立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

File/Folder Inclusion and Exclusion Examples

Previous Next

File/Folder Inclusion and Exclusion Examples

This appendix provides sample entries for the Inclusions and Exclusions tabs on the auditing wizard. It does not list every combination available, but provides a variety of examples to help you understand how to use the wildcard characters allowed on these two tabs.

The Inclusions and Exclusions tabs only appear when the Folder or All Drives option is selected in the Audit Path field and the Scope includes child objects. Use these two tabs as described below:
Inclusions tab - enter a file mask to specify what is to be audited.
Exclusions tab - optionally enter a file mask (or path) to specify subfolders and files in the selected audit path that are to be excluded from auditing.

Inclusions tab

Previous Next

Inclusions tab

You must enter a file mask on the Inclusions tab to specify what is to be audited in the selected audit path. Use the following characters to specify a file mask on the Inclusions tab:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
An asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
* 
NOTE: For file system auditing, the slash characters (\) and double asterisks (**) are not allowed in file masks; therefore, to include a specific folder (or share), use the Audit Path field at the top of the page to specify the folder (or share) to be audited and enter an * on the Inclusions tab.

Examples:

The following table provides some examples of file masks that can be used on the Inclusions tab of the auditing wizard. Note that <String> in this table may contain any of the file mask characters described above (i.e., fixed characters, * or ?).

Table 4. Inclusion examples

What to include in audit:

Inclusion syntax/examples:

Include all files located anywhere in the audit path.

NOTE: This is the most commonly used file mask.

Inclusion Syntax: *

Include all files with a specific file name regardless of its file extension.

Inclusion Syntax: <FileName>.*

Example: Name.*

Includes:
Name.txt
Name.docx
Name.pdf

Include all files with a specific file extension.

Inclusion Syntax: <FileNameString>.<Ext>

Example 1: *.tmp

Includes:
Files with a file extension of .tmp.

Name.tmp
Testing.tmp

Example 2: ???*.doc

Includes:
Files whose name contains at least three characters with a file extension of .doc.

MyTest.doc
Testing123.doc
123.doc

Example 3: ???test.doc

Includes:
Files whose name contains seven characters and ends in ‘test’ with a file extension of .doc.

ABCtest.doc
123test.doc

Include all files with a specific file name that has a file extension of a specific length (number of characters).

Inclusion Syntax: <FileName>.<ExtString>

Example 1: Name.???

Includes:
Name.txt
Name.tmp
Name.pdf

Example 2: Name.????

Includes:
Name.docx
Name.xlsx

Include all files that contain a specific string in their name and/or file extension.

Inclusion Syntax: <FileNameString>.<ExtString>

Example: *name.??p

Includes:
Files whose name end with ‘name’ with a three character file extension that ends in the letter ‘p’.

Myname.tmp
Name.bmp

 

Exclusions tab

Previous Next

Exclusions tab

If you do not want to exclude anything (folders or files) in the audit path from auditing, skip this tab. However, if you want to exclude a specific folder/file or group of folders/files, use the following characters to specify what is to be excluded:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
An asterisk (*) wildcard character to substitute zero or more characters.
* 
NOTE: Use a single asterisk (*) to specify a non-recursive match (find match in the folder only; does not match any slash characters (\)).

Use a double asterisk (**) to specify a recursive match (find match in the folder and all subfolders in audit path; matches slash characters (\) and directory names in paths).
Question mark (?) wildcard character to substitute a single character (does not match any slash characters (\).
* 
NOTE: Be sure to select the appropriate Add option (Folder or File) when adding an exclusion or you may not get the results expected. That is, use Add | Folder to exclude the auditing of activity against files/subfolders in folder(s) that match the exclusion string. Use Add | File to exclude the auditing of activity against file(s) that match the exclusion string.

Examples

The following tables provide some examples of file masks that can be used on the Exclusions tab of the auditing wizard. Note that <String> in these tables may contain any of the file mask characters described above (i.e., fixed characters, * or ?).

Audit Path = Folder (<Drive>:\<FolderName>\)
* 
NOTE: When the Auditing Path is All Shares, you cannot specify to exclude an individual share or folders/files found on an individual shares; you can only specify to exclude files and/or folders which may be found on all shares. Change Auditor automatically appends *\ to the beginning of all exclusion entries when the Audit Path is All Shares.

In the following examples the Audit Path is C:\TEMP\.

 

Table 5. Exclusion examples: Audit Path = Folder

What to exclude:

Exclusion syntax/examples:

Exclude activity against files/subfolders in the specified folder in the base audit path.

(Add | Folder)

Exclusion Syntax: <FolderName>

Example: DOCS

Excludes:
C:\TEMP\DOCS

Exclude activity against files/subfolders in all folders with a specific name, which may be found anywhere in the audit path.

(Add | Folder)

Exclusion Syntax: **\<FolderName>

Example: **\MYDOCS

Excludes:
C:\TEMP\MYDOCS
C:\TEMP\DOCUMENTS\MYDOCS
C:\TEMP\DOCS\PRIVATE\MYDOCS

Exclude activity against files/subfolders in all folders that contain a specific string in their name.

(Add | Folder)

Exclusion Syntax: <FolderNameString>

Example 1: DOC*

Excludes:

Folders whose name begins with ‘DOC’ which are located in the base audit path.

HOME\TEMP\DOCS
HOME\TEMP\DOCUMENTS

Example 2: **DOC

Excludes:

Folders whose name ends in ‘DOC’ which may be located anywhere in the audit path.

C:\TEMP\MYDOC
C:\TEMP\DOCS\PRIVATE\DOC

Example 3: **DOC*

Excludes:

Folders whose name contains ‘DOC’ which may be located anywhere in the audit path.

C:\TEMP\DOCS
C:\TEMP\DOCUMENTS
C:\TEMP\MYDOCS
C:\TEMP\FINALDOC
C:\TEMP\PUBLIC\DOCS
C:\TEMP\TEST\BETA\DOCUMENTS

Exclude activity against files whose name contains a specific character string, which may be found anywhere in the audit path.

(Add | File)

Exclusion Syntax: **<CharString>*

Example: **DOC*

Excludes:
C:\TEMP\Test1.docx
C:\TEMP\Doc1.tmp
C:\TEMP\TEST\BETA\FinalDocument.pdf

Exclude activity against a specific file in the base audit path.

(Add | File)

Exclusion Syntax: <FileName.Ext>

Example: Test1.docx

Excludes: C:\TEMP\Test1.docx

Exclude activity against all files with a specific extension, which are located in the base audit path.

(Add | File)

Exclusion Syntax: *.<Ext>

Example: *.tmp

Excludes:
C:\TEMP\Doc1.tmp
C:\TEMP\Testing123.tmp

Exclude activity against all files with a specific extension, which may be found anywhere in audit path.

(Add | File)

Exclusion Syntax: **.<Ext>

Example: **.tmp

Excludes:
C:\TEMP\Doc1.tmp
C:\TEMP\DOCUMENTS\Testing.tmp
C:\TEMP\TEST\BETA\Draft1.tmp

Exclude activity against all files that contain a specific string in their name and/or file extension, which are located in the base audit path.

(Add | File)

Exclusion Syntax:
<FileNameString>.<ExtString>

Example 1: ??word.???

Excludes:
Files whose name contains six characters and ends in ‘word’, with a three character file extension, found in the base audit path.

C:\TEMP\Myword.doc
C:\TEMP\12word.txt

Example 2: *word*.??p

Excludes:
Files whose name contains the string ‘word’, with a three character file extension that ends with the letter ‘p’.

C:\TEMP\Word.tmp
C:\TEMP\Mywordtest.tmp
C:\TEMP\Nowords.bmp

Audit Path = All Drives

In the following examples, there are two drives: C and D.

* 
NOTE: When the Auditing Path is All Drives, you cannot specify to exclude an individual drive or folders/files found on an individual drive; you can only specify to exclude files and/or folders which may be found on all drives. Change Auditor automatically appends *\ to the beginning of all exclusion entries when the Audit Path is All Drives.
 

Table 6. Exclusion examples: Audit Path = All Drives

What’s to be excluded:

Exclusion syntax/examples:

Exclude activity against files/subfolders in a specific folder and path that may be found anywhere on all drives.

(Add | Folder)

NOTE: You cannot specify an absolute path when the Audit Path is All Drives.

Exclusion Syntax: **<Path>\<FolderName>

Example: **USERS\TEMP\DOCS

Excludes:
C:\USERS\TEMP\DOCS
D:\USERS\TEMP\DOCS
D:\SHARED\APPS\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders with the specified folder name, which may be found anywhere on all drives.

(Add | Folder)

Exclusion Syntax: **\<FolderName>

Example: **\DOCS

Excludes:
C:\USERS\TEMP\DOCS
C:\DOCUMENTS\CHANGEAUDITOR\TEST\DOCS
D:\USERS\TEMP\DOCS
D:\SHARED\APPS\USERS\TEMP\DOCS

Exclude activity against files/subfolders in all folders whose name ends in a specified string, which is located in the base audit path.

NOTE: The base audit path refers to the top level drive letter when All Drives is specified.

(Add | Folder)

Exclusion Syntax: *<FolderNameString>

Example: *DOC

Excludes:
C:\DOC
C:\TESTDOC
D:\DOC

Exclude activity against files/subfolders in all folders whose name contains a specific string of characters, which may be found anywhere on all drives.

(Add | Folder)

Exclusion Syntax: **<CharString>*

Example: **DOC*

Excludes:
C:\DOCUMENTS
C:\MYDOCS
C:\USERS\TEMP\DOCS
D:\USERS\TEMP\DOCS
D:\SHARED\APPS\INSTALLDOC
D:\SHARED\APPS\USERS\TEMP\DOCS

Exclude activity against files whose name contains a specific string of characters, which may be found anywhere on all drives.

(Add | File)

Exclusion Syntax: **<CharString>*

Example: **DOC*

Excludes:
C:\TEMP\Test1.docx
C:\TEMP\Doc1.tmp
C:\USERS\TEMP\DOCS\Test1.doc
C:\TEMP\TEST\BETA\FinalDocument.pdf
D:\SHARED\APPS\USERS\TEMP\OldDocPlan

Exclude activity against files whose name ends with a specific string (regardless of the extension), that may be found anywhere on all drives.

(Add | File)

Exclusion Syntax: **<FileName>.*

Entering: **test1.*

Excludes:
C:\TEMP\Test1.docx
C:\DEPTS\TECHNICALDOCS\MyTest1.doc
C:\USERS\DOCS\NewTest1.docx
D:\SHARED\APPS\USERS\TEMP\Test1.xlsx

Exclude a file with a specific file name (regardless of the extension), that is found at the second level of a path on all drives.

(Add | File)

Exclusion Syntax: *\<FileName>.*

Entering: *\test1.*

Excludes:
C:\TEMP\Test1.docx
D:\SHARED\Tests1.xls

Exclude activity against all files with a specific extension, which are located in the base audit path.

NOTE: The base audit path refers to only the top level drive letter when All Drives is specified.

(Add | File)

Exclusion Syntax: *.<Ext>

Example: *.tmp

Excludes:
C:\Doc1.tmp
C:\Testing123.tmp
D:\MyTest.tmp

Exclude activity against all files with the specified file extension found anywhere on all drives.

(Add | File)

Exclusion Syntax: **.<Ext>

Example: **.pdf

Excludes:
C:\DOCUMENTS\Test123.pdf
C:\TEST\DOCS\Current.pdf
C:\TEMP\TEST\BETA\FinalDocument.pdf
D:\ReleaseHistory.pdf
D:\SHARED\APPS\WhatsNew.pdf

 

Change Auditor for Active Directory Queries

Previous Next

Change Auditor for Active Directory Queries

The Change Auditor for Active Directory Queries book contains information about the additional features that are available when a valid Change Auditor for Active Directory Queries license has been applied. It contains the following topics:
Change Auditor for Active Directory Queries Overview: This section provides an overview of Active Directory query auditing and provides a list of the additional features and components that require a valid Change Auditor for Active Directory Queries license.
Configure AD Query Auditing: This section provides instructions for excluding containers from AD query auditing as well as a description of the Excluded AD Query Auditing page (on the Administration Tasks tab).
Active Directory Query Searches/Reports: This section explains how to run a built-in AD Query report and how to create a custom AD Query search using the What tab.
AD Query Event Details: This section provides a description of the ‘What’ details that are provided on the Events Details pane for an AD Query event.

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级