
Change Auditor 7.5 - User Guide


Gathering Change Auditor system information

You can gather Change Auditor system information to help you to manage your installation components.

Get-CACoordinator

Use this command to retrieve status information that is specific to the connected coordinator (as opposed to installation-wide information): coordinator name, status, deployment name, version, connected agents, connected legacy agents, connected clients, client port, total events, and buffered events. These values can differ from one coordinator to another.

Example: Gather coordinator information for a specified connection

Get-CACoordinator $connection

Example: Gather coordinator information for a specified connection, when using certificate authentication

$creds = Get-Credential

$connection = Connect-CAClient -Credential $creds

Get-CACoordinator -Connection $connection

Get-CACoordinators

Use this command to gather information about all the coordinators in a Change Auditor installation.

Example: Gather coordinator information for all coordinators for a specified connection

Get-CACoordinators -Connection $connection

Example: Gather coordinator information for all coordinators for a specified connection, when using certificate authentication

$creds = Get-Credential

$connection = Connect-CAClient -Credential $creds

Get-CACoordinators -Connection $connection

Get-CAInstallation

Use this command to retrieve installation-wide status information (as opposed to coordinator-specific information), including the installation name, the database server, the database name, and the database size.

Example: Gather installation information for a specified connection

Get-CAInstallation -Connection $connection

Get-CAAgents

Use this command to view information on all available (and optionally uninstalled) agents.

Table 13. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-IncludeUninstalled (Optional)

Adds uninstalled agents to the list of agents returned from this command.

Example: View all available and uninstalled agents within a specific installation

Get-CAAgents -Connection $connection -IncludeUninstalled

Deploying Change Auditor agents

The following commands are available to manage your agent deployments.

Install-CAAgent

Use this command to install an agent.

Table 14. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-MachineName

The fully qualified name of a target computer.

-Credential

Credentials used to access the target computer.

-OperationTime (Optional)

Specifies when to perform this operation.

Example: Install an agent

Install-CAAgent -Connection $connection -MachineName "ComputerName.DomainName.com" -Credential $credential -OperationTime "01/01/2020 12:00:00"

Ping-CAAgent

Use this command to verify that the coordinator and the agent can communicate over the WCF framework.

Table 15. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-AgentInfo

The PSCAAgentInfo retrieved from the Get-CAAgents command.

Example: Test the communication between an agent and coordinator

Ping-CAAgent -Connection $connection -AgentInfo $agentinfo
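As an added example that is not part of the Quest guide, the following script combines Get-CAAgents (from the previous section) with Ping-CAAgent to report every agent the coordinator cannot reach over WCF. It assumes the Change Auditor PowerShell module is already loaded, that the installation is named DEFAULT as in the other examples on this page, that PSCAAgentInfo exposes an AgentName property (confirm with Get-Member), and that Ping-CAAgent signals failure either by throwing or by returning $false.

```powershell
# Added example, not part of the Quest Change Auditor guide.
# Sweep all known agents (including uninstalled records) and flag the ones the
# coordinator cannot reach over WCF, so silent auditing gaps show up in a report.

$connection = Connect-CAClient -InstallationName 'DEFAULT'   # installation name as used on this page

# -IncludeUninstalled surfaces stale records: a host that still runs an agent but is
# marked uninstalled (or the reverse) is itself a finding worth reviewing.
$agents = Get-CAAgents -Connection $connection -IncludeUninstalled

$report = foreach ($agent in $agents) {
    # ASSUMPTION: PSCAAgentInfo has an AgentName property; confirm with
    #   Get-CAAgents -Connection $connection | Get-Member
    $name   = $agent.AgentName
    $status = 'Reachable'
    $detail = ''
    try {
        # ASSUMPTION: Ping-CAAgent either throws on failure or returns a boolean.
        $result = Ping-CAAgent -Connection $connection -AgentInfo $agent -ErrorAction Stop
        if ($result -is [bool] -and -not $result) { $status = 'Unreachable' }
    }
    catch {
        $status = 'Unreachable'
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Agent = $name; Status = $status; Detail = $detail }
}

$unreachable = @($report | Where-Object Status -eq 'Unreachable')
Write-Host ("{0} agents checked, {1} unreachable" -f @($report).Count, $unreachable.Count)
$unreachable | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or pipeline step can alert on the result.
if ($unreachable.Count -gt 0) { exit 1 }
```

Run it from a scheduled task after change windows: an agent that stops answering pings while its host is still up is the point at which audit coverage is lost, and the exit code lets the scheduler raise that as an alert rather than burying it in a log.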

Uninstall-CAAgent

Use this command to uninstall an agent.

Table 16. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-MachineName

The fully qualified name of the target computer.

-Credential

Credentials used to access the target computer.

-OperationTime (Optional)

Specifies when to perform this operation.

Example: Uninstall an agent

Uninstall-CAAgent -Connection $connection -MachineName "ComputerName.DomainName.com" -Credential $credential -OperationTime "01/01/2020 12:00:00"

Update-CAAgent

Use this command to upgrade an agent.

Table 17. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Agent

Agents obtained from a previous call to Get-CAAgents.

-Credential

Credentials used to access the target computer.

-OperationTime (Optional)

Specifies when to perform this operation.

Example: Upgrade an agent

Update-CAAgent -Connection $connection -Agent $agent -Credential $credential

Update-CAAgentConfigurations

Use this command to push the current agent configuration to the specified agents, so that each agent runs the most up-to-date configuration.

Table 18. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Agents

Agents obtained from a previous call to Get-CAAgents.

Example: Update an agent configuration

Update-CAAgentConfigurations -Connection $connection -Agents $agent

Set-CAAgentConfiguration

Use this command to assign an auditing configuration to an agent.

Table 19. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Agents

Agents obtained from a previous call to Get-CAAgents.

-Configuration

The configuration obtained by a previous call to Get-CAConfigurations.

Example: Assign a configuration to an agent

Set-CAAgentConfiguration -Connection $connection -Agents $agent -Configuration $configuration

Get-CAAgentSubsystems

Use this command to see the list of subsystems included in an agent's configuration.

Table 20. Available parameters

Parameter

Description

-AgentInfo

The PSCAAgentInfo retrieved from the Get-CAAgents command.

Example: See a list of all subsystems included in an agent's configuration

Get-CAAgentSubsystems -AgentInfo $agentinfo

Enable-CAAgentTemplate

Use this command to enable a template.

Table 21. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to modify.

-Credential (Optional)

Credentials associated with the target agent and template. These vary depending on the type of template.

Example: Enable a template

Enable-CAAgentTemplate -Connection $connection -Template $template

Disable-CAAgentTemplate

Use this command to disable a template.

Table 22. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to modify.

-Credential (Optional)

Credentials associated with the target agent and template. These vary depending on the type of template.

Example: Disable a template

Disable-CAAgentTemplate -Connection $connection -Template $template

Remove-CAAgentTemplate

Use this command to remove a template.


Table 23. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The template to remove.

-Credential (Optional)

Credentials associated with the target agent and template. These vary depending on the type of template.

Example: Remove a template

Remove-CAAgentTemplate -Connection $connection -Template $template -Credential $credential

New-CAConfiguration

Use this command to create an agent configuration.

Table 24. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-ConfigurationName

The name of the agent configuration to create.

Example: Create an agent configuration

New-CAConfiguration -Connection $connection -ConfigurationName $configurationName

Get-CAConfigurations

Use this command to get a list of all agent configurations for a deployment.

Table 25. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: See a list of all agent configurations

Get-CAConfigurations -Connection $connection

Set-CAConfiguration

Use this command to change the port on which the agent listens for coordinator communication, and to configure a proxy server for the agents in a configuration.

Table 26. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Configuration

The configuration on which to set the port.

-Port

The port the agent starts its service on for coordinator and agent communication.

-ProxyServer

The fully qualified domain name, down-level name, or IPv4 address of the proxy server.

-ProxyPort

The port on which to communicate with the proxy server. (Default is 8080).

-ProxyCredential

The credentials used to authenticate with the proxy server.

-ClearProxyCredential

Specify this parameter to clear the credentials for the proxy server authentication.

Example: Update the port used to communicate with the agent

Set-CAConfiguration -Connection $connection -Configuration $configurationObject -Port $port

Example: Update the configuration to allow for cloud-based auditing

Set-CAConfiguration -Connection $connection -Configuration $config -ProxyServer "ServerName" -ProxyPort 8080

Remove-CAConfiguration

Use this command to remove an existing agent configuration.

Table 27. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Configuration

The name of the configuration to remove.

Example: Remove an agent configuration

Remove-CAConfiguration -Connection $connection -Configuration $configuration

Managing auditing templates

Add-CATemplateToConfiguration

Use this command to assign an auditing template to a Change Auditor configuration.

Table 28. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Configuration

The configuration to which to add a template. Use Get-CAConfigurations to obtain the configuration object.

-Templates

The templates to apply to the configuration. Use Get-CAConfigurationTemplates to obtain the templates.

Example: Assign a template to a configuration

Add-CATemplateToConfiguration -Connection $connection -Configuration $configuration -Templates $templates

Get-CAConfigurationTemplates

Use this command to get a list of all templates in the installation.

Table 29. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Get a list of all templates in the installation

Get-CAConfigurationTemplates -Connection $connection

Get-CATemplatesInConfiguration

Use this command to get a list of the templates that are assigned to a configuration.

Table 30. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Configuration

Use Get-CAConfigurations to obtain the configuration object.

Example: Get a list of all templates assigned to a configuration

Get-CATemplatesInConfiguration -Connection $connection -Configuration $configuration


Remove-CATemplatesFromConfiguration

Use this command to remove templates from a configuration.

Table 31. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Configuration

The configuration from which to remove a template. Use Get-CAConfigurations to obtain the configuration object.

-Templates

The templates to remove from the configuration. Use Get-CAConfigurationTemplates to obtain the templates.

Example: Remove a template from a configuration

Remove-CATemplatesFromConfiguration -Connection $connection -Configuration $configuration -Templates $templates
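The agent configuration commands in the deployment section and the template commands in this section are normally used together. The following script, an added example that is not Quest's own code, walks the full sequence: create a configuration, resolve templates by name, attach them, assign the configuration to a chosen set of agents, push it, and then read back what was actually applied. It assumes the module is loaded, the installation is named DEFAULT as elsewhere on this page, and that the configuration, template and agent objects expose Name (AgentName for agents) properties; the configuration, template and host names are constructed for illustration.

```powershell
# Added example, not part of the Quest Change Auditor guide.
# Build an agent configuration from named templates, assign it to specific agents,
# push it, and verify the result. Fails closed if any template or agent is missing,
# so a typo cannot silently produce a half-audited tier-0 host.

$connection = Connect-CAClient -InstallationName 'DEFAULT'   # installation name as used on this page

$configName    = 'Tier0-DomainControllers'            # constructed name
$templateNames = @('Domain Controller Auditing')      # constructed; list real names with Get-CAConfigurationTemplates
$targetHosts   = @('dc01.corp.example.com', 'dc02.corp.example.com')   # constructed FQDNs

# 1. Create the configuration only if it does not exist, then fetch the object the
#    other commands require (New-CAConfiguration is not documented as returning it).
#    ASSUMPTION: configuration objects expose a Name property.
$config = Get-CAConfigurations -Connection $connection | Where-Object { $_.Name -eq $configName }
if (-not $config) {
    New-CAConfiguration -Connection $connection -ConfigurationName $configName | Out-Null
    $config = Get-CAConfigurations -Connection $connection | Where-Object { $_.Name -eq $configName }
    if (-not $config) { throw "Configuration '$configName' was not created." }
}

# 2. Resolve templates by name; refuse to continue if any is missing.
#    ASSUMPTION: template objects expose a Name property.
$allTemplates = Get-CAConfigurationTemplates -Connection $connection
$templates = foreach ($n in $templateNames) {
    $t = $allTemplates | Where-Object { $_.Name -eq $n }
    if (-not $t) { throw "Template '$n' not found; refusing to assign a partial configuration." }
    $t
}
Add-CATemplateToConfiguration -Connection $connection -Configuration $config -Templates $templates

# 3. Select the agents by FQDN, assign the configuration and push it.
#    ASSUMPTION: PSCAAgentInfo exposes an AgentName property.
$agents = @(Get-CAAgents -Connection $connection | Where-Object { $targetHosts -contains $_.AgentName })
if ($agents.Count -ne $targetHosts.Count) {
    $found = $agents | ForEach-Object { $_.AgentName }
    throw "Expected $($targetHosts.Count) agents, matched $($agents.Count): $($found -join ', ')"
}
Set-CAAgentConfiguration   -Connection $connection -Agents $agents -Configuration $config
Update-CAAgentConfigurations -Connection $connection -Agents $agents

# 4. Read back the templates now attached to the configuration and compare.
$applied = @(Get-CATemplatesInConfiguration -Connection $connection -Configuration $config)
$missing = $templateNames | Where-Object { $_ -notin ($applied | ForEach-Object { $_.Name }) }
if ($missing) {
    Write-Warning "Templates not present on '$configName': $($missing -join ', ')"
} else {
    Write-Host "Configuration '$configName' carries all $($templateNames.Count) template(s) and was pushed to $($agents.Count) agent(s)."
}
```

Step 4 is the part worth keeping even in a one-off run: the assignment and push commands do not report what ended up on the configuration, and reading it back with Get-CATemplatesInConfiguration is the only evidence that the auditing scope you intended is the one now in force.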


Working with searches

Searches (both built-in and private) allow you to view valuable information based on activity captured by Change Auditor.

When using the commands, consider the following:

Full access for:

Restricted access to private searches and folders for:

The following commands are available to manage searches:

Invoke-CASearch

Use this command to run a search.

Table 32. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search to run. Use Get-CASearches to find the PSCASearchInfo object required to identify the search.

-StartTime (Optional)

The start time for the events that will be retrieved. By default this is the start time defined in the search.

-EndTime (Optional)

The end time for the events that will be retrieved. By default this is the end time defined in the search.

-Limit (Optional)

The maximum number of records to retrieve and display. By default this is the limit defined in the search.

Example: Running a search and limit the display to 10 events

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ? {$_.Name -eq "All Events"}

Invoke-CASearch -Connection $connection -Search $search -Limit 10


Get-CASearches

Use this command to view information on all available searches and identify a search info object that is required for some other commands.

Table 33. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

Example: Viewing all available searches within a specific installation

Get-CASearches $connection

Example: Viewing a specific search

Get-CASearches $connection | ? {$_.Name -eq "All AD Queries in the last 30 days"}

Get-CASearchDefinition

Use this command to obtain the search definition from an existing search. The search definition is XML that can be modified and used to create a search.

Table 34. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

Example: Get the definition of the search named "All Events" and write it to the file "C:\definitions\All Events.xml"

$connection = Connect-CAClient -InstallationName 'DEFAULT'

[xml]$xmlString = Get-CASearches $connection | ? {$_.Name -eq "All Events"} | Get-CASearchDefinition $connection

$xmlString.Save("C:\definitions\All Events.xml")
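Get-CASearches, Invoke-CASearch and Get-CASearchDefinition are the commands an investigator actually chains together. The script below is an added example, not part of the Quest guide: it runs a built-in search over an explicit 24-hour window, exports the results, and stores the search definition next to them so the query that produced the evidence is preserved. It assumes the module is loaded, the installation is named DEFAULT as elsewhere on this page, that Invoke-CASearch writes event records to the pipeline, and uses the C:\definitions folder from the page's own example as the output location.

```powershell
# Added example, not part of the Quest Change Auditor guide.
# Run a built-in search over an explicit time window, save the result set, and save the
# search definition beside it so the exact query behind the evidence is kept.

$connection = Connect-CAClient -InstallationName 'DEFAULT'   # installation name as used on this page
$searchName = 'All Events'                                      # built-in search named on this page
$outDir     = 'C:\definitions'                                  # ASSUMPTION: output folder, as in the page's example

# Resolve the search. An empty result usually means the account has only restricted
# access to private searches, so fail loudly instead of silently running nothing.
$search = Get-CASearches $connection | Where-Object { $_.Name -eq $searchName }
if (-not $search) { throw "Search '$searchName' was not found or is not visible to this account." }

# Pass both -StartTime and -EndTime explicitly; otherwise the window falls back to
# whatever is stored in the search definition, which is rarely the investigation window.
$end   = Get-Date
$start = $end.AddHours(-24)
$limit = 5000

# ASSUMPTION: Invoke-CASearch writes the retrieved event records to the pipeline.
$events = @(Invoke-CASearch -Connection $connection -Search $search -StartTime $start -EndTime $end -Limit $limit)
if ($events.Count -ge $limit) {
    Write-Warning "Result set reached the -Limit of $limit; narrow the window or raise the limit so events are not dropped."
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = $start.ToString('yyyyMMdd-HHmm')

# Definition (XML), obtained the same way as the page's Get-CASearchDefinition example.
[xml]$definition = $search | Get-CASearchDefinition $connection
$definition.Save((Join-Path $outDir "$searchName.xml"))

$events | Export-Csv -Path (Join-Path $outDir "$searchName-$stamp.csv") -NoTypeInformation -Encoding UTF8
Write-Host ("{0} events written for {1:u} to {2:u}" -f $events.Count, $start, $end)
```

The limit check matters more than it looks: a search that quietly stops at its record limit produces a result set that appears complete, and an investigation built on it will miss whatever fell past the cut-off.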

Set-CASearchProperties

Use this command to update the name, default folder, or result limit of a public or private search, or to set the path and subsystem of a .csv file containing a list of directory objects to import.

Table 35. Available parameters

Parameter

Description

-Connection

A connection obtained by using the Connect-CAClient command.

-Search

The search info object obtained from the Get-CASearches command.

-Name

Specifies a new name for the search.

-DefaultFolderPath

Specifies a new default folder path for the search.

-Limit

Specifies a new limit for the search.

-PassThru (Optional)

A switch that specifies to return the updated search after the command runs.

-Subsystem

The subsystem to update. The ability to import a .csv file with a list of objects is available for Active Directory, Exchange, and Group Policy.

-Path

Path to the .csv file to import.

Example: Change the display name of a search and set its default folder path and limit

$connection = Connect-CAClient -InstallationName 'DEFAULT'

$search = Get-CASearches $connection | ?{$_.Name -eq "All Owner Mailbox Events"}

Set-CASearchProperties $connection -Search $search -Name "NewName" -DefaultFolderPath "C:\PATH\MYSEARCH" -Limit 1000

Example: Import a .csv file of Active Directory objects

$connection=Connect-CAClient -InstallationName 'Default'

$search = Get-CASearches $connection | ? {$_.Name -eq "All My Events"}

Set-CASearchProperties $connection -Search $search -Subsystem "Active Directory" -Path "C:\MyCSVObjectList.csv"
