be disabled.
Expand groups that are referenced in existing queries and selected groups (default) - In addition to the groups referenced in existing queries, you have the ability to select other groups. This would be useful when you have groups that need expansion for SSIS database requests, but you do not want to burden your production system with expanding all groups in the environment.

Group Membership Expansion list

The Group Membership Expansion list box is only available when the Expand groups that are referenced in existing queries and selected groups option is selected and displays a list of the groups to be expanded. Use Add to add groups to this list box and Remove to remove groups from the list box.

Add

Use to add groups to the group membership expansion list. Clicking this button will display the Select Active Directory Objects dialog allowing you to locate and select the groups to be added.

See Directory object picker for a description of the Browse, Search and Options pages. Note that the Find field on this dialog will display Group and cannot be changed.

Remove

Use to remove the selected group from the group membership expansion list.

Select the refresh frequency

Select from the following options to define how often you want to refresh the group membership expansion list.

Refresh group membership every nnn minutes

By default, group membership will be refreshed every 360 minutes. Use the arrow controls to increase or decrease this value.

Valid range: 10 - 43200

Number of groups to expand every 5-minute cycle

By default, 20 groups will be expanded every 5-minute cycle. Use the arrow controls to increase or decrease this value

Valid range: 1 - 100000

Refresh the list of expanded groups every nnn minutes

By default, the group membership expansion list is refreshed every 180 minutes. Use the arrow controls to increase or decrease this value.

Valid range: 10 - 43200

Defaults

Use to reset the fresh frequency settings back to the factory defaults.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating