Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Introduction

Previous Next

Introduction

You can search, report and alert on SharePoint activity, such as changes to SharePoint configurations, security, and documents. Using the search capabilities of Change Auditor, you can retrieve SharePoint events for multiple site collections and farms or for an individual SharePoint farm, site, path, or object.

 

Create custom SharePoint searches

Previous Next

Create custom SharePoint searches

The following scenarios explain how to use the What tab to create custom SharePoint searches.

* 
NOTE: You can use the other Search Properties tabs to define extra criteria:
Who - allows you to search for events generated by a specific user, computer or group
Where - allows you to search for events captured by a specific agent or within a specific domain or site
When - allows you to search for events that occurred within a specific date/time range

The Origin is not available for SharePoint events.

* 
NOTE: Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search which can be run and viewed by all users.
To search all SharePoint paths:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | SharePoint.
6
On the Add SharePoint Path dialog, select All SharePoint Paths.
7
Click OK to save your selection and close the dialog.
8
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
9
When this search runs, Change Auditor searches for the SharePoint events based on the search criteria specified on the What tab and display the results in a new search results page.
To search for changes to a SharePoint farm:
* 
NOTE: This procedure also applies to searching for changes to the other SharePoint objects (such as web applications, sites, lists, and so on.).
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | SharePoint.
6
On the Add SharePoint Path dialog, select This Object.
7
Selecting This Object enables the selection controls on this dialog, which includes a hierarchical display (left pane) and a wildcard expression pane (right pane).

The hierarchical pane displays your SharePoint farms, including the web applications, sites and lists discovered on each farm. Using this pane, you can search for events against an individual object.

The wildcard expression pane is populated as you select objects in the hierarchical pane. Using this pane, you can expand your search for events against all objects that match a specific wildcard expression.

Using this pane, select the SharePoint farm to include in the search.
To search an individual SharePoint farm, select the farm to search in the hierarchical pane on the left.
To search SharePoint farms using a wildcard expression, select the check box next to the Farm Name in the right pane. Select the operator (Like or Not Like) and enter the string of characters to use to find SharePoint farms.
8
Once you have selected the SharePoint farm to include in the search definition, click Add to add it to the Selection list at the bottom of the dialog.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all SharePoint farms EXCEPT those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a SharePoint object every time the search is run.
9
Click OK to save your selection and close the dialog.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
11
When this search runs, Change Auditor searches for the SharePoint events based on the search criteria specified on the What tab and display the results in a new search results page.
To locate SharePoint events based on a wildcard expression:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add and select Subsystem | SharePoint.
6
On the Add SharePoint Path dialog, select This Object.
7
Use the right pane to specify the wildcard expression to be used to search for SharePoint events.
Select the SharePoint components to include in your search: Farm Name, Web Name, List Name, Item Name and/or Item URL.
For each SharePoint component selected, select the comparison operator to use: Like or Not Like
For each SharePoint component selected, enter the pattern (character string and * wildcard character) to use to search for a match.
* 
NOTE: When multiple wildcard expressions are specified (such as when multiple check boxes are selected), they are ‘ANDed’ together and all of the expressions must be met to be considered a match.

For example, to search all web application sites that begin with ‘Admin’ for documents that contain ‘procedure’ in their name:
Select (check) Web Name and specify: Like Admin*
Select (check) Item Name and specify: Like *procedure*
* 
NOTE: You can also select objects in the hierarchical pane to pre-populate the fields in the wildcard expression pane. When you use this approach to pre-populate the fields, the check boxes associated with the objects do not need to be checked in order to include them in your wildcard expression. However, in order to convert or add a specific expression, you must select the corresponding check box in order to select the comparison operator and pattern to be matched.

For example, to search for all documents that begin with ‘Sales’ in a SharePoint farm:
From the hierarchical pane, select/highlight the SharePoint farm to be searched (this will pre-populate the Farm Name field in the wildcard expression pane)
From the wildcard expression pane, select Item Name check box and specify: Like Sales*
8
After entering the wildcard expressions to use, click Add to add it to the Selection list at the bottom of the dialog.
* 
NOTE: Select the Exclude the Above Selection(s) check box if you want to search for changes to all SharePoint sites EXCEPT those listed in the ‘what’ list.
* 
NOTE: Select the Runtime Prompt check box on this dialog to prompt for a SharePoint path every time the search is run.
9
Click OK to save your selection and close the dialog.
10
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
11
When this search runs, Change Auditor searches for the SharePoint events based on the search criteria specified on the What tab and display the results in a new search results page.
To search for SharePoint paths that already have an event in the database:
1
Open the Searches page.
2
In the explorer view (left pane), expand and select the folder where you want to save your search.
3
Click New to enable the Search Properties tabs across the bottom of the Searches page.
4
On the Info tab, enter a name and description for the search.
5
Open the What tab, expand Add with Events and select Subsystem | SharePoint.
6
On the Add SharePoint Paths dialog, select a path from the list and click Add to add it to the selection list at the bottom of the page.
7
Click OK to save your selection and close the dialog.
8
Once you have defined the search criteria, you can either save the search definition or run the search.
To save the search definition without running it, click Save.
To save and run the search, click Run.
9
When this search runs, Change Auditor searches for the SharePoint events based on the search criteria specified on the What tab and display the results in a new search results page.

 

Manually Add and Deploy the Change Auditor SharePoint Solution

Previous Next

Manually Add and Deploy the Change Auditor SharePoint Solution

The procedure provided in this section explains how to manually add the Change Auditor SharePoint Solution to the SharePoint Solution Store and deploy the solution to web applications.

* 
NOTE: If you have already run the SharePoint Solution Manager utility as described in Add and deploy Change Auditor SharePoint Solution, there is no need to manually add and deploy the solution.
To add and deploy the Change Auditor SharePoint Solution:
1
On the server that is running Microsoft SharePoint 2016/2019 Products, open a SharePoint PowerShell management shell (Start | All Programs | Microsoft SharePoint 2016/2019 Products | SharePoint 2016/2019 Management Shell).
2
At the command prompt, enter the following command:

Add-SPSolution -LiteralPath "C:\Program Files\Quest\ChangeAuditor\Agent\Plug-in for SharePoint\SharePoint.Auditing.Monitor.wsp"

Running this command adds the Change Auditor SharePoint Solution to the farm’s solution store.

You need to now deploy the solution.

3
Open the SharePoint Central Administration web site (Start | All Programs | Microsoft SharePoint 2016/2019 Products | SharePoint 2016/2019 Administration).
4
On the Central Administration Home page, select System Settings.
5
On the System Settings page, under Farm Management, click Manage farm solutions.
 
6
On the Solution Management page, locate and click SharePoint.Auditing.Monitor.wsp.
7
On the Solution Properties page, click Deploy Solution.
8
On the Deploy Solution page, select the appropriate options as described below:
Deploy When - select one of the following options: Now or At a specified time
Deploy To - select to deploy globally to all web applications or to an individual web application if you have specified a web application in the PowerShell cmdlet when you added the solution to the solution store

Click OK to save your selections and close the Deploy Solution page.

9
Once successfully deployed, the Status column for the Change Auditor SharePoint Solution displays Deployed as shown below.
10
Once the solution is deployed, restart the agent to enable auditing of SharePoint events.

 

SharePoint Event Requirements

Previous Next

SharePoint Event Requirements

The following table lists the SharePoint events that require additional SharePoint settings enabled for

 

Table 2. SharePoint event requirements

Event

System Provided Auditing

Versioning

All document versions deleted

X

X

All list item versions deleted

X

X

All permission levels revoked

X

 

Document library restored from recycle bin

X

 

Document restored from recycle bin

X

 

Document version deleted

X

X

Document viewed

X

 

Folder restored from recycle bin

X

 

List item restored from recycle bin

X

 

List item version deleted

X

X

List restored from recycle bin

X

 

Member added to security group

X

 

Member removed from security group

X

 

Permission inheritance broken

X

 

Permission inheritance restored

X

 

Permission level created

X

 

Permission level deleted

X

 

Permission level granted

X

 

Permission level inheritance broken

X

 

Permission level permissions modified

X

 

Permission level revoked

X

 

Security group created

X

 

Security group deleted

X

 

Site collection ownership granted

X

 

Site collection ownership revoked

X

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating