Change Auditor 7.5 - User Guide

Browse SharePoint dialog

The Browse SharePoint dialog appears when the Add button is used to select a SharePoint path to be audited on the first page of the SharePoint Auditing wizard. This dialog displays a hierarchical representation of the SharePoint containers available on the selected SharePoint Farm.

Comments dialog

The Comments dialog appears when you click the Comments toolbar button on the Event Details pane (or the Comments right-click command for an event in the Search Results grid). This dialog allows you to enter (or append) comments regarding the selected event.

Comments

The top text box displays the comments that have already been entered for the selected event.

New comments

At the cursor, enter any additional comments that will be appended to the comment(s) already posted for this event.

Configuration Setup dialog

The Configuration Setup dialog appears when you select Configurations on the Agent Configuration page. From this dialog, you can review the settings established for existing agent configurations, define new agent configurations and remove obsolete agent configurations. After making any changes on this dialog, click Apply to save and apply your changes to the selected agent configuration.

By default, all agents are assigned to the Default Configuration. To use a different agent configuration, back on the Agent Configuration page, select at least one server agent from the list, click Assign, and select the agent configuration to be used by the selected agents.

Workstation agents always use the Default Configuration. You cannot assign a different agent configuration to workstation agents.

This dialog contains the following information/controls:

Configuration list

Displays the available agent configuration definitions. Use the buttons beneath this list to add and remove agent configurations.

The fields to the right are populated with the settings assigned to the selected configuration. To define a new configuration or modify an existing configuration, enter the requested information as described below:

Add

Use to create a new configuration definition. When this button is clicked, a new configuration will be added to the list where you can then enter a new name for your configuration.

In addition, the settings on this dialog will be activated allowing you to specify the appropriate system settings and apply auditing and protection templates. After entering the configuration settings, click OK to save the new configuration.

Copy

Use the selected configuration definition as the basis for a new configuration. When this button is clicked, a new configuration will be added to the list where you can then enter a name for the copied configuration.

The copied configuration settings can also be modified as necessary. After entering a name and modifying any of the configuration settings, click OK to save the new configuration.

Delete

Use to remove the selected configuration definition from the list. Select the configuration to be removed from the Configuration list and click Delete.

System Settings tab

Use these settings to define how agents process events.

Polling Interval (seconds)

How often an agent checks whether its configuration has been modified.

The default is 900 seconds (15 minutes). Use the arrow controls to increase or decrease this value.

Valid range: 60 - 9999 seconds

Retry Interval (seconds)

How often an agent will resend all unacknowledged events if it does not receive an immediate acknowledgment from the coordinator.

By default, if an agent does not receive an immediate acknowledgment from the coordinator for the events being transmitted, the agent will resend all unacknowledged events five minutes (300 seconds) after the previous attempt. Use the arrow controls to increase or decrease this value.

Valid range: 60 - 600 seconds

Forwarding Interval (seconds)

Determines how often an agent will forward events to the coordinator.

By default, every five seconds an agent forwards all of the events stored in the local queue (agent’s database) to the coordinator. Use the arrow controls to increase or decrease this value.

Valid range: 5 - 999 seconds

Kerberos Ticket Lifetime (hours)

A Kerberos user ticket can be used to verify your identity and gain access to specific resources or services in your domain. A golden ticket is a forged Kerberos ticket. An attack using a golden ticket is extremely dangerous due to the forged identity, elevated access it allows, and because it can be reused over its lifetime (10 years by default).

The setting determines the maximum ticket lifetime. When this value is exceeded, the “Kerberos user ticket that exceeds the maximum ticket lifetime detected” domain controller authentication event is generated. This event may indicate a possible golden ticket attack.

By default, the Kerberos ticket lifetime will be set to 10 hours.

Valid Range: 1 to 99999 hours.

Note: A valid Change Auditor Logon User license is required.
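The check behind the "Kerberos user ticket that exceeds the maximum ticket lifetime detected" event, as an added Python example that is not Change Auditor's own code: each ticket record carries an authentication time and an end time, the lifetime is their difference in hours, and a ticket is flagged when that lifetime is strictly greater than the configured maximum (10 hours by default, up to the page's 99999-hour ceiling). The record layout, user names and timestamps are constructed for the example.

```python
# Added example (not Change Auditor code): flag Kerberos tickets whose lifetime
# exceeds a configured maximum, the condition the "Kerberos Ticket Lifetime
# (hours)" setting controls. Ticket records below are constructed sample data.
from datetime import datetime, timedelta, timezone

DEFAULT_MAX_TICKET_LIFETIME_HOURS = 10  # default from the setting's description


def ticket_lifetime_hours(auth_time: datetime, end_time: datetime) -> float:
    """Lifetime of a ticket in hours, measured from authtime to endtime.

    Assumption: the record exposes these two Kerberos ticket times directly.
    """
    return (end_time - auth_time).total_seconds() / 3600.0


def exceeds_max_lifetime(record: dict,
                         max_hours: int = DEFAULT_MAX_TICKET_LIFETIME_HOURS) -> bool:
    """True when the ticket lives longer than the configured maximum (strictly)."""
    return ticket_lifetime_hours(record["auth_time"], record["end_time"]) > max_hours


def find_suspicious_tickets(records, max_hours: int = DEFAULT_MAX_TICKET_LIFETIME_HOURS):
    """Return (user, lifetime_hours) for every ticket over the limit.

    A hit corresponds to the domain controller authentication event the page
    describes; it is an indicator to investigate, not proof of a golden ticket.
    """
    hits = []
    for r in records:
        hours = ticket_lifetime_hours(r["auth_time"], r["end_time"])
        if hours > max_hours:
            hits.append((r["user"], round(hours, 1)))
    return hits


# Constructed sample: two tickets within policy and one with the 10-year
# lifetime the page cites as the default for a forged (golden) ticket.
T0 = datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)
SAMPLE_TICKETS = [
    {"user": "alice",         "auth_time": T0, "end_time": T0 + timedelta(hours=10)},
    {"user": "svc-backup",    "auth_time": T0, "end_time": T0 + timedelta(hours=8)},
    {"user": "administrator", "auth_time": T0, "end_time": T0 + timedelta(days=3650)},
]

if __name__ == "__main__":
    for user, hours in find_suspicious_tickets(SAMPLE_TICKETS):
        print(f"{user}: ticket lifetime {hours} h exceeds the configured maximum")
```

A ticket whose lifetime equals the maximum is not flagged, matching the wording "when this value is exceeded"; raising the setting towards its upper bound correspondingly hides long-lived tickets from this check.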

Max events per connection

Indicates the maximum number of events that will be sent to the coordinator per connection.

By default, a maximum of 1500 events will be sent per connection. Use the arrow controls to increase or decrease this number.

Valid range: 100 - 99999

Agent Load Threshold

Defines how many events can get backed up on an agent before it goes into Suspend (Critical) mode.

Default is 10000 events

Valid range: 100 - 100000

Allowed time for connection

These controls define when events are to be collected and forwarded to the coordinator.

Proxy Server tab

These settings are required to allow the agent to audit Microsoft Entra ID and Microsoft 365 targets if your organization uses a proxy server to connect to the internet.

Proxy server

The name or IP address of the proxy server.

Valid values: Proxy server fully qualified domain name, down-level name, or IPv4 address

Default: Not set

Port

The port on which to communicate with the proxy server.

Valid range: 1 - 65535

Default: 8080

Validate Proxy Settings

Uses the configured settings to access a website.

This test uses the https://www.quest.com web site.

Requires authentication

The credentials used to authenticate with the proxy server.

Default: Not set

File System tab

These settings define how to process duplicate file system events.

Discard duplicates that occur within nn seconds

This option is selected by default and will discard duplicate file system events that occur within 10 seconds of each other. You can use the arrow controls to increase or decrease this value.

Valid range: 1 - 600 seconds

Audit all configured, including duplicates. (Not Recommended)

Select this option to audit all configured file system events including duplicate events.

This is NOT recommended.

AD Query tab

Use these settings to optimize the Active Directory auditing process by summarizing similar operations from the same client and recording only the summary periodically. These settings only apply when Change Auditor for Active Directory Queries is licensed.

Discard results less than nn records

This setting instructs Change Auditor to only generate an event if an Active Directory query returns a number of records greater than or equal to the specified value.

The default value is 0; therefore, Change Auditor will generate an event even if the AD query returns no results.

Valid range: 0 - 99999

Discard queries taking less than nn milliseconds

This setting instructs Change Auditor to only generate an event if the Active Directory query takes longer than or equal to the specified number of milliseconds.

The default value is 20 milliseconds.

Valid range: 0 - 99999 milliseconds

Discard duplicate queries occurring within nn minutes

This setting defines how long AD Query events are to be ‘held’ to determine if duplicates have occurred before they are forwarded to the Change Auditor client.

The default is 15 minutes, meaning Change Auditor will gather AD Query events and hold them in a queue to determine if any duplicate queries have been generated during the specified interval. Change Auditor will then forward the AD Query event to the client specifying how many occurrences of that query were performed during the 15-minute interval.

Valid range: 0 - 1440 minutes

AD Query auditing enabled

This setting allows you to disable AD Query auditing on busy agents. This check box is selected by default indicating the AD Query auditing is enabled for all agents. Clearing this check box disables AD Query auditing on the agents assigned to the agent configuration selected in the left pane.
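The three AD Query tab settings above (minimum record count, minimum duration, and the duplicate-hold window that forwards one event with an occurrence count), together with the File System tab's "discard duplicates that occur within nn seconds", as one added Python example. This is not Change Auditor's code: the event records, client names and LDAP filters are constructed, and anchoring the hold window at the first occurrence of a query is an assumption about how the interval is measured.

```python
# Added example (not Change Auditor code): threshold filtering and time-window
# duplicate handling for AD Query events, reusing the same window logic for
# File System duplicate discard. All sample events below are constructed.
from datetime import datetime, timedelta


def passes_thresholds(q: dict, min_records: int = 0, min_duration_ms: int = 20) -> bool:
    """AD Query tab: keep a query only if it returned at least `min_records`
    records AND took at least `min_duration_ms` (page defaults: 0 and 20)."""
    return q["records"] >= min_records and q["duration_ms"] >= min_duration_ms


def summarize_duplicates(events, key_fn, window: timedelta):
    """Collapse events with the same key that fall within `window` of the first
    occurrence into one summary carrying an occurrence count.

    Assumption: the window is anchored at the first event of the group. A zero
    window disables holding, so every event becomes its own summary.
    """
    summaries, open_groups = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        k = key_fn(e)
        g = open_groups.get(k)
        if g is not None and window > timedelta(0) and e["time"] - g["first_seen"] <= window:
            g["occurrences"] += 1
            continue
        g = {"key": k, "first_seen": e["time"], "occurrences": 1, "event": e}
        open_groups[k] = g
        summaries.append(g)
    return summaries


def process_ad_queries(events, min_records=0, min_duration_ms=20, hold_minutes=15):
    """Apply the AD Query tab settings; return (client, query, occurrences)."""
    kept = [q for q in events if passes_thresholds(q, min_records, min_duration_ms)]
    groups = summarize_duplicates(kept, lambda q: (q["client"], q["query"]),
                                  timedelta(minutes=hold_minutes))
    return [(g["key"][0], g["key"][1], g["occurrences"]) for g in groups]


def dedupe_file_events(events, window_seconds=10):
    """File System tab: discard duplicates within `window_seconds` (default 10),
    keeping only the first event of each group."""
    groups = summarize_duplicates(events, lambda e: (e["user"], e["path"], e["action"]),
                                  timedelta(seconds=window_seconds))
    return [g["event"] for g in groups]


# Constructed sample AD Query events from two clients.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_QUERIES = [
    {"time": T0,                          "client": "ws01", "query": "(objectClass=user)",     "records": 1200, "duration_ms": 350},
    {"time": T0 + timedelta(minutes=4),   "client": "ws01", "query": "(objectClass=user)",     "records": 1200, "duration_ms": 410},
    {"time": T0 + timedelta(minutes=9),   "client": "ws01", "query": "(objectClass=user)",     "records": 1201, "duration_ms": 380},
    {"time": T0 + timedelta(minutes=2),   "client": "ws02", "query": "(sAMAccountName=alice)", "records": 1,    "duration_ms": 3},
    {"time": T0 + timedelta(minutes=20),  "client": "ws01", "query": "(objectClass=user)",     "records": 1200, "duration_ms": 360},
]

# Constructed sample file system events: three writes in quick succession.
SAMPLE_FILE_EVENTS = [
    {"time": T0 + timedelta(seconds=s), "user": "bob", "path": r"\\fs01\share\report.xlsx", "action": "write"}
    for s in (0, 3, 7)
] + [{"time": T0 + timedelta(seconds=30), "user": "bob", "path": r"\\fs01\share\report.xlsx", "action": "write"}]

if __name__ == "__main__":
    for client, query, n in process_ad_queries(SAMPLE_QUERIES):
        print(f"{client} {query}: {n} occurrence(s)")
    print(len(dedupe_file_events(SAMPLE_FILE_EVENTS)), "file events after duplicate discard")
```

With the defaults, the 3 ms single-user lookup is discarded by the duration threshold, the three enumeration queries from ws01 within 15 minutes collapse into one event reporting 3 occurrences, and the query 20 minutes later starts a new group. Lowering the duration threshold to 0 lets the fast lookup through, and setting the hold window to 0 forwards every query separately.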

Exchange tab

Use these settings to define how to handle duplicate folder open events. This setting only applies when Change Auditor for Exchange is licensed.

Discard duplicates that occur within nn seconds

This setting defines how long Exchange folder open events are to be ‘held’ to determine if duplicates have occurred before they are forwarded to the Change Auditor client. It is intended to eliminate the folder open events that Outlook or OWA Exchange users get when their inbox is automatically refreshed.

By default, this setting is set to zero indicating that it is turned off and duplicate folder opens will be sent to the Change Auditor client. However, you can use the arrow controls to enable this feature and specify the amount of time folder open events are to be held to determine if duplicates have occurred.

Valid range: 0 - 600 seconds

Defender tab

Use this setting to enable and disable Defender auditing.

Authentication Services tab

Use this setting to enable and disable Authentication Services auditing.

Auditing and Protection Templates pane

Use this to manage and assign your auditing and protection templates to the selected agent configuration.

Adding File System auditing or protection templates will not capture the associated events unless you have licensed Change Auditor for Windows File Servers. SQL Server auditing templates will not capture the associated events unless you have licensed Change Auditor for SQL Server.

Template list

This list contains the Auditing and Protection templates that have been defined and can be included in agent configurations. This list contains the following information for each template:

Restore to Default

Click to reset any changed settings back to the factory defaults for the Default Configuration.

NOTE: This button is only available when the Default Configuration is selected in the Configurations list box.

Edit Templates

Click to display the Auditing and Protection Templates dialog where you can add, edit or delete a template.

Configure cepp.conf Auditing dialog

This dialog appears when you click Audit File on the cepp.conf file page in the EMC Auditing wizard. From this page you can enable or disable the auditing of the cepp.conf file for changes made by other applications.

When this configuration file is being audited, an event is generated whenever another application modifies the configuration file. Modifications made to this configuration file by another application may prevent Change Auditor from capturing EMC events. This is a limitation of EMC in that EMC supports only one auditing pool at a time.

This dialog contains the following fields/options:

Enable Auditing

Select to enable the auditing of the cepp.conf file for modifications made by other third-party applications.

Polling Interval

By default, this configuration file will be polled for changes every 60 minutes. Use the arrow controls to change the polling interval.

Agent list

Select the Change Auditor agent from this list that is to poll the cepp.conf file.
