Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Volume exclusion examples

Previous Next

Volume exclusion examples

Audit Path = Volume (<VolumeName>) exclusion examples

In the following examples, the volume name is Vol0 (Audit Path = Vol0); share names are HOME, SHARE2, and SHAREDDOCS.

* 
NOTE: Volume names are case sensitive and must be entered correctly in the Audit Path field on the auditing wizard.
* 
NOTE: When auditing an individual volume or all volumes, you must include the share name (or a file mask to represent the share) in the exclusion path.
* 
NOTE: If a file exclusion is added that does not include a slash (\), it will be automatically appended with "\*.*".
 

Table 5. Exclusion examples: Audit Path = Volume

What to exclude

Exclusion syntax/examples

Exclude activity against files/subfolders in a specific folder found in a specific location on the selected volume.

(Add | Folder)

Exclusion Syntax:
<ShareName>\<Path>\<FolderName>

Example: HOME\USERS\TEMP\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders whose name contains a specific string of characters found in a specific location on the selected volume.

(Add | Folder)

Exclusion Syntax:
<ShareName>\<Path>\<CharString>

Example: HOME\USERS\TE?????DOCS

Excludes:
Vol0\HOME\USERS\TESTINGDOCS
Vol0\HOME\USERS\TEMPORARYDOCS

Exclude activity against files/subfolders in all folders with the specified folder name which is located on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<FolderName>

Example: HOME\**\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders whose name starts with a specific string of characters which are located on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<CharString>*

Example: HOME\**\DOC*

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\DOCUMENTS

Exclude activity against files/subfolders in all folders with the specified folder name found in a specific path level on all shares on the selected volume.

(Add | Folder)

Exclusion Syntax: *\*\<FolderName>

Example 1: *\*\DOCS

Excludes:
Vol0\HOME\USERS\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\SHARE2\TEST\DOCS

Example 2: *\*\*\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARE2\PUBLIC\TEST\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name which may be located anywhere on the selected volume.

(Add | Folder)

Exclusion Syntax: **\<FolderName>

Example: **\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARE2\TEST\DOCS
Vol0\SHARE2\PUBLIC\TEST\DOCS

Exclude activity against files/subfolders in all shares and folders whose name contains a specific string of characters which may be located anywhere on the selected volume.

(Add | Folder)

Exclusion Syntax: **<CharString>*

Example: **DOC*

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\MYDOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\TEMPORARYDOCS
Vol0\SHARE2\TEST\DOCS
Vol0\SHARE2\PUBLIC\TEST\MYDOCS
Vol0\SHAREDDOC

Exclude activity against files whose name contains a specific string of characters which may be found anywhere on the selected volume.

(Add | File)

Exclusion Syntax: **\*<CharString>*

Example: **\*DOC*

Excludes:

Vol0\HOME\Document1.tmp

Vol0\HOME\FILES\Testing.doc

Vol0\HOME\USERS\TEMP\FILES\BetaDoc.pdf

Vol0\SHARE2\USERS\DECEMBER\Test1.docx

Vol0\SHARE2\PUBLIC\MARCH\OldDocPlan

Exclude activity against a specific file found in a specific location on the selected volume.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\<FileName.Ext>

Example:
SHARE2\USERS\DOCS\Test1.docx

Excludes:
Vol0\SHARE2\USERS\DOCS\Test1.docx

Exclude activity against files with a specific file name (regardless of the file extension) which may be located anywhere on the selected volume.

(Add | File)

Exclusion Syntax: **\<FileName>.*

Example: **\test1.*

Excludes:
Vol0\HOME\DEPTS\DOCS\test1.docx
Vol0\HOME\USERS\TEMP\DOCS\test1.docx
Vol0\HOME\USERS\DOCUMENTS\test1.pdf
Vol0\SHARE2\TEST\DOCS\test1.txt

Exclude activity against files with the specified file extension found in a specific location on the selected volume.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\*.<Ext>

Example: SHARE2\TEST\DOCS\*.docx

Excludes:
Vol0\SHARE2\TEST\DOCS\Test1.docx
Vol0\SHARE2\TEST\DOCS\MyInfo.docx

Exclude activity against files with the specified file extension which may be located anywhere on the selected volume.

(Add | File)

Exclusion Syntax: **\*.<Ext>

Example: **\*.pdf

Excludes:
Vol0\HOME\MYDOCS\Final.pdf
Vol0\HOME\DEPTS\DOCS\Test123.pdf
Vol0\HOME\USERS\DOCUMENTS\Test1.pdf
Vol0\SHARE2\TEST\DOCS\Current.pdf
Vol0\SHARE2\PUBLIC\TEST\MYDOCS\Ex.pdf

All volume exclusion examples

Previous Next

All volume exclusion examples

Audit Path = All Volumes exclusion examples

In the following examples, Vol0 contains three shares: HOME, SHARE2 and SHAREDDOCS; and Vol1 contains one share: SHAREDAPPS.

* 
NOTE: When using All Volumes, you cannot exclude an individual volume. You must use a share name, which is unique to a volume. That is, you cannot have two shares with the name of HOME (either on the same volume or different volumes).
* 
NOTE: When auditing an individual volume or all volumes, you must include the share name (or a file mask to represent the share) in the exclusion path.

 

Table 6. Exclusion examples: Audit Path = All Volumes

What to exclude

Exclusion syntax/examples

Exclude activity against files/subfolders in a specific folder found in a specific location on all volumes.

(Add | Folder)

Exclusion Syntax: *\<Path>\<FolderName>

Example: *\USERS\TEMP\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARED2\USERS\TEMP\DOCS
Vol1\SHAREDAPPS\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name found on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<FolderName>

Example: HOME\**\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders whose name starts with a specific string of characters found on a specific share.

(Add | Folder)

Exclusion Syntax:
<ShareName>\**\<CharString>*

Example: HOME\**\DOC*

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\DOCUMENTS

Exclude activity against files/subfolders in all folders with the specified folder name found anywhere on all volumes.

(Add | Folder)

Exclusion Syntax: **\<FolderName>

Example: **\DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\DEPTS\DOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARE2\TEST\DOCS
Vol1\SHAREDAPPS\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name found at a specific level on all volumes.

(Add | Folder)

Exclusion Syntax: *\*\<FolderName>

Example 1: *\*\DOCS

Excludes:
Vol0\HOME\DEPTS\DOCS
Vol0\SHARE2\TEST\DOCS
Vol1\SHAREDAPPS\INSTALL\DOCS

Example 2: *\*\*\DOCS

Excludes:
Vol0\HOME\USERS\TEMP\DOCS
Vol0\SHARED2\PUBLIC\TEST\DOCS
Vol1\SHAREDAPPS\PROCS\INTRO\DOCS

Exclude activity against files/subfolders in all shares and folders whose name ends with a specific string of characters that may be located anywhere on all volumes.

(Add | Folder)

Exclusion Syntax: **<CharString>

Example: **DOCS

Excludes:
Vol0\HOME\DOCS
Vol0\HOME\MYDOCS
Vol0\HOME\USERS\TEMP\DOCS
Vol0\HOME\USERS\TEMPORARYDOCS
Vol0\HOME\USERS\TEMP\TESTINGDOCS
Vol0\SHARE2\TEST\DOCS
Vol0\SHARE2\PUBLIC\TEST\DOCS
Vol0\SHAREDDOCS
Vol1\SHAREDAPPS\INSTALL\DOCS
Vol1\SHAREDAPPS\PROCS\INTRO\DOCS

Exclude a specific file found in a specific location on the specified share.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\<FileName.Ext>

Entering:
SHARE2\USERS\DOCS\Test1.docx

Excludes:
Vol0\SHARE2\USERS\DOCS\Test1.docx

Exclude activity against all files with the specified file extension found in a specific location on the specified share.

(Add | File)

Exclusion Syntax:
<ShareName>\<Path>\*.<Ext>

Entering: SHARE2\TEST\DOCS\*.docx

Excludes:
Vol0\SHARE2\TEST\DOCS\Test1.docx
Vol0\SHARE2\TEST\DOCS\123testing.docx

Exclude activity against all files with the specified file extension found anywhere on all volumes.

(Add | File)

Exclusion Syntax: **\*.<Ext>

Example: **\*.pdf

Excludes:
Vol0\HOME\DEPTS\DOCS\Test123.pdf
Vol0\SHARE2\TEST\DOCS\Current.pdf
Vol1\SHAREDAPPS\WhatsNew.pdf

Exclude a specific file (regardless of the file extension) found anywhere on the all volumes.

(Add | File)

Exclusion Syntax: **\<FileName>.*

Entering: **\test1.*

Excludes:
Vol0\HOME\DEPTS\DOCS\test1.docx
Vol0\HOME\USERS\TEMP\DOCS\test1.docx
Vol0\HOME\USERS\DOCUMENTS\test1.pdf
Vol0\SHARE2\USERS\DOCS\test1.txt
Vol1\SHAREDAPPS\test1.xlsx

Change Auditor for SharePoint

Previous Next

Change Auditor for SharePoint

The Change Auditor for SharePoint book contains information on installing and configuring Change Auditor for SharePoint. It also contains information about the additional features that are available when a valid Change Auditor for SharePoint license has been applied. It contains the following topics:
Change Auditor for SharePoint Overview: This section provides an overview of Change Auditor for SharePoint including a system overview, deployment requirements and a list of the additional features that are available with a valid Change Auditor for SharePoint license.
Installation and Configuration: This section provides instructions for installing and configuring Change Auditor for SharePoint.
Getting Started: This section provides a high-level view of the tasks to get you started using Change Auditor for SharePoint.
SharePoint Auditing: This section provides a description of the SharePoint Auditing page (on the Administration Tasks tab) and explains how to specify the SharePoint farm and path(s) to be audited.
SharePoint Searches and Reports: This section provides instructions for creating a custom SharePoint search using the What tab.
Manually Add and Deploy the Change Auditor SharePoint Solution: This section provides an alternate method of adding and deploying the Change Auditor SharePoint Solution, which is required as part of the installation process.
SharePoint Event Requirements: This section lists the SharePoint events that require additional SharePoint settings to be enabled in order for Change Auditor for SharePoint to capture the event.
Upgrade Change Auditor for SharePoint: This section provides instructions for upgrading from a previous version of Change Auditor for SharePoint.

 

Change Auditor for SharePoint Overview

Previous Next

Change Auditor for SharePoint Overview
Introduction
System overview
Deployment requirements
Client components and features
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating