Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Managing Microsoft 365 templates

Previous Next

Managing Microsoft 365 templates

Change Auditor audits activity for Exchange Online, SharePoint Online, and OneDrive for Business that corresponds to the events in the Microsoft 365 Security & Compliance Center unified audit log. Change Auditor allows you to easily track, report, and create alerts on activities such as:
When Exchange Online mailboxes are created, deleted, and accessed.
Permission changes to see which users are granted access to a mailbox.
Mailbox activity by non-owner such as messages sent, read, deleted, and folders deleted
Mailbox activity by owner for sensitive and high value mailboxes.
When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
* 
NOTE:  
Due to enhanced security measures, basic authentication is no longer supported for Microsoft 365 auditing; certificate authentication is now required.
If you have existing Microsoft 365 auditing templates, the web application associated with them must be updated or replaced to support certificate authentication. See Edit a Microsoft 365 auditing template and for details.

For a compete list of events, their description, and default severity see the Change Auditor Microsoft 365 and Microsoft Entra ID Event Reference Guide.

See also:
Microsoft 365 auditing page
Create an Microsoft 365 auditing template
Disable a template
Delete a template

Microsoft 365 auditing page

Previous Next

Microsoft 365 auditing page

The Microsoft 365 auditing page contains a list of auditing templates that define the Microsoft 365 services and Exchange Online mailboxes to audit. Microsoft 365

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, see the Change Auditor User Guide for more information about how to gain access.

The following information is displayed for each template:

Template

Displays the name assigned to the auditing template when it was created. This name is the same as your tenant initial domain name.

Tenant Type

Displays whether the tenant is Commercial, GCC, or GCCHigh.

Status

Indicates whether the auditing template is enabled or disabled.

Administrative Events

Indicates whether Microsoft 365 Exchange Online administrative events are monitored.

Non-Owner Events

Indicates whether Microsoft 365 Exchange Online mailboxes are monitored for activities performed by users other than the mailbox owner.

SharePoint

Indicates whether SharePoint Online events are monitored.

OneDrive

Indicates whether OneDrive for Business events are monitored.

Overwrite Tenant Mailbox Auditing

Indicates whether the template auditing settings will overwrite the existing tenant auditing.

Create an Microsoft 365 auditing template

Previous Next

Create an Microsoft 365 auditing template

The following section describes the steps to create a template and the required web application so you can begin to audit the Microsoft 365 activity.

* 
NOTE:  
Microsoft 365 Exchange, SharePoint and OneDrive auditing templates created in the Windows client defaults to 7 days (168 hours) of historical event collection. Historical event collection includes only mailbox auditing types previously enabled.
Due to enhanced security measures, basic authentication is no longer supported for Microsoft 365 auditing; certificate authentication is now required.

If you choose to create the required web application when you create the template, you can select to generate a self-signed certificate (default) or use a valid certificate from your personal certificate store. This will result in a properly configured web application.

For a certificate to be valid, it must contain a private key that is marked as exportable, and must support client and server authentication.

If you choose to use an existing web application when you create a template, you will need to specify the application ID, application key, and a valid certificate. For required configuration, see Using an existing web application.
The ability to automatically create a new web application is not supported for GCC High tenants.
To create a template
1
Open the Administration Tasks page.
2
Click Auditing.
3
Select Micosoft 365 (under Applications).
4
Click Add to open the auditing wizard.
5
Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application:

a
Select the tenant type (Commercial or GCC).
b
Enter the Microsoft Entra Directory Name.
c
Select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing web application:

a
Select the tenant type (Commercial, GCC, or GCCHigh).
b
Enter the Microsoft Entra Directory Name, Application ID, Application key, and select a previously created Application Certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.
6
Select the Microsoft 365 services to audit.
7
Click Select agent to view available agents and whether they are assigned to an Microsoft 365 auditing template. The Microsoft 365 cell contains ‘None’ if an agent is not assigned to a template, or ‘Auditing’ if it is assigned to a template. From this list, select the agent to capture the events and click OK.
* 
NOTE:  
The agent must be upgraded to version 7.2 for certificate authentication support.
PowerShell 5.1 or later is required.
You cannot use an agent that is already assigned for Microsoft 365 auditing.
GCC and GCCHigh tenants are not supported on agents versions lower than version 7.5.
* 
IMPORTANT: See the Change Auditor Release Notes for ports that must be opened on the agent server.
8
If you have selected to audit Exchange Online, you now need to choose the activities to audit. Click Next. For mailbox activity, you have the option to set mailbox auditing settings or use the settings that have been configured in the Exchange Online tenant.
* 
NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated.

Available auditing events

Description

All administrative events

 

All changes made by administrators to the Microsoft 365 Exchange Online organization.

Set tenant mailbox auditing settings

NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant.

When you disable this option:
Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well.
Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled.
NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.

 

By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes.

NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template.
To add and remove individual mailboxes:
1
Click Select mailboxes.
2
To add a mailbox:
a
Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search.
b
Select the appropriate entry from the mailbox results and click Add.
3
To remove a mailbox
a
Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search.
b
Select the appropriate entry from the lower mailbox window and click Remove.

You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)

 

 

 

To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.

The "Owner Activity" audited on a configured mailbox include folder, message, and login events.

IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance.
To add or remove owner auditing on specific mailboxes:
1
Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search.
2
Locate the required mailbox to enable or disable to Include Owner Activity as required.

You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)

Use existing tenant mailbox settings

When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

9
Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Microsoft 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor. See Working with generic Microsoft 365 and Microsoft Entra events for more information.
10
Click Finish.
* 
NOTE:  
The template name will be automatically set to your tenant initial domain name.
When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.
11
Login to register Change Auditor in the tenant and ensure the required consent has been granted.
* 
NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
1
Select an account with the Global Administrator role.
2
Enter the required password, and select Sign in.
3
Review the required permissions for the Change Auditor Configuration Assistant on the consent page.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

To apply the consent for just the current signed-in user simply click Accept.

* 
NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.

Edit a Microsoft 365 auditing template

Previous Next

Edit a Microsoft 365 auditing template

This section describes the steps to add or remove an Microsoft 365 service to audit and update the mailboxes and type of Exchange Online events to monitor.

To select a new agent, you must create a new template or use the Set-CAO365Template command through PowerShell. (See the Change Auditor PowerShell Command Guide for details.)

* 
NOTE:  
Due to enhanced security measures, basic authentication is no longer supported for Microsoft 365 auditing; certificate authentication is now required.
If you select to use an existing web application, it must be updated or replaced to support certificate authentication. See Using an existing web application for details.
The ability to automatically create a new web application is not supported for GCC High tenants.
To edit a template
1
Open the Administration Tasks page.
2
Click Auditing.
3
Select Microsoft 365 (under Applications).
4
Select the template and click Edit to open the auditing wizard.
5
Under Authentication Configuration, select to Create a new web application or Use existing web application.

If you select to create a new web application, select Generate self-signed certificate or Select certificate to choose a previously created certificate from your personal store. By default, invalid certificates are filtered out from the list of available certificates.

If you select to use an existing web application, enter the Application ID, Application Key, and select a previously created Application Certificate. For required settings and permissions, see Using an existing web application and Microsoft documentation for details on integrating applications with Microsoft Entra ID, creating a web application, and adding a certificate to a web application.

6
Add and remove the services to audit as required. Choose between Exchange Online, SharePoint Online, and OneDrive for Business.
* 
NOTE: When you remove a service, the agent stops auditing its activity. If you later enable auditing, you cannot access events generated when auditing was disabled.
7
If you are auditing Exchange Online, click Next to update the events to audit.

Table 3. Available activities to audit

Available auditing events

Description

All administrative events

All changes made by administrators to the Exchange Online organization.

Set tenant mailbox auditing settings

NOTE: When you add and remove individual mailboxes for auditing or select to enable or disable owner auditing, the changes to the template are saved immediately. They are effective after the agent configuration is updated.
NOTE: When Change Auditor creates a template with default settings, it turns on mailbox non-owner activity auditing settings for every mailbox in your tenant.

When you disable this option:
Mailbox non-owner activity auditing settings for every mailbox in your tenant are disabled as well.
Only the mailboxes specifically added to the template through your selection are audited. This may affect other systems that rely on having auditing enabled.
NOTE: If you change the mailbox display name, email address, or UPN for a mailbox currently in a template, the auditing of the mailbox continues; however, the old mailbox settings display in the Change Auditor template. To see the new values, remove the mailbox and add it again.

 

By default, only activities performed by users other than the mailbox owner (non-owner activity) are audited. You can however, disable this option and audit only specific mailboxes.

NOTE: Before you can select to audit individual mailboxes or update the configuration to audit owner events, select Finish to create the template.
To add and remove individual mailboxes:
1
Click Select mailboxes.
2
To add a mailbox:
a
Enter the first letter or letters of the display name (not the mailbox name) in the top search field and click Search.
b
Select the appropriate entry from the mailbox results and click Add.
3
To remove a mailbox
a
Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search.
b
Select the appropriate entry from the lower mailbox window and click Remove.

You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)

 

 

 

To optionally add owner auditing on specific mailboxes, enable the Include Owner Activity option.

The "Owner Activity" audited on a configured mailbox include folder, message, and login events.

IMPORTANT: Quest recommends that you select owner auditing for critical mailboxes only. Owner auditing for many mailboxes produces many events that may affect performance.
To add or remove owner auditing on specific mailboxes:
1
Enter the first letter or letters of the display name (not the mailbox name) into the bottom search field and click Search.
2
Locate the required mailbox to enable or disable to Include Owner Activity as required.

You can refine your mailbox search by selecting Non-Owner Only, Owner, or All. (Owner includes mailboxes enabled for both owner and non-owner activity.)

Use existing tenant mailbox settings

When this is enabled, the template settings will have no effect on the mailbox auditing settings. The settings in the tenant will be used.

8
Click Close.
9
Click Next to optionally specify the generic events to exclude from auditing based on their operations. The operations are visible in the "Activity Name/Operation" column of the Microsoft 365 built-in searches. Generic events are dynamically created when associated activity is detected that does not have a corresponding event defined in Change Auditor.
10
Click Finish to apply the updates. When the agent’s configuration is updated, it may take some time (approximately 1 second per mailbox) for it to be applied and the auditing to start after a template is created or modified.
11
You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.
* 
NOTE: The Microsoft sign-in page opens automatically once you have selected all your template settings and clicked Finish.
To grant permission for all administrators to create a web application:
1
Select an account with the Global Administrator role.
2
Enter the required password, and select Sign in.
3
Review the required permissions for the Change Auditor Configuration Assistant on the consent page.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

To apply the consent for just the current signed-in user simply click Accept.

* 
NOTE: Consent is only required once per tenant. You may, however, be prompted to enter your log on credentials when creating a new web application.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating