
Change Auditor 7.5 - User Guide


Add Origin dialog (Add With Events)


The Add Origin dialog is displayed when the Add With Events tool bar button is clicked on the Origin search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog displays a list of originating workstations/servers that already have an event in the Change Auditor database.

From this dialog, select a workstation/server and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selections, click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data grid

The data grid displays a list of all originating workstations/servers that have an event associated with them in the Change Auditor database.

Parameter list

The list box located at the bottom of the dialog displays the originating workstations/servers to be included in the search definition. Use the buttons located above this list box to add or remove entries:

Add - select an entry in the data grid and click the Add button to add the selected item to the parameter list.
Remove - select the entry to be removed in the parameter list and then click the Remove button.

Add Wildcard Expression

Click this button to display the Add Origin dialog where you can specify a wildcard expression to locate a workstation or server.

Add Registry Key dialog


The Add Registry Key dialog is displayed when Add | Subsystem | Registry or Add With Events | Subsystem | Registry is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for changes to a specific System Registry key.

From this dialog, select a registry key and click the Add button to add it to the list box located across the bottom of the dialog.

If required, use the Forest drop-down box to select the forest in which the objects reside. Foreign agent forests may require foreign forest credentials, which can be entered on the Credentials Required dialog.

Once you have made your selections, click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Scope

Select one of the following options to define which system registry keys are to be included in your search definition.

All Registry Keys - select this option to include all registry keys in your search definition.
This Object - select this option to include only the selected object(s). (Default)
This Object and Child Objects Only - select this option to include the selected object(s) and their direct child objects.
This Object and All Child Objects - select this option to include the selected object(s) and all subordinate objects (in all levels).

Actions

The Actions check boxes allow you to define which types of actions on the selected registry keys are to be included in the search definition.

By default, All Actions is selected meaning that all the registry actions listed will be included in your search definition. However, you can clear the All Actions option and select individual actions to be included.

The options available are:

All Actions - select this option to include all the actions. When this option is selected, all the other options are disabled. (Default)
Add Value - select this option to include when a new value is added to the selected registry key.
Delete Value - select this option to include when a registry key value is removed.
Modify Value - select this option to include when a registry key value is modified.
Add Key - select this option to include when a new registry key is added.
Delete Key - select this option to include when a registry key is removed.

Registry key hierarchy

This is a hierarchical view of the registry containers for the computer to which you are currently connected. Depending on the Scope option selected, the registry key hierarchy will either be disabled (All Registry Keys) or enabled allowing you to locate and select a registry key.

Data grid

The data grid replaces the registry key hierarchy when Add With Events | Subsystem | Registry is selected. This grid lists the registry containers, for the computer to which you are currently connected, that have an event associated with them in the Change Auditor database.

Depending on the Scope option selected, the data grid is either disabled (All Registry Keys) or enabled allowing you to select a registry key from the list.

Path

This field displays the path which is built when you use the hierarchy view to locate a registry key. To select a registry key from a different computer, click the browse button to the right of this field to locate and select the computer to use. The system registry keys associated with the specified computer will then be displayed in the hierarchy view.

Ensure that the selected computer is on the network and has remote administration enabled. If the selected remote computer does not allow remote administration access, a message is displayed explaining that you need to select a different server.

NOTE: The Path field and browse button are not available when using the Add With Events option.

Registry key list

The list box at the bottom of the dialog displays the registry keys to be included in the search (or excluded from the search if the Exclude the Above Selection(s) option is checked). Use the buttons located above this list box to add, remove or update an entry:

Add - select a registry key (or container) from the hierarchy view (or data grid) and then click the Add button to add this key to the Registry Key list.
Remove - select a registry key from the Registry Key list and then click Remove to remove it.
Update - select a registry key from the Registry Key list, modify the scope and/or actions and then click Update to save your changes.

Exclude the Above Selection(s)

Select this option to exclude the registry keys in the selection list box. When this check box is checked, Change Auditor will search all registry keys except those listed.

Runtime Prompt

Select the Runtime Prompt check box to prompt for a registry key whenever the search is run. That is, when Run is used, the Add Registry Key dialog is displayed allowing you to select the registry key to be included in the search.

NOTE: When Runtime Prompt is checked, the Registry option will be disabled on the Add tool bar buttons on the What tab.

Add Results dialog


The Add Results dialog appears when Add | Result or Add With Events | Result is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for events (or purge events) based on the results of the operation mentioned in the event (None, Success, Protected or Failed).

From this dialog, select a result and click the Add button to add it to the list box located across the bottom of the dialog. Once you have made your selection(s), click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Result list

The list at the top of the dialog displays the different results that can be returned for an event:

None - the operation occurred as stated, but no results were captured for the event. For example, this state is used for most of the internal Change Auditor events.
Success - the operation occurred as stated in the event.
Protected - the operation did not occur because the object is being protected using the Change Auditor protection feature.
Failed - the operation did not occur due to a factor/setting outside of Change Auditor's control.
NOTE: When using the Add With Events | Result option, the list only displays the event results that have an event associated with them in the Change Auditor database.

Selection list

The list box at the bottom of the page displays the results to be included in the search definition (or excluded if the Exclude the Above Selection(s) check box is checked). Use the buttons located above this list box to add or remove entries:

Add - click the Add button to add the selected item to the list.
Remove - select the entry to be removed from the list and then click the Remove button.

Exclude the Above Selection(s)

Select this check box to exclude the items listed in the selection list box. When this check box is checked, Change Auditor will return details for all events except those that return a result that is listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the result criteria whenever the search is run. That is, when the Run tool bar button is used, the Add Results dialog appears allowing you to select the result criteria to be included in the search.

NOTE: When Runtime Prompt is selected, the Result option will be disabled on the Add tool bar buttons on the What tab.

Add Service dialog


The Add Service dialog appears when Add | Subsystem | Service is selected on the What search properties tab (Searches page or the Purge Options page in the Purge Job wizard). This dialog allows you to search for events (or purge events) generated by a specific service.

From this dialog, select a service and click the Add button to add it to the list box located across the bottom of the dialog.

If required, use the Forest drop-down box to select the forest in which the objects reside. Foreign agent forests may require foreign forest credentials, which can be entered on the Credentials Required dialog.

Once you have made your selections, click the OK button to save your selection and close the dialog.

The following information/controls are included on this dialog:

Data grid

The data grid displays the services available on the server listed in the You are viewing services on field. The following information is displayed for each entry:

You are viewing services on

This field displays the name of the server where the services you are viewing are located. To view/select services from a different server, click the Browse button to the right of this field to locate and select the computer to be used. The system services found on the selected computer will then be displayed.

Service list

The list box at the bottom of the dialog displays the name of the services to be included in the search definition (or excluded when the Exclude the Above Selection(s) check box is checked). Use the buttons located above this list box to add or remove entries:

Add - select a service in the data grid and click Add to add the selected service to the Service list. This button is activated when one or more services are selected in the data grid.
Add All - click the Add All button to add all of the services listed to the Service list.
Select Enter a service not listed above to enter an unlisted service.
Remove - select the service to be removed in the Service list and then click the Remove button.

Exclude the Above Selection(s)

Select this check box to exclude the services listed in the selection list box. When this check box is checked, Change Auditor will return events for all services except those listed.

Runtime Prompt

Select the Runtime Prompt option to prompt for the service whenever the search is run. That is, when the Run tool bar button is clicked, the Add Service dialog appears allowing you to select the service to be used.

NOTE: When Runtime Prompt is selected, the Service option will be disabled on the Add tool bar buttons on the What tab.