What are the new features and what has been resolved in Change Auditor 7.3?
Resolution
New Features:
SQL Extended Events auditing (Preview):
Ability to audit SQL Extended events using the following PowerShell commands:
Get-CASQLExtendedEventsInfo
New-CASQLExtendedEventsFilter
New-CASQLExtendedEventsObject
New-CASQLExtendedEventsTemplate
Get-CASQLExtendedEventsTemplates
Remove-CASQLExtendedEventsTemplate
The following events are audited:
SQL Server Admin Extended Event
SQL Server Analytic Extended Event
SQL Server Operational Extended Event
The following internal events are available:
SQL Extended Events auditing template added
SQL Extended Events auditing template deleted
The following built-in searches are available:
All SQL Extended Events in the last 24 hours
All SQL Operational Extended Events in the last 24 hours
All SQL Analytic Extended Events in the last 24 hours
All SQL Admin Extended Events in the last 24 hours
Active Directory Database auditing enhancements:
Ability to manage Active Directory Database auditing using the following PowerShell commands:
New-CAADDatabaseTemplate
Get-CAADDatabaseTemplates
Remove-CAADDatabaseTemplate
Set-CAADDatabaseTemplate
Active Directory Database protection enhancements:
Ability to manage Active Directory Database protection using the following PowerShell commands:
New-CAADDProtectionTemplate
Get-CAADDProtectionTemplates
Remove-CAADDProtectionTemplate
Set-CAADDProtectionTemplate
Event forwarding to Microsoft Sentinel:
Ability to configure the integration through the Windows client and PowerShell commands.
Ability to manage the integration using the following PowerShell commands:
New-CASentinelEventSubscription
Get-CASentinelEventSubscriptions
Set-CASentinelEventSubscription
Remove-CASentinelEventSubscription
Internal events are available to track changes to the subscription:
Microsoft Sentinel subscription added
Microsoft Sentinel subscription modified
Microsoft Sentinel subscription removed
Security improvements:
The following event is generated when the encryption level used by Kerberos service ticket requests does not meet the expected level of security:
A Kerberos service ticket was created with an unsafe encryption type
The following built-in search is available:
All Kerberos service ticket events for unsafe encryption type in the last 7 days
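As an added example (not Quest's or Change Auditor's code), the PowerShell below classifies Windows Security event 4769 records by their TicketEncryptionType field, which is the underlying signal behind the unsafe encryption type event above; the event ID and field names are Windows', while the sample records are constructed.

```powershell
# Added example (not Quest's code): classify Kerberos service ticket events
# (Windows Security event 4769) by TicketEncryptionType. Uses constructed sample
# XML so it runs offline; on a domain controller feed it Get-WinEvent output.

# Encryption type codes as logged in event 4769.
$WeakTypes   = @{ '0x1' = 'DES-CBC-CRC'; '0x3' = 'DES-CBC-MD5'; '0x17' = 'RC4-HMAC'; '0x18' = 'RC4-HMAC-EXP' }
$StrongTypes = @{ '0x11' = 'AES128-CTS-HMAC-SHA1-96'; '0x12' = 'AES256-CTS-HMAC-SHA1-96' }

function Get-TicketEncryptionReport {
    param([Parameter(Mandatory)][xml[]]$EventXml)
    foreach ($evt in $EventXml) {
        # Flatten <Data Name="...">value</Data> pairs into a lookup table.
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $etype = $data['TicketEncryptionType']
        if ($WeakTypes.ContainsKey($etype))       { $cipher = $WeakTypes[$etype] }
        elseif ($StrongTypes.ContainsKey($etype)) { $cipher = $StrongTypes[$etype] }
        else                                      { $cipher = 'Unknown' }
        [pscustomobject]@{
            TargetUserName = $data['TargetUserName']
            ServiceName    = $data['ServiceName']
            IpAddress      = $data['IpAddress']
            EncryptionType = $etype
            Cipher         = $cipher
            Unsafe         = $WeakTypes.ContainsKey($etype)
        }
    }
}

# Constructed sample records (EventData trimmed to the fields used above).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    [xml]"<Event xmlns='$ns'><System><EventID>4769</EventID></System><EventData>
      <Data Name='TargetUserName'>alice@CORP.EXAMPLE</Data>
      <Data Name='ServiceName'>MSSQLSvc/sql01.corp.example:1433</Data>
      <Data Name='TicketEncryptionType'>0x17</Data>
      <Data Name='IpAddress'>::ffff:10.0.0.25</Data></EventData></Event>",
    [xml]"<Event xmlns='$ns'><System><EventID>4769</EventID></System><EventData>
      <Data Name='TargetUserName'>bob@CORP.EXAMPLE</Data>
      <Data Name='ServiceName'>CIFS/files01.corp.example</Data>
      <Data Name='TicketEncryptionType'>0x12</Data>
      <Data Name='IpAddress'>::ffff:10.0.0.31</Data></EventData></Event>"
)

# Live equivalent on a DC (last 7 days, the same window as the built-in search):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769; StartTime=(Get-Date).AddDays(-7)} |
#   ForEach-Object { [xml]$_.ToXml() }

Get-TicketEncryptionReport -EventXml $sample | Where-Object Unsafe | Format-Table -AutoSize
```

Only the RC4 (0x17) ticket for alice is reported; the AES256 ticket for bob is classified as strong and filtered out.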
Logon Activity auditing enhancements:
Ability to include and exclude events performed by users with the Administrator right in search results by filtering on the "Is Administrator" column
The following built-in search is available:
All Logons by administrators in the past 24 hours
PowerShell improvements:
Commands have been added to import and export the Change Auditor configuration:
Import-CAConfigurations
Export-CAConfigurations
Commands have been added to manage Active Directory protection templates:
Remove-CAProtectedObject
Set-CAADProtectionTemplate
Additional platform support:
The following support has been added:
Microsoft Exchange Server 2016 CU23
Microsoft Exchange Server 2019 CU12
Microsoft SQL Server 2016 SP3
Windows Server 2022 for auditing on all subsystems
Windows 10 Enterprise for Virtual Desktops for workstation agents
Active Roles 7.5.1, 7.6, and 8.0
NetApp ONTAP 9.9 and 9.10
GPOADmin 5.17
EMC Common Event Enabler (CEE) Framework 8.9.7.1
The following support has been removed:
SQL Server 2012 for the coordinator and auditing
Internet Explorer 11
Ability to publish to the Quest Knowledge portal
Miscellaneous features and enhancements:
Ability to ignore GPOADmin working copies in Group Policy protection templates and the addition of the following associated internal events:
Do not enforce protection for GPOADmin working copy option disabled.
Do not enforce protection for GPOADmin working copy option enabled.
Ability to globally protect all GPO links unless change comes from an override account.
Additional internal events generated when a coordinator is unable to send events to a SIEM subscription:
Event forwarding subscription disabled due to webhook receiver error.
Event forwarding suspended due to webhook error.
Event forwarding has resumed.
Additional logging when a foreign agent is unable to connect to the coordinator
Additional support in the Windows client for accessibility tools such as screen readers.
Updated import and export functionality to support certificate authentication in Office 365 templates.
Performance improvements to the purge process.
Delete events are recorded for each object contained in an OU when the "Use Delete Subtree server control" option is selected when deleting an OU.
Resolved Issues:
Unable to create an Office 365 auditing template or set mailbox auditing permissions when connected to a Chinese tenant when missing an Azure E5 license - 242453
Several Active Directory Custom User Monitoring event classes could not be monitored without a Change Auditor Exchange license - 248618
Invalid license unexpectedly recorded when the agent connects to the coordinator after the coordinator is restarted - 279044
Unable to log in to the Change Auditor client when the operating system format is set to Turkish - 323934
Foreign forest agents are unable to connect to the coordinator if there are abnormal Active Directory sites in the agent host's domain or forest - 326648
Agent database cannot be upgraded when it contains corrupt out-of-order column data - 345754
After upgrading to version 7.2, members of the CA Operators group are unable to log into the Win32 client - 347556
Coordinator group expansion does not enumerate full group membership for very large groups - 348660
Active Directory protection templates cannot be edited and display incorrect attributes in the wizard - 352011
The "NT Authority\SELF" account override does not function properly for gMSA accounts in Active Directory protection templates - 353736
"Can't find the NetBIOS name for the Domain" error is causing high memory usage for both the agent and LSASS processes - 355043
"Failed to get cached search" error is causing high memory usage for the agent process - 355261
Documentation updated to note that the user account used to deploy an agent must have Interactive logon rights - 355728
Documentation updated to note that to access an archive database, the account that you use to log into the client must not have the "Deny logon over the network" right set - 365910
The "Account Name" field on the coordinator configuration page and the "UserName" column in the "Alert.Mail" are restricted to 64 characters - 366374
Certain saved search settings can cause the client to close unexpectedly when logging in for a database direct connection - 370629
When creating a Syslog event subscription using CEF format, some field names are malformed in the event data causing issues when the Syslog host tries to ingest the subscription data - 381012
"Irregular domain replication activity detected" event is not recorded after the Windows Server 2012 April updates have been applied - 361717