立即与支持人员聊天
与支持团队交流

Change Auditor 7.5 - User Guide

Welcome to Change Auditor Help Change Auditor Core Functionality
Change Auditor Core Functionality Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Working with Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags
Microsoft 365 and Microsoft Entra ID Auditing Change Auditor for Active Directory
Change Auditor for Active Directory Overview Custom Active Directory Searches and Reports Custom Active Directory Object Auditing Custom Active Directory Attribute Auditing Member of Group Auditing Active Directory Federation Services Auditing ADAM (AD LDS) Auditing Active Directory Database Auditing Active Roles Integration Quest GPOADmin Integration Active Directory Protection Event Details Pane About us
Change Auditor for Authentication Services Change Auditor for Defender Change Auditor for EMC Change Auditor for Exchange Change Auditor for Windows File Servers Change Auditor for Active Directory Queries Change Auditor for Logon Activity Change Auditor for NetApp Change Auditor for SharePoint Change Auditor for SQL Server Change Auditor SIEM Integration Guide
Webhooks in Change Auditor Integrating Change Auditor and SIEM Tools Subscription Management
Adding the PowerShell module Viewing available commands and help Connecting to Change Auditor Managing subscriptions Working with event subscriptions in the client Managing a Splunk integration Splunk event subscription wizard Managing an IBM QRadar integration QRadar event subscription wizard Managing a Micro Focus Security ArcSight Logger and Enterprise Security Manager (ESM) integration ArcSight event subscription wizard Managing a Quest IT Security Search integration (Preview) Managing a Syslog integration Syslog event subscription wizard Managing a Microsoft Sentinel integration Microsoft Sentinel event subscription wizard
Webhook technical insights
Change Auditor Threat Detection Deployment Change Auditor Threat Detection Dashboard Change Auditor PowerShell Command Guide Change Auditor Dialogs
Change Auditor dialogs
Quest Change Auditor dialog Add Administrator Add Agents, Domains, Sites dialog Add Container dialog Add Active Directory Container dialog (AD Query) Add Facilities or Event Classes dialog Add Facilities or Event Classes dialog (Add With Events) Add File System Path dialog Add Foreign Forest Credential Add Group Policy Container dialog Add Local Account dialog Add Logons dialog Add Logons dialog (Add With Events) Add Object Classes dialog Add Object Classes dialog (Add With Events) Add Origin dialog Add Origin dialog (Add With Events) Add Registry Key dialog Add Results dialog Add Service dialog Add Service dialog (Add With Events) Add Severities dialog Add Severities dialog (Add With Events) Add SharePoint Path dialog Add SQL Instance dialog Add SQL Data Level Object Add Users, Computers or Groups dialog Add Where dialog Add Who dialog Advanced Deployment Options dialog Agent Assignment dialog Alert Body Configuration dialog Alert Custom Email dialog Auditing and Protection Templates dialog Authorizations: Application Group dialog Authorizations: Operations | Role Definitions | Task Definitions | Application Group Authorizations: Role dialog Authorizations: Task dialog Auto Deploy to New Servers in Forest dialog Browse for Folder dialog Browse SharePoint dialog Comments dialog Configuration Setup dialog Configure cepp.conf Auditing dialog Connection screen Coordinator Configuration tool Coordinator Credentials Required dialog Credentials Required dialog Custom Filter dialog Database Credentials Required dialog Directory object picker Domain Credentials dialog Eligible Change Auditor Agents dialog Event Logging dialog Export/Import dialog Install or Upgrade/Uninstall/Update Foreign Agent Credentials IP Address dialog Log page Logon Credentials dialog (Deployment page) Logon Credentials dialog (EMC Auditing wizard) Manage Connection Profiles dialog New Report Layout dialog Microsoft 365 dialog Rename dialog Save As dialog Select a SQL Instance and Database dialog Select Destination Folder dialog Select Exchange Users dialog Select Registry Key dialog Select SQL Reporting Services Template dialog Shared Mailboxes dialog SharePoint Credentials Required dialog When dialog
About Us

Custom Filter dialog

Previous Next

Custom Filter dialog

The Custom Filter dialog appears when (Custom) is selected in the data filtering cell located directly beneath a column heading in a data grid in Change Auditor client. Use this dialog to specify a custom filter for filtering the displayed data.

This dialog contains the following controls:

Filter based on

Use the arrow control to select one of the following filtering options:
All (default) - select if all the criteria entered has to be met in order to be included.
Any - select if only one of the criteria entered has to be met in order to be included.

Comparison Operation

In the field to the right of the column heading, click the arrow control to select the comparison operation to be used:
Equals
Does not equal
Less than
Less than or equal to
Greater than
Greater than or equal to
Like
Matches Regular Expression
Starts with
Contains
Ends with
Does not start with
Does not contain
Does not end with
Does not match
Not Like

Pattern

In the field to the right of the comparison operator, enter the pattern (character string or value) to be used to search for a match.

Use a * wildcard character to match any string of zero or more characters. For example, entering LIKE *change* in the Event data filtering cell, will find events that contain the string ‘change’, such as, changed, Change Auditor, etc.

Add

Use to add additional criteria. Clicking this button adds a new row to the custom filter allowing you to specify additional criteria for the selected column.

Delete

Select an entry and click Delete to remove if from the custom filter.

Database Credentials Required dialog

Previous Next

Database Credentials Required dialog

 

The Database Credentials Required dialog appears when the current authenticated user running the Change Auditor client does not have the proper SQL credentials for accessing the SQL database. From this dialog, enter the SQL credentials to be used to access the database.

Windows Authentication

Select this option to use Windows Integrated Authentication to access the SQL database.

When selected, enter the Windows credentials to be used to log onto the specified SQL server.

If Windows Authentication is used to access the designated SQL instance, a verification screen is displayed. Verify that the server name, SQL instance name, and credentials are correct before proceeding. Incorrect entries cause the Change Auditor coordinator service to fail on startup.

When using a group Managed Service Account:
The account must end with '$' and the password must be blank.
The domain should be entered in the Fully Qualified Domain Name format.
The local Administrator group must be added to the group policy debug programs. (Found under Local Computer Policy | Windows Settings | Security Settings | Local Policies | User Rights Assignments | Debug programs.)
The coordinator host must be correctly configured to retrieve the managed password for the specified group Managed Service Account.
The coordinator installer must be run as the administrator. (Right-click and select Run as administrator.)

SQL Server Authentication

Select this option to use SQL Server Authentication to access the SQL database.

When selected, enter the SQL credentials to be used to log onto the specified SQL server.

Server

This is a read-only field and displays the IP address/name of the SQL server.

User

Enter the name of the user to be used to access the designated SQL server instance.

Password

Enter the password associated with the user account entered above.

Domain

Enter the domain name for the account to be used to access the designated SQL server instance. (N/A for SQL Server Authentications)

Remember Creds

Select to cache the logon credentials entered so they can be used for subsequent authentications to the SQL database.

* 
NOTE: You can clear these saved credentials by clicking the Clear Creds button on the Manage Connection Profiles dialog. Clearing the cached logon credentials on the current workstation allows you to use a different set of credentials for accessing the SQL database.

Directory object picker

Previous Next

Directory object picker

Throughout the Change Auditor client, the directory object picker is used to locate and select Active Directory objects from the environment. This object picker appears in either a stand alone dialog (such as the Select Active Directory Objects dialog) or as a page in a wizard. The Change Auditor client needs to be able to connect to a Global Catalog (GC) to display the object picker and query objects. The client contacts the coordinator to get the Global Catalog that should be used. The coordinator will attempt to choose a GC in its local domain and site. If none are found, it will choose one in its domain, then in the local site, and lastly the entire forest. It is recommended to have the coordinator and the client reside in the same site and/or domain so that the directory object picker performs more efficiently.

The directory object picker consists of two tabbed pages to assist you in locating the desired Active Directory object and a third tabbed page to define various search options:
Browse page - allows you to select the desired object from a hierarchical view of your environment.
Search page - allows you to search your environment for the desired object.
Options page - allows you to view or modify the search options used to retrieve directory objects.
* 
NOTE: In some cases, you must select the forest.
Browse page

The Browse page displays and contains a hierarchical view of the objects in your environment. The following information and controls can be used to browse your environment to locate a directory object.

Forest

Use the Forest field to select the forest that contains the required directory objects. This field is available le in the directory object picker in the following areas:
Group membership expansion, Email Alerts configuration and shared folder configuration
Purge and archive jobs
Active Directory, AD Query, ADAM (AD LDS), Exchange, Group Policy, Local accounts, Registry, Service, and SQL Server searches
Report and alert email configuration
Windows File System, Active Directory, and AD Query auditing wizard
File System and Active Directory protection wizard

Find

Use to select the type of directory objects to be displayed. You can either type in an entry or use the drop-down menu to select the class. You can type in multiple classes, separated by either a period or semi-colon. Note that when you type in an entry, you must click the Apply Filter button to display the objects.

* 
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. Thus, when this field is grayed out, this is a read-only field which cannot be changed.

Explorer view

Displays a hierarchical view of the containers in your environment. Single-click on the expansion state box to the left of a container or double-click a container to expand the view to display subordinate objects. When you select a container in this pane, the object list (right pane) will be populated with the objects that belong to the selected container.

* 
NOTE: Right-clicking the root domain in the explorer view will display a drop-down menu listing any peer domains. To view a different domain's objects, select the desired domain from those listed.

Use F5 to refresh the contents of this pane.

Object list

Displays the objects that belong to the container selected in the explorer view. To select an object, click on the object to highlight it and click the Add button to add it to the Selected Objects list at the bottom of the dialog.

Selected Objects list

The Selected Objects list, located across the bottom of the page, displays the objects selected. This list is used for both the Browse and Search pages and will contain the objects selected from either of these pages. Use the buttons above this list box to add or remove objects.
Add - Use the Add button to add the selected object to the Selected Objects list. The Add button will only be activated when you have selected an object of the designated type (based on the Find field).
Remove - Select the object to be removed from the Selected Objects list and then click the Remove button.

Once you have added the desired object(s) to the Selected Objects list, click the Select button in the lower right corner of the dialog to save your selection and close the dialog. The selected object(s) will then be listed on the originating dialog.

Search page

The Search page allows you to search your environment to locate the desired object(s). This page is most helpful in locating objects in very large environments. Use the controls, located at the top of the dialog, to search the environment and locate the desired object(s). Click the Search button to display the information requested.

This page contains the following information/controls that can be used to search your environment to locate a directory object.

Find

Use to select the type of directory objects to be displayed. You can either type in an entry or use the drop-down menu to select the class. You can type in multiple classes, separated by either a period or semi-colon. Note that when you type in an entry, you must click the Search button to display the objects.

* 
NOTE: Most of the time, this field will be automatically filled in with the appropriate entry. Thus, when this field is grayed out, this is a read-only field which cannot be changed.

Name

Use to specify the search expression to be used to search Active Directory to locate a particular object.

ANR

The ANR check box is checked by default indicating that Ambiguous Name Resolution (ANR) is the search algorithm used, which allows you to enter limited input (partial data) to find multiple objects in your network.

When the ANR check box is checked, use one of the following methods to enter your search expression:
Enter a partial string to return exact matches or a list of possible matches. For example, entering ‘Admin’ will return objects that contain the name ‘Admin’, ‘Admins’, ‘Administrator’, ‘Administrators’, etc.
Enter a string preceded by the equal sign ((=Admin) to return only exact matches. For example, entering ‘=Admin’ will return only those objects containing the name ‘Admin’.

By default, ANR will search the following attribute fields in Active Directory:
First Name (GivenName)
Last Name (Surname)
Display Name (displayName)
LegacyExchangeDN
msExchMailNickname
Relative Distinguished Name of the object (RDN)
Office (physicalDeliveryOfficeName)
Email address (proxyAddress)
Security Account Manager account (sAMAccountName)

When the ANR check box is cleared, the search expression entered will be used to search only the Display Name of directory objects to locate a particular object. To use this search mechanism, enter a string of characters and the wildcard (*) character as described below.

For example, n* will return objects that start with the letter ‘n’; *n will return objects that end in the letter ‘n’; and *n* will return objects that contain the letter ‘n’ within their Display Name.

Search

After entering a search expression, click the Search button to initiate the search and return the results of the search.

Object list

Displays the objects found as a result of your search. To select an object, select the object to highlight it and click the Add button to add it to the Selected Objects list.

Selected objects list

The Selected Objects list, located across the bottom of the page, displays the objects selected. This list is used for both the Browse and Search pages and will contain the objects selected from either of these pages. Use the buttons above this list box to add or remove objects.
Add - Click the Add button to add the selected directory object to the Selected Objects list.
Remove - Select the object to be removed in the Selected Objects list and then click the Remove button.

Once you have added the desired object(s) to the Selected Objects list, click the Select button in the lower right-hand corner of the dialog to save your selection and close the dialog. The selected object(s) will then be listed on the originating dialog.

Options page

The Options page allows you to view and modify the search options used to retrieve directory objects.

* 
NOTE: The settings on the Options page only apply to the current user and will not impact other users using a Change Auditor client.

This page contains the following information/controls to manage the search options used to retrieve directory objects.

Search Limit

Specifies the maximum number of records to be returned for an Active Directory object search. The default is 2000 records. Minimum value is 100 and the maximum value is 9999.

No Search Limit

Select to allow an unlimited number of records to be returned.

Page Size

Displays the maximum number of records returned per LDAP polling cycle. The default is 1000 records.

* 
IMPORTANT: Care should be taken when modifying this value because it could impact the performance of your searches.

Domain Credentials dialog

Previous Next

Domain Credentials dialog

The Domain Credentials dialog appears when the Credentials tool bar button or right-click command is selected on the Deployment page. This dialog is also displayed when the Install or Upgrade command is selected and you do not currently have the proper credentials to install a Change Auditor agent on the selected domain. This dialog consists of a list of domains in your environment and allows you to set or clear the user credentials that are to be used to install or upgrade agents on these domains.

Use the buttons at the bottom of this page as described below:

Set

Select a domain from the list and click the Set button to display the Logon Credentials dialog where you can then enter the credentials of a user with administrative rights to the selected domain.

Clear

Select a domain from the list and click the Clear button to clear the specified user credentials.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级