Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Exchange Mailbox Protection templates

Previous Next

Exchange Mailbox Protection templates

* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the templates that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the client, see the Change Auditor User Guide.

To enable protection, you must first create one or more Exchange Mailbox Protection templates which specify whose mailboxes to lock down. Once Exchange Mailbox Protection templates are defined, they will apply to all Exchange servers that host a Change Auditor agent.

* 
NOTE: If you are planning to use multiple Exchange Mailbox Protection templates, see the Change Auditor Technical Insight Guide for information on how multiple protection templates are evaluated.
* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.
To create a protection template:
1
Open the Administration Tasks tab.
2
Click Protection.
3
Select Exchange Mailbox in the Protection task list to open the Exchange Mailbox Protection page.
4
Click Add to start the Exchange Protection wizard which steps you through the process of defining the mailboxes to protect.
5
Use the Browse and Search pages to locate and select a directory object (i.e., User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain) and click Add to add the selected object to the Selected Object list. Repeat this step to add additional directory objects to the template.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

6
On the next page of the wizard, use the Browse or Search page to optionally select user or group accounts which will be allowed to access the protected objects selected on the previous page.

If required, use the Forest drop-down box to select in which forest the objects reside. (Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.)

Click Add to add the selected user or group to the Account list.

* 
NOTE: The Allow option is selected by default indicating that the selected users or groups are allowed to access the protected objects. However, you can select the Deny option to select individual users or groups that are not allowed to access the protected objects. When using the Deny option, you are allowing all users and groups to access the protected objects except for those selected on this page.

To allow mailbox owners to bypass protection and be able to access their own mailboxes, select the Mailbox owner can bypass protection check box at the top of this page.

7
Click Finish to create the template, close the wizard, and return to the Exchange Mailbox Protection page, where the newly created template is listed.
To modify a template:
1
On the Exchange Mailbox Protection page, select the template to modify and click Edit.

This displays the Exchange Mailbox Protection wizard, where you can modify the directory objects whose mailboxes to protect.

2
Click Finish.
To disable a template:

The disable feature allows you to temporarily stop protecting the specified mailboxes without having to remove the protection template or individual mailbox from an active template.

1
On the Exchange Mailbox Protection page, place your cursor in the Status cell for the template to be disabled, click the arrow control and select Disabled

The entry in the Status column for the template will change to ‘Disabled’.

2
To re-enable the protection template, use the Enable option in either the Status cell or right-click menu.
To disable the protection of a mailbox:
1
On the Exchange Mailbox Protection page, place your cursor in the Status cell for the mailbox whose protection is to be disabled, click the arrow control and select Disabled

The entry in the Status column for the selected mailbox will change to ‘Disabled’.

2
To re-enable protection for the mailbox, use the Enable option in either the Status cell or right-click menu.
To delete a template:
1
On the Exchange Mailbox Protection page, select the template and click Delete | Delete Template.
2
A dialog is displayed confirming that you want to delete the selected template. Click Yes.
To delete an individual mailbox from a template:
1
On the Exchange Mailbox Protection page, select the mailbox and click Delete | Delete Exchange Mailbox.
2
A dialog is displayed confirming that you want to delete the selected mailbox from the template. Click Yes.
* 
NOTE: If the mailbox is the last one in the template, deleting this mailbox will also delete the template.

Exchange Protection wizard

Previous Next

Exchange Protection wizard

The Exchange Protection wizard displays when you click Add on the Exchange Mailbox Protection page. This wizard steps you through the process of defining the mailbox to protect from unauthorized access.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

The following table provides a description of the fields and controls in the Exchange Protection wizard:

* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.

Table 3. Exchange Protection wizard

Create or modify an Exchange Mailbox Protection Template page:

Use this page to enter a name for the template and select one or more Exchange mailboxes to be protected.

Template Name

Enter a descriptive name for the template being created.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the directory objects whose mailbox is to be protected from unauthorized access.

Once you have selected a directory object, click Add to add it to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the directory objects whose mailbox is to be protected.

Once you have selected a directory object, click Add to add it to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

 

Exchange Mailbox list

The Exchange mailboxes selected for protection are displayed in the list box at the bottom of the page. Use the buttons located above this list box to add and remove mailboxes.
Add - Select a directory object in the Browse or Search page and then click Add.
Remove - Select an entry in the Exchange Mailbox list and then click Remove.
Enterprise - Click Enterprise to protect all mailboxes in the Enterprise from unauthorized access.

(Optional) Select Accounts Allowed (not Allowed) to Access Protected Objects page

Use this page to optionally select user or group accounts that are allowed (not allowed) to access the selected protected mailboxes.

Allow

The Allow option is selected by default indicating that the users and group selected on this page will be the only accounts allowed to access the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option to allow all users and groups to access the protected objects except for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

Mailbox owner can bypass protection

Select this check box to allow mailbox owners to bypass protection and access their own mailboxes even though they are not explicitly added to the Override Account list.

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to access the protected mailboxes.

Once you have selected an account, click Add to add it to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be allowed (not allowed) to access the protected mailboxes.

Once you have selected an account, click Add to add it to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Account list

The list box at the bottom of this page contains the user and group accounts selected above. Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page and then click Add.
Remove - Select an entry in the Override Account list and then click Remove.
 

Managing Shared Mailboxes

Previous Next

Managing Shared Mailboxes

Change Auditor for Exchange generates shared mailbox events for shared mailbox, room and equipment resources, and for any other mailboxes identified as shared. Shared mailbox events are generated only when both of the following conditions exist:
The affected mailbox is selected for auditing (i.e., added to the Exchange Mailbox Auditing list on the Administration Tasks tab).
The mailbox is either located in an Exchange mailbox store or has been marked as a shared mailbox by the user.
* 
NOTE: As with individual mailboxes, if the shared mailbox is not added to the Exchange Mailbox Auditing list, the mailbox is not being audited and no events are generated.

If the mailbox is not a shared mailbox, room or equipment resource in an Exchange mailbox store and it has not been manually marked as a shared mailbox by the user, then normal mailbox owner or non-owner events will be generated for the affected mailboxes.

Many of the shared mailbox events are disabled by default. In order to generate these events, they must first be enabled using the Audit Events page on the Administration Tasks tab.

Use the Exchange Mailbox Auditing page on the Administration Tasks tab to ensure shared mailboxes are set up correctly for auditing. From this page, you can:
View a list of shared mailboxes that have been automatically detected in the network. By default, this list is filtered to display only the shared mailboxes selected for auditing.
Mark normal mailboxes as ‘shared’ by manually adding them to the shared mailbox list.
To view list of shared mailboxes in the auditing list:

Automatic shared mailbox detection locates shared mail, equipment and room mailboxes in the network.

1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select Exchange Mailboxes under the Applications heading in the Auditing task list.
4
At the top of the Exchange Mailbox Auditing page, click Shared Mailboxes.
5
If not already displayed, open the Auto Detected page.

The Auto Detected page displays a read-only list of the shared mailboxes detected in the network.

The Filter Shared Mailboxes Based on Exchange Auditing Scope check box is selected by default and only shared mailboxes that are selected for auditing are displayed. To display all shared mailboxes detected in the network, clear this check box.

6
Click Close to return to the Exchange Mailbox Auditing page.
* 
NOTE: If you have not yet added the shared mailboxes to the Exchange Mailbox Auditing list, click Add on the Exchange Mailbox Auditing page to locate and add the mailboxes to audit.
To add mailboxes to shared mailbox list:

Any mailbox can be marked as a shared mailbox by manually adding it to the shared mailbox list.

1
Open the Administration Tasks tab.
2
Click Auditing.
3
Select Exchange Mailboxes under the Applications heading in the Auditing task list.
4
At the top of the Exchange Mailbox Auditing page, click Shared Mailboxes.
5
Open the User Defined page on the Shared Mailboxes dialog.
6
Click Add.
7
On the Exchange Shared Mailboxes dialog, use the Browse and Search pages to locate and select a directory object (such as User, Group, Container, DomainDNS, OrganizationalUnit, or BuiltinDomain) and click Add to add the selected object to the Selected Object list.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Repeat this step to add additional directory objects to the Exchange Shared Mailbox list.

8
Click Finish to return to the Shared Mailboxes dialog, where your selections will now be listed on the User Defined page of this dialog.
9
The default scope of coverage is displayed in the Scope cell. You can change this by placing your cursor in the Scope cell, clicking the arrow control and selecting the appropriate option from the list:
Object - to audit an individual object
One Level - to audit an object and its direct child objects
Subtree - to audit an object all of its subordinate objects (all levels)
10
The Status field on this page indicates the type of events that are to be generated for the mailbox:
Enabled (default) - shared mailbox events are to be generated for the mailbox
Disabled - owner or non-owner events are to be generated for the mailbox

To change this setting, place your cursor in the Status cell, click the arrow control and select the appropriate option from the list.

11
Click Close to save your selections, close the dialog, and return to the Exchange Mailbox Auditing page.
* 
NOTE: If you have not yet added the ‘marked’ mailboxes to the Exchange Mailbox Auditing list, click Add on the Exchange Mailbox Auditing page to locate and add the mailboxes to audit.

Shared Mailbox events

Previous Next

Shared Mailbox events

The Exchange Mailbox Monitoring events that can be generated for shared mailboxes include:
Appointment Copied in Shared Mailbox*
Appointment Created in Shared Mailbox*
Appointment Deleted in Shared Mailbox*
Appointment Modified in Shared Mailbox*
Appointment Moved in Shared Mailbox*
Appointment Permanently Deleted in Shared Mailbox*
Appointment Read in Shared Mailbox*
Contact Copied in Shared Mailbox*
Contact Created in Shared Mailbox*
Contact Deleted in Shared Mailbox*
Contact Modified in Shared Mailbox*
Contact Moved in Shared Mailbox*
Contact Permanently Deleted in Shared Mailbox*
Contact Read in Shared Mailbox*
Folder Copied in Shared Mailbox
Folder Created in Shared Mailbox
Folder Deleted in Shared Mailbox
Folder Moved in Shared Mailbox
Folder Permanently Deleted in Shared Mailbox
Folder Renamed in Shared Mailbox
Message Copied in Shared Mailbox*
Message Created in Shared Mailbox*
Message Deleted in Shared Mailbox*
Message Marked Unread in Shared Mailbox*
Message Modified in Shared Mailbox*
Message Moved in Shared Mailbox*
Message Permanently Deleted in Shared Mailbox*
Message Read in Shared Mailbox*
Object Copied in Shared Mailbox*
Object Created in Shared Mailbox*
Object Deleted in Shared Mailbox*
Object Marked Unread in Shared Mailbox*
Object Modified in Shared Mailbox*
Object Moved in Shared Mailbox*
Object Permanently Deleted in Shared Mailbox*
Object Read in Shared Mailbox*
Shared Mailbox Folder Permissions Changed
Shared Mailbox Opened*
Task Copied in Shared Mailbox*
Task Created in Shared Mailbox*
Task Deleted in Shared Mailbox*
Task Modified in Shared Mailbox*
Task Moved in Shared Mailbox*
Task Permanently Deleted in Shared Mailbox*
Task Read in Shared Mailbox*
* 
NOTE: The events marked with an asterisk (*) are disabled by default. In order to generate any of these events, you must first enable them using the Audit Events page on the Administration Tasks tab.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating