Chat now with support
Chat with Support

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Add Foreign Forest Credential

Previous Next

Add Foreign Forest Credential

* 
NOTE: This option is not available when this dialog is started from the Purge Job wizard.

If required, agents running on computers can connect to coordinators in a foreign Active Directory forest. Before deploying an agent to a foreign forest, you need to harvest the topology.

To harvest the topology
1
From the Change Auditor client, select the Deployment tab.
2
Click Foreign Forest to open the Foreign Forest Credentials dialog where you will provide the foreign forest DNS name and credentials required to collect the foreign forest topology.
3
Click Add to enter the credentials of a user with administrator rights on the selected domain and the required forest, and click OK.
4
Click Force Refresh to populate the available servers or workstations in the forest.

You are now ready to deploy an agent.

To deploy agents to a foreign forest from the client:
1
From the Change Auditor client, select the Deployment tab.

The Deployment page is populated with the servers (domain controllers and member servers) and workstations in your Active Directory environment.

The Deployment page may initially be empty until the current forest’s server topology has completed. The topology scan takes a long time when the environment contains many workstations. This page is automatically refreshed after this task has completed.

2
From this list, select an entry and select Credentials | Set to enter the proper user credentials for installing agents on the selected domain.
3
Select one or more servers or workstations on the Deployment page and click Install or Upgrade.
4
On the Install or Upgrade dialog select one of the following options to schedule the deployment task:
Now (default)
When

If you select the When option, enter the date and time when you want the deployment task to initiate. Click OK to initiate or schedule the deployment task.

5
Enter the Active Directory credential information to allow the agent to connect to the coordinator in the remote forest, and click OK.
Coordinator Root Domain Name (example.com): Enter the coordinator forest root domain name and an account to be used by the agent to connect to the coordinator.
Account Name (example.com\user): Enter the name of the user that can find and connect to a coordinator in the Active Directory forest.
Account Password : Enter the password associated with the specified account.
Account Type: Select the account type of the specified account.

If you are using a group Managed Service Account:
The account must end with '$' and the password must be blank.
The domain should be entered in the Fully Qualified Domain Name format.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
The Windows client must be run as the administrator. (Right-click and select Run as administrator.)
The coordinator host must be correctly configured to retrieve the managed password for the specified group Managed Service Account.
Add this user to the ChangeAuditor Agents security group: This is selected by default indicating that the specified user account will be added to the ChangeAuditor Agents security group in the supplied Active Directory domain. User accounts must be added to this security group to properly authenticate.

You may need to pre-stage\create the "ChangeAuditor Agents – <InstallationName>" domain local security group and manually add the configured user account to the security group in additional domains within the forest where coordinators reside. If using a group Managed Service Account this step is required and must be performed manually.

You can add the domain user account to the ChangeAuditor Agents – <InstallationName> security group, if appropriate LDAP and network protocol access is available.

Back on the Deployment page, the Agent Status column displays ‘Pending’ and the When column displays the date and time specified.

To cancel a pending deployment task, select the server or workstation and then click Install or Upgrade. On the Install or Upgrade dialog, click Clear Pending.

As agents are successfully connected to the coordinator, the corresponding Deployment Result cell displays ‘Success’, the Agent Status cell displays ‘Active’ and a desktop notification displays in the lower right-hand corner of your screen.

To deactivate these desktop notifications, select Action | Agent Notifications.

Once agents are deployed and you open the client, the Overview page opens and provides a real-time stream of events based on a ‘favorite’ search definition and other summary information.

Add Group Policy Container dialog

Previous Next

Add Group Policy Container dialog

The Add Group Policy Container dialog is displayed when Add | Subsystem | Group Policy or Add With Events | Subsystem | Group Policy is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). From this dialog, select the Group Policy Objects to be searched.

From this dialog, select a Group Policy object and click the Add button to add it to the list box, located across the bottom of the dialog. Once you have made your selections, click OK to save your selection and close the dialog.

The following information/controls are included on this dialog:

Scope

Select one of the following options to define the scope of coverage:
All Objects - select this option to include all objects (Default)
This Object - select this option to include the selected object only

Directory Object picker

When the This Object option is selected, use either the Browse or Search page to search your environment to locate and select the Group Policy Objects to be included in the search.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Use the Options page to view or modify the search options used to retrieve directory objects.

* 
NOTE: The Search page is initially displayed which contains GroupPolicyContainer in the Find field and an * wildcard character in the Canonical Name field. Click Search to locate the Group Policy containers in your environment.

See Directory object picker for more information about using the Browse, Search, or Options page of the Directory Object Picker.

You can also select Import Objects to import a .csv (comma separated value) file containing a list of directory objects. Using this list, you can specify object names for the search criteria. You can use the * wildcard character to match any string of zero or more characters when specifying the Name values.

* 
NOTE: For optimal performance, do not include more than 1000 objects in your import file.

The import will fail and an error message will be displayed if any errors are detected.

Columns
Description

Name (Required)

The name of the directory object to import. Name values must be specified in canonical name format.

Examples:

Column: Name

Values:

test.domain.ca/System/Policies/{D72618D2-1413-4352-8EC9-FA4A33CBE99C}
test.domain.ca/System/Policies/*

Data grid

The data grid replaces the directory object picker when Add With Events | Subsystem | Group Policy is selected. This grid displays a list of all the Group Policy objects that have an event associated with it in the Change Auditor database. For each object listed, the following information is displayed:
Object - lists the name of the Group Policy objects that have an event associated with it in the Change Auditor database.
Canonical Name - if available, displays the canonical name for the object.

Wildcard expression fields

When the This Object scope option is selected, the wildcard expression fields in the middle of the dialog are enabled. Use the wildcard expression fields to specify the expression to be used to search for Group Policy objects (Object and Canonical Name columns in Search Results grid).

1
Select the comparison operator to be used: Like or Not Like.
2
In the field to the right of the operator, enter the pattern (character string and * wildcard character) to be used to search for a match. Use the * wildcard character to match any string of zero or more characters.

For example, LIKE *Configuration* will find all Group Policy objects whose name contains 'Configuration' anywhere in its policy name.'

3
Click Add to add the wildcard expression to the Selected Objects list at the bottom of the dialog.

Selected objects list

The list box at the bottom of this dialog displays the objects selected for the search definition. That is, only the objects listed will be included in the search (or excluded from the search if the Exclude the Above Selection(s) is selected). Use the buttons located above this list box to add, remove, or update an object:
Add - Click to add the selected object to the search definition.
Remove - From the Selected objects list, select the object to remove, and click Remove.
Update - From the Selected Object list, select the object to update, make the necessary modifications, and click Update to save your changes.

Exclude the Above Selection(s)

Select this option to exclude the selected objects from the search. When this check box is checked, Change Auditor will search all Group Policy objects except those listed.

Runtime Prompt

Select the Runtime Prompt check box to prompt for the Group Policy object(s) to be included whenever the search is run. That is, when Run is used, the Add Group Policy Container dialog is displayed allowing you to select the objects to be included in the search.

* 
NOTE: When Runtime Prompt is selected, the Group Policy option is disabled on the Add tool bar buttons on the What tab.

Add Local Account dialog

Previous Next

Add Local Account dialog

* 
NOTE: This option is not available when this dialog is started from the Purge Job wizard.

The Add Local Account dialog is displayed when Add | Subsystem | Local Account or Add With Events | Subsystem | Local Account is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for events generated by either a local user or group account.

From this dialog, select an account and click Add to add it to the list box located across the bottom of the dialog.

If required, use the Forest drop-down box to select in which forest the objects reside. Foreign agent forests may require foreign forests credentials which can be entered on the Credentials Required dialog.

Once you have made your selections, click OK to save your selection and close the dialog.

This dialog contains the following information/controls:

Scope

Select one of the following options to define the scope of coverage:
All Objects - select this option to include all objects. (Default when using Add)
This Object - select this option to include a single object. (Default when using Add With Events)

Data grid

The data grid displays a list of all the users and groups in local SAM databases on the selected Member Server.

When the This Object option is selected in the Scope section, the data grid and buttons are enabled to select the individual objects to include in the search. For each account listed, the following information is displayed:
Principal Name - displays the name of each local user and group account.
Principal Type - displays the type of account: User or Group.
* 
NOTE: When using the Add With Events option, this data grid only includes the local accounts that have an event associated with it in the database.

Account

This field displays the principal name of the object selected in the data grid. To select a local account on a different computer, click the browse button to the far right to display the Select a Directory Object dialog to select another computer. The local user or group accounts available on the specified computer is displayed in the data grid.

* 
NOTE: When using the Add With Events option, the Account field and browse button are disabled.

Account list

The list box at the bottom of the dialog displays the local user and group accounts to include in the search (or excluded from the search if the Exclude the Above Selection(s) option is checked). Use the buttons located above this list box to add, remove, or update an entry:
Add - click to add the selected account to the Account list.
Remove - select the entry to be removed in the Account list and then click Remove.
Update - select the entry to update in the Account list, select a different account from the data grid, and then click Update to save your changes.

Exclude the Above Selection(s)

Select this option to specify the local accounts to exclude from the search. When this check box is checked, Change Auditor searches all local accounts except those listed.

Runtime Prompt

Select the Runtime Prompt check box to prompt for a local account whenever the search is run. That is, whenever Run is selected, the Add Local Account dialog is displayed allowing you to select the local user or group account to be used. This option is not available when this dialog is started from the Purge Job wizard.

Add Logons dialog

Previous Next

Add Logons dialog

The Add Logons dialog opens when Add | Subsystem | Logons is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for user activity events based on the logon type (Interactive, Remote Interactive, Domain Authentication, User Session or Network), and by the failure reason or status code.

From this dialog, select a logon type, and if needed, the failure reason or status code, and use the Add, Remove, and Update buttons to adjust the filter parameters as required.

The following information/controls are included in this dialog:

Logon Type

The types of logon events that can be included in the search definition. The logon event types available are:
Interactive
Remote Interactive
Domain Authentication
User Session
Network

Logon Failure Reason

Select this option and the comparison operator to use (Like or Not Like) to filter based on the failure reason. Use the wildcard character * for a partial search.

Logon Status Code

Select this option and the comparison operator to use (Equals or Does not equal) to filter based on the status code.

Parameter list

The list at the bottom of the dialog displays the filters selected for inclusion (or exclusion when the Exclude the Above Selection(s) check box is checked) in the search definition. Use the buttons located above this list box to add, remove, or update the filters:
Add: Use to add filter parameters.
Remove: Use to remove filter parameters.
Update: Use to change filter parameters.

Exclude the Above Selection(s)

Select this check box to exclude the filter listed in the Parameter list from the search query. That is, Change Auditor will search for all logon activity events except for those associated with the filter listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the logon type or error whenever the search is run. That is, when the Run tool bar button is clicked, the Add Logons dialog appears allowing you to select the logon types to include in the search. This option is not available when this dialog is launched from the Purge Job wizard.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating