What are the new features and what has been resolved in Change Auditor 7.1?
Resolution:
New Features:
Azure Active Directory and Office 365 updates:
Change Auditor has implemented the updated Microsoft Graph API, which has resulted in the following additional built-in reports for risky events:
All Azure Active Directory sign-in from anonymous IP address events in the past 7 days
All Azure Active Directory sign-in from confirmed compromised user events in the past 7 days
All Azure Active Directory sign-in from IP address with malicious activity events in the past 7 days
All Azure Active Directory sign-in from IP address with suspicious activity events in the past 7 days
All Azure Active Directory sign-in from malware-infected device events in the past 7 days
All Azure Active Directory sign-in with impossible travel events in the past 7 days
All Azure Active Directory sign-in with valid credentials from blocked IP address events in the past 7 days
All Azure Active Directory sign-in with unfamiliar location or properties events in the past 7 days
All Azure Active Directory suspicious manipulation or rules in user's inbox events in the past 7 days
All Azure Active Directory user activity with known sign-in attack pattern events in the past 7 days
All Azure Active Directory user activity with known attack pattern events in the past 7 days
All Azure Active Directory unlikely travel between sign-in source locations events in the past 7 days
All Azure Active Directory users sign-in with leaked credentials events in the past 7 days
Increased performance of Azure Active Directory auditing allowing for more events to be processed
Office 365 auditing page now displays whether SharePoint Online and OneDrive for Business events are being monitored
Office 365 event details Item tab added that displays Id, rights, SID, Upn, name and path details for Exchange Online permission additions, removals, or modifications
Additional Info tab added for Azure Active Directory risky events that displays information such as user agent, related event time in UTC, related user agent, device information, related location, request ID, correlation ID
Ability to set whether or not mailbox auditing settings specified in the auditing template overwrite the existing mailbox auditing settings specified in the Office 365 tenant
Ability to create a custom Azure Active Directory search based on location
Active Directory updates:
Ability to audit changes to Active Directory temporary groups where the members have a specified time to live. The time to live for each member is also reported in the event
Ability to allow Managed Service Accounts to access protected Active Directory objects
Foreign forest support:
The following is supported in environments where a coordinator does not exist in the foreign forest where agents are deployed:
Ability to harvest the foreign forest topology
Ability to deploy agents through the Change Auditor client
Ability to audit logon activity with an agent in the foreign forest
Ability to audit and protect Windows File System with an agent in the foreign forest
Ability to audit and protect Active Directory objects with an agent in the foreign forest
Ability to audit Active Directory attributes with an agent in the foreign forest
Ability to select objects from the foreign forest in object pickers for search queries
Ability to include and exclude objects from the foreign forest in AD queries
On Demand Audit integration updates:
Ability to send the Change Auditor version and list of coordinators to On Demand Audit after an upgrade so that On Demand Audit can display the most current Change Auditor information
New events generated when event forwarding to On Demand Audit is suspended due to an error and then resumed:
On Demand Audit subscription has suspended
On Demand Audit subscription has resumed
New events generated when an On Demand administrator makes changes to the Change Auditor event forwarding settings within On Demand Audit:
Event sending to On Demand Audit has paused
Event sending to On Demand Audit has resumed
On Demand Audit configuration removed
New event generated when Change Auditor connects to On Demand Audit:
On Demand Audit configuration added
Authentication and Logon activity updates:
Additional events:
User performed a successful NTLM V1 logon is created when a user successfully logs on to a server through NTLM V1
User performed a successful NTLM V2 logon is created when a user successfully logs on to a server through NTLM V2
User authenticated through NTLM (or User failed to authenticate through NTLM) is created when a user successfully authenticates (or fails to authenticate) to a domain controller using NTLM authentication
Additional built-in searches:
All Kerberos Authentication Activity in the past 24 hours
All NTLM Authentication Activity in the past 24 hours
All NTLM version 1 logons in the last 7 days
Ability to search logon events by the failure reason or status code
Ability to set the Kerberos ticket lifetime in the agent configuration and detect possible golden ticket use. When a Kerberos ticket lifetime that exceeds the value specified in the agent configuration is detected, the “Kerberos user ticket that exceeds the maximum lifetime detected” domain controller authentication event is generated. A valid Change Auditor Logon Activity User license is required
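The lifetime check described above, as an added example that is not Change Auditor's own code: the configured maximum (assumed here to be the 10-hour Windows default for user tickets), the record fields and the sample ticket records are all constructed for illustration; only the event name comes from the release notes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed agent-configuration value: the maximum lifetime a user ticket
# should have. Windows default domain policy issues 10-hour tickets, so a
# ticket that lives far longer than the KDC would issue is a forged-ticket
# (golden ticket) indicator rather than a normal renewal.
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Event name as stated in the release notes.
LIFETIME_EVENT = "Kerberos user ticket that exceeds the maximum lifetime detected"


@dataclass
class TicketRecord:
    """Constructed representation of one observed TGT (hypothetical fields)."""
    user: str
    client_host: str
    start_time: datetime
    end_time: datetime


def ticket_lifetime_hours(ticket: TicketRecord) -> float:
    """Lifetime in hours; negative means end precedes start (malformed)."""
    return (ticket.end_time - ticket.start_time).total_seconds() / 3600.0


def exceeds_max_lifetime(ticket: TicketRecord,
                         max_lifetime: timedelta = MAX_TICKET_LIFETIME) -> bool:
    """True only when the lifetime is strictly greater than the configured maximum."""
    return ticket.end_time - ticket.start_time > max_lifetime


def detect_oversized_tickets(tickets, max_lifetime: timedelta = MAX_TICKET_LIFETIME):
    """Return one event dict per ticket whose lifetime exceeds the maximum."""
    events = []
    for t in tickets:
        if exceeds_max_lifetime(t, max_lifetime):
            events.append({"event": LIFETIME_EVENT, "user": t.user,
                           "client_host": t.client_host,
                           "lifetime_hours": ticket_lifetime_hours(t),
                           "max_hours": max_lifetime.total_seconds() / 3600.0})
    return events


UTC = timezone.utc
# Constructed sample input: one normal 10-hour ticket, one 10-day ticket.
SAMPLE_TICKETS = [
    TicketRecord("alice", "WS01", datetime(2020, 3, 1, 8, 0, tzinfo=UTC),
                 datetime(2020, 3, 1, 18, 0, tzinfo=UTC)),
    TicketRecord("svc-backup", "SRV02", datetime(2020, 3, 1, 9, 0, tzinfo=UTC),
                 datetime(2020, 3, 11, 9, 0, tzinfo=UTC)),
]
```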
Additional platform support:
The following support has been added:
Windows Server Core 1909 (Active Directory, Windows File System, Registry, Services, and Local User and Group auditing only)
Microsoft Exchange Server 2016 CU15
Microsoft Exchange Server 2019 CU4
Microsoft SQL Server 2019 CU2 (coordinator database, SQL and SQL DLA auditing)
.NET Framework 4.6.2 for the agent
NetApp 9.7
Defender 5.9.6
GPOADmin 5.14
Active Roles Server 7.4.2
Fluid File System 6.0.3
The following support has been removed:
Microsoft Exchange Server 2010 is no longer supported for auditing or protection
Windows Server 2008 R2 is no longer supported for agent installations
Windows Server 2008 SP2 is no longer supported for legacy agent installations
Miscellaneous features and enhancements:
Ability to manually specify a service name in the Services Auditing Template wizard
Performance improvements when auditing a high volume of AD Query events
Performance improvements have been made to the "Discard duplicate queries occurring within" event consolidation to reduce the amount of required memory. Note: Although improved, the agent will still consume considerably more memory when auditing high volume Active Directory Query events over longer periods of time compared to baseline agent memory usage
SMTP Alert Failed event created when an SMTP alert notification fails, enabling you to identify and fix SMTP server configuration issues
Defender and Authentication Services auditing no longer requires a Change Auditor for Defender or a Change Auditor for Authentication Services license. Auditing for these applications is now enabled and disabled on a configuration basis through the configuration setup. (After an agent upgrade from version 7.0.4 or earlier, you will need to update your configuration setup to enable Defender or Authentication Services auditing where required.)
Ability to use autofill software with the Change Auditor web client log on
The "Refresh Status" button on the Deployment tab will now use the credentials defined in "Set credentials" dialog.
Resolved Issues:
Unable to audit Fluid File System due to message encoding change implemented in version 6.0.3 – 197611
Support for auditing Fluid File System 6.0.3 – 197570
Delays experienced when processing a large number of Azure sign-in events – 193826
HTTP 500 error returned when collecting risky sign-in events – 193990
Agent initialization may be delayed in environments with large numbers of Active Directory subnets – 194352
Azure Active Directory risky sign-in events are not captured due to exception processing events – 196946
Scheduled reports contain a malformed subject line when the Send empty report notification option is enabled – 186044
Ability to audit logon activity in a foreign forest – 187054
Unable to capture Kerberos events on Windows 2016 Server after latest Windows updates have been applied – 187304
Support for auditing Azure Risk events using the new Microsoft riskDetection API that replaces the deprecated Microsoft IdentityRiskEvents API used in previous Change Auditor versions – 181508
Due to a recent change made by Microsoft to the auditing API, an error will occur when attempting to create an Azure Active Directory or Office 365 auditing template – 186027
The Change Auditor client cannot connect to a coordinator in a multi-forest installation – 186567