Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Exchange event logging

Previous Next

Exchange event logging

In addition to real-time event auditing, you can enable event logging to capture Exchange events locally in a Windows event log. This event log can then be collected using InTrust to satisfy long-term storage requirements.

When event logging for Exchange is enabled in Change Auditor, the following types of Exchange events are sent to the InTrust for Exchange event log:
ActiveSync events
Exchange Mailbox events, including non-owner, owner, permission and protection events
* 
NOTE: Only configured Exchange Mailbox activities are sent to the event log.
Public folder events
Store mount events
System events
Exchange Administrative PowerShell events

See the Change Auditor for Exchange Event Reference Guide for a list of the events that can be sent to this event log.

To enable Exchange event logging:
1
Open the Administration Tasks tab.
2
Click Configuration.
3
Select Agent in the Configuration task list to display the Agent Configuration page.
4
Click Event Logging.
5
On the Event Logging dialog, select Exchange.
6
Click OK to save your selection and close the dialog.

Exchange events, including activities associated with the Exchange Mailboxes included on the Exchange Mailbox Auditing list, will then to be sent to the event log.

Exchange Mailbox Protection

Previous Next

Exchange Mailbox Protection
Exchange mailbox protection introduction
Exchange Mailbox Protection page
Exchange Mailbox Protection templates
Exchange Protection wizard

Exchange mailbox protection introduction

Previous Next

Exchange mailbox protection introduction

Using mailbox protection, you can prevent unwanted access on critical mailboxes through an Exchange Mailbox Protection template.

* 
NOTE:  
Protection is designed to protect a few high-value mailboxes.
Protection prevents unauthorized users from accessing a protected mailbox through Outlook clients, OWA; it does not prevent access using ActiveSync or permission changes on the mailbox through the Exchange Administration tools.
You can specify users and groups who can access protected mailboxes.
After monitoring has been enabled or changed, it may take several minutes to complete the configuration process necessary to enable protection on the agent. Protecting a large number of mailboxes slows down the configuration process.
Agent processing of Exchange auditing and protection configurations may slow down initial user logon access or cause timeouts if many user logins occur at the same time. To avoid this issue, Quest recommends that changes to mailbox auditing or protection configurations be performed during maintenance intervals or other periods of low user mailbox activity.

Before the system is returned to normal load, one user should log in to Outlook Web Access (OWA), and Outlook clients. This triggers the agent to process the Exchange Mailbox auditing and protection configuration changes when the fewest login are occurring.

 

Exchange Mailbox Protection page

Previous Next

Exchange Mailbox Protection page

The Exchange Mailbox Protection page displays when you select Exchange Mailbox from the Protection task list in the navigation pane of the Administration Tasks tab. From this page you can start the Exchange Mailbox Protection wizard to define the mailboxes to protect from unauthorized access. You can also edit existing templates, disable a template, and remove templates that are no longer being used.The Exchange Mailbox Protection page contains an expandable view of all previously defined Exchange Mailbox Protection templates. To add a template to this list, click Add. Once added, the following information is provided for each template:

* 
NOTE: Authorization to use the administration tasks on the Administrations Tasks tab is defined using the Application User Interface page under the Configuration task list. If you are denied access to the tasks on this page, refer to the Change Auditor User Guide for more information on how to gain access.
Template

Displays the name assigned to the template when it was created.

Status

Indicates whether the template is enabled or disabled. To enable/disable the template, place your cursor in this Status cell, click the arrow control and select the appropriate option from the drop-down menu.

Override Accounts

Indicates whether the override accounts listed are excluded from protection or included in protection. This setting corresponds to the option used at the top of the last page of the Exchange Protection wizard:
Excluded from Protection - indicates that you selected the Allow option to allow only the selected accounts to access the protected objects.
Included in Protection — indicates that you selected the Deny option to allow all accounts to access the protected objects EXCEPT for those selected.
Owner Override

Indicates whether the Mailbox owner can bypass protection check box was selected and mailbox owners are allowed to access their own mailboxes.

Mailboxes

This field is used for filtering data.

Override Account Filter

This field is used for filtering data.

 

Click the expansion box to the left of the Template name to expand this view and display the following details for each template:

Exchange Mailbox

Displays the canonical name of the Exchange Mailbox or directory object included in the protection template.

Status

Indicates whether the protection for the mailbox is enabled or disabled.

Name

If applicable, this column shows the display name assigned to the directory object.

Override Account

Displays any accounts that are allowed (or not allowed) to access the protected mailboxes, as specified on the last page of the wizard.

* 
NOTE: This field is not displayed when there are no override accounts specified in the Exchange Protection wizard.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating